
Cannot Remove AntiVirus XP with MBAM



I have used MBAM in the past to remove similar programs, but this time no such luck. So here is where I am at:

1.) I performed the following registry edit in order to run .exe files without Antivirus XP 2010 blocking them:

Windows Registry Editor Version 5.00

; remove the per-user .exe association and the secfile class
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]

; remove any open command placed directly under the .exe extension key
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

; restore the stock handler: run the file itself with its arguments
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; point .exe back at exefile
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

2.) I have followed all the available instructions on this site and others, but MBAM has only found and removed the following:

Hijacked.exeFile

Disabled.SecurityCenter

AntiVirus XP 2010 no longer begins at startup, and I am able to open various files and .exe programs without problem, but once I try to open Internet Explorer, AntiVirus XP 2010 begins to run and shuts everything down. I am able to access the internet in IE if I launch a browser through another program.

I've attached my HijackThis logfile. I will attempt to run and post an additional logfile after AV2010 is running.

I would appreciate any help that can be provided.

hijackthis_Log.txt


Hello nomorevirus! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware while we work on it.

Step 1:

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

Step 2:

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* HijackThis Uninstall List

* HijackThis log (new)

* RKill log

* MalwareBytes' Anti-Malware log


Hello, and thank you for responding.

1. RKill Log

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Owner on 03/02/2010 at 14:26:34.

Processes terminated by Rkill or while it was running:

C:\WINNT\system32\UAService7.exe

C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe

C:\Documents and Settings\Owner\Desktop\rkill.exe

Rkill completed on 03/02/2010 at 14:26:39.

2. MBAM Log

Malwarebytes' Anti-Malware 1.44

Database version: 3815

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/2/2010 2:57:49 PM

mbam-log-2010-03-02 (14-57-49).txt

Scan type: Quick Scan

Objects scanned: 129473

Time elapsed: 14 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis Uninstall List

ABBYY FineReader 5.0 Sprint Plus

Acer eDisplay Management

Adobe Atmosphere Player for Acrobat and Adobe Reader

Adobe Flash Player 10 ActiveX

Adobe Photoshop Album 2.0 Starter Edition

Adobe Reader 8.1.6

Adobe Shockwave Player 11

Ahead Nero BurnRights

AOL Instant Messenger

Apple Application Support

Apple Software Update

ArcSoft Software Suite

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Control Panel

ATI Display Driver

Battle.net

Blackhawk Striker

Blackhawk Striker from Gateway (remove only)

Blasterball 2

Blasterball 2 from Gateway (remove only)

Blasterball Wild

Bounce Symphony from Gateway (remove only)

Comcast High-Speed Internet Install Wizard

Comcast Rhapsody

Creative Driver

Critical Update for Windows Media Player 11 (KB959772)

DAEMON Tools Toolbar

Diablo

DoMore

DVD

DVD Shrink 3.1.7

EPSON CardMonitor

EPSON Copy Utility

EPSON ES CX6400 Manual

EPSON Photo Print

EPSON PhotoStarter3.0

EPSON Printer Software

EPSON Scan

EPSON Smart Panel

Excavation from Gateway (remove only)

Final Draft 7

Five Card Frenzy from Gateway (remove only)

FLV Player 2.0 (build 25)

GameTap

Gateway Drivers and Applications Recovery

Gateway Ink Monitor

Gem Master 2

GrabIt 1.7.2 Beta 3 (build 996)

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Image Transfer

InetDctr

Intel® 537EP Data Fax Modem

Intel® PRO Network Adapters and Drivers

Intel® PROSet

IrfanView (remove only)

iriver Music Manager

iRiver Updater

J2SE Runtime Environment 5.0 Update 6

Java 2 Runtime Environment, SE v1.4.2

Learn2 Player (Uninstall Only)

LiveUpdate 2.0 (Symantec Corporation)

Logitech Audio Echo Cancellation Component

Logitech Desktop Messenger

Logitech iTouch Software

Logitech MouseWare 9.75

Logitech QuickCam

Logitech Resource Center

Logitech Video Enumerator

Logitech


Step 1:

Please uninstall the following applications:

ABBYY FineReader 5.0 Sprint Plus

Adobe Reader 8.1.6

DAEMON Tools Toolbar

LiveUpdate 2.0 (Symantec Corporation)

After we finish our work, please download and install the latest version of ABBYY FineReader and Adobe Reader from:

http://www.abbyy.com/

http://www.adobe.com/

Step 2:

Please go into the Control Panel, Add/Remove Programs, and for now remove ALL versions of JAVA.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and, if found, delete them:
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3:

I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 4:

Please visit Combofix Guide & Instructions for instructions on installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean-up process is finished. Doing so makes our job more tedious, with additional new files that may have to be researched, which is very time-consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

In your next reply, please include these log(s):

* JavaRa log

* ComboFix log


Hey, it seems to be fixed! Thanks much.

Any idea why MBAM couldn't find whatever this was and remove it? If I purchase a full version of MBAM would it still prevent this nonsense?

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Mar 02 16:44:27 2010

Found and removed: C:\Program Files\Java\j2re1.4.2

Found and removed: C:\Windows\System32\jpicpl32.cpl

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410200

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

------------------------------------

Finished reporting.

ComboFix 10-03-02.02 - Owner 03/02/2010 17:44:39.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.599 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Application Data\MSASCui.exe

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\75aNA5oy8.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\PXb600mB.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\YlYbbx.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\YYBAj7.jpg

c:\documents and settings\Owner\Start Menu\NOTEPAD.EXE

c:\recycler\S-1-5-21-159346707-5220257-1326429942-1003

c:\winnt\BackUp

c:\winnt\BackUp\S\50309000.DAT

c:\winnt\BackUp\S\50621000.DAT

c:\winnt\BackUp\S\50901000.DAT

c:\winnt\patch.exe

c:\winnt\repair\dvditna.bak1

c:\winnt\repair\dvditna.bak2

c:\winnt\repair\dvditna.ini

c:\winnt\repair\dvditna.ini2

c:\winnt\repair\dvditna.tmp

c:\winnt\system\oeminfo.ini

c:\winnt\system32\4566309.exe

c:\winnt\system32\bccdd.bak1

c:\winnt\system32\bccdd.bak2

c:\winnt\system32\bccdd.tmp

c:\winnt\system32\Cache

c:\winnt\system32\Cache\chart 1.bmp

c:\winnt\system32\Cache\ding.bmp

c:\winnt\system32\Cache\disk 1.bmp

c:\winnt\system32\Cache\document.bmp

c:\winnt\system32\Cache\mail unreaded.bmp

c:\winnt\system32\Cache\msg.bin

c:\winnt\system32\Cache\peoples 1.bmp

c:\winnt\system32\Cache\search find 2.bmp

c:\winnt\system32\Cache\web app.bmp

c:\winnt\system32\command.pif

C:\xcrashdump.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))

.

2010-03-01 20:51 . 2010-03-01 20:51 -------- d-----w- c:\program files\TrendMicro

2010-03-01 17:49 . 2010-03-01 17:49 -------- d--h--w- c:\winnt\PIF

2010-02-09 18:49 . 2010-02-09 18:49 664 ----a-w- c:\winnt\system32\d3d9caps.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-02 22:57 . 2004-11-25 05:17 384 ----a-w- c:\winnt\system32\DVCStateBkp-{00000003-00000000-00000001-00001102-00000004-10061102}.dat

2010-03-02 22:57 . 2004-11-25 05:17 384 ----a-w- c:\winnt\system32\DVCState-{00000003-00000000-00000001-00001102-00000004-10061102}.dat

2010-03-02 21:54 . 2004-06-17 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-02 21:35 . 2004-01-08 14:44 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-01 20:06 . 2009-11-19 02:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-01 06:23 . 2004-04-16 02:41 51584 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat

2010-02-03 15:59 . 2005-10-24 20:52 -------- d-----w- c:\program files\World of Warcraft

2010-01-22 09:25 . 2009-07-07 03:11 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-20 22:49 . 2008-05-04 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

2010-01-12 05:50 . 2009-04-24 06:03 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6

2010-01-07 21:07 . 2009-11-19 02:05 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2009-11-19 02:05 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys

2009-12-31 16:50 . 2003-03-28 16:54 353792 ----a-w- c:\winnt\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-24 01:32 916480 ----a-w- c:\winnt\system32\wininet.dll

2009-12-16 18:43 . 2004-09-13 03:49 343040 ----a-w- c:\winnt\system32\mspaint.exe

2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\winnt\system32\GPhotos.scr

2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\winnt\system32\csrsrv.dll

2009-12-08 19:26 . 2003-04-24 13:57 2145280 ----a-w- c:\winnt\system32\ntoskrnl.exe

2009-12-08 18:43 . 2003-04-24 13:57 2023936 ----a-w- c:\winnt\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2002-11-18 16:27 455424 ----a-w- c:\winnt\system32\drivers\mrxsmb.sys

2009-10-27 01:42 . 2009-10-27 01:42 66936 --sha-w- c:\winnt\dlinfo_0.drv

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [N/A]

"WinPatrol"="c:\progra~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [N/A]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [N/A]

"mswspl"="c:\progra~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [N/A]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]

"kdx"="c:\winnt\kdx\KHost.exe" [N/A]

"CTHelper"="CTHELPER.EXE" [2004-03-11 28672]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]

"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]

"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-22 81920]

"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]

"EPSON Stylus CX6400"="c:\winnt\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [N/A]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SetDefaultMIDI"="MIDIDef.exe" [2003-06-20 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SetDefaultMidi"="MIDIDEF.EXE" [2003-06-20 49152]

"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2004-3-2 274432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk

backup=c:\winnt\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^CurseClientStartup.ccip]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\CurseClientStartup.ccip

backup=c:\winnt\pss\CurseClientStartup.ccipStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]

c:\program files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]

2004-07-01 21:20 212992 ----a-w- c:\program files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]

c:\program files\LimeShop\LimeShoprun.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2006-06-26 14:34 614960 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ---ha-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

c:\program files\MSN Messenger\msnmsgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 -c--a-r- c:\winnt\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez]

c:\program files\Warez P2P Client\warez.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]

c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Diablo\\diablo.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader

"6112:TCP"= 6112:TCP:Blizzard Downloader

"8887:TCP"= 8887:TCP:BitComet 8887 TCP

"8887:UDP"= 8887:UDP:BitComet 8887 UDP

"16794:TCP"= 16794:TCP:BitComet 16794 TCP

"16794:UDP"= 16794:UDP:BitComet 16794 UDP

R0 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [2/20/2009 7:27 AM 721904]

S3 SaiHFF0C;SaiHFF0C;c:\winnt\system32\drivers\SaiHFF0C.sys [3/15/2004 2:16 PM 56576]

S3 SaiUFF0C;SaiUFF0C;c:\winnt\system32\drivers\saiuFF0C.sys [3/15/2004 2:16 PM 19584]

S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\winnt\system32\drivers\wg121nd5.sys [3/2/2004 8:13 PM 337184]

.

Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\winnt\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-27 16:22]

2010-03-01 c:\winnt\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-27 16:22]

2010-03-02 c:\winnt\Tasks\User_Feed_Synchronization-{068BA5E8-C8F5-4CD2-9DE4-1E19C8A9C188}.job

- c:\winnt\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www6.comcast.net/a/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = about:blank

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab

DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} - hxxp://www.streamerp2p.com/sfiles/phasex.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-14009.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

AddRemove-15tvbtn8 - c:\winnt\15tvbtn8.exe

AddRemove-4AF3F682-FE2A-488D-A11C-A0470A325E93 - c:\program files\WildTangent\Apps\GameChannel\Games\4AF3F682-FE2A-488D-A11C-A0470A325E93\Uninstall.exe

AddRemove-5A137FCB-35EA-4849-8239-AFEBD2F45B3B - c:\program files\WildTangent\Apps\GameChannel\Games\5A137FCB-35EA-4849-8239-AFEBD2F45B3B\Uninstall.exe

AddRemove-618CD711-AFB3-4EB4-9B48-ABD2AB370B21 - c:\program files\WildTangent\Apps\GameChannel\Games\618CD711-AFB3-4EB4-9B48-ABD2AB370B21\Uninstall.exe

AddRemove-70216ACD-1547-44E5-8966-615BE9569EAD - c:\program files\WildTangent\Apps\GameChannel\Games\70216ACD-1547-44E5-8966-615BE9569EAD\Uninstall.exe

AddRemove-97D31CB6-F2B5-4875-B6B0-8AF75AC414DB - c:\program files\WildTangent\Apps\GameChannel\Games\97D31CB6-F2B5-4875-B6B0-8AF75AC414DB\Uninstall.exe

AddRemove-A375E2C6-77CA-4F2F-AB6F-CD0A96D87B24 - c:\program files\WildTangent\Apps\GameChannel\Games\A375E2C6-77CA-4F2F-AB6F-CD0A96D87B24\Uninstall.exe

AddRemove-AA4162B8-1BB1-4110-8F93-0092D4DEF122 - c:\program files\WildTangent\Apps\GameChannel\Games\AA4162B8-1BB1-4110-8F93-0092D4DEF122\Uninstall.exe

AddRemove-ADFCE1E4-A420-437C-998D-EAF04E3601BE - c:\program files\WildTangent\Apps\GameChannel\Games\ADFCE1E4-A420-437C-998D-EAF04E3601BE\Uninstall.exe

AddRemove-BECB8A74-E07D-44A1-813D-1E390EB3047B - c:\program files\WildTangent\Apps\GameChannel\Games\BECB8A74-E07D-44A1-813D-1E390EB3047B\Uninstall.exe

AddRemove-C4D2212B-5331-470D-9BF7-96DB25A398C7 - c:\program files\WildTangent\Apps\GameChannel\Games\C4D2212B-5331-470D-9BF7-96DB25A398C7\Uninstall.exe

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

AddRemove-{1336A42D-44B3-4063-B160-9F81ECE7D6D7} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {1336A42D-44B3-4063-B160-9F81ECE7D6D7}

AddRemove-{539E887B-98A5-4CDC-85D6-07371995D66E} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {539E887B-98A5-4CDC-85D6-07371995D66E}

AddRemove-{5E83229B-2295-4C3C-B97D-81156122759B} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {5E83229B-2295-4C3C-B97D-81156122759B}

AddRemove-{93F8CA95-311D-4DB1-8226-AD572B8CC0CE} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {93F8CA95-311D-4DB1-8226-AD572B8CC0CE}

AddRemove-{A399157E-EF92-4012-8F7A-DBDBDE3A269F} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {A399157E-EF92-4012-8F7A-DBDBDE3A269F}

AddRemove-{CA3420D8-75ED-41BC-AC6A-D41EA327649C} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {CA3420D8-75ED-41BC-AC6A-D41EA327649C}

AddRemove-{FAA23FA3-E415-488A-94BE-CD18942DC813} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {FAA23FA3-E415-488A-94BE-CD18942DC813}

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-02 18:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spia.sys >>UNKNOWN [0x87386938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7592f28

\Driver\ACPI -> ACPI.sys @ 0xf73bccb8

\Driver\atapi -> atapi.sys @ 0xf7377b40

\Driver\iaStor -> iaStor.sys @ 0xf7357cd0

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e

ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e

ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167290857-1794671658-1875467217-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\ACPI\PNP0F03\4&35f762c4&0\LogConf]

@DACL=(02 0000)

"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,

00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\

"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,

00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\HID\Vid_046d&Pid_c016\7&2924c29b&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)

c:\winnt\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7008)

c:\winnt\system32\WININET.dll

c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\winnt\system32\ctagent.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\program files\Portrait Displays\Pivot Software\winphook.dll

c:\winnt\system32\ieframe.dll

c:\winnt\system32\webcheck.dll

c:\winnt\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll

c:\winnt\system32\PortableDeviceTypes.dll

c:\winnt\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\winnt\system32\Ati2evxx.exe

c:\winnt\system32\Ati2evxx.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

c:\winnt\system32\UAService7.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\winnt\system32\CTHELPER.EXE

c:\program files\Logitech\MouseWare\system\em_exec.exe

c:\program files\Acer Display\eDisplay Management\DTHtml.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Portrait Displays\Pivot Software\floater.exe

c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\winnt\system32\defrag.exe

c:\winnt\system32\DfrgNtfs.exe

.

**************************************************************************

.

Completion time: 2010-03-02 18:52:44 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-02 23:52

Pre-Run: 3,019,915,264 bytes free

Post-Run: 3,506,503,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINNT

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - D2D6DA33B6682829F17AAB3E1058142B


We're not ready! Please be patient!

Step 1:

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 2:

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

File::
c:\documents and settings\Owner\Application Data\wklnhst.dat

AWF::

MBR::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 10-03-02.08 - Owner 03/03/2010 7:56.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.492 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\documents and settings\Owner\Application Data\wklnhst.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Application Data\wklnhst.dat

.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))

.

2010-03-03 02:47 . 2010-03-03 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-03-03 02:47 . 2010-03-03 02:47 -------- d-----w- c:\program files\NOS

2010-03-01 20:51 . 2010-03-01 20:51 -------- d-----w- c:\program files\TrendMicro

2010-03-01 17:49 . 2010-03-01 17:49 -------- d--h--w- c:\winnt\PIF

2010-02-09 18:49 . 2010-02-09 18:49 664 ----a-w- c:\winnt\system32\d3d9caps.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-03 13:11 . 2004-11-25 05:17 384 ----a-w- c:\winnt\system32\DVCStateBkp-{00000003-00000000-00000001-00001102-00000004-10061102}.dat

2010-03-03 13:11 . 2004-11-25 05:17 384 ----a-w- c:\winnt\system32\DVCState-{00000003-00000000-00000001-00001102-00000004-10061102}.dat

2010-03-03 12:47 . 2004-01-08 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-03-03 12:47 . 2004-01-08 14:38 -------- d-----w- c:\program files\Viewpoint

2010-03-02 21:54 . 2004-06-17 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-02 21:35 . 2004-01-08 14:44 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-01 20:06 . 2009-11-19 02:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-03 15:59 . 2005-10-24 20:52 -------- d-----w- c:\program files\World of Warcraft

2010-01-22 09:25 . 2009-07-07 03:11 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-20 22:49 . 2008-05-04 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

2010-01-12 05:50 . 2009-04-24 06:03 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6

2010-01-07 21:07 . 2009-11-19 02:05 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2009-11-19 02:05 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys

2009-12-31 16:50 . 2003-03-28 16:54 353792 ----a-w- c:\winnt\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-24 01:32 916480 ------w- c:\winnt\system32\wininet.dll

2009-12-16 18:43 . 2004-09-13 03:49 343040 ----a-w- c:\winnt\system32\mspaint.exe

2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\winnt\system32\GPhotos.scr

2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\winnt\system32\csrsrv.dll

2009-12-08 19:26 . 2003-04-24 13:57 2145280 ------w- c:\winnt\system32\ntoskrnl.exe

2009-12-08 18:43 . 2003-04-24 13:57 2023936 ------w- c:\winnt\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2002-11-18 16:27 455424 ----a-w- c:\winnt\system32\drivers\mrxsmb.sys

2009-10-27 01:42 . 2009-10-27 01:42 66936 --sha-w- c:\winnt\dlinfo_0.drv

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [N/A]

"WinPatrol"="c:\progra~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [N/A]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [N/A]

"mswspl"="c:\progra~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [N/A]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]

"kdx"="c:\winnt\kdx\KHost.exe" [N/A]

"CTHelper"="CTHELPER.EXE" [2004-03-11 28672]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]

"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]

"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-22 81920]

"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]

"EPSON Stylus CX6400"="c:\winnt\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [N/A]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SetDefaultMIDI"="MIDIDef.exe" [2003-06-20 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SetDefaultMidi"="MIDIDEF.EXE" [2003-06-20 49152]

"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2004-3-2 274432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk

backup=c:\winnt\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^CurseClientStartup.ccip]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\CurseClientStartup.ccip

backup=c:\winnt\pss\CurseClientStartup.ccipStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]

c:\program files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]

2004-07-01 21:20 212992 ----a-w- c:\program files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]

c:\program files\LimeShop\LimeShoprun.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2006-06-26 14:34 614960 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ---ha-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

c:\program files\MSN Messenger\msnmsgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 -c--a-r- c:\winnt\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez]

c:\program files\Warez P2P Client\warez.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]

c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Diablo\\diablo.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader

"6112:TCP"= 6112:TCP:Blizzard Downloader

"8887:TCP"= 8887:TCP:BitComet 8887 TCP

"8887:UDP"= 8887:UDP:BitComet 8887 UDP

"16794:TCP"= 16794:TCP:BitComet 16794 TCP

"16794:UDP"= 16794:UDP:BitComet 16794 UDP

R0 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [2/20/2009 7:27 AM 721904]

S3 SaiHFF0C;SaiHFF0C;c:\winnt\system32\drivers\SaiHFF0C.sys [3/15/2004 2:16 PM 56576]

S3 SaiUFF0C;SaiUFF0C;c:\winnt\system32\drivers\saiuFF0C.sys [3/15/2004 2:16 PM 19584]

S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\winnt\system32\drivers\wg121nd5.sys [3/2/2004 8:13 PM 337184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\winnt\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-27 16:22]

2010-03-01 c:\winnt\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-27 16:22]

2010-03-03 c:\winnt\Tasks\User_Feed_Synchronization-{068BA5E8-C8F5-4CD2-9DE4-1E19C8A9C188}.job

- c:\winnt\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www6.comcast.net/a/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = about:blank

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab

DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} - hxxp://www.streamerp2p.com/sfiles/phasex.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-14009.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-03 08:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spsj.sys >>UNKNOWN [0x87386938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7557f28

\Driver\ACPI -> ACPI.sys @ 0xf7381cb8

\Driver\atapi -> atapi.sys @ 0xf733cb40

\Driver\iaStor -> iaStor.sys @ 0xf731ccd0

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e

ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e

ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167290857-1794671658-1875467217-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\ACPI\PNP0F03\4&35f762c4&0\LogConf]

@DACL=(02 0000)

"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,

00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\

"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,

00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\HID\Vid_046d&Pid_c016\7&2924c29b&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)

c:\winnt\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7608)

c:\winnt\system32\WININET.dll

c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\winnt\system32\ctagent.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\program files\Portrait Displays\Pivot Software\winphook.dll

c:\winnt\system32\ieframe.dll

c:\winnt\system32\webcheck.dll

c:\winnt\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll

c:\winnt\system32\PortableDeviceTypes.dll

c:\winnt\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\winnt\system32\Ati2evxx.exe

c:\winnt\system32\Ati2evxx.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

c:\winnt\system32\UAService7.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\winnt\system32\wscntfy.exe

c:\winnt\system32\CTHELPER.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Logitech\MouseWare\system\em_exec.exe

c:\program files\Portrait Displays\Pivot Software\floater.exe

c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2010-03-03 08:36:14 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-03 13:36

ComboFix2.txt 2010-03-02 23:52

Pre-Run: 3,434,721,280 bytes free

Post-Run: 3,464,105,984 bytes free

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 8:30:42 PM, on 3/3/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\UAService7.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\system32\CTHELPER.EXE

C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Portrait Displays\Pivot Software\floater.exe

C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe

C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINNT\system32\ctfmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [mswspl] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"

O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [setDefaultMIDI] MIDIDef.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [setDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [setDefaultMIDI] MIDIDef.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [setDefaultMidi] MIDIDEF.EXE (User 'Default user')

O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: ActiveGS.cab - http://activegs.freetoolsassociation.com/ActiveGS.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} (PhaseCaster Widget) - http://www.streamerp2p.com/sfiles/phasex.cab

O16 - DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} (Wild Pockets Loader Plugin Control Class) - http://www.wildpockets.com/common/WildPock...oader-14009.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe

O24 - Desktop Component 1: (no name) - http://bushclock.lose.com/timer.shtml

--

End of file - 10354 bytes


Step 1:

Please open HijackThis and select Do a system scan only.

Check the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

Then, close all open windows except that of HijackThis, and select Fix Checked.

Step 2:

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
    gmer_zip.gif
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Let me know how things are running now.

In your next reply, please include these log(s):

* GMER log

* HijackThis log (new)

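The triage the helper just did by hand, written up as an added example (not code from this thread, HijackThis or Malwarebytes): it parses HijackThis-style lines and flags the three entry classes picked out in Step 1 above, an IE ProxyServer that points at the loopback address, an O2 BHO whose DLL is "(no file)", and an O9 button whose target is "(file missing)". The sample lines are copied from the log posted above and trimmed; the proxy parser also accepts the multi-scheme form ("http=...;https=...") that this log does not show.

```python
"""Triage a HijackThis log for the entry classes flagged in this thread.

Added example (not code from the forum thread, HijackThis or Malwarebytes).
The checks are the ones the helper applied by hand: an IE ProxyServer
value that points at the loopback address, an O2 BHO whose DLL is
"(no file)", and an O9 button whose target is "(file missing)".
"""
import re
from dataclasses import dataclass

# One HijackThis entry: a type tag (R0..R3, F0..F3, N1..N4, O1..O24),
# a dash, then the rest of the line.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s*-\s*(.*)$")

# Hosts that mean "a process on this very machine" when used as a proxy.
LOOPBACK_HOST = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)$",
                           re.IGNORECASE)


@dataclass
class Finding:
    line: str    # the log line as written
    reason: str  # why it deserves a look


def parse_entry(line):
    """Return (type_tag, rest) for an 'O9 - ...' style line, else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def proxy_targets(value):
    """Yield (scheme, host, port) from an IE ProxyServer string.

    Handles both the single form '10.0.0.1:3128' and the per-scheme form
    'http=127.0.0.1:5555;https=proxy.corp.example:8080'.
    """
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        scheme, sep, hostport = token.partition("=")
        if not sep:                       # no 'scheme=' prefix
            scheme, hostport = "*", token
        host, _, port = hostport.rpartition(":")
        if not host:                      # no port given
            host, port = hostport, ""
        yield scheme, host, port


def triage(log_text):
    """Return the Finding list for a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue                      # header, process list, blank line
        tag, rest = parsed
        line = raw.strip()
        if tag in ("R0", "R1") and ",ProxyServer =" in rest:
            value = rest.split(",ProxyServer =", 1)[1].strip()
            for scheme, host, port in proxy_targets(value):
                if LOOPBACK_HOST.match(host):
                    findings.append(Finding(line,
                        f"{scheme} proxy is loopback {host}:{port}: browser "
                        "traffic is routed through a process on this PC; "
                        "confirm a local proxy was installed on purpose"))
        elif tag == "O2" and "(no file)" in rest:
            findings.append(Finding(line,
                "BHO registered but its DLL is gone; orphaned registration"))
        elif tag == "O9" and "(file missing)" in rest:
            findings.append(Finding(line,
                "IE button/menu item points at a missing file; orphaned entry"))
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this
# thread, trimmed to a handful of representative entries.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Run against the sample it reports exactly the three lines the helper asked to have fixed; the McAfee BHO, the AIM button and the Run entry pass through untouched.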

Well, everything seems to be running fine, and again, I thank you for all of your time and help.

So I have tried running the GMER.exe scan three times, but each time, at about 20 minutes into the scan, the computer goes to a blue screen and begins a physical memory dump. I saw the following messages during two of the dumps (note these were on two separate memory dumps and were not both listed together):

1. PFN_List_Corrupt

2. *** STOP 0x000000F4 (0x00000003, 0x865F78E0, 0x865F7A54, 0x8060567E)


Let's try with RootRepeal:

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.


This topic is now closed to further replies.