Popups and slow computer Part 2

sandi149 · May 28, 2008

Ok, here are the logs from my son's acct.

Mbam found something called Fake.Beep.Sys yesterday and it said that to delete it I would have to reboot which I did. Today I ran another scan and the same thing came up. Here is the log. I tried to do Hijack This on his account but I got this error msg. "It looks like you're running HijackThis from a read only device like a CD or locked floppy disk. If you want to make backups of items you fix, you must copy HijackThis.exe to your hard disk first and run it from there. If you continue you might get Path/File Access errors". So I don't know what that is all about. I have the hijackthis.exe file on my hard disk. It's on the C drive located in Program Files under Trend Micro.

Malwarebytes' Anti-Malware 1.12

Database version: 793

Scan type: Quick Scan

Objects scanned: 31718

Time elapsed: 13 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.

nosirrah · May 28, 2008

There are a lot of current infections that replace beep.sys with malware .

If you have an install disk or i386 folder in your computer we can fix this .

sandi149 · May 28, 2008

I don't know where the install disk is but I see in the search window that there are a lot of i386 folders.

JeanInMontana · June 4, 2008

What's going on with this thread? Do you need help with this still Sandi? Seems you have been deserted, sorry for that.

sandi149 · June 4, 2008

Yes, thank you. But I won't be able to do much today because I'm very busy. I will have more time tomorrow morning.

I have to run combofix for my husband's username. This thread is for my son's.

Still getting the popups on occasion but what really seems to be the problem is how slow the computer is at times and that programs still freeze up.

But I will be back tomorrow to do all the diagnostics that you give me.

Thanks. :lol:

JeanInMontana · June 4, 2008

Ok sounds good. We will start with an updated MBAM scan and a HJT log. Please post both of those and we'll go from there.

JeanInMontana · June 4, 2008

I just got updated info that you have been instructed in your other thread so ... I'm backing out of this one. Advanced Setup will continue, he is more up to speed with what's going on at this point. Please follow the instructions he has given you and ignore mine.

sandi149 · June 5, 2008

I'm just wondering if my problem could be related to Firefox? I stopped using Firefox yesterday and started using IE and so far have not had any popups and the computer has been working ok. Whenever I was using firefox, it would open and close very slowly, make other programs freeze and then after I would close out of Firefox I would get an error msg asking if I want to send an error report. I always said no because doesn't that error report go to Microsoft?

So what do you think?

AdvancedSetup · June 5, 2008

Well Firefox could be an issue on your box but it is not Malware.

Go into Control Panel - Add/Remove and uninstall Firefox.

Then after removal go to C:\Documents and Settings\{your profile name}\Application Data\Mozilla and delete the Mozilla folder.

Then download and run the ComboFix as requested. ComboFix.exe

Double-click ComboFix and run it.

Post back the log.

Then visit FireFox Website and download a new version of Firefox and install that and see how it runs for you.

.

sandi149 · June 5, 2008

Ok, here's the log from Combofix. I am now going to go and download firefox again.

ComboFix 08-06-04.5 - Sandi 2008-06-05 8:12:03.2 - NTFSx86

Running from: C:\Documents and Settings\Sandi\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))

.

2008-06-05 06:50 . 2008-06-05 06:50 <DIR> d-------- C:\WINDOWS\LastGood

2008-06-02 09:02 . 2008-06-05 07:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-06-02 09:02 . 2008-06-02 09:02 1,409 --a------ C:\WINDOWS\QTFont.for

2008-05-28 21:16 . 2008-05-28 21:16 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\SiteHound

2008-05-27 13:40 . 2008-05-27 13:42 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SiteHound

2008-05-27 13:26 . 2008-05-27 13:26 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Malwarebytes

2008-05-26 12:24 . 2008-05-26 12:24 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\SUPERAntiSpyware.com

2008-05-26 12:01 . 2008-05-26 12:01 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Malwarebytes

2008-05-26 08:09 . 2008-05-27 12:59 <DIR> d-------- C:\Program Files\Mozilla Thunderbird

2008-05-26 06:12 . 2008-05-26 06:12 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Thunderbird

2008-05-25 17:26 . 2008-05-25 17:27 <DIR> d-------- C:\Documents and Settings\Sandi\Application Data\Thunderbird

2008-05-25 16:19 . 2008-05-25 16:19 16,247 --a------ C:\WINDOWS\system32\tcerjhvx.zip

2008-05-25 08:52 . 2008-05-14 06:38 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-05-24 16:20 . 2008-06-01 09:42 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\SiteHound

2008-05-24 13:48 . 2008-05-26 14:07 <DIR> d-------- C:\Program Files\Lavasoft

2008-05-23 12:54 . 2008-05-23 12:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-05-23 09:11 . 2008-05-23 09:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-23 09:11 . 2008-05-23 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-22 21:43 . 2008-05-27 20:58 <DIR> d-------- C:\Program Files\limewire

2008-05-22 21:28 . 2008-05-22 21:30 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy

2008-05-22 15:30 . 2008-05-22 15:31 <DIR> d-------- C:\Program Files\Panda Security

2008-05-22 08:08 . 2008-05-30 06:50 <DIR> d-------- C:\Documents and Settings\Sandi\Application Data\SiteHound

2008-05-22 08:07 . 2008-05-22 08:07 <DIR> d-------- C:\Program Files\FireTrust

2008-05-22 06:28 . 2008-05-22 06:28 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\WinPatrol

2008-05-21 06:22 . 2008-05-27 18:01 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-05-17 06:36 . 2008-05-24 09:33 <DIR> d-------- C:\Program Files\SpywareGuard

2008-05-16 17:23 . 2008-05-16 17:23 <DIR> d-------- C:\Deckard

2008-05-16 16:41 . 2008-05-26 13:30 636 --a------ C:\delete.bat

2008-05-16 16:36 . 2008-05-16 16:38 <DIR> d-------- C:\NoLopBackups

2008-05-16 14:46 . 2008-05-16 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-05-16 14:45 . 2008-05-24 20:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-05-16 14:45 . 2008-05-16 14:45 <DIR> d-------- C:\Documents and Settings\Sandi\Application Data\SUPERAntiSpyware.com

2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

2008-05-15 12:01 . 2008-05-15 12:01 <DIR> d-------- C:\Program Files\EULAlyzer

2008-05-15 08:20 . 2008-05-15 08:20 <DIR> d-------- C:\Program Files\BillP Studios

2008-05-15 08:20 . 2008-05-15 08:20 <DIR> d-------- C:\Documents and Settings\Sandi\Application Data\WinPatrol

2008-05-15 07:59 . 2008-05-15 07:59 <DIR> d-------- C:\WINDOWS\system32\scripting

2008-05-15 07:59 . 2008-05-15 07:59 <DIR> d-------- C:\WINDOWS\system32\en

2008-05-15 07:59 . 2008-05-15 07:59 <DIR> d-------- C:\WINDOWS\system32\bits

2008-05-15 07:59 . 2008-05-15 07:59 <DIR> d-------- C:\WINDOWS\l2schemas

2008-05-15 07:56 . 2008-05-15 07:56 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-05-15 07:46 . 2008-05-15 07:46 <DIR> d-------- C:\WINDOWS\EHome

2008-05-15 07:03 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll

2008-05-15 07:02 . 2008-04-13 20:11 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll

2008-05-14 12:54 . 2008-05-14 12:54 <DIR> d-------- C:\Program Files\Common Files\Java

2008-05-14 12:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-05-14 10:40 . 2008-05-14 10:40 <DIR> d-------- C:\Documents and Settings\Sandi\Application Data\Malwarebytes

2008-05-14 10:39 . 2008-05-31 09:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-05-14 10:39 . 2008-05-14 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-05-14 10:39 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-05-14 10:39 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-05-14 10:12 . 2008-05-14 10:12 30,760 --a------ C:\WINDOWS\system32\tcerjhvx.exe

2008-05-14 09:31 . 2008-05-14 09:31 <DIR> d-------- C:\VundoFix Backups

2008-05-14 08:17 . 2008-05-14 08:17 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-14 07:38 . 2008-05-29 09:38 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-05-14 06:38 . 2008-05-25 08:52 <DIR> d-------- C:\Documents and Settings\Sandi\.housecall6.6

2008-05-13 20:32 . 2008-05-13 20:32 <DIR> d-------- C:\WINDOWS\system32\Logs

2008-05-13 17:37 . 2008-05-13 17:37 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll

2008-05-12 21:32 . 2008-05-12 21:32 <DIR> d-------- C:\hegames

2008-05-10 15:47 . 2008-05-10 15:47 <DIR> d-------- C:\Documents and Settings\Sandi\Application Data\DivX

2008-05-10 10:52 . 2008-05-10 10:52 <DIR> d-------- C:\Program Files\Netflix

2008-05-08 09:55 . 2008-05-08 09:55 60,968 --a------ C:\Documents and Settings\Sandi\GoToAssistDownloadHelper.exe

2008-05-08 07:35 . 2008-05-08 07:35 <DIR> d-------- C:\WINDOWS\system32\Dell

2008-05-08 07:35 . 2008-05-08 07:35 <DIR> d-------- C:\Program Files\Dell

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-05 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

2008-06-05 02:13 --------- d-----w C:\Documents and Settings\Lee\Application Data\LimeWire

2008-06-05 00:43 --------- d-----w C:\Documents and Settings\Sandi\Application Data\SiteAdvisor

2008-06-04 20:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-06-04 00:16 --------- d-----w C:\Documents and Settings\TEMP\Application Data\SiteAdvisor

2008-06-02 23:49 --------- d-----w C:\Documents and Settings\TEMP\Application Data\LimeWire

2008-06-02 09:38 --------- d-----w C:\Program Files\McAfee

2008-05-29 13:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-26 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-05-26 18:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-05-24 23:13 --------- d-----w C:\Program Files\mIRC

2008-05-23 01:28 --------- d-----w C:\Program Files\Yahoo!

2008-05-23 01:28 --------- d-----w C:\Program Files\Common Files\Scanner

2008-05-22 01:27 --------- d-----w C:\Program Files\SiteAdvisor

2008-05-21 01:47 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-05-17 19:38 --------- d-----w C:\Program Files\IncrediMail

2008-05-16 20:20 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-14 16:54 --------- d-----w C:\Program Files\Java

2008-05-10 17:55 --------- d-----w C:\Documents and Settings\Sandi\Application Data\dvdcss

2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys

2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll

2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe

2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll

2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin

2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe

2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll

2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll

2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys

2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys

2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys

2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll

2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys

2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll

2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll

2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll

2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll

2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll

2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys

2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys

2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys

2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys

2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys

2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys

2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys

2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys

2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys

2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys

2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys

2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys

2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys

2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys

2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys

2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys

2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys

2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys

2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys

2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys

2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys

2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys

2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys

2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys

2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys

2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys

2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys

2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys

2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys

2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys

2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys

2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys

2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys

2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys

2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys

2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys

2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys

2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys

2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys

2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys

2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys

2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys

2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys

2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys

2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys

2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys

2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys

2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys

2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys

2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys

2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys

2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys

2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys

.

((((((((((((((((((((((((((((( snapshot@2008-05-24_ 6.17.18.12 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-24 10:08:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-06-04 20:32:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2006-07-11 13:41:36 345,656 ----a-w C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll

- 2008-03-14 12:01:33 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe

+ 2008-06-04 20:46:13 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe

- 2008-03-14 12:00:11 35,088 ----a-r C:\WINDOWS\Installer\{90120000-00B2-0409-0000-0000000FF1CE}\expxic.exe

+ 2008-06-04 20:43:19 35,088 ----a-r C:\WINDOWS\Installer\{90120000-00B2-0409-0000-0000000FF1CE}\expxic.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="" []

"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-24 20:32 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]

"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 17:57 36640]

"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 15:00 98304]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 13:31 333120]

C:\Documents and Settings\Lee\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-18 15:21:09 147456]

C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

C:\Documents and Settings\Sandi\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 16:39 294400]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-24 20:32 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-11-14 16:31 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= pvmjpg21.dll

"VIDC.PVW2"= pvwv220.dll

"VIDC.PIMJ"= pvljpg20.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.EXE" -b

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=

"C:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=

"C:\\Program Files\\Common Files\\AOL\\1195078141\\ee\\aolsoftware.exe"=

"C:\\Program Files\\AOL 9.1\\waol.exe"=

"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

S2 0016821212663035mcinstcleanup;McAfee Application Installer Cleanup (0016821212663035);C:\WINDOWS\TEMP\001682~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []

S3 WLNR;WLNR;C:\WINDOWS\system32\DRIVERS\WLNR.sys []

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-06-02 13:06:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-05-15 05:15:23 C:\WINDOWS\Tasks\McDefragTask.job"

- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'

"2008-06-01 05:00:38 C:\WINDOWS\Tasks\McQcTask.job"

- c:\PROGRA~1\mcafee\mqc\QcConsol.exe

"2008-06-05 06:04:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

"2008-05-30 19:00:02 C:\WINDOWS\Tasks\Norton Security Scan.job"

- C:\Program Files\Norton Security Scan\Nss.exe

"2008-06-04 23:03:34 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B6E57C32-1A10-42A0-946E-A3182C4B41C7}.job"

- C:\WINDOWS\system32\msfeedssync.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-05 08:20:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

-> C:\Program Files\SiteAdvisor\6253\saHook.dll

.

Completion time: 2008-06-05 8:25:50

ComboFix-quarantined-files.txt 2008-06-05 12:25:45

ComboFix2.txt 2008-05-24 10:18:18

Pre-Run: 114,341,601,280 bytes free

Post-Run: 114,488,135,680 bytes free

295 --- E O F --- 2008-06-03 22:20:29

sandi149 · June 5, 2008

Just wanted to tell you that even with installing firefox again, I'm still getting those popups from adzgalore. I thought I was doing good but just a second ago one came up. :lol:

Now what do I do?

AdvancedSetup · June 5, 2008

Yes, I'll get back with you later on today. There are still items that don't belong running on the system.

sandi149 · June 5, 2008

ok.....thank you. :lol:

AdvancedSetup · June 6, 2008

Sorry Sandi. Just too much work at work and at home.

I will post back information for you in the morning.

sandi149 · June 6, 2008

No problem.....I understand.

Just wanted to let you know that last night my desktop background changed and I never had that happen to me before. Whatever virus I have must be really bad. Most of it was removed a couple weeks ago, but it seems like there are still remnants of it.

I will wait for further instructions.

Thanks.

AdvancedSetup · June 6, 2008

Please start Malwarebytes - go to the UDPATE tab and click on "Check for Updates" and this will update you to the new 1.15 version.

Then after update start the program and go to the More Tools tab and click on the Run Tool for FileAssassin.

Browse to this location C:\WINDOWS\system32\tcerjhvx.zip and DELETE this file.
Browse to this location C:\WINDOWS\system32\tcerjhvx.exe and DELETE this file.
Browse to this location C:\WINDOWS\system32\vbzip10.dll and DELETE this file.

Though not directly involved with Malware it's possible an advertiser with them is for the program IncrediMail. I would recommend you remove this program but it's up to you.

You can read more about it here. IncrediMail at Wikipedia

Do you still have any SYMANTEC or NORTON products installed on your system?

There are still some traces of the program that should be removed if you no longer have the products installed.

After deleting the above files please run a new FULL SCAN with Malwarebytes. This scan will take a long time to run so please choose a time when the computer won't be needed for a while.

When completed please run a new DSS scan and post back that log and the MB log.

.

sandi149 · June 6, 2008

Hiya Advanced Setup, I removed those files, I deleted Incredimail. I never used it. I had downloaded it a few months ago but then decided not to use it, but never deleted it. I also deleted the Nortan Security Scan. I am currently running the Mbam scan, it's about half way through and then I will post that log and the other logs you requested. Hopefully, we can get rid of this virus or whatever is plaguing my computer.

I also want to say thank you for all your help. And thank you to Jean and everyone else on the Malwarebytes team for helping all of us out. You give us your time free of charge and I'm just so grateful. I never could have done all this without your help. So a really big THANK YOU to all of you!!! :lol:

sandi149 · June 6, 2008

Ok, here are the logs. Mbam found a Trojan and removed it. A few days ago when I ran a scan it came out clean so I really don't know what's going on with this computer.

Malwarebytes' Anti-Malware 1.15

Database version: 834

5:26:40 PM 6/6/2008

mbam-log-6-6-2008 (17-26-40).txt

Scan type: Full Scan (C:\|)

Objects scanned: 161491

Time elapsed: 1 hour(s), 14 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{905A1CB1-E057-4677-98E1-F289BB5F2846}\RP324\A0045933.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Here is Deckard's Scan log.

Deckard's System Scanner v20071014.68

Run by Sandi on 2008-06-06 17:28:06

Computer is in Normal Mode.

--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Sandi.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:28:23 PM, on 6/6/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\McAfee\MSK\MskAgent.exe

C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\Program Files\SpywareGuard\sgbhp.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Sandi\Desktop\Computer Tools\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Sandi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/Activ...iveXClient1.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll

O23 - Service: McAfee Application Installer Cleanup (0108021212736068) (0108021212736068mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\010802~1.EXE (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 12363 bytes

-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-05 08:30:55 0 d-------- C:\Documents and Settings\Sandi\Application Data\Mozilla

2008-06-05 06:50:28 0 d-------- C:\WINDOWS\LastGood

2008-05-28 21:16:54 0 d-------- C:\Documents and Settings\Alex\Application Data\Adobe

2008-05-28 21:16:09 0 d-------- C:\Documents and Settings\Alex\Application Data\SiteHound

2008-05-27 13:40:44 0 d-------- C:\Documents and Settings\Lee\Application Data\SiteHound

2008-05-27 13:26:14 0 d-------- C:\Documents and Settings\Lee\Application Data\Malwarebytes

2008-05-26 12:24:40 0 d-------- C:\Documents and Settings\TEMP\Application Data\SUPERAntiSpyware.com

2008-05-26 12:01:44 0 d-------- C:\Documents and Settings\TEMP\Application Data\Malwarebytes

2008-05-26 08:47:00 0 dr-h----- C:\Documents and Settings\Sandi\Recent

2008-05-26 08:09:45 0 d-------- C:\Program Files\Mozilla Thunderbird

2008-05-26 06:12:09 0 d-------- C:\Documents and Settings\TEMP\Application Data\Thunderbird

2008-05-25 17:26:39 0 d-------- C:\Documents and Settings\Sandi\Application Data\Thunderbird

2008-05-24 16:20:08 0 d-------- C:\Documents and Settings\TEMP\Application Data\SiteHound

2008-05-24 13:48:35 0 d-------- C:\Program Files\Lavasoft

2008-05-24 05:59:08 68096 --a------ C:\WINDOWS\zip.exe

2008-05-24 05:59:08 49152 --a------ C:\WINDOWS\VFind.exe

2008-05-24 05:59:08 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>

2008-05-24 05:59:08 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>

2008-05-24 05:59:08 98816 --a------ C:\WINDOWS\sed.exe

2008-05-24 05:59:08 80412 --a------ C:\WINDOWS\grep.exe

2008-05-24 05:59:08 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >

2008-05-24 05:59:07 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>

2008-05-23 12:54:33 0 d-------- C:\WINDOWS\BDOSCAN8

2008-05-23 09:11:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-23 09:11:28 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-22 21:43:50 0 d-------- C:\Program Files\limewire

2008-05-22 21:28:15 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy

2008-05-22 15:30:26 0 d-------- C:\Program Files\Panda Security

2008-05-22 08:08:03 0 d-------- C:\Documents and Settings\Sandi\Application Data\SiteHound

2008-05-22 08:07:53 0 d-------- C:\Program Files\FireTrust

2008-05-22 06:28:20 0 d-------- C:\Documents and Settings\TEMP\Application Data\WinPatrol

2008-05-21 06:22:32 0 d-------- C:\Program Files\EsetOnlineScanner

2008-05-17 06:36:51 0 d-------- C:\Program Files\SpywareGuard

2008-05-16 16:41:34 636 --a------ C:\delete.bat

2008-05-16 16:36:51 0 d-------- C:\NoLopBackups

2008-05-16 14:46:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-05-16 14:45:44 0 d-------- C:\Program Files\SUPERAntiSpyware

2008-05-16 14:45:43 0 d-------- C:\Documents and Settings\Sandi\Application Data\SUPERAntiSpyware.com

2008-05-15 12:01:04 0 d-------- C:\Program Files\EULAlyzer

2008-05-15 08:20:41 0 d-------- C:\Documents and Settings\Sandi\Application Data\WinPatrol

2008-05-15 08:20:32 0 d-------- C:\Program Files\BillP Studios

2008-05-15 08:05:22 0 d-------- C:\WINDOWS\Prefetch

2008-05-15 07:59:24 0 d-------- C:\WINDOWS\system32\scripting

2008-05-15 07:59:23 0 d-------- C:\WINDOWS\l2schemas

2008-05-15 07:59:22 0 d-------- C:\WINDOWS\system32\en

2008-05-15 07:59:22 0 d-------- C:\WINDOWS\system32\bits

2008-05-15 07:56:29 0 d-------- C:\WINDOWS\ServicePackFiles

2008-05-15 07:46:48 0 d-------- C:\WINDOWS\EHome

2008-05-14 12:54:02 0 d-------- C:\Program Files\Common Files\Java

2008-05-14 10:40:18 0 d-------- C:\Documents and Settings\Sandi\Application Data\Malwarebytes

2008-05-14 10:39:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-05-14 10:39:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-05-14 09:31:31 0 d-------- C:\VundoFix Backups

2008-05-14 08:17:24 0 d-------- C:\Program Files\Trend Micro

2008-05-14 07:38:44 0 d-------- C:\Program Files\SpywareBlaster

2008-05-14 06:38:53 0 d-------- C:\Documents and Settings\Sandi\.housecall6.6

2008-05-13 20:32:39 0 d-------- C:\WINDOWS\system32\Logs

2008-05-13 19:21:33 0 dr-h----- C:\Documents and Settings\TEMP\Recent

2008-05-12 21:32:27 0 d-------- C:\hegames

2008-05-10 15:47:28 0 d-------- C:\Documents and Settings\Sandi\Application Data\DivX

2008-05-10 10:52:35 0 d-------- C:\Program Files\Netflix

2008-05-08 07:35:46 0 d-------- C:\WINDOWS\system32\Dell

2008-05-08 07:35:46 0 d-------- C:\Program Files\Dell

-- Find3M Report ---------------------------------------------------------------

2008-06-06 16:19:36 0 d-------- C:\Documents and Settings\Sandi\Application Data\SiteAdvisor

2008-06-02 05:38:56 0 d-------- C:\Program Files\McAfee

2008-05-26 14:06:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-24 19:13:35 0 d-------- C:\Program Files\mIRC

2008-05-22 21:28:16 0 d-------- C:\Program Files\Common Files\Scanner

2008-05-22 21:28:00 0 d-------- C:\Program Files\Yahoo!

2008-05-22 15:30:32 4158 --a------ C:\WINDOWS\mozver.dat

2008-05-21 21:27:32 0 d-------- C:\Program Files\SiteAdvisor

2008-05-20 21:47:50 0 d-------- C:\Program Files\Microsoft Silverlight

2008-05-16 16:20:25 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-05-15 07:59:45 0 d-------- C:\Program Files\Messenger

2008-05-15 07:59:21 0 d-------- C:\Program Files\Movie Maker

2008-05-15 07:56:14 0 d-------- C:\Program Files\Windows NT

2008-05-14 12:54:47 0 d-------- C:\Program Files\Java

2008-05-14 12:54:02 0 d-------- C:\Program Files\Common Files

2008-05-10 13:55:22 0 d-------- C:\Documents and Settings\Sandi\Application Data\dvdcss

2008-04-29 15:40:03 0 d-------- C:\Documents and Settings\Sandi\Application Data\Adobe

2008-03-13 16:50:50 577536 --a------ C:\WINDOWS\SiteHoundServer.dll <Not Verified; Firetrust Limited.; SiteHound>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 10:05 PM]

"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 06:20 PM C:\WINDOWS\stsystra.exe]

"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [01/17/2007 04:30 PM]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/24/2007 05:57 PM]

"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [02/01/2005 03:00 PM]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [04/25/2008 01:31 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="" []

"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [06/08/2007 10:59 AM]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/24/2008 08:32 PM]

C:\Documents and Settings\Sandi\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 5:45:42 AM]

SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 4:40:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 04:39 PM 294400]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/24/2008 08:32 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 11/14/2007 04:31 PM 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.EXE" -b

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

eapsvcs eaphost

dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

napagent

hkmsvc

*Newly Created Service* - CATCHME

-- End of Deckard's System Scanner: finished at 2008-06-06 17:31:10 ------------

AdvancedSetup · June 6, 2008

Start HJT and do a Scan Only and place a check mark on these two items.

O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O23 - Service: McAfee Application Installer Cleanup (0108021212736068) (0108021212736068mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\010802~1.EXE (file missing)
Then click on
"Fix selected"

Click on START - RUN and type in

ComboFix /U

and remove ComboFix and all it's files and backups.

I would recommend that you disable System Restore which will remove all OLD files. Then re-enable it which will create a new restore point.

Then run the System Restore and create a NEW restore point with a name you provide.

How to turn off and turn on System Restore in Windows XP

Then restart your computer and run Spybot Search & Destroy and update it. Then do a system scan and let me know if it finds anything.

.

sandi149 · June 6, 2008

When I tried to do that delete combofix, it said it wasn't there. Yesterday I deleted combofix.exe from my desktop....would that have anything to do with it?

AdvancedSetup · June 6, 2008

Yes, that is not the correct method to remove the program.

Download the new version and install and run it.

sandi149 · June 7, 2008

So do I have to run the whole combofix procedure again or just download it and do that Start, Run thing that you mentioned in the other post?

AdvancedSetup · June 7, 2008

Just download a new copy. Then double-click it and run it.

sandi149 · June 7, 2008

Ok, here's a new log from that Combofix. After it gave me the log it never restored my desktop so I had to reboot.

ComboFix 08-06-06.4 - Sandi 2008-06-07 8:01:34.3 - NTFSx86

Running from: C:\Documents and Settings\Sandi\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))