Popups and slow computer Part 2

[Jintan]

If you haven't already done so in the work here so far, Go Here and download ATF cleaner. Close all open browsers, then click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

And if you have them, you can also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

This will clear out some of the IE and other temp folder storage to smooth the way. Scan, and post when done and we will review then.

[sandi149]

Hi Jintan,

Ok....I used that ATF Cleaner. I have actually been using it for a few weeks now. I also ran the scan again, this time it found nothing and after it finished it still stalled for a very long time and I had to close it cause it wasn't responding.

Yesterday I was using Firefox and didn't get the popups again. Do you think this computer is finally cleaned?

I will wait for your next instructions.

Thanks,

Sandi

[Jintan]

I actually hadn't seen an instance on an infected system where BitDefender located nothing - even bad files already quarantined might be picked up by it usually, or System Restore entries. Not that I doubt anyone's word, but when no logs are posted and I am asked to post if I think the system is cleaned, best I can say is that you said nothing was found. But those Adzgalore unseen files are surely removed, and were very likely the sources of the ongoing popups there.

One look now at a new Deckards scanlog to be sure before we just clean up what all this work added to that system.

Please place the Deckards dss.exe directly on your desktop (not in a folder on the desktop).

Then go to Start - Run, and copy/paste the following (then press OK):

"%userprofile%\desktop\dss.exe" /config

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

System Restore

Process Modules

Then under Extra Log, uncheck all the boxes except this one:

Security Center

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

[sandi149]

I seem to have problems with some of these online virus scanners. A couple weeks ago I tried running that Panda scan 4 times, it would get to about 80-90% and then the browser would shut down.

Anyway, here is the log from DSS.

Deckard's System Scanner v20071014.68

Run by Sandi on 2008-06-22 07:26:53

Computer is in Normal Mode.

--------------------------------------------------------------------------------

Performed disk cleanup.

Percentage of Memory in Use: 90% (more than 75%).

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Sandi.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:27:23 AM, on 6/22/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Comodo\CBOClean\BOCORE.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\SearchIndexer.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Comodo\CBOClean\BOC426.EXE

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Citrix\GoToAssist\480\G2AProcessFactory.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Sandi\desktop\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Sandi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - S-1-5-21-1123561945-725345543-718052757-1005 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Jay')

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/Activ...iveXClient1.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll

O23 - Service: McAfee Application Installer Cleanup (0178261214042686) (0178261214042686mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\017826~1.EXE (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 12728 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080514-090944-963 O2 - BHO: (no name) - {7C484BFF-CA10-4B2A-9AD5-75C7A5D14719} - C:\WINDOWS\system32\opnlMeby.dll (file missing)

backup-20080514-113113-573 O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

backup-20080514-113113-594 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

backup-20080514-113113-602 O2 - BHO: (no name) - {07764166-9D68-401C-891A-D4BE02ABF96A} - C:\WINDOWS\system32\tuvTNExv.dll (file missing)

backup-20080514-113113-871 O2 - BHO: adzgalore - {67cfb213-dd3a-982b-bfac-cf0dcd9a6981} - C:\WINDOWS\system32\nsi208.dll

backup-20080514-113114-400 O2 - BHO: (no name) - {7C484BFF-CA10-4B2A-9AD5-75C7A5D14719} - C:\WINDOWS\system32\opnlMeby.dll (file missing)

backup-20080514-113114-667 O2 - BHO: DNSEred - {8c07920e-6a65-7111-fe6e-74f96b71ea49} - C:\WINDOWS\system32\iednser.dll

backup-20080514-113115-370 O2 - BHO: (no name) - {B27D416A-2615-4DD6-8CF2-8F2ED6A1D316} - C:\WINDOWS\system32\hgGvspOG.dll (file missing)

backup-20080514-113115-586 O4 - HKLM\..\Run: [50ce3c37] rundll32.exe "C:\WINDOWS\system32\lbyyerva.dll",b

backup-20080514-113115-787 O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)

backup-20080514-123241-136 O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)

backup-20080514-123241-188 O2 - BHO: (no name) - {e01041d1-605d-7744-17b0-76d03d43c970} - (no file)

backup-20080514-123241-374 O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - (no file)

backup-20080514-123241-593 O2 - BHO: (no name) - {11B25F73-3D33-40C7-A118-D7E204EE424B} - C:\WINDOWS\system32\opnnlKaX.dll (file missing)

backup-20080514-123241-978 O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)

backup-20080514-141628-108 O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

backup-20080514-141628-124 O2 - BHO: (no name) - {7C484BFF-CA10-4B2A-9AD5-75C7A5D14719} - (no file)

backup-20080514-141628-158 O2 - BHO: (no name) - {11B25F73-3D33-40C7-A118-D7E204EE424B} - (no file)

backup-20080514-141628-297 O2 - BHO: (no name) - {8c07920e-6a65-7111-fe6e-74f96b71ea49} - (no file)

backup-20080514-141628-304 O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - (no file)

backup-20080514-141628-323 O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)

backup-20080514-141628-374 O2 - BHO: (no name) - {e01041d1-605d-7744-17b0-76d03d43c970} - (no file)

backup-20080514-141628-617 O4 - HKLM\..\Run: [50ce3c37] rundll32.exe "C:\WINDOWS\system32\lbyyerva.dll",b

backup-20080514-141628-788 O2 - BHO: (no name) - {B27D416A-2615-4DD6-8CF2-8F2ED6A1D316} - (no file)

backup-20080514-141628-857 O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)

backup-20080514-141628-859 O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -

backup-20080514-141628-950 O2 - BHO: (no name) - {07764166-9D68-401C-891A-D4BE02ABF96A} - (no file)

backup-20080514-141628-973 O2 - BHO: (no name) - {67cfb213-dd3a-982b-bfac-cf0dcd9a6981} - (no file)

backup-20080514-141629-964 O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -

backup-20080517-155227-286 O4 - HKLM\..\Run: [MATH DOES FIRST MODE] C:\Documents and Settings\All Users\Application Data\live 64 math does\Link Bias.exe

backup-20080523-164010-513 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

backup-20080523-164010-869 O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)

backup-20080524-175057-112 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)

backup-20080524-175057-779 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)

backup-20080531-083255-904 O4 - HKCU\..\Run: [Web Logo] C:\DOCUME~1\TEMP\APPLIC~1\GRIMON~1\win trust dvd.exe

backup-20080606-194332-101 O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

backup-20080606-194332-300 O23 - Service: McAfee Application Installer Cleanup (0108021212736068) (0108021212736068mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\010802~1.EXE (file missing)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

.reg - regfile - shell\open\command - regedit.exe "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>

R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>

S3 catchme - c:\combofix\catchme.sys (file missing)

S3 WLNR - c:\windows\system32\drivers\wlnr.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 0178261214042686mcinstcleanup (McAfee Application Installer Cleanup (0178261214042686)) - c:\windows\temp\017826~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Simple Communications Controller

Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&5855BE9&0&18F0

Manufacturer:

Name: PCI Simple Communications Controller

PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&5855BE9&0&18F0

Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-06-22 02:04:21 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

2008-06-21 22:50:25 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{B6E57C32-1A10-42A0-946E-A3182C4B41C7}.job

2008-06-21 15:24:03 404 --ah----- C:\WINDOWS\Tasks\MSK_ABImport_Daily_Sandi.job

2008-06-16 09:06:50 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

2008-06-15 01:03:02 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job

2008-06-01 01:00:38 332 --a------ C:\WINDOWS\Tasks\McQcTask.job

-- Files created between 2008-05-22 and 2008-06-22 -----------------------------

2008-06-21 06:04:40 0 d-------- C:\WINDOWS\LastGood

2008-06-19 13:25:23 0 d-------- C:\Program Files\Mozilla Firefox 3

2008-06-18 18:06:09 0 d-------- C:\Documents and Settings\Sandi\Application Data\Mozilla

2008-06-16 08:02:41 0 d-------- C:\Documents and Settings\Sandi\Application Data\Malwarebytes

2008-06-16 08:02:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-16 08:02:35 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-06-16 08:01:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Google

2008-06-16 07:45:05 0 d-------- C:\Documents and Settings\Sandi\g3jm65up.default

2008-06-16 07:36:55 0 d-------- C:\MBSAVE

2008-06-14 07:15:07 261 --a------ C:\NOTMPS.BAT

2008-06-11 14:21:41 0 d-------- C:\Documents and Settings\All Users\Application Data\BOC426

2008-06-11 14:21:33 0 d-------- C:\Program Files\Comodo

2008-05-28 21:16:54 0 d-------- C:\Documents and Settings\Alex\Application Data\Adobe

2008-05-28 21:16:09 0 d-------- C:\Documents and Settings\Alex\Application Data\SiteHound

2008-05-27 13:40:44 0 d-------- C:\Documents and Settings\Lee\Application Data\SiteHound

2008-05-26 12:24:40 0 d-------- C:\Documents and Settings\TEMP\Application Data\SUPERAntiSpyware.com

2008-05-26 12:01:44 0 d-------- C:\Documents and Settings\TEMP\Application Data\Malwarebytes

2008-05-26 08:47:00 0 dr-h----- C:\Documents and Settings\Sandi\Recent

2008-05-26 08:09:45 0 d-------- C:\Program Files\Mozilla Thunderbird

2008-05-26 06:12:09 0 d-------- C:\Documents and Settings\TEMP\Application Data\Thunderbird

2008-05-25 17:26:39 0 d-------- C:\Documents and Settings\Sandi\Application Data\Thunderbird

2008-05-24 16:20:08 0 d-------- C:\Documents and Settings\TEMP\Application Data\SiteHound

2008-05-24 13:48:35 0 d-------- C:\Program Files\Lavasoft

2008-05-23 12:54:33 0 d-------- C:\WINDOWS\BDOSCAN8

2008-05-23 09:11:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-23 09:11:28 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-22 21:43:50 0 d-------- C:\Program Files\limewire

2008-05-22 21:28:15 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy

2008-05-22 15:30:26 0 d-------- C:\Program Files\Panda Security

2008-05-22 08:08:03 0 d-------- C:\Documents and Settings\Sandi\Application Data\SiteHound

2008-05-22 08:07:53 0 d-------- C:\Program Files\FireTrust

2008-05-22 06:28:20 0 d-------- C:\Documents and Settings\TEMP\Application Data\WinPatrol

-- Find3M Report ---------------------------------------------------------------

2008-06-21 07:48:19 0 d-------- C:\Documents and Settings\Sandi\Application Data\SiteAdvisor

2008-06-20 10:13:44 0 d-------- C:\Program Files\McAfee

2008-06-19 09:02:46 0 d-------- C:\Program Files\Common Files\McAfee

2008-06-18 07:08:01 0 d-------- C:\Program Files\Java

2008-06-08 12:26:00 0 d-------- C:\Program Files\SUPERAntiSpyware

2008-05-29 09:38:21 0 d-------- C:\Program Files\SpywareBlaster

2008-05-27 18:01:51 0 d-------- C:\Program Files\EsetOnlineScanner

2008-05-26 14:06:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-26 13:30:55 636 --a------ C:\delete.bat

2008-05-24 19:13:35 0 d-------- C:\Program Files\mIRC

2008-05-24 09:33:18 0 d-------- C:\Program Files\SpywareGuard

2008-05-22 21:28:16 0 d-------- C:\Program Files\Common Files\Scanner

2008-05-22 21:28:00 0 d-------- C:\Program Files\Yahoo!

2008-05-22 15:30:32 4158 --a------ C:\WINDOWS\mozver.dat

2008-05-21 21:27:32 0 d-------- C:\Program Files\SiteAdvisor

2008-05-20 21:47:50 0 d-------- C:\Program Files\Microsoft Silverlight

2008-05-16 16:20:25 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-05-16 14:45:43 0 d-------- C:\Documents and Settings\Sandi\Application Data\SUPERAntiSpyware.com

2008-05-15 12:01:05 0 d-------- C:\Program Files\EULAlyzer

2008-05-15 08:20:41 0 d-------- C:\Documents and Settings\Sandi\Application Data\WinPatrol

2008-05-15 08:20:32 0 d-------- C:\Program Files\BillP Studios

2008-05-15 07:59:45 0 d-------- C:\Program Files\Messenger

2008-05-15 07:59:21 0 d-------- C:\Program Files\Movie Maker

2008-05-15 07:56:14 0 d-------- C:\Program Files\Windows NT

2008-05-14 12:54:02 0 d-------- C:\Program Files\Common Files

2008-05-14 12:54:02 0 d-------- C:\Program Files\Common Files\Java

2008-05-14 08:17:24 0 d-------- C:\Program Files\Trend Micro

2008-05-10 15:47:28 0 d-------- C:\Documents and Settings\Sandi\Application Data\DivX

2008-05-10 13:55:22 0 d-------- C:\Documents and Settings\Sandi\Application Data\dvdcss

2008-05-10 10:52:35 0 d-------- C:\Program Files\Netflix

2008-05-08 07:35:46 0 d-------- C:\Program Files\Dell

2008-04-29 15:40:03 0 d-------- C:\Documents and Settings\Sandi\Application Data\Adobe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]

11/26/2007 10:46 AM 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 10:05 PM]

"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 06:20 PM C:\WINDOWS\stsystra.exe]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/24/2007 05:57 PM]

"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [02/01/2005 03:00 PM]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [04/25/2008 01:31 PM]

"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]

"BOC-426"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="" []

"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [06/08/2007 10:59 AM]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/08/2008 12:26 PM]

C:\Documents and Settings\Sandi\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 5:45:42 AM]

SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

"DisableRegistryTools"=0 (0x0)

"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 04:39 PM 294400]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/24/2008 08:32 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 11/14/2007 04:31 PM 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.EXE" -b

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

eapsvcs eaphost

dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

napagent

hkmsvc

-- End of Deckard's System Scanner: finished at 2008-06-22 07:30:30 ------------

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.

-- End of Deckard's System Scanner: finished at 2008-06-22 07:30:30 ------------

[Jintan]

Got a bit of defense overkill going on there. This system likely has pretty slow startups, and I can't see how it wouldn't bog down when all the security software loading there is actively monitoring functions, and each other as well. Spyware Guard is probably very involved in scan problems, and in truth, given the full install of McAfee here, I sense these two on the same system is not the best of choices.

But you also have Windows Defender, and Win Patrol, and Comodo's BOClean and now SUPERAntiSpyware, along with Ad-ware and it's part in all that. A first consideration of all those would be if any are current and paid installs, but I suggest you consider uninstalling at least two, then disabling all but one for active monitoring. For now all of those and McAfee need to be disabled, for some repairs left to do.

Here are my older steps for disabling Spyware Guard. Might be a bit dated, but should suffice.

Right click the running icon of Spywareguard, it will open the program.

Then go to Menu, file, exit.

Then confirm the program is closed.

Then go to Start > Run and type

cmd

and OK. At the prompt type (or copy\paste) the below commands and hit "Enter" after each line

sc config WLNR start= disabled

sc delete WLNR

Type Exit to close.

-------------------------------

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it badfixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

-----------------------------

With Spyware Guard and the other security softwares disabled now, see about completing that BitDefender scan and post those results please.

[sandi149]

Ok...did all that you told me to do but the BitDefender still stalls. Had it running for over an hour. It scans all the files and then it just stops after the last one and nothing happens.

I know I have a lot of security programs. After I was infected with Vundo last month and I got that cleaned off, I wanted to make sure I was fully protected like Ft. Knox....LOL But if you don't recommend me having all those programs, which ones should I get rid of?

[Jintan]

I admit I have not tried the upgrade myself. If your computer had the adware alterations to your Firefox account at that time, it might explain the problems. Did the Temp user try opening the upgraded Firefox then, before you chose to uninstall it? Do you happen to still have the 2.0.0.14 installer you can use for now to reinstall? You also have the Mozilla ActiveX Control, which is not the usual mod the average user has installed. But I am not purporting to be all that Mozilla savvy.

[JeanInMontana]

Since the infection has been removed from this machine I will close the topic to prevent others from posting into it. Jintan your help has been beyond and above the norm and is appreciated so very much.

The fixes in this thread were for this machine only. Applying them to your machine can result in utter destruction. If you need assistance follow the directions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and begin your own topic.