Temp0.exe? pt. 1- my post was too long

researchvet · July 8, 2008

I was directed here from another post. McAfee keeps alerting me to the presence of Temp0.exe. See my original posts here: http://www-

307.ibm.com/pc/support/IbmEgath.cab

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) -

https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32

\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32

\ibmpmsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program

Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program

Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program

Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation -

C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32

\TpKmpSVC.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program

Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 11712 bytes

Any help would be greatly appreciated.

AdvancedSetup · July 8, 2008

Hello researchvet.

Let me ask you this. Is this a Work computer? Normally home users don't have an Enterprise version.

The reason I ask is that most Companies take a dim view of users fixing, repairing, or otherwise altering their computers. They have their own IT Support that manages these systems. I don't want you to get in trouble for working on the system if it's a work computer.

1. Do you have the original installation disk for McAfee ?

2. Have you contacted McAfee about this problem?

3. You should go and undo the prevention of files executing from the %temp% as many programs require access to this folder for normal operation.

4. Update McAfee manually to the latest version once again after undoing the permissions on the %temp% location.

5. You need to decide which forum you want to get assistance from as most sites take a dim view of working against each other or giving different advice at the same time. Bottom line is I'm sure you want help and either forum can provide you with assistance, but only one should be helping you. If you have an open post on Bleeping then you should remain there and follow their instructions.

Let us know please and we can proceed as you want based on your answers.

.

JeanInMontana · July 8, 2008

Link to your thread at BC please. You can't get help at two forums at the same time. This can cause major damage and takes up the time of two helpers.

researchvet · July 8, 2008

Hello researchvet.
Let me ask you this. Is this a Work computer? Normally home users don't have an Enterprise version.
The reason I ask is that most Companies take a dim view of users fixing, repairing, or otherwise altering their computers. They have their own IT Support that manages these systems. I don't want you to get in trouble for working on the system if it's a work computer.
1. Do you have the original installation disk for McAfee ?
2. Have you contacted McAfee about this problem?
3. You should go and undo the prevention of files executing from the %temp% as many programs require access to this folder for normal operation.
4. Update McAfee manually to the latest version once again after undoing the permissions on the %temp% location.
5. You need to decide which forum you want to get assistance from as most sites take a dim view of working against each other or giving different advice at the same time. Bottom line is I'm sure you want help and either forum can provide you with assistance, but only one should be helping you. If you have an open post on Bleeping then you should remain there and follow their instructions.
Let us know please and we can proceed as you want based on your answers.
.

This is a personal computer. However, I received the McAfee program through my college. Students download it from their server using FirstClass. I have now graduated so I cannot access the college's IT help forums. So, I never had a CD. Also, because I received McAfee through my school, my past attempts to contact them have failed-- they tell you to speak with the IT department.

My fear in allowing programs to run from the temp folder is that the TEMP0.exe file will run.

I would like to get assistance from this forum. I had asked on the other forum because I was having problems with SDFix, something that site recommends.

Can you help me deal with Temp0.exe and all of these other issues? Can you see what my problem is from the info I posted?

researchvet · July 8, 2008

Link to your thread at BC please. You can't get help at two forums at the same time. This can cause major damage and takes up the time of two helpers.

I noticed that many users were posting in both forums and did not realize this was not allowed. However, I am taking the advice of this forum.

AdvancedSetup · July 8, 2008

However, I am taking the advice of this forum.

Well based on the fact that you don't have a valid CD, a valid update account, or any other reason to stay with McAfee (which is a huge resource hog on your computer) I recommend that you fully remove it and install one of the free versions of Antivirus

Avira AntiVir Personal - FREE Antivirus

or

FREE avast! antivirus 4.x Home Edition

ESET/NOD32 is also a good Antivirus product but it is not free.

You can keep McAfee if you choose to, but it is not my recommendation. If you do keep it then you will need to disable it for the tests that we need to do.

Let me know what you would like to do please so that we can move on to the Pre-Hijackthis portion to get further information from your system while McAfee is not interfering with the scans.

.

researchvet · July 9, 2008

Well based on the fact that you don't have a valid CD, a valid update account, or any other reason to stay with McAfee (which is a huge resource hog on your computer) I recommend that you fully remove it and install one of the free versions of Antivirus
Avira AntiVir Personal - FREE Antivirus
or
FREE avast! antivirus 4.x Home Edition
ESET/NOD32 is also a good Antivirus product but it is not free.
You can keep McAfee if you choose to, but it is not my recommendation. If you do keep it then you will need to disable it for the tests that we need to do.
Let me know what you would like to do please so that we can move on to the Pre-Hijackthis portion to get further information from your system while McAfee is not interfering with the scans.
.

I am able to update McAfee using their control panel. In any case, for now I think I would like to hang on to it, but disable it for the tests. I appreciate your help. I'll wait to hear back.

AdvancedSetup · July 9, 2008

Okay you can keep it. Just make sure you disable it as it will prevent us from properly scanning your system.

STEP 1

Please download and run an updated version of Spybot Search & Destroy.

STEP 2

Download

CCleaner
from
here
to clean temp files from your computer.

Double click on the ccsetup.exe file to start the installation of the program.
Select your language and click
OK
, then
next
.
Read the license agreement and click
I Agree
.
Click
next
to use the default install location.
Under Install Options, choose all the default settings except
I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
Click
Install
then
finish
to complete installation.
Double click the
CCleaner
shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."

deselect
"Only delete files in Windows Temp folders older than 48 hours."
Caution:
It is not recommended that you use the "Registry" feature unless you are very familiar with the registry as it has been known to find legitimate items.
Click on Registry and make sure Registry Integrity is UNchecked!
Click on the "Cleaner" icon on the left side of the window, then click
Run Cleaner
to run the program.
After
CCleaner
has completed its process, click
Exit.

STEP 3

Update Malwarebytes and run a

Quick Scan

and fix any issues found

STEP 4

PANDA ONLINE SCAN

(NOTE: You must use Internet Explorer)

Please go

>here<

to run Panda's ActiveScan

Once you are on the Panda site, click the
Scan your PC now
button
A new window will open...click the
Scan Now
button
Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
Run
the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
When the scan has finished, click on
Export To
Save the file as
Activescan.txt
to your Desktop
Close the Activescan window then go to your Desktop
Double-click on
Activescan.txt
and it will open in Notepad
In Notepad, click
Edit
>
Select all
, then
Edit
>
Copy
Reply to this thread and click
Ctrl+V
to paste the log in your reply

STEP 5

Run HJT and do a Scan Only and save the log file.

STEP 6

Return here and post the log files from Spybot, MB, PANDA, HJT

.

researchvet · July 10, 2008

Okay you can keep it. Just make sure you disable it as it will prevent us from properly scanning your system.
Return here and post the log files from Spybot, MB, PANDA, HJT
.

I followed these steps and posted them above. An admin had directed me to do so in a different post on the forum. I could not post the full Spybot log because it the forum indicated it was too long even if I broke it into several posts.

Thanks.

AdvancedSetup · July 10, 2008

MAKE SURE McAfee is disabled so that ComboFix and DSS can both run properly

We need these programs to run properly and not be stopped by McAfee. IF you have ComboFix or DSS already please delete them and download a new version and follow the instructions below.

Start HJT and do a Scan Only

Then place a check mark on the following items.

O4 - HKLM\..\RunOnce: [spybotDeletingA2451] command /c del "C:\WINDOWS\wt\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC5495] cmd /c del "C:\WINDOWS\wt\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB9260] command /c del "C:\WINDOWS\wt\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD3167] cmd /c del "C:\WINDOWS\wt\webdriver.dll"

Quit any open browsers and then click on "Fix checked"

Please start Malwarebytes and go to the UPDATE tab and update the program. Then run a

Quick Scan

and post back the log

Then go to the

More Tools

tab and click on the

Run Tool

button for

FileASSASSIN

and browse to these files and force delete them if they're still on your system.

C:\Documents and Settings\Katie Pierce\Local Settings\Application Data\Wildtangent\Cdacache\00\00\1D.dat

C:\Documents and Settings\Katie Pierce\Local Settings\Application Data\Wildtangent\Cdacache\00\00\17.dat

Download

The Avenger by Swandog469

, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop
Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the code box below, and paste it in the box that opens:
```
Folders to delete:

C:\WINDOWS\wt
```
Now click the 'Done' button.
Click on the traffic light icon and OK the prompt.
You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
A log file from Avenger will be produced at C:\avenger.txt

Download and Run ComboFix

from your DESKTOP (It must be run from the Desktop)

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file
from one of the three below listed places and place it on your
DESKTOP
:

For information regarding this download, please visit this webpage:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe
Very Important!
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Then double click
combofix.exe
& follow the prompts.
When finished, it will produce
a log
for you.
Post that log
in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.

If it does, open

Task Manager

then

Processes

tab (press ctrl, alt and del at the same time) and end any processes of

findstr, find, sed or swreg

, then combofix should continue.

If that happened we want to know, and also what process you had to end

Then run this tool

Download

Deckard's System Scanner (DSS)

to your

Desktop

.

Note: You must be logged onto an account with administrator privileges.

Close
all applications and windows.
Double-click
on
dss.exe
to run it, and follow the prompts.
When the scan is complete, two text files will open -
main.txt

<- this one will be maximized
and
extra.txt
<-this one will be minimized
Copy
(Ctrl+A then Ctrl+C)
and paste
(Ctrl+V)
the contents of
main.txt
and the extra.txt to your post in your reply

What DSS will do:

create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Notes:

The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to

Start

=>

Run

and copy the following

"%userprofile%\desktop\dss.exe" /config

in the line and click OK You will receive a pop-up box with options to check for the Main log and Extra Log and Options.

Post back the logs from these applications on your next reply.

.

AdvancedSetup · July 11, 2008

Hi researchvet,

If you can please post the requested information. I'm going to be leaving for vacation next week and I don't want to have to leave this with someone else if I can prevent it.

Thanks

researchvet · July 14, 2008

Hi researchvet,
If you can please post the requested information. I'm going to be leaving for vacation next week and I don't want to have to leave this with someone else if I can prevent it.
Thanks

I apologize for the delay. I have been dealing with some health problems and was away from home. I just ran HJT and this time the files you told me to remove did not come up on the scan. Here is the latest log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:14:33 PM, on 7/14/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\Uidler.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB002" /M "Stylus C82"

O4 - HKLM\..\Run: [uidler] C:\WINDOWS\Uidler.exe /start

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Gizmo Project for LJ Talk] C:\Program Files\Gizmo Project for LJ Talk\Gizmo-LJ.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 11271 bytes

Should I continue through the next steps in your post? Anything in this latest HJT that I should remove?

Thank you.

AdvancedSetup · July 14, 2008

I'm sorry to hear of your health issues. Hope you're doing better now.

Yes, please step through the tasks as I posted above. For those items in the HJT log that are no longer there you can ignore, but then disable your McAfee AntiVirus and run the other tools so that we can ensure your system gets cleaned up.

Post back the results as requested. Thanks.

researchvet · July 14, 2008

I'm sorry to hear of your health issues. Hope you're doing better now.
Yes, please step through the tasks as I posted above. For those items in the HJT log that are no longer there you can ignore, but then disable your McAfee AntiVirus and run the other tools so that we can ensure your system gets cleaned up.
Post back the results as requested. Thanks.

When I entered the two Wild Tangent files to be deleted using Mawarebytes File Assassin, I saw that there were other Wild Tangent files. Should I delete the entire Cdacache? The entire Wild Tangent file? Or only the two .dats specified in the original post?

researchvet · July 14, 2008

Also, when I opened The Avenger, the instructions given in the post were not applicable.

These items are not there:

# Check the 'Input script manually' box.

# Click on the magnifying glass icon.

# Copy everything in the code box below, and paste it in the box that opens:

CODE

Folders to delete:

C:\WINDOWS\wt

# Now click the 'Done' button.

# Click on the traffic light icon and OK the prompt.

When it is open there is just a place that says, "input script here." The only two boxes to check are "Scan for rootkits" and "automatically disable any rootkits found."

Should I paste in

Folders to delete:

C:\WINDOWS\wt

into that field?

AdvancedSetup · July 14, 2008

Let's try to check this file with some other vendors. Maybe Spybot is not accurately marking it.

Wild Tangent is a Game development studio and though in marketing it may not be an actual virus or malware.

Please visit this site and upload and test the file below

Online malware scan

C:\WINDOWS\wt\webdriver.dll

I'll download the exact version of Avenger and see what's up with it. The interface may be different now, and I'll get back to you.

Let me know what Jotti finds about that file please.

researchvet · July 14, 2008

Let's try to check this file with some other vendors. Maybe Spybot is not accurately marking it.
Wild Tangent is a Game development studio and though in marketing it may not be an actual virus or malware.
Please visit this site and upload and test the file below
Online malware scan
C:\WINDOWS\wt\webdriver.dll
I'll download the exact version of Avenger and see what's up with it. The interface may be different now, and I'll get back to you.
Let me know what Jotti finds about that file please.

I don't actually see the wt file under windows. When I entered C:\WINDOWS\wt\webdriver.dll into the program this came up:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Also, in reference to deleting the files like

C:\Documents and Settings\Katie Pierce\Local Settings\Application Data\Wildtangent\Cdacache\00\00\1D.dat

using file assassin, I noticed that I cannot find by hand the local settings folder-- I can't see it under Katie Pierce. However, when I entered the file into the program, it was able to pull it up. Is there a way for me to access the folder, local settings?

Given that I had run into problems previously with McAfee, today I unistalled all of the spyware programs, turned off mcafeee, and have been collecting new logs from spybot, malware bytes, HJT, and Panda. Would you like me to post these new logs as well? (I am currently running Panda.)

Finally, I noticed a quarantine folder that has some files in it, should I delete them?

AdvancedSetup · July 14, 2008

Yes please post the logs. No for now do not delete the quarantine files. There is a tool to remove stuff when we're all done.

You need to unhide your folders and files. Open My Computer, click on Tools, Folder Options, then the View tab, place a check mark in the following items.

Display the contents of the system folders

Show hidden files and folders

Then UNCHECK the following items

Hide extensions for known file types

Hide protected operating system files (Recommended)

Click on Apply, then OK

That should allow you to see all the hidden files and folders on the system.

Also, when you reply and you see my response in the edit window, you can delete all of my response as it's not needed.

researchvet · July 15, 2008

When I ran Spybot it picked up the Wildtangent files, said it would delete them, but they still appear under local settings. Two of the files under Cdacache were deleted when I used malawarebyte's file assasin. I did not delete the others and am wondering if we should do that.

While running a new Panda scan I got the blue screen of death and my computer shut down. Do you want me to try and run another full scan? I was able to run a quick scan. The log is:

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-07-14 18:53:54

PROTECTIONS: 1

MALWARE: 6

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

McAfee VirusScan Enterprise 8.5.0.781 No Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00103551 adware/windowenhancer Adware No 0 Yes No c:\windows\system32\sbutils

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Katie Pierce\Application Data\Mozilla\Firefox\Profiles\q4ns5c86.default\cookies.txt[.com.com/]

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Katie Pierce\Application Data\Mozilla\Firefox\Profiles\q4ns5c86.default\cookies.txt[.statcounter.com/]

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Katie Pierce\Application Data\Mozilla\Firefox\Profiles\q4ns5c86.default\cookies.txt[statse.webtrendslive.com/]

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Katie Pierce\Application Data\Mozilla\Firefox\Profiles\q4ns5c86.default\cookies.txt[.overture.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Katie Pierce\Application Data\Mozilla\Firefox\Profiles\q4ns5c86.default\cookies.txt[.adultfriendfinder.com/]

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location "

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description "

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Combofix:

ComboFix 08-07-13.14 - Katie Pierce 2008-07-14 17:03:53.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.210 [GMT -4:00]

Running from: C:\Documents and Settings\Katie Pierce\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))

.

2008-07-14 13:18 . 2008-07-14 14:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-07-14 13:18 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-07-14 13:18 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-07-11 16:38 . 2008-07-11 16:41 <DIR> d-------- C:\Documents and Settings\Katie Pierce\Application Data\CVS

2008-07-10 13:23 . 2008-07-10 13:23 1,374 --a------ C:\WINDOWS\imsins.BAK

2008-07-07 20:06 . 2008-07-07 20:06 <DIR> d-------- C:\Program Files\Trend Micro

2008-07-07 19:37 . 2008-07-07 19:37 557,056 --a------ C:\Documents and Settings\Katie Pierce\GoToAssist_phone__317_en.exe

2008-07-07 16:35 . 2008-07-14 15:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-07-07 16:35 . 2008-07-14 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-07-06 23:11 . 2008-07-06 23:11 <DIR> d-------- C:\Documents and Settings\Katie Pierce\Application Data\Malwarebytes

2008-07-06 23:11 . 2008-07-06 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-07-06 21:59 . 2008-07-06 21:59 <DIR> d-------- C:\WINDOWS\ERUNT

2008-07-06 21:26 . 2008-07-06 22:26 <DIR> d-------- C:\SDFix

2008-07-01 19:05 . 2008-07-01 19:05 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard

2008-07-01 19:01 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll

2008-07-01 19:01 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll

2008-07-01 19:01 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll

2008-07-01 19:01 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe

2008-07-01 19:01 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe

2008-07-01 19:01 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll

2008-07-01 19:00 . 2008-07-01 19:01 <DIR> d-------- C:\Program Files\HP

2008-07-01 18:59 . 2008-07-01 19:05 68,294 --a------ C:\WINDOWS\hpoins05.dat

2008-07-01 18:59 . 2005-07-15 11:17 51,120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys

2008-07-01 18:59 . 2005-07-15 11:17 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys

2008-07-01 18:59 . 2005-07-15 11:17 19,696 --------- C:\WINDOWS\hpomdl05.dat

2008-07-01 18:59 . 2005-07-15 11:17 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys

2008-07-01 18:57 . 2005-07-15 11:17 708,608 --a------ C:\WINDOWS\system32\hpotiop.dll

2008-07-01 18:57 . 2005-07-15 11:17 278,528 --a------ C:\WINDOWS\system32\hpgwiamd.dll

2008-07-01 18:57 . 2005-07-15 11:17 274,432 --a------ C:\WINDOWS\system32\HPZc3212.dll

2008-07-01 18:57 . 2005-07-15 11:17 229,376 --a------ C:\WINDOWS\system32\hpovst08.dll

2008-07-01 18:56 . 2005-07-15 11:17 393,216 --a------ C:\WINDOWS\system32\hpzcon12.dll

2008-07-01 18:56 . 2005-07-15 11:17 196,608 --a------ C:\WINDOWS\system32\hpzcoi12.dll

2008-07-01 18:56 . 2005-07-15 11:17 139,345 --a------ C:\WINDOWS\system32\hpzlnt12.dll

2008-07-01 18:55 . 2008-07-01 18:59 <DIR> d-------- C:\Temp\HP_WebRelease

2008-07-01 18:55 . 2008-07-01 18:55 <DIR> d-------- C:\Temp

2008-07-01 18:35 . 2008-04-13 14:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-07-01 18:35 . 2008-04-13 14:45 32,128 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

2008-06-30 16:07 . 2008-06-30 16:07 <DIR> d-------- C:\Program Files\CCleaner

2008-06-30 15:34 . 2008-06-30 15:49 <DIR> d-------- C:\Documents and Settings\Katie Pierce\Application Data\Uniblue

2008-06-29 00:53 . 2008-06-30 16:02 <DIR> d-------- C:\Program Files\DNA

2008-06-29 00:53 . 2008-06-30 15:52 <DIR> d-------- C:\Documents and Settings\Katie Pierce\Application Data\DNA

2008-06-29 00:47 . 2008-07-14 15:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-06-29 00:47 . 2008-06-29 00:47 1,409 --a------ C:\WINDOWS\QTFont.for

2008-06-20 13:46 . 2008-06-20 13:46 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 13:46 . 2008-06-20 13:46 147,968 --------- C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 07:51 . 2008-06-20 07:51 361,600 --------- C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 07:40 . 2008-06-20 07:40 138,496 --------- C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 07:08 . 2008-06-20 07:08 225,856 --------- C:\WINDOWS\system32\dllcache\tcpip6.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-10 19:47 --------- d-----w C:\Documents and Settings\Katie Pierce\Application Data\U3

2008-06-29 03:49 --------- d-----w C:\Program Files\DivX

2008-06-26 17:44 --------- d-----w C:\Program Files\FirstClass

2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-10 02:03 --------- d-----w C:\Program Files\Common Files\Adobe

2008-06-10 01:59 --------- d-----w C:\Documents and Settings\Katie Pierce\Application Data\AdobeUM

2008-05-27 16:40 --------- d-----w C:\Program Files\Apple Software Update

2008-05-24 22:55 --------- d-----w C:\Program Files\Semagic

2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-05-21 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee

2008-05-21 21:32 --------- d-----w C:\Program Files\McAfee

2008-05-21 21:31 --------- d-----w C:\Program Files\Common Files\McAfee

2008-05-21 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates

2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll

2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll

2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll

2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll

2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll

2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll

2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll

2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll

2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll

2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys

2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe

2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe

2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe

2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe

2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll

2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll

2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll

2008-04-14 09:42 11,264 ------w C:\WINDOWS\system32\spnpinst.exe

2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll

2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin

2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe

2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll

2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll

2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll

2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll

2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll

2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll

2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll

2005-07-21 04:19 94,520 ----a-w C:\Documents and Settings\Katie Pierce\Application Data\GDIPFONTCACHEV1.DAT

2007-07-26 20:01 114,688 ----a-w C:\Program Files\internet explorer\plugins\ChimeShim.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2008-04-13 20:12 1695232]

"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 16:00 540672]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34 3084288]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-01 11:22 110592]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-01 11:21 618496]

"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-08-07 19:57 94208]

"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 05:32 64000]

"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 05:32 20480]

"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-03-27 06:06 53248]

"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-08-08 19:39 897024]

"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 06:01 204800]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-30 01:00 315392]

"StorageGuard"="c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 04:01 155648]

"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 16:00 540672]

"EPSON Stylus C82 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" [2002-04-25 03:00 74240]

"Uidler"="C:\WINDOWS\Uidler.exe" [2001-08-02 18:21 57344]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 05:20 122940]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-30 13:20 185784]

"Gizmo Project for LJ Talk"="C:\Program Files\Gizmo Project for LJ Talk\Gizmo-LJ.exe" [2006-10-13 18:45 2985984]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 20:50 112216]

"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

"S3TRAY2"="S3Tray2.exe" [2001-10-12 02:32 69632 C:\WINDOWS\system32\S3Tray2.exe]

"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-13 20:12 380416 C:\WINDOWS\system32\irprops.cpl]

"TP4EX"="tp4ex.exe" [2002-09-04 05:05 53248 C:\WINDOWS\system32\TP4EX.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 88363 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-13 17:49:41 113664]

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2006-02-09 14:50:10 114688]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04 83360]

NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-08-14 13:19:29 118784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=

"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

"C:\\StubInstaller.exe"=

"C:\\Program Files\\Gizmo Project for LJ Talk\\mDNSResponder.exe"=

"C:\\Program Files\\Gizmo Project for LJ Talk\\Gizmo-LJ.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\AIM\\aim.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=

"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-03-27 06:06]

R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-01-17 05:32]

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]

S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 19:22]

.

Contents of the 'Scheduled Tasks' folder

"2008-06-13 12:28:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2005-12-30 22:39:44 C:\WINDOWS\Tasks\BMMTask.job"

- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE

"2008-07-10 19:34:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"

- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

"2008-06-30 19:34:28 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"

- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-tgcmd - (no file)

HKCU-Run-Aim6 - (no file)

HKLM-Run-UC_SMB - (no file)

HKLM-Run-tgcmd - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-14 17:09:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

Completion time: 2008-07-14 17:13:41

ComboFix-quarantined-files.txt 2008-07-14 21:12:37

Pre-Run: 18,611,843,072 bytes free

Post-Run: 18,601,058,304 bytes free

207 --- E O F --- 2008-07-10 17:27:30

mbam:

Malwarebytes' Anti-Malware 1.20

Database version: 949

Windows 5.1.2600 Service Pack 3

3:15:05 PM 7/14/2008

mbam-log-7-14-2008 (15-15-05).txt

Scan type: Quick Scan

Objects scanned: 40765

Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Katie Pierce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.

HJT: