Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

TrustedAntiVirus..Gah. [RESOLVED]

Started by Rensu , Feb 08 2008 08:46 PM

  • This topic is locked This topic is locked

#1
Rensu
Posted 08 February 2008 - 08:46 PM

Rensu

    New Member

  • Member
  • Pip
  • 9 posts
Hello, and apologies in advance for technology's folly. Okay, long story short:

I share my desktop computer with my brother and my sister. I come home today to find an odd extra toolbar on my Internet Explorer window. I try to remove it..and it just comes back. After a few hours and some internet research, I hear about the 'TrustedAntiVirus' trojan...and irritation ensues.

Already, I can't access the Task Manager, because it's been 'disabled by an administrator', and the spam-messages have begun to ensue: 'Download this to fix your computer!', and so on. I have a stupid red X icon on my taskbar that keeps flashing and so on...And so long story short, i'm staying off that computer until I can take action against this thing- it seems to be stealth-downloading more crud onto my computer as it stays on.

I at least managed to run HijackThis on it, however:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:22 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SXG Advisor - {FD66D953-73D5-4A4B-8D97-A3E505C24121} - C:\WINDOWS\dmdqdrxglr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: emotrlq - {71043D18-3FC1-46BD-B1AF-2342E18DBAE3} - C:\WINDOWS\emotrlq.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MEMonitor.lnk.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...176/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: bdmnopx - {F8A8D50E-7EA7-4328-A9AF-FF90624512B1} - C:\WINDOWS\bdmnopx.dll
O21 - SSODL: admggxp - {856391CB-3E48-4110-BF52-37675306CDC7} - C:\WINDOWS\admggxp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7791 bytes

Also, I ran Adaware- it deleted some things, but it didn't remove the problem in the slightest.

Thank you in advance.
  • 0

Advertisements

#2
kahdah
Posted 08 February 2008 - 08:56 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Rensu

Welcome to G2Go. :)
===============
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\dmdqdrxglr.dll
C:\WINDOWS\bdmnopx.dll
C:\WINDOWS\admggxp.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================
After that Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
Rensu
Posted 09 February 2008 - 01:25 AM

Rensu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Well, I got the files to be moved as you needed! Which is good. However...the computer seems even slower now- I think that's just from the course of the trojan, though moving the files didn't help. Also...For some reason, when I moved the files the first time, I got a 'this application has performed a critical error and must close' message...I hate those messages. But, I just ran it a second time, and it worked fine:

1)

C:\WINDOWS\dmdqdrxglr.dll unregistered successfully.
C:\WINDOWS\dmdqdrxglr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\bdmnopx.dll
C:\WINDOWS\bdmnopx.dll NOT unregistered.
C:\WINDOWS\bdmnopx.dll moved successfully.
File/Folder D:\WINDOWS\admggxp.dll not found.

OTMoveIt2 v1.0.19 log created on 02092008_020622

2)

File/Folder C:\WINDOWS\dmdqdrxglr.dll not found.
File/Folder C:\WINDOWS\bdmnopx.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\admggxp.dll
C:\WINDOWS\admggxp.dll NOT unregistered.
C:\WINDOWS\admggxp.dll moved successfully.

OTMoveIt2 v1.0.19 log created on 02092008_020901

And here's the two DSS Files:

Main-

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-09 02:17:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
87: 2008-02-09 07:17:50 UTC - RP87 - Deckard's System Scanner Restore Point
86: 2008-02-08 21:20:20 UTC - RP86 - System Checkpoint
85: 2008-02-07 19:55:28 UTC - RP85 - Software Distribution Service 3.0
84: 2008-02-06 23:43:51 UTC - RP84 - System Checkpoint
83: 2008-02-05 19:49:20 UTC - RP83 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-11-19 20:24:37 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:41 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: emotrlq - {71043D18-3FC1-46BD-B1AF-2342E18DBAE3} - C:\WINDOWS\emotrlq.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MEMonitor.lnk.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...176/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: bdmnopx - {F8A8D50E-7EA7-4328-A9AF-FF90624512B1} - C:\WINDOWS\bdmnopx.dll (file missing)
O21 - SSODL: admggxp - {856391CB-3E48-4110-BF52-37675306CDC7} - C:\WINDOWS\admggxp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7569 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 npkcrypt - c:\nexon\mabinogi\npkcrypt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-09 02:04:50 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-02-06 18:26:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-01 15:03:36 408 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2008-02-01 01:06:25 332 --a------ C:\WINDOWS\Tasks\McQcTask.job
2007-12-03 21:39:59 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-01-09 and 2008-02-09 -----------------------------

2008-02-08 22:22:48 0 d-------- C:\Program Files\TrustedAntivirus
2008-02-08 22:22:48 0 d-------- C:\Program Files\Common Files\TrustedAntivirus
2008-02-08 19:14:06 0 d-------- C:\Program Files\Trend Micro
2008-02-08 15:44:43 90112 --a------ C:\WINDOWS\fsxloqf.exe
2008-02-08 15:44:43 204800 --a------ C:\WINDOWS\emotrlq.dll <Not Verified; ; emotrlq Module>
2008-02-08 15:41:12 0 d-------- C:\Program Files\MediaEntertainmentCodec
2008-02-05 06:02:56 0 d-------- C:\Program Files\WinBudget
2008-02-04 19:59:29 0 d-------- C:\WINDOWS\system32\bak
2008-01-31 15:52:49 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-01-31 15:52:17 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-01-31 15:46:57 0 d-------- C:\Nexon
2008-01-30 18:51:46 0 d-------- C:\Program Files\iPod
2008-01-30 18:51:28 0 d-------- C:\Program Files\iTunes
2008-01-30 18:49:05 0 d-------- C:\Program Files\QuickTime
2008-01-29 21:39:18 0 d-------- C:\Program Files\PeerCast
2008-01-27 18:10:23 118272 --a------ C:\WINDOWS\system32\SX5363S.DLL <Not Verified; Lucent Technologies; elemedia SX5363S G.723 codec using MMX Technology>
2008-01-27 18:10:23 102400 --a------ C:\WINDOWS\system32\RV32RTP.dll <Not Verified; RADVision; RADVision RTP/RTCP>
2008-01-27 18:10:23 0 d-------- C:\Program Files\Gameforge4D
2008-01-24 20:12:10 0 d-------- C:\Program Files\Samsung
2008-01-24 20:11:31 0 d-------- C:\Program Files\Sprint music manager
2008-01-21 12:34:21 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2008-01-20 23:24:36 0 d-------- C:\Program Files\Audiosurf
2008-01-15 22:04:58 0 d-------- C:\Program Files\SMART Technologies Inc
2008-01-14 19:00:59 17144 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-09 21:24:07 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-09 21:23:02 0 d-------- C:\Program Files\Common Files\Apple


-- Find3M Report ---------------------------------------------------------------

2008-02-08 22:22:48 0 d-------- C:\Program Files\Common Files
2008-02-08 17:06:11 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-08 15:03:41 0 d-------- C:\Program Files\McAfee
2008-02-06 20:30:23 0 d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-02-04 20:06:33 0 d-------- C:\Program Files\Windows Defender
2008-02-04 20:06:33 0 d-------- C:\Program Files\AIM6
2008-02-04 20:04:32 14860 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-02-03 09:19:31 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-02 11:23:06 0 d-------- C:\Program Files\Norton Security Scan
2008-02-01 17:36:28 0 d-------- C:\Program Files\DivX
2008-01-29 05:58:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-01-25 17:22:53 0 d-------- C:\Program Files\World of Warcraft
2008-01-13 11:26:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-01-13 10:39:46 0 d-------- C:\Program Files\Azureus
2008-01-06 17:26:03 0 d-------- C:\Program Files\Apple Software Update
2007-12-31 16:34:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2007-12-31 16:05:10 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2007-12-31 15:46:41 0 d-------- C:\Program Files\Skype
2007-12-31 15:43:39 0 d-------- C:\Program Files\Common Files\Skype
2007-12-26 14:27:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2007-12-26 14:27:07 0 d-------- C:\Program Files\Java
2007-12-23 21:36:37 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-12-17 21:44:41 0 d-------- C:\Program Files\SiteAdvisor
2007-12-16 10:52:05 0 d-------- C:\Program Files\There
2007-12-15 12:31:00 0 d-------- C:\Program Files\Steam
2007-12-10 21:55:37 0 d-------- C:\Program Files\LimeWire
2007-12-10 21:54:52 0 d-------- C:\Program Files\Common Files\Java
2007-12-09 16:44:20 0 d-------- C:\Program Files\VideoLAN
2007-12-09 16:35:11 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-12-03 21:19:44 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-12-03 21:19:44 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-11-29 18:08:16 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2007-11-29 17:28:10 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-19 15:20:49 0 -rahs---- C:\MSDOS.SYS
2007-11-19 15:20:49 0 -rahs---- C:\IO.SYS
2007-11-19 15:20:49 0 --a------ C:\CONFIG.SYS
2007-11-19 15:20:49 0 --a------ C:\AUTOEXEC.BAT
2007-11-19 15:18:29 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-11-19 10:10:23 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
09/19/2007 06:15 AM 329032 --a------ C:\Program Files\McAfee\MSK\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [11/13/2002 02:34 AM C:\WINDOWS\system32\sstray.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [02/04/2008 08:04 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [02/04/2008 08:04 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [02/04/2008 08:04 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [02/04/2008 08:04 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [02/04/2008 08:04 PM]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/04/2008 08:04 PM]
"SBI"="C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe" [02/08/2008 10:19 PM]
"TrustedAntivirus"="C:\Program Files\TrustedAntivirus\pgs.exe" [10/30/2007 10:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [02/04/2008 08:04 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [12/3/2007 4:35:53 PM]
MEMonitor.lnk.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [1/24/2008 8:11:33 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bdmnopx"= {F8A8D50E-7EA7-4328-A9AF-FF90624512B1} - C:\WINDOWS\bdmnopx.dll [ ]
"admggxp"= {856391CB-3E48-4110-BF52-37675306CDC7} - C:\WINDOWS\admggxp.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""




-- Hosts -----------------------------------------------------------------------

127.0.0.1 204.13.11.27
127.0.0.1 audio-surf.com
127.0.0.1 www.audio-surf.com


-- End of Deckard's System Scanner: finished at 2008-02-09 02:19:10 ------------

extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3200+
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 511.48 MiB / 136.07 MiB
Pagefile Memory (total/avail): 1248.01 MiB / 871.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1945.28 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 298.08 GiB total, 272.5 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR S TM3320620AS SCSI Disk Device - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.08 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
AntivirusOverride is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Steam\\steamapps\\rensu\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\rensu\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\steamapps\\rensu\\half-life\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\rensu\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-94BF3B59D
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\OWNER-94BF3B59D
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=OWNER-94BF3B59D
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Audiosurf Beta --> "C:\Program Files\Audiosurf\unins000.exe"
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Counter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10
DivX 5.0.2 Bundle --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\uninstal.log
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
FINAL FANTASY XI for Windows - Official Benchmark Program 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E4D0E11A-CF32-4F7A-8C06-8EC3E2DB2E92} /l1033
Flysis 1.0.0.9 --> "C:\Program Files\Gameforge4D\Flysis\unins000.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Half-Life --> "C:\Program Files\Steam\steam.exe" steam://uninstall/70
Half-Life 2: Demo --> "C:\Program Files\Steam\steam.exe" steam://uninstall/219
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.14.12 --> "C:\Program Files\LimeWire\uninstall.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Media Entertainment Codec v1.6 --> C:\Program Files\MediaEntertainmentCodec\Uninstall.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
Norton Security Scan --> MsiExec.exe /I{DA15D535-5E1D-4076-B520-8571346D6238}
Notebook Interactive Viewer --> MsiExec.exe /X{24BA79B5-53F9-475C-9D49-EC4BDE8B09CF}
NVIDIA nForce Utilities --> C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_SSUtilsNT 132 C:\WINDOWS\INF\nvautlml.inf
NVIDIA Windows 2000/XP nForce Drivers --> rundll32.exe C:\WINDOWS\system32\NVNFINST.DLL,NvUninstallCrush
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sprint music manager --> C:\PROGRA~1\SPRINT~1\Setup.exe /remove /q0
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
There --> "C:\Program Files\There\ThereClientUninst.exe"
TrustedAntivirus 2.1.355.14 --> "C:\Program Files\TrustedAntivirus\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WebVideo Support --> C:\WINDOWS\fsxloqf.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1895 / Error
Event Submitted/Written: 02/09/2008 02:09:06 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application otmoveit2.exe, version 1.0.17.0, faulting module unknown, version 0.0.0.0, fault address 0x00b8dd80.
Processing media-specific event for [otmoveit2.exe!ws!]

Event Record #/Type1893 / Error
Event Submitted/Written: 02/09/2008 02:08:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application otmoveit2.exe, version 1.0.17.0, faulting module unknown, version 0.0.0.0, fault address 0x00b8dd80.
Processing media-specific event for [otmoveit2.exe!ws!]

Event Record #/Type1891 / Error
Event Submitted/Written: 02/09/2008 02:06:24 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application otmoveit2.exe, version 1.0.17.0, faulting module unknown, version 0.0.0.0, fault address 0x00b8ac47.
Processing media-specific event for [otmoveit2.exe!ws!]

Event Record #/Type1881 / Warning
Event Submitted/Written: 02/08/2008 08:53:34 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1871 / Warning
Event Submitted/Written: 02/08/2008 08:49:32 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6226 / Error
Event Submitted/Written: 02/09/2008 02:01:49 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%2

Event Record #/Type6222 / Warning
Event Submitted/Written: 02/08/2008 10:26:18 PM
Event ID/Source: 1073 / USER32
Event Description:
The attempt to power off OWNER-94BF3B59D failed

Event Record #/Type6221 / Warning
Event Submitted/Written: 02/08/2008 10:26:18 PM
Event ID/Source: 1073 / USER32
Event Description:
The attempt to power off OWNER-94BF3B59D failed

Event Record #/Type6220 / Warning
Event Submitted/Written: 02/08/2008 10:26:17 PM
Event ID/Source: 1073 / USER32
Event Description:
The attempt to power off OWNER-94BF3B59D failed

Event Record #/Type6219 / Warning
Event Submitted/Written: 02/08/2008 10:26:07 PM
Event ID/Source: 1073 / USER32
Event Description:
The attempt to power off OWNER-94BF3B59D failed



-- End of Deckard's System Scanner: finished at 2008-02-09 02:19:10 ------------

Thanks again. Yes, I say thanks alot. >>
  • 0

#4
kahdah
Posted 09 February 2008 - 06:38 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#5
Rensu
Posted 09 February 2008 - 03:26 PM

Rensu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Alrighty...ComboFix ran fine, got a logfile. immediately after, I went to get a HijackThis log...when I went to save it, for some reason, the keyboard and mouse stopped responding. A restart later, though, and it was working fine.

As of now, interestingly enough...the computer seems better on the surface at least- I can access the Task Manager now, and My Computer loads up fine...However, the TrustedAntiVirus program is still in my program groups, and the toolbar (simply labeled 'emotrlq') is in my toolbars menu. Anywho, logs:

Combofix:

ComboFix 08-02.05.3 - Owner 2008-02-09 8:07:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.180 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\tempzor
C:\WINDOWS\dat.txt
C:\WINDOWS\search_res.txt

----- BITS: Possible infected sites -----

hxxp://onsafepro.com
hxxp://softworldnetwork.com
.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 02:16 . 2008-02-09 02:16 <DIR> d-------- C:\Deckard
2008-02-09 02:06 . 2008-02-09 02:06 <DIR> d-------- C:\_OTMoveIt
2008-02-08 22:22 . 2008-02-08 22:24 <DIR> d-------- C:\Program Files\TrustedAntivirus
2008-02-08 22:22 . 2008-02-08 22:23 <DIR> d-------- C:\Program Files\Common Files\TrustedAntivirus
2008-02-08 22:22 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-08 22:22 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-08 22:22 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-08 22:22 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-08 19:14 . 2008-02-08 19:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 15:44 . 2008-02-08 13:37 204,800 --a------ C:\WINDOWS\emotrlq.dll
2008-02-08 15:44 . 2008-02-08 13:37 90,112 --a------ C:\WINDOWS\fsxloqf.exe
2008-02-08 15:41 . 2008-02-08 15:42 <DIR> d-------- C:\Program Files\MediaEntertainmentCodec
2008-02-04 19:59 . 2008-02-04 19:59 <DIR> d-------- C:\WINDOWS\system32\bak
2008-01-31 15:52 . 2008-01-31 15:52 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-01-31 15:52 . 2003-07-19 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-01-31 15:52 . 2005-01-03 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-31 15:46 . 2008-01-31 15:46 <DIR> d-------- C:\Nexon
2008-01-30 18:51 . 2008-02-04 20:06 <DIR> d-------- C:\Program Files\iTunes
2008-01-30 18:51 . 2008-01-30 18:51 <DIR> d-------- C:\Program Files\iPod
2008-01-30 18:49 . 2008-02-04 20:06 <DIR> d-------- C:\Program Files\QuickTime
2008-01-29 21:39 . 2008-01-29 21:45 <DIR> d-------- C:\Program Files\PeerCast
2008-01-27 18:10 . 2008-01-27 18:10 <DIR> d-------- C:\Program Files\Gameforge4D
2008-01-27 18:10 . 2004-05-10 13:14 118,272 --a------ C:\WINDOWS\system32\SX5363S.DLL
2008-01-27 18:10 . 2004-05-10 13:14 102,400 --a------ C:\WINDOWS\system32\RV32RTP.dll
2008-01-27 18:10 . 2004-05-10 13:15 40 --a------ C:\WINDOWS\system32\Sx5363.ini
2008-01-24 20:12 . 2008-01-24 20:12 <DIR> d-------- C:\Program Files\Samsung
2008-01-24 20:12 . 2005-08-17 08:46 93,872 --a------ C:\WINDOWS\system32\drivers\sscdmdm.sys
2008-01-24 20:12 . 2005-08-17 08:47 73,696 --a------ C:\WINDOWS\system32\drivers\sscdserd.sys
2008-01-24 20:12 . 2005-08-17 08:45 58,352 --a------ C:\WINDOWS\system32\drivers\sscdbus.sys
2008-01-24 20:12 . 2005-08-17 08:46 8,272 --a------ C:\WINDOWS\system32\drivers\sscdmdfl.sys
2008-01-24 20:12 . 2005-08-17 08:47 6,176 --a------ C:\WINDOWS\system32\drivers\sscdcmnt.sys
2008-01-24 20:12 . 2005-08-17 08:47 6,176 --a------ C:\WINDOWS\system32\drivers\sscdcm.sys
2008-01-24 20:12 . 2005-08-17 08:44 5,840 --a------ C:\WINDOWS\system32\drivers\sscdwhnt.sys
2008-01-24 20:12 . 2005-08-17 08:44 5,840 --a------ C:\WINDOWS\system32\drivers\sscdwh.sys
2008-01-24 20:11 . 2008-01-24 20:11 <DIR> d-------- C:\Program Files\Sprint music manager
2008-01-24 20:11 . 2008-02-04 21:32 1,609,728 --a------ C:\WINDOWS\MEDB.mdb
2008-01-20 23:24 . 2008-01-21 12:34 <DIR> d-------- C:\Program Files\Audiosurf
2008-01-15 22:04 . 2008-01-15 22:04 <DIR> d-------- C:\Program Files\SMART Technologies Inc
2008-01-14 19:00 . 2008-01-14 19:00 17,144 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-09 21:24 . 2008-01-09 21:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-09 21:23 . 2008-01-09 21:23 <DIR> d-------- C:\Program Files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 22:40 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-08 22:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-08 20:03 --------- d-----w C:\Program Files\McAfee
2008-02-07 01:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-02-05 01:06 --------- d-----w C:\Program Files\Windows Defender
2008-02-05 01:06 --------- d-----w C:\Program Files\AIM6
2008-02-05 01:04 14,860 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2008-02-03 14:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 16:23 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-01 22:36 --------- d-----w C:\Program Files\DivX
2008-02-01 02:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 22:22 --------- d-----w C:\Program Files\World of Warcraft
2008-01-13 16:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-01-13 15:39 --------- d-----w C:\Program Files\Azureus
2008-01-06 22:26 --------- d-----w C:\Program Files\Apple Software Update
2008-01-06 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-06 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-31 21:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2007-12-31 21:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2007-12-31 20:46 --------- d-----w C:\Program Files\Skype
2007-12-31 20:45 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-31 20:43 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-31 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-26 19:27 --------- d-----w C:\Program Files\Java
2007-12-18 02:44 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-17 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-16 15:52 --------- d-----w C:\Program Files\There
2007-12-15 17:31 --------- d-----w C:\Program Files\Steam
2007-12-11 02:55 --------- d-----w C:\Program Files\LimeWire
2007-12-11 02:54 --------- d-----w C:\Program Files\Common Files\Java
2007-12-09 21:44 --------- d-----w C:\Program Files\VideoLAN
2007-12-09 21:35 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-12-09 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-04 02:19 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-11-29 23:08 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 00:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 50,528 2007-10-04 15:20:54 C:\Program Files\AIM6\bak\aim6.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\AIM6\aim6.exe

----a-w 267,048 2008-01-15 08:22:56 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-09-25 06:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\mcagent.exe

----a-w 385,024 2008-01-10 20:27:36 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\QuickTime\qttask.exe

----a-w 36,640 2007-08-24 21:57:48 C:\Program Files\SiteAdvisor\6172\bak\SiteAdv.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

----a-w 866,584 2006-11-04 00:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 14,860 2008-02-05 01:04:32 C:\WINDOWS\system32\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{71043D18-3FC1-46BD-B1AF-2342E18DBAE3}

[HKEY_CLASSES_ROOT\clsid\{71043d18-3fc1-46bd-b1af-2342e18dbae3}]
[HKEY_CLASSES_ROOT\emotrlq.1]
[HKEY_CLASSES_ROOT\TypeLib\{AD1759A5-8FE6-461C-B426-7FF31442430F}]
[HKEY_CLASSES_ROOT\emotrlq]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-02-04 20:04 14860]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2002-11-13 02:34 73728 C:\WINDOWS\system32\sstray.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-02-04 20:04 14860]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-02-04 20:04 14860]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-04 20:04 14860]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2008-02-04 20:04 14860]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-02-04 20:04 14860]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 20:04 14860]
"SBI"="C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe" [2008-02-08 22:19 1271048]
"TrustedAntivirus"="C:\Program Files\TrustedAntivirus\pgs.exe" [2007-10-30 10:24 2023424]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-12-03 16:35:53 147456]
MEMonitor.lnk.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2008-01-24 20:11:33 929792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bdmnopx"= {F8A8D50E-7EA7-4328-A9AF-FF90624512B1} - C:\WINDOWS\bdmnopx.dll [ ]
"admggxp"= {856391CB-3E48-4110-BF52-37675306CDC7} - C:\WINDOWS\admggxp.dll [ ]

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2004-08-27 03:18]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-05-20 04:35]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:26:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-04 02:39:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:06:25 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-02-09 13:04:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-01 20:03:36 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 08:09:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SBI = C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe???/?? ???"???????????4????&?|?????%?|????t?p?Ha<?????????????????)??|\?A~???????????????| ?????????B~??B~????????????????????t?p?????x?@????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-09 8:10:26
ComboFix-quarantined-files.txt 2008-02-09 13:10:18
.
2008-02-07 19:55:45 --- E O F ---


Newest HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:55 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: emotrlq - {71043D18-3FC1-46BD-B1AF-2342E18DBAE3} - C:\WINDOWS\emotrlq.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...176/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: bdmnopx - {F8A8D50E-7EA7-4328-A9AF-FF90624512B1} - C:\WINDOWS\bdmnopx.dll (file missing)
O21 - SSODL: admggxp - {856391CB-3E48-4110-BF52-37675306CDC7} - C:\WINDOWS\admggxp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6870 bytes
  • 0

#6
kahdah
Posted 09 February 2008 - 03:42 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::C:\WINDOWS\emotrlq.dllC:\WINDOWS\fsxloqf.exeC:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exeFolder::C:\Program Files\TrustedAntivirusC:\Program Files\Common Files\TrustedAntivirusC:\Program Files\MediaEntertainmentCodecC:\Program Files\ViewpointRegistry::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{71043D18-3FC1-46BD-B1AF-2342E18DBAE3}"=-[-HKEY_CLASSES_ROOT\clsid\{71043d18-3fc1-46bd-b1af-2342e18dbae3}][-HKEY_CLASSES_ROOT\emotrlq.1][-HKEY_CLASSES_ROOT\TypeLib\{AD1759A5-8FE6-461C-B426-7FF31442430F}][-HKEY_CLASSES_ROOT\emotrlq][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SBI"=-"TrustedAntivirus"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"bdmnopx"=-"admggxp"=- Driver::Viewpoint Manager Service


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt
===========================
After that You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#7
Rensu
Posted 09 February 2008 - 05:51 PM

Rensu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Combofix:

ComboFix 08-02.05.3 - Owner 2008-02-09 18:43:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.152 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
File::C:\WINDOWS\emotrlq.dllC:\WINDOWS\fsxloqf.exeC:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exeFolder::C:\Program Files\TrustedAntivirusC:\Program Files\Common Files\TrustedAntivirusC:\Program Files\MediaEntertainmentCodecC:\Program Files\ViewpointRegistry::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{71043D18-3FC1-46BD-B1AF-2342E18DBAE3}"=-[-HKEY_CLASSES_ROOT\clsid\{71043d18-3fc1-46bd-b1af-2342e18dbae3}][-HKEY_CLASSES_ROOT\emotrlq.1][-HKEY_CLASSES_ROOT\TypeLib\{AD1759A5-8FE6-461C-B426-7FF31442430F}][-HKEY_CLASSES_ROOT\emotrlq][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SBI"=-"TrustedAntivirus"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"bdmnopx"=-"admggxp"=- Driver::Viewpoint Manager Service
.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 16:05 . 2008-02-09 16:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-09 16:05 . 2008-02-09 16:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-09 02:06 . 2008-02-09 02:06 <DIR> d-------- C:\_OTMoveIt
2008-02-08 22:22 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-08 22:22 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-08 22:22 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-08 22:22 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-08 19:14 . 2008-02-08 19:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 15:44 . 2008-02-08 13:37 204,800 --a------ C:\WINDOWS\emotrlq.dll
2008-02-08 15:44 . 2008-02-08 13:37 90,112 --a------ C:\WINDOWS\fsxloqf.exe
2008-02-08 15:41 . 2008-02-08 15:42 <DIR> d-------- C:\Program Files\MediaEntertainmentCodec
2008-02-04 19:59 . 2008-02-04 19:59 <DIR> d-------- C:\WINDOWS\system32\bak
2008-01-31 15:52 . 2008-01-31 15:52 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-01-31 15:52 . 2003-07-19 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-01-31 15:52 . 2005-01-03 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-31 15:46 . 2008-01-31 15:46 <DIR> d-------- C:\Nexon
2008-01-30 18:51 . 2008-02-04 20:06 <DIR> d-------- C:\Program Files\iTunes
2008-01-30 18:51 . 2008-01-30 18:51 <DIR> d-------- C:\Program Files\iPod
2008-01-30 18:49 . 2008-02-04 20:06 <DIR> d-------- C:\Program Files\QuickTime
2008-01-29 21:39 . 2008-01-29 21:45 <DIR> d-------- C:\Program Files\PeerCast
2008-01-27 18:10 . 2008-01-27 18:10 <DIR> d-------- C:\Program Files\Gameforge4D
2008-01-27 18:10 . 2004-05-10 13:14 118,272 --a------ C:\WINDOWS\system32\SX5363S.DLL
2008-01-27 18:10 . 2004-05-10 13:14 102,400 --a------ C:\WINDOWS\system32\RV32RTP.dll
2008-01-27 18:10 . 2004-05-10 13:15 40 --a------ C:\WINDOWS\system32\Sx5363.ini
2008-01-24 20:12 . 2008-01-24 20:12 <DIR> d-------- C:\Program Files\Samsung
2008-01-24 20:12 . 2005-08-17 08:46 93,872 --a------ C:\WINDOWS\system32\drivers\sscdmdm.sys
2008-01-24 20:12 . 2005-08-17 08:47 73,696 --a------ C:\WINDOWS\system32\drivers\sscdserd.sys
2008-01-24 20:12 . 2005-08-17 08:45 58,352 --a------ C:\WINDOWS\system32\drivers\sscdbus.sys
2008-01-24 20:12 . 2005-08-17 08:46 8,272 --a------ C:\WINDOWS\system32\drivers\sscdmdfl.sys
2008-01-24 20:12 . 2005-08-17 08:47 6,176 --a------ C:\WINDOWS\system32\drivers\sscdcmnt.sys
2008-01-24 20:12 . 2005-08-17 08:47 6,176 --a------ C:\WINDOWS\system32\drivers\sscdcm.sys
2008-01-24 20:12 . 2005-08-17 08:44 5,840 --a------ C:\WINDOWS\system32\drivers\sscdwhnt.sys
2008-01-24 20:12 . 2005-08-17 08:44 5,840 --a------ C:\WINDOWS\system32\drivers\sscdwh.sys
2008-01-24 20:11 . 2008-02-04 21:32 1,609,728 --a------ C:\WINDOWS\MEDB.mdb
2008-01-20 23:24 . 2008-01-21 12:34 <DIR> d-------- C:\Program Files\Audiosurf
2008-01-15 22:04 . 2008-01-15 22:04 <DIR> d-------- C:\Program Files\SMART Technologies Inc
2008-01-14 19:00 . 2008-01-14 19:00 17,144 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-09 21:24 . 2008-01-09 21:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-09 21:23 . 2008-01-09 21:23 <DIR> d-------- C:\Program Files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 15:14 --------- d-----w C:\Program Files\Google
2008-02-08 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 22:40 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-08 22:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-08 20:03 --------- d-----w C:\Program Files\McAfee
2008-02-07 01:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-02-05 01:06 --------- d-----w C:\Program Files\Windows Defender
2008-02-05 01:06 --------- d-----w C:\Program Files\AIM6
2008-02-05 01:04 14,860 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2008-02-03 14:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 16:23 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-01 22:36 --------- d-----w C:\Program Files\DivX
2008-02-01 02:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 22:22 --------- d-----w C:\Program Files\World of Warcraft
2008-01-13 16:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-01-13 15:39 --------- d-----w C:\Program Files\Azureus
2008-01-06 22:26 --------- d-----w C:\Program Files\Apple Software Update
2008-01-06 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-06 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-31 21:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2007-12-31 21:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2007-12-31 20:46 --------- d-----w C:\Program Files\Skype
2007-12-31 20:45 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-31 20:43 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-31 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-26 19:27 --------- d-----w C:\Program Files\Java
2007-12-18 02:44 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-17 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-16 15:52 --------- d-----w C:\Program Files\There
2007-12-15 17:31 --------- d-----w C:\Program Files\Steam
2007-12-11 02:55 --------- d-----w C:\Program Files\LimeWire
2007-12-11 02:54 --------- d-----w C:\Program Files\Common Files\Java
2007-12-09 21:44 --------- d-----w C:\Program Files\VideoLAN
2007-12-09 21:35 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-12-09 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-04 02:19 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-11-29 23:08 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 00:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 50,528 2007-10-04 15:20:54 C:\Program Files\AIM6\bak\aim6.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\AIM6\aim6.exe

----a-w 267,048 2008-01-15 08:22:56 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-09-25 06:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\mcagent.exe

----a-w 385,024 2008-01-10 20:27:36 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\QuickTime\qttask.exe

----a-w 36,640 2007-08-24 21:57:48 C:\Program Files\SiteAdvisor\6172\bak\SiteAdv.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

----a-w 866,584 2006-11-04 00:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 14,860 2008-02-05 01:04:32 C:\WINDOWS\system32\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{71043D18-3FC1-46BD-B1AF-2342E18DBAE3}

[HKEY_CLASSES_ROOT\clsid\{71043d18-3fc1-46bd-b1af-2342e18dbae3}]
[HKEY_CLASSES_ROOT\emotrlq.1]
[HKEY_CLASSES_ROOT\TypeLib\{AD1759A5-8FE6-461C-B426-7FF31442430F}]
[HKEY_CLASSES_ROOT\emotrlq]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-02-04 20:04 14860]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2002-11-13 02:34 73728 C:\WINDOWS\system32\sstray.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-02-04 20:04 14860]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-02-04 20:04 14860]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-04 20:04 14860]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2008-02-04 20:04 14860]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-02-04 20:04 14860]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 20:04 14860]
"SBI"="C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe" [ ]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-12-03 16:35:53 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bdmnopx"= {F8A8D50E-7EA7-4328-A9AF-FF90624512B1} - C:\WINDOWS\bdmnopx.dll [ ]
"admggxp"= {856391CB-3E48-4110-BF52-37675306CDC7} - C:\WINDOWS\admggxp.dll [ ]

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2004-08-27 03:18]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-05-20 04:35]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:26:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-04 02:39:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:06:25 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-02-09 23:39:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-01 20:03:36 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 18:45:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SBI = C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe???/?? ???"???????????4????&?|?????%?|????t?p?Ha<?????????????????)??|\?A~???????????????| ?????????B~??B~????????????????????t?p?????x?@????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-09 18:45:38
ComboFix-quarantined-files.txt 2008-02-09 23:45:30
ComboFix2.txt 2008-02-09 13:10:27
.
2008-02-07 19:55:45 --- E O F ---

AWF:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 02/09/2008
The current time is: 18:47:17.87


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

10/04/2007 10:20 AM 50,528 aim6.exe
1 File(s) 50,528 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

01/15/2008 03:22 AM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/10/2008 03:27 PM 385,024 qttask.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 10:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

08/03/2007 10:33 PM 582,992 mcagent.exe
1 File(s) 582,992 bytes

Directory of C:\PROGRA~1\SITEAD~1\6172\BAK

08/24/2007 04:57 PM 36,640 SiteAdv.exe
1 File(s) 36,640 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14860 Feb 4 2008 "C:\Program Files\AIM6\aim6.exe"
50528 Oct 4 2007 "C:\Program Files\AIM6\bak\aim6.exe"
14860 Feb 4 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Jan 15 2008 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 30 2008 "C:\WINDOWS\Installer\{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}\iTunesIco.exe"
79144 Jan 30 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.0.29\iTunesSetupAdmin.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\qttask.exe"
385024 Jan 10 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14860 Feb 4 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
14860 Feb 4 2008 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
582992 Aug 3 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
582992 Aug 3 2007 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
14860 Feb 4 2008 "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe"
36640 Aug 24 2007 "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
36640 Aug 24 2007 "C:\Program Files\SiteAdvisor\6172\bak\SiteAdv.exe"
14860 Feb 4 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132760 Dec 8 2007 "C:\Program Files\Azureus\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
14860 Feb 4 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report
  • 0

#8
kahdah
Posted 09 February 2008 - 08:07 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hmmm the code scrambled up the files I wanted to delete.
Let's try that again.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\emotrlq.dll
C:\WINDOWS\fsxloqf.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe
Folder::
C:\Program Files\TrustedAntivirus
C:\Program Files\Common Files\TrustedAntivirus
C:\Program Files\MediaEntertainmentCodec
C:\Program Files\Viewpoint
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{71043D18-3FC1-46BD-B1AF-2342E18DBAE3}"=-
[-HKEY_CLASSES_ROOT\clsid\{71043d18-3fc1-46bd-b1af-2342e18dbae3}]
[-HKEY_CLASSES_ROOT\emotrlq.1]
[-HKEY_CLASSES_ROOT\TypeLib\{AD1759A5-8FE6-461C-B426-7FF31442430F}]
[-HKEY_CLASSES_ROOT\emotrlq]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBI"=-
"TrustedAntivirus"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bdmnopx"=-
"admggxp"=-
 Driver::
Viewpoint Manager Service


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt
  • 0

#9
Rensu
Posted 09 February 2008 - 09:37 PM

Rensu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
There we go. That worked.

ComboFix 08-02.05.3 - Owner 2008-02-09 22:30:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.248 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\My Received Files\antehvirus\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXKF0V4J\install_sbd_en[1].exe
C:\WINDOWS\emotrlq.dll
C:\WINDOWS\fsxloqf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MediaEntertainmentCodec
C:\Program Files\MediaEntertainmentCodec\install.ico
C:\Program Files\MediaEntertainmentCodec\MediaEntertainmentCodec.ocx
C:\Program Files\MediaEntertainmentCodec\Uninstall.exe
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\WINDOWS\emotrlq.dll
C:\WINDOWS\fsxloqf.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VIEWPOINT_MANAGER_SERVICE
-------\Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 16:05 . 2008-02-09 16:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-09 16:05 . 2008-02-09 16:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-09 15:14 . 2003-09-02 05:30 388,608 --a------ C:\kmd.exe
2008-02-09 02:06 . 2008-02-09 02:06 <DIR> d-------- C:\_OTMoveIt
2008-02-08 22:22 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-08 22:22 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-08 22:22 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-08 22:22 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-08 19:14 . 2008-02-08 19:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-04 19:59 . 2008-02-04 19:59 <DIR> d-------- C:\WINDOWS\system32\bak
2008-01-31 15:52 . 2008-01-31 15:52 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-01-31 15:52 . 2003-07-19 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-01-31 15:52 . 2005-01-03 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-31 15:46 . 2008-01-31 15:46 <DIR> d-------- C:\Nexon
2008-01-30 18:51 . 2008-02-04 20:06 <DIR> d-------- C:\Program Files\iTunes
2008-01-30 18:51 . 2008-01-30 18:51 <DIR> d-------- C:\Program Files\iPod
2008-01-30 18:49 . 2008-02-04 20:06 <DIR> d-------- C:\Program Files\QuickTime
2008-01-29 21:39 . 2008-01-29 21:45 <DIR> d-------- C:\Program Files\PeerCast
2008-01-27 18:10 . 2008-01-27 18:10 <DIR> d-------- C:\Program Files\Gameforge4D
2008-01-27 18:10 . 2004-05-10 13:14 118,272 --a------ C:\WINDOWS\system32\SX5363S.DLL
2008-01-27 18:10 . 2004-05-10 13:14 102,400 --a------ C:\WINDOWS\system32\RV32RTP.dll
2008-01-27 18:10 . 2004-05-10 13:15 40 --a------ C:\WINDOWS\system32\Sx5363.ini
2008-01-24 20:12 . 2008-01-24 20:12 <DIR> d-------- C:\Program Files\Samsung
2008-01-24 20:12 . 2005-08-17 08:46 93,872 --a------ C:\WINDOWS\system32\drivers\sscdmdm.sys
2008-01-24 20:12 . 2005-08-17 08:47 73,696 --a------ C:\WINDOWS\system32\drivers\sscdserd.sys
2008-01-24 20:12 . 2005-08-17 08:45 58,352 --a------ C:\WINDOWS\system32\drivers\sscdbus.sys
2008-01-24 20:12 . 2005-08-17 08:46 8,272 --a------ C:\WINDOWS\system32\drivers\sscdmdfl.sys
2008-01-24 20:12 . 2005-08-17 08:47 6,176 --a------ C:\WINDOWS\system32\drivers\sscdcmnt.sys
2008-01-24 20:12 . 2005-08-17 08:47 6,176 --a------ C:\WINDOWS\system32\drivers\sscdcm.sys
2008-01-24 20:12 . 2005-08-17 08:44 5,840 --a------ C:\WINDOWS\system32\drivers\sscdwhnt.sys
2008-01-24 20:12 . 2005-08-17 08:44 5,840 --a------ C:\WINDOWS\system32\drivers\sscdwh.sys
2008-01-24 20:11 . 2008-02-04 21:32 1,609,728 --a------ C:\WINDOWS\MEDB.mdb
2008-01-20 23:24 . 2008-01-21 12:34 <DIR> d-------- C:\Program Files\Audiosurf
2008-01-15 22:04 . 2008-01-15 22:04 <DIR> d-------- C:\Program Files\SMART Technologies Inc
2008-01-14 19:00 . 2008-01-14 19:00 17,144 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 23:17 --------- d-----w C:\Program Files\Google
2008-02-08 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 22:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-08 20:03 --------- d-----w C:\Program Files\McAfee
2008-02-07 01:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-02-05 01:06 --------- d-----w C:\Program Files\Windows Defender
2008-02-05 01:06 --------- d-----w C:\Program Files\AIM6
2008-02-03 14:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 16:23 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-01 22:36 --------- d-----w C:\Program Files\DivX
2008-02-01 02:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 22:22 --------- d-----w C:\Program Files\World of Warcraft
2008-01-13 16:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-01-13 15:39 --------- d-----w C:\Program Files\Azureus
2008-01-10 02:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-10 02:23 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-06 22:26 --------- d-----w C:\Program Files\Apple Software Update
2008-01-06 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-06 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-31 21:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2007-12-31 21:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2007-12-31 20:46 --------- d-----w C:\Program Files\Skype
2007-12-31 20:45 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-31 20:43 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-31 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-26 19:27 --------- d-----w C:\Program Files\Java
2007-12-18 02:44 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-17 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-16 15:52 --------- d-----w C:\Program Files\There
2007-12-15 17:31 --------- d-----w C:\Program Files\Steam
2007-12-11 02:55 --------- d-----w C:\Program Files\LimeWire
2007-12-11 02:54 --------- d-----w C:\Program Files\Common Files\Java
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 00:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 50,528 2007-10-04 15:20:54 C:\Program Files\AIM6\bak\aim6.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\AIM6\aim6.exe

----a-w 267,048 2008-01-15 08:22:56 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-09-25 06:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\mcagent.exe

----a-w 385,024 2008-01-10 20:27:36 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\QuickTime\qttask.exe

----a-w 36,640 2007-08-24 21:57:48 C:\Program Files\SiteAdvisor\6172\bak\SiteAdv.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

----a-w 866,584 2006-11-04 00:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 14,860 2008-02-05 01:04:32 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 14,860 2008-02-05 01:04:32 C:\WINDOWS\system32\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-02-04 20:04 14860]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2002-11-13 02:34 73728 C:\WINDOWS\system32\sstray.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-02-04 20:04 14860]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-02-04 20:04 14860]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-04 20:04 14860]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2008-02-04 20:04 14860]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-02-04 20:04 14860]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 20:04 14860]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-12-03 16:35:53 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2004-08-27 03:18]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-05-20 04:35]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:26:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-04 02:39:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:06:25 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-02-09 23:39:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-01 20:03:36 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 22:33:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
.
**************************************************************************
.
Completion time: 2008-02-09 22:36:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 03:36:15
ComboFix2.txt 2008-02-09 23:45:39
ComboFix3.txt 2008-02-09 13:10:27
.
2008-02-07 19:55:45 --- E O F ---
  • 0

#10
kahdah
Posted 09 February 2008 - 09:51 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\Program Files\AIM6\bak\aim6.exe"
    "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\Program Files\Windows Defender\bak\MSASCui.exe"
    "C:\WINDOWS\system32\bak\NeroCheck.exe"
    "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
    "C:\Program Files\SiteAdvisor\6172\bak\SiteAdv.exe"
    "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
    "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

Advertisements

#11
Rensu
Posted 09 February 2008 - 10:00 PM

Rensu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sat 02/09/2008
The current time is: 22:58:59.29


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

10/04/2007 10:20 AM 50,528 aim6.exe
1 File(s) 50,528 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

01/15/2008 03:22 AM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/10/2008 03:27 PM 385,024 qttask.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 10:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

08/03/2007 10:33 PM 582,992 mcagent.exe
1 File(s) 582,992 bytes

Directory of C:\PROGRA~1\SITEAD~1\6172\BAK

08/24/2007 04:57 PM 36,640 SiteAdv.exe
1 File(s) 36,640 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50528 Oct 4 2007 "C:\Program Files\AIM6\aim6.exe"
50528 Oct 4 2007 "C:\Program Files\AIM6\bak\aim6.exe"
267048 Jan 15 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Jan 15 2008 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 30 2008 "C:\WINDOWS\Installer\{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}\iTunesIco.exe"
79144 Jan 30 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.0.29\iTunesSetupAdmin.exe"
385024 Jan 10 2008 "C:\Program Files\QuickTime\qttask.exe"
385024 Jan 10 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
582992 Aug 3 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
582992 Aug 3 2007 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
36640 Aug 24 2007 "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe"
36640 Aug 24 2007 "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
36640 Aug 24 2007 "C:\Program Files\SiteAdvisor\6172\bak\SiteAdv.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132760 Dec 8 2007 "C:\Program Files\Azureus\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report
  • 0

#12
kahdah
Posted 09 February 2008 - 10:03 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Program Files\AIM6\bak
    C:\Program Files\iTunes\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\Windows Defender\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\McAfee.com\Agent\bak
    C:\Program Files\SiteAdvisor\6172\bak
    C:\Program Files\Adobe\Reader 8.0\Reader\bak
    C:\Program Files\Java\jre1.6.0_03\bin\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#13
Rensu
Posted 09 February 2008 - 11:23 PM

Rensu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 02/10/2008
The current time is: 0:22:01.32


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Thank you for the help, again. :3
  • 0

#14
kahdah
Posted 10 February 2008 - 06:33 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.

  • 0

#15
Rensu
Posted 11 February 2008 - 03:32 PM

Rensu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Attached File  scanner.html   67.27KB   9 downloads

Not sure what you meant by 'attach'..so here's it in copy-paste AND html format! Wheee.

KASPERSKY ONLINE SCANNER REPORT
Monday, February 11, 2008 4:30:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/02/2008
Kaspersky Anti-Virus database records: 558085


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 76942
Number of viruses found 8
Number of infected objects 47
Number of suspicious objects 0
Duration of the scan process 01:15:45

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\ProductPath\pgs.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\~uga6psetup.exe/file14 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\~uga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\~uga6psetup.exe/file23 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\~uga6psetup.exe/file24 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\~uga6psetup.exe/file26 Infected: not-a-virus:FraudTool.Win32.BestSeller.c skipped

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\~uga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\~uga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\~uga6psetup.exe Inno: infected - 7 skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR10.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11292007-133601.log Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\AOL OCP\AIM\Storage\data\flodafox\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{063C0EB7-83E8-4A00-AAB2-4979B40145A8} Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008021120080212\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\1988 Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Documents and Settings\Owner\Local Settings\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Documents and Settings\Owner\Local Settings\Temp\mirc631.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Owner\Local Settings\Temp\sqlite_YF7EkMsb7Pj4z2e Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF4F5D.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GH0SK0AB\mirc631[1].exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GH0SK0AB\mirc631[1].exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GH0SK0AB\mirc631[1].exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GH0SK0AB\mirc631[1].exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GH0SK0AB\mirc631[1].exe NSIS: infected - 4 skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\QooBox\Quarantine\C\Program Files\MediaEntertainmentCodec\MediaEntertainmentCodec.ocx.vir Infected: Trojan.Win32.Agent.fdr skipped

C:\QooBox\Quarantine\C\WINDOWS\emotrlq.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.awv skipped

C:\QooBox\Quarantine\C\WINDOWS\fsxloqf.exe.vir Infected: not-a-virus:AdWare.Win32.Vapsup.awv skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP74\A0068889.exe Infected: Packed.Win32.PolyCrypt.g skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP74\A0068890.exe Infected: Packed.Win32.PolyCrypt.g skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP83\A0069560.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069708.exe/stream/Script Infected: not-a-virus:AdWare.Win32.Vapsup.avv skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069708.exe/stream Infected: not-a-virus:AdWare.Win32.Vapsup.avv skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069708.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069711.exe/stream/Script Infected: not-a-virus:AdWare.Win32.Vapsup.avv skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069711.exe/stream Infected: not-a-virus:AdWare.Win32.Vapsup.avv skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069711.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069712.exe/stream/Script Infected: not-a-virus:AdWare.Win32.Vapsup.avv skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069712.exe/stream Infected: not-a-virus:AdWare.Win32.Vapsup.avv skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP85\A0069712.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071054.ocx Infected: Trojan.Win32.Agent.fdr skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071076.dll Infected: not-a-virus:AdWare.Win32.Vapsup.awv skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071077.exe Infected: not-a-virus:AdWare.Win32.Vapsup.awv skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071125.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071126.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071127.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071128.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071129.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071131.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071132.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\A0071133.exe Infected: Trojan.Win32.KillAV.oh skipped

C:\System Volume Information\_restore{7092F39F-BA42-4F20-93E5-737F07F0591A}\RP91\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Prefetch\Layout.ini Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{BCC7C7B0-DE5B-4788-99F7-4E12F4C6EBB1}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcmsc_SpMzQMOphepSMG3 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_WzWmJdn7j1OMZxh Object is locked skipped

C:\WINDOWS\Temp\sqlite_8vF2hmfgYNI15pG Object is locked skipped

C:\WINDOWS\Temp\sqlite_Ln6rrhwdF5vrp4B Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\02092008_020622\WINDOWS\bdmnopx.dll Infected: not-a-virus:AdWare.Win32.Vapsup.awv skipped

C:\_OTMoveIt\MovedFiles\02092008_020622\WINDOWS\dmdqdrxglr.dll Infected: not-a-virus:AdWare.Win32.Vapsup.awv skipped

C:\_OTMoveIt\MovedFiles\02092008_020901\WINDOWS\admggxp.dll Infected: not-a-virus:AdWare.Win32.Vapsup.awv skipped

Scan process completed.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP