Desperate for help with this virus... [RESOLVED]

#1 Cadiebri (Member, 12 posts)

I have tried about everything I can think of and what others have suggested I do to get rid of this virus. Here is my Hijack log. Thank You in advance for your help. :)

Cadiebri


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:06 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...p/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.n...p;attr=channels
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...FIOS/tgctlcm.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.ist...ls/launcher.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...nner/wlscbase370.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...,0,5252/mcfscan.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

--
End of file - 8524 bytes

#2 Cadiebri (Topic Starter, Member, 12 posts)

Bump... Please, can anyone help?

#3 JSntgRvr (Global Moderator, 10,961 posts)

Hi, Cadiebri :)

Welcome.

Let's take a deeper look, but first, open Notepad. Select Format from the menu and deselect Word Wrap. Close Notepad.

Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both main.txt and extra.txt in your next reply.
If the files are too long, attach them to a reply:
  • Scroll down and click the [Manage Attachments] button
  • Browse to the following folder:
    • C:\Deckard\System Scanner
  • Click Upload to upload these files one by one
  • Submit your reply


#4 Cadiebri (Topic Starter, Member, 12 posts)

Deckard's System Scanner v20071014.68
Run by Carol on 2008-03-28 08:32:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-03-28 12:32:54 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Carol.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:57 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SiSUSBrg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Carol\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Carol.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.n...p;attr=channels
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.ist...ls/launcher.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...252/mcfscan.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

--
End of file - 8662 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>

S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S3 AC2003 - c:\windows\system32\drivers\ac2003.sys <Not Verified; ABIT Computer Corp.; AC2003 Device Driver>
S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)
S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-15 01:20:01 350 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-03-01 02:00:21 352 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-02-28 and 2008-03-28 -----------------------------

2008-03-28 07:59:20 0 d-------- C:\WINDOWS\LastGood
2008-03-26 08:15:13 0 d-------- C:\Documents and Settings\Carol\Application Data\Grisoft
2008-03-25 17:54:52 0 d-------- C:\Program Files\SpywareBlaster
2008-03-25 16:38:59 0 d-------- C:\wowaddon2
2008-03-25 08:48:21 0 d-------- C:\Logs
2008-03-18 10:34:42 0 d-------- C:\Program Files\Windows Live Safety Center
2008-03-18 09:43:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 22:13:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-15 21:36:24 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-15 21:36:19 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-15 21:36:19 0 d-------- C:\Documents and Settings\Carol\Application Data\SUPERAntiSpyware.com
2008-03-15 12:48:24 0 d-------- C:\Documents and Settings\Carol\Application Data\Uniblue
2008-03-15 12:03:18 0 d-------- C:\Program Files\Trend Micro
2008-03-15 06:37:48 0 d-------- C:\WINDOWS\McAfee.com
2008-03-15 05:22:36 0 d-------- C:\Documents and Settings\Carol\Application Data\McAfee
2008-03-10 20:08:27 0 d-------- C:\Program Files\eSoftware


-- Find3M Report ---------------------------------------------------------------

2008-03-28 08:17:28 0 d-------- C:\Documents and Settings\Carol\Application Data\ComcastToolbar
2008-03-28 07:56:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-28 07:53:46 0 d-------- C:\Documents and Settings\Carol\Application Data\AdobeUM
2008-03-25 17:01:12 128380 --a------ C:\Documents and Settings\Carol\Application Data\Cosmos Prefs
2008-03-25 11:18:31 0 d-------- C:\Program Files\Chill
2008-03-25 08:21:48 0 d-------- C:\Program Files\World of Warcraft
2008-03-18 11:52:04 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 12:03:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-16 03:20:57 4456 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-15 11:36:46 0 d-------- C:\Program Files\Java
2008-03-12 14:19:47 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-26 10:58:51 0 d-------- C:\Program Files\StarWarsGalaxies
2008-02-26 09:31:42 0 d-------- C:\Documents and Settings\Carol\Application Data\Gaijin Ent
2008-02-26 09:26:01 0 d-------- C:\Program Files\GamesBar
2008-02-26 09:25:45 0 d-------- C:\Program Files\Common Files
2008-02-26 09:25:45 0 d-------- C:\Program Files\Common Files\Oberon Media
2008-02-25 09:30:07 0 d-------- C:\Program Files\McAfee
2008-02-24 09:24:48 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-02-24 09:24:48 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-02-24 09:22:47 14348 --a------ C:\WINDOWS\SiSUSBrg.exe
2008-02-19 19:57:39 0 d-------- C:\Documents and Settings\Carol\Application Data\ATI
2008-02-19 19:50:31 0 d-------- C:\Program Files\ATI Technologies
2008-02-19 12:13:44 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-02-19 10:46:03 0 d-------- C:\Program Files\Runtime Software
2008-02-19 02:49:25 0 d-------- C:\Program Files\Common Files\Seagate
2008-02-19 02:48:58 0 d-------- C:\Program Files\Seagate
2008-02-17 15:03:10 0 d-------- C:\Program Files\Belarc
2008-02-07 19:08:46 0 d-------- C:\Documents and Settings\Carol\Application Data\Yahoo!
2008-02-07 16:40:18 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-07 16:40:13 0 d-------- C:\Documents and Settings\Carol\Application Data\Mozilla
2008-02-07 16:27:22 0 d-------- C:\Program Files\Yahoo!
2008-02-07 10:07:21 0 d-------- C:\Program Files\WinBudget
2008-02-01 00:13:07 0 d-------- C:\Documents and Settings\Carol\Application Data\Adobe
2008-01-31 22:23:08 0 d-------- C:\Documents and Settings\Carol\Application Data\Intuit
2008-01-31 22:18:42 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-31 21:47:07 0 d-------- C:\Program Files\TurboTax
2008-01-28 13:02:11 45 --a------ C:\WINDOWS\popcinfo.dat
2008-01-28 11:36:26 0 d-------- C:\Program Files\Sony


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E}]
03/10/2008 08:08 PM 282636 --a------ C:\Program Files\eSoftware\studio.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [02/24/2008 09:22 AM]
"SoundMan"="SOUNDMAN.EXE" [07/01/2004 06:23 AM C:\WINDOWS\SOUNDMAN.EXE]
"@"="" []
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [02/24/2008 09:22 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [02/24/2008 09:22 AM]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [02/24/2008 09:22 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [04/19/2007 10:24 PM]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [04/19/2007 10:38 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [02/24/2008 09:22 AM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 04:41 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [02/24/2008 09:22 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8075 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-28 08:35:03 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
CPU 1: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2047.48 MiB / 1532.54 MiB
Pagefile Memory (total/avail): 4969.52 MiB / 4519.47 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.81 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 298.09 GiB total, 255.36 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3320620A - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\World of Warcraft\\WoW-1.2.1-patch-enUS-Downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.2.1-patch-enUS-Downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe:*:Enabled:_aunchPad"
"C:\\World of Warcraft\\WoW-1.2.3-patch-enUS-Downloader.exe"="C:\\World of Warcraft\\WoW-1.2.3-patch-enUS-Downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\World of Warcraft\\WoW-1.2.4-to-1.3.0-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.2.4-to-1.3.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"\\\\Tim1\\C\\T1downloads\\WOW stuff\\finished\\Repair.exe"="\\\\Tim1\\C\\T1downloads\\WOW stuff\\finished\\Repair.exe:*:Enabled:Repair.exe"
"C:\\World of Warcraft\\WoW-1.3.1.4297-to-1.4.0-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.3.1.4297-to-1.4.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\World of Warcraft\\WoW-1.7.0-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.7.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Charter High-Speed Security Suite\\backweb\\3528733\\Program\\fspex.exe"="C:\\Program Files\\Charter High-Speed Security Suite\\backweb\\3528733\\Program\\fspex.exe:*:Enabled:Charter High-Speed Security Suite"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\My Games\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\My Games\\Wheel of Fortune\\Wheel of Fortune.exe:*:Enabled:Wheel of Fortune"
"C:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\World of Warcraft\\BackgroundDownloader.exe"="C:\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Tulga Games\\Horizons\\horizons.exe"="C:\\Program Files\\Tulga Games\\Horizons\\horizons.exe:*:Enabled:horizons"
"C:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"="C:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe:*:Enabled:Dungeon Siege 2 Game Executable"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Carol\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CAROL1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Carol
LOGONSERVER=\\CAROL1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Carol\LOCALS~1\Temp
TMP=C:\DOCUME~1\Carol\LOCALS~1\Temp
USERDOMAIN=CAROL1
USERNAME=Carol
USERPROFILE=C:\Documents and Settings\Carol
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Carol (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Comcast Toolbar --> C:\Program Files\ComcastToolbar\uninstall.exe
Desktop Doctor --> "C:\Program Files\Support.com\providerComcast\Uninstall.exe" /c "Remove Desktop Doctor?"
Dungeon Siege 2 --> "C:\Program Files\Microsoft Games\Dungeon Siege 2\UNINSTAL.EXE" /runtemp /uninstall
EQ2MAP Updater 1.0.6 --> C:\Program Files\EQ2MAP Updater\uninst.exe
EverQuest II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2ED6DAA-31AA-49E4-BFA1-AF3388D90F7D}\Setup.exe" -l0x9 -removeonly
EverQuest Titanium --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32714287-4234-412A-877B-D33AFABFDE2B}\setup.exe" -l0x9
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hoyle Card Games 3 --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\CARD3\Uninst.isu
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark Z600 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
Mahjongg Artifacts 2 --> "C:\Program Files\Chill\Mahjongg Artifacts 2\Uninstall.exe" "C:\Program Files\Chill\Mahjongg Artifacts 2\install.log"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Seagate DiscWizard --> MsiExec.exe /X{81A60A13-224D-4637-8203-3EAC03B121A4}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Star Wars Galaxies: The Total Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B257C09-6A05-4308-9A6D-E8A2CAE21EA9}\setup.exe" -l0x9
TurboTax Basic 2006 --> C:\Program Files\TurboTax\Basic 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Basic 2006\Uninstall.log" -NoGui
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Connect --> msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect --> MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type10523 / Error
Event Submitted/Written: 03/28/2008 08:13:24 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16608, faulting module studio.dll, version 2.0.0.0, fault address 0x00018840.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type10522 / Error
Event Submitted/Written: 03/28/2008 08:08:18 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application install_flash_player.exe, version 9.0.115.0, faulting module nsisarray.dll, version 0.0.0.0, fault address 0x00003a6b.
Processing media-specific event for [install_flash_player.exe!ws!]

Event Record #/Type10511 / Error
Event Submitted/Written: 03/28/2008 07:04:28 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.31114, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type10499 / Error
Event Submitted/Written: 03/26/2008 03:02:29 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type10476 / Error
Event Submitted/Written: 03/24/2008 03:16:26 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.20121, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type61756 / Error
Event Submitted/Written: 03/28/2008 07:59:15 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Event Record #/Type61752 / Error
Event Submitted/Written: 03/28/2008 07:57:48 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {6A972E27-93E2-4F98-8367-4101B2073814} did not register with DCOM within the required timeout.

Event Record #/Type61747 / Error
Event Submitted/Written: 03/28/2008 07:56:16 AM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The McAfee SystemGuards service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Event Record #/Type61745 / Error
Event Submitted/Written: 03/28/2008 07:54:35 AM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Event Record #/Type61714 / Error
Event Submitted/Written: 03/28/2008 07:13:53 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
SASKUTIL



-- End of Deckard's System Scanner: finished at 2008-03-28 08:35:03
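The AuthorizedApplications dump in the DSS report above (the lines of the form `"path"="path:scope:Enabled:name"`) is worth a second look in its own right: it lets C:\WINDOWS\system32\rundll32.exe and ftp.exe through the firewall for any remote address, and it contains an exception for an executable on another machine's share (\\Tim1\...). The page does not tie any of those entries to the infection, but an allow-list like this is something a reviewer audits rather than scrolls past. The following is an added example, not code from the original thread or from DSS, HijackThis or MRT. It parses lines in that export format and flags the entries a reviewer would question; the LOLBINS set and the sample subset (copied from the log above) are my own choices, and the unescaping assumes the doubled backslashes of a .reg-style export.

```python
import re

# Sample input: six lines copied from the AuthorizedApplications dump in
# the DSS report above (a constructed subset for this example).
SAMPLE_LINES = r'''
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"\\\\Tim1\\C\\T1downloads\\WOW stuff\\finished\\Repair.exe"="\\\\Tim1\\C\\T1downloads\\WOW stuff\\finished\\Repair.exe:*:Enabled:Repair.exe"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
'''

# Each value is "<path>:<scope>:<Enabled|Disabled>:<display name>"; the
# export doubles every backslash, .reg-file style.
LINE_RE = re.compile(r'^"(?P<key>.*)"="(?P<value>.*)"$')

# Built-in Windows binaries that load or run arbitrary code; a firewall
# exception for them is an exception for anything that can invoke them.
# (My own list for this example, not taken from the page.)
LOLBINS = {"rundll32.exe", "ftp.exe", "cmd.exe", "cscript.exe", "wscript.exe",
           "regsvr32.exe", "mshta.exe", "msiexec.exe"}


def parse_entry(line):
    """Parse one exported AuthorizedApplications line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value").replace("\\\\", "\\")  # undo the export escaping
    # Split from the right so the drive-letter colon stays inside the path.
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "name": name}


def audit_entries(text):
    """Return [(path, reason), ...] for enabled exceptions worth a second look."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["state"] != "Enabled":
            continue
        path = entry["path"]
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in LOLBINS:
            reasons.append("Windows utility that runs arbitrary code is allowed through the firewall")
        if path.startswith("\\\\"):
            reasons.append("executable lives on a network share (UNC path)")
        if reasons and entry["scope"] == "*":
            reasons.append("scope is '*' (any remote address), not LocalSubNet")
        for reason in reasons:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in audit_entries(SAMPLE_LINES):
        print(f"{path}: {reason}")
```

On the sample above this reports ftp.exe, rundll32.exe and the \\Tim1 share entry, each also tagged for its `*` scope; the TurboTax entries, scoped to LocalSubNet, and the ordinary application entries pass. Any real hit still needs a human decision: rundll32.exe is often added by Windows itself, so the question is whether the exception is still needed, not whether it is malicious.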

#5 JSntgRvr (Global Moderator)

Hi, Cadiebri :)

I do not see a problem in this log, except for the contents of C:\Program Files\eSoftware, from where a Browser Helper Object is being run. Can you identify this program?

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#6 Cadiebri (Topic Starter)

Hi JSntgRvr :)

Here is the log that you last requested, and as for the eSoftware, I had never seen that before, but I believe that this last scan took it out. Another thing I've noticed is IE is taking a very long time to load, but when I use Mozilla Firefox it's like almost instant. Any idea what that might be? Should I scan again with Windows MRT to see if the Backdoor:Win32/Zonebac.gen!F is gone? Thank you, Cadie.

Malwarebytes' Anti-Malware 1.09
Database version: 560

Scan type: Quick Scan
Objects scanned: 34042
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d83a7b12-a4d4-4984-8f72-d41c6b4c1e6e} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d83a7b12-a4d4-4984-8f72-d41c6b4c1e6e} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\eSoftware\studio.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\tempzor (Adware.AdMedia) -> Quarantined and deleted successfully.

#7 JSntgRvr (Global Moderator)

Hi, Cadiebri :)

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\eSoftware
C:\Program Files\WinBudget


Restart the computer.

Please re-scan with Hijackthis and post a fresh log.

How is the computer doing?

#8 Cadiebri (Topic Starter)

Hi JSntgRvr :)

Here is the new HiJack log. Well, when I use the Mozilla Firefox browser it's zooming! Very nice and smooth. However, IE is soooo slow and can't download flash_player 9 for some reason; when I go to download it there is no button there to download, just an x in a box. Also when I play World of Warcraft or one of my Mahjong games the game will minimize for no reason whatsoever. I re-did a Windows MRT and it says the back door is still there, but some of the other files that were infected are now gone. This is what Windows is showing as potentially viral. Just thought I would add this for you to look at. Cadiebri

C:\WINDOWS\SISUSBrg.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\support.com\bin\start tgcmd.lnk
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:55 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SiSUSBrg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.n...p;attr=channels
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.ist...ls/launcher.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...252/mcfscan.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

--
End of file - 8578 bytes

#9 JSntgRvr (Global Moderator)

Hi, Cadiebri :)

It could be a setting in IE. How do you connect to the Internet?

Open the Internet Options in the Control Panel. Select the Security tab. Set all ranges to Default by clicking on each range individually and then on Default. Click OK out of the properties window and restart the computer if prompted.

Concerning the backdoor, there is no sign of it in your logs. Can you provide me with more information on the MRT report? The files you mention above are legit files.

#10 Cadiebri (Topic Starter)

Hi JSntgRvr :)

I did the IE settings like you suggested and it did nothing to change it. It's very weird how it happens too: I can be playing a game for literally hours and then all of a sudden it will start minimizing like crazy. If I reboot my comp then it will go hours some more and then start up again. As for the Windows MRT, it just shows that the Backdoor:Win32/Zonebac.gen!F virus is in those 7 files that I showed in the post before this one, but it says "the following files may be infected by malicious software. The entire contents of the selected files will be sent to Microsoft for analysis." Something keeps corrupting my flash_player as well. I have to keep uninstalling it and installing it again. I have it working now on both browsers at the moment. I just can't seem to understand what is causing the minimizing and it's maddening! :) Cadie.

#11 JSntgRvr (Global Moderator)

Hi, Cadiebri :)

MRT could be right. All these files seem to have been patched at the same date and time:

"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [02/24/2008 09:22 AM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [02/24/2008 09:22 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [02/24/2008 09:22 AM]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [02/24/2008 09:22 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [02/24/2008 09:22 AM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [02/24/2008 09:22 AM]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
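JSntgRvr's point above is a timestamp heuristic, and it is the sharpest piece of evidence in the thread: six autorun executables from unrelated vendors (SiS, Microsoft, Support.com, Sun, Acronis) all carry the same last-write time, 02/24/2008 09:22 AM, which is what a file-patching infection leaves behind and what the scanners that only check the Run-key strings, not the files themselves, cannot see. The following is an added example, not part of the original thread and not code from DSS, MRT or ComboFix. It parses Run-key lines in the format quoted above and reports clusters of binaries that share one timestamp across several directories. The mcagent_exe control entry and its timestamp are constructed for the example, and the threshold (three or more files in two or more directories) is my choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the six Run-key entries quoted above, plus one constructed
# control entry (the mcagent_exe line and its timestamp are made up for
# this example) whose timestamp does not match the others.
SAMPLE_RUN_DUMP = r'''
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [02/24/2008 09:22 AM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [02/24/2008 09:22 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [02/24/2008 09:22 AM]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [02/24/2008 09:22 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [02/24/2008 09:22 AM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [02/24/2008 09:22 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03/15/2008 05:22 AM]
'''

# "<value name>"="<path>" [<file timestamp>]; finditer copes with entries
# that have been run together onto one line, as in the quote above.
ENTRY_RE = re.compile(r'"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<stamp>[^\]]+)\]')


def parse_run_entries(text):
    """Return a list of (name, path, timestamp) tuples from a DSS Run-key dump."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        stamp = datetime.strptime(m.group("stamp").strip(), "%m/%d/%Y %I:%M %p")
        entries.append((m.group("name"), m.group("path"), stamp))
    return entries


def find_timestamp_clusters(entries, min_size=3):
    """Group entries by identical timestamp; return clusters spanning several directories.

    Binaries from unrelated vendors do not normally get rewritten in the same
    minute, so a cluster like this is what a file-patching infection looks like
    in a timestamp listing.  A service pack, a disk-image restore or a bulk
    'touch' can produce the same pattern, so check the date against update
    history before acting on it.
    """
    by_stamp = defaultdict(list)
    for name, path, stamp in entries:
        by_stamp[stamp].append((name, path))
    clusters = {}
    for stamp, items in by_stamp.items():
        directories = {path.rsplit("\\", 1)[0].lower() for _, path in items}
        if len(items) >= min_size and len(directories) >= 2:
            clusters[stamp] = items
    return clusters


if __name__ == "__main__":
    for stamp, items in find_timestamp_clusters(parse_run_entries(SAMPLE_RUN_DUMP)).items():
        print(f"{stamp:%Y-%m-%d %H:%M}: {len(items)} autorun binaries share this timestamp")
        for name, path in items:
            print(f"  {name}: {path}")
```

Run against the sample, it reports one cluster of six files at 2008-02-24 09:22 and leaves the control entry alone. The practical follow-up is the one JSntgRvr takes next: a tool that inspects the files themselves, and, for anything it confirms, reinstalling the affected vendor packages rather than trusting a cleaned binary.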

#12 Cadiebri (Topic Starter)

Hi Again :)

Here are the logs you were requesting.

ComboFix 08-03-30.3 - Carol 2008-03-31 10:18:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1636 [GMT -4:00]
Running from: C:\Documents and Settings\Carol\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-28 13:03 . 2008-03-28 13:03 <DIR> d-------- C:\Documents and Settings\Carol\Application Data\Malwarebytes
2008-03-28 13:02 . 2008-03-28 13:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 13:02 . 2008-03-28 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 08:32 . 2008-03-28 08:32 <DIR> d-------- C:\Deckard
2008-03-26 08:15 . 2008-03-26 08:15 <DIR> d-------- C:\Documents and Settings\Carol\Application Data\Grisoft
2008-03-26 08:14 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-25 17:54 . 2008-03-31 10:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-25 17:54 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-03-25 16:38 . 2008-03-27 08:37 <DIR> d-------- C:\wowaddon2
2008-03-25 08:48 . 2008-03-25 08:48 <DIR> d-------- C:\Logs
2008-03-18 10:34 . 2008-03-18 10:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-18 09:43 . 2008-03-31 10:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-18 09:43 . 2008-03-31 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 22:13 . 2008-03-15 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-15 21:36 . 2008-03-18 11:52 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-15 21:36 . 2008-03-18 11:52 <DIR> d-------- C:\Documents and Settings\Carol\Application Data\SUPERAntiSpyware.com
2008-03-15 21:36 . 2008-03-15 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-15 12:48 . 2008-03-15 12:48 <DIR> d-------- C:\Documents and Settings\Carol\Application Data\Uniblue
2008-03-15 12:03 . 2008-03-15 12:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 06:37 . 2008-03-15 06:37 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-15 05:31 . 2008-03-15 05:31 61,224 --a------ C:\Documents and Settings\Carol\GoToAssistDownloadHelper.exe
2008-03-15 05:22 . 2008-03-15 05:22 <DIR> d-------- C:\Documents and Settings\Carol\Application Data\McAfee
2008-03-12 13:09 . 2008-03-12 13:09 2,323 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-26 14:35 . 2003-10-13 16:30 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-02-26 14:35 . 2003-09-26 00:28 31,930 --a------ C:\WINDOWS\system32\GTNDIS3.VXD
2008-02-26 14:35 . 2003-09-25 23:15 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2008-02-26 09:31 . 2008-02-26 09:31 <DIR> d-------- C:\Documents and Settings\Carol\Application Data\Gaijin Ent
2008-02-26 09:26 . 2008-02-26 09:26 <DIR> d-------- C:\Program Files\GamesBar
2008-02-26 09:25 . 2008-02-26 09:25 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-02-26 09:25 . 2008-03-25 11:18 <DIR> d-------- C:\Program Files\Chill
2008-02-26 09:22 . 2008-02-27 16:15 <DIR> d-------- C:\chillgamestrial
2008-02-21 09:53 . 2008-03-25 17:33 <DIR> d-------- C:\wowaddon
2008-02-19 19:57 . 2008-02-19 19:57 <DIR> d-------- C:\Documents and Settings\Carol\Application Data\ATI
2008-02-19 19:49 . 2008-02-19 19:50 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-19 19:49 . 2006-05-03 11:57 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-02-19 11:56 . 2008-03-25 08:21 <DIR> d-------- C:\Program Files\World of Warcraft
2008-02-19 02:57 . 2008-02-19 02:57 1,430,048 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2008-02-19 02:57 . 2008-02-19 02:59 1,024 --a------ C:\WINDOWS\system32\AutoPartNt.let
2008-02-19 02:54 . 2008-02-19 02:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-02-19 02:50 . 2008-02-19 02:50 392,320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-02-19 02:50 . 2008-02-19 02:50 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-02-19 02:49 . 2008-02-19 02:49 120,992 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-02-19 02:48 . 2008-02-19 02:48 <DIR> d-------- C:\Program Files\Seagate
2008-02-19 02:48 . 2008-02-19 02:49 <DIR> d-------- C:\Program Files\Common Files\Seagate
2008-02-19 02:41 . 2008-02-19 02:41 29,512 --a------ C:\WINDOWSSerifastd-black.otf
2008-02-19 02:41 . 2008-02-19 02:41 28,260 --a------ C:\WINDOWSSerifastd-lightitalic.otf
2008-02-19 02:41 . 2008-02-19 02:41 28,252 --a------ C:\WINDOWSSerifastd-italic.otf
2008-02-19 02:41 . 2008-02-19 02:41 27,772 --a------ C:\WINDOWSSerifastd-bold.otf
2008-02-19 02:41 . 2008-02-19 02:41 27,452 --a------ C:\WINDOWSSerifastd-roman.otf
2008-02-19 02:41 . 2008-02-19 02:41 27,440 --a------ C:\WINDOWSSerifastd-light.otf
2008-02-17 15:03 . 2008-02-17 15:03 <DIR> d-------- C:\Program Files\Belarc
2008-02-17 15:03 . 2005-04-07 17:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-02-17 14:55 . 2008-02-19 10:46 <DIR> d-------- C:\Program Files\Runtime Software
2008-02-08 11:25 . 2008-02-29 21:28 <DIR> d-------- C:\reciepes
2008-02-07 17:03 . 2008-02-07 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-07 16:40 . 2008-02-07 16:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-07 16:27 . 2008-02-07 19:08 <DIR> d-------- C:\Documents and Settings\Carol\Application Data\Yahoo!
2008-02-07 16:27 . 2008-02-07 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-05 21:06 . 2008-02-05 21:06 <DIR> d-------- C:\WINDOWS\system32\bak
2008-02-05 21:06 . 2008-02-05 21:06 <DIR> d-------- C:\WINDOWS\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 14:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-31 14:12 --------- d-----w C:\Documents and Settings\Carol\Application Data\ComcastToolbar
2008-03-28 11:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-28 11:53 --------- d-----w C:\Documents and Settings\Carol\Application Data\AdobeUM
2008-03-18 15:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 16:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 15:36 --------- d-----w C:\Program Files\Java
2008-03-15 09:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-12 18:19 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-26 14:58 --------- d-----w C:\Program Files\StarWarsGalaxies
2008-02-25 13:30 --------- d-----w C:\Program Files\McAfee
2008-02-24 13:24 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-02-24 13:24 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-24 13:22 14,348 ----a-w C:\WINDOWS\SiSUSBrg.exe
2008-02-19 16:13 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-07 20:27 --------- d-----w C:\Program Files\Yahoo!
2008-02-01 02:23 --------- d-----w C:\Documents and Settings\Carol\Application Data\Intuit
2008-02-01 02:18 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-01 01:47 --------- d-----w C:\Program Files\TurboTax
2008-01-28 15:36 --------- d-----w C:\Program Files\Sony
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2008-02-24 09:22 14348]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 06:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2008-02-24 09:22 14348]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2008-02-24 09:22 14348]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2008-02-24 09:22 14348]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 22:24 1169744]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 22:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-02-24 09:22 14348]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-02-24 09:22 14348]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 03:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:20:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 06:00:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 10:22:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-31 10:24:48 - machine was rebooted [Carol]
ComboFix-quarantined-files.txt 2008-03-31 14:24:44
Pre-Run: 274,001,002,496 bytes free
Post-Run: 273,932,771,328 bytes free
.
2008-03-12 17:09:42 --- E O F ---

HIJACK LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:37 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.n...p;attr=channels
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.ist...ls/launcher.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...252/mcfscan.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

--
End of file - 7849 bytes

#13
JSntgRvr (Global Moderator, 10,961 posts)

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


#14
Cadiebri (Topic Starter, Member, 12 posts)

Here ya go :)


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 03/31/2008
The current time is: 12:00:18.28


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

07/12/2002 06:15 AM 106,496 SiSUSBrg.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

06/03/2004 04:51 AM 172,032 type32.exe
1 File(s) 172,032 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

06/03/2004 04:50 AM 204,800 point32.exe
1 File(s) 204,800 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK

01/02/2006 05:41 PM 45,056 cli.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

08/04/2007 02:33 AM 582,992 mcagent.exe
1 File(s) 582,992 bytes

Directory of C:\PROGRA~1\SEAGATE\DISCWI~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

03/07/2007 10:58 AM 1,773,568 tgcmd.exe
1 File(s) 1,773,568 bytes

Directory of C:\PROGRA~1\COMMON~1\SEAGATE\SCHEDU~1\BAK

04/19/2007 10:29 PM 149,024 schedhlp.exe
1 File(s) 149,024 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 24 2008 "C:\WINDOWS\SiSUSBrg.exe"
106496 Jul 12 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
14348 Feb 24 2008 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
14348 Feb 24 2008 "C:\Program Files\Microsoft IntelliPoint\point32.exe"
204800 Jun 3 2004 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
45056 Jan 2 2006 "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe"
45056 Jan 2 2006 "C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
582992 Aug 3 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
14348 Feb 24 2008 "C:\Program Files\support.com\bin\tgcmd.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
14348 Feb 24 2008 "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
149024 Apr 19 2007 "C:\Program Files\Common Files\Seagate\Schedule2\bak\schedhlp.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
14348 Feb 24 2008 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

#15
JSntgRvr (Global Moderator, 10,961 posts)

Hi, Cadiebri :)

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\WINDOWS\BAK\SiSUSBrg.exe"
    "C:\PROGRAM FILES\Microsoft IntelliType Pro\BAK\type32.exe"
    "C:\PROGRAM FILES\Microsoft IntelliPoint\BAK\point32.exe"
    "C:\WINDOWS\SYSTEM32\BAK\ctfmon.exe"
    "C:\PROGRAM FILES\ATI Technologies\ATI.ACE\BAK\cli.exe"
    "C:\PROGRAM FILES\MCAFEE.COM\AGENT\BAK\mcagent.exe"
    "C:\PROGRAM FILES\SUPPORT.COM\BIN\BAK\tgcmd.exe"
    "C:\PROGRAM FILES\Common Files\SEAGATE\Schedule2\BAK\schedhlp.exe"
    "C:\PROGRAM FILES\JAVA\jre1.6.0_02\BIN\BAK\jusched.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

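What the FindAWF report in #14 and the restore step in #15 boil down to is two checks: does a Run-key target have a same-named copy in a sibling `bak` folder, and is the file now on the Run key a small stand-in rather than the original (the ComboFix Reg Loading Points above show the tell: nine unrelated entries all stamped `[2008-02-24 09:22 14348]`). The Python below is an added example written for this page; it is not code from the thread, from FindAWF or from ComboFix. It builds a throw-away directory tree using the sizes from the report (constructed data, zero-filled files), classifies each autostart target, and then performs the restore and re-audits. The "three or more autostart binaries of identical size marks the loader" heuristic, the `quarantine` folder and the relative path layout are assumptions of the example, not anything the tools on the page do.

```python
"""Audit autostart targets for the 'bak folder' substitution and restore originals.

Added example; mimics what the FindAWF report and its restore step do, on a
throw-away tree so it runs offline on any OS. The same-size-cluster heuristic
and the quarantine folder are assumptions of this example.
"""
import hashlib
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample tree (relative to a temp root standing in for C:\).
# 14,348-byte files are the stand-in loader; originals sit in a sibling 'bak'.
SAMPLE_FILES = {
    "WINDOWS/SiSUSBrg.exe": 14348,
    "WINDOWS/bak/SiSUSBrg.exe": 106496,
    "Program Files/Microsoft IntelliType Pro/type32.exe": 14348,
    "Program Files/Microsoft IntelliType Pro/bak/type32.exe": 172032,
    "Program Files/Support.com/bin/tgcmd.exe": 14348,
    "Program Files/Support.com/bin/bak/tgcmd.exe": 1773568,
    "WINDOWS/system32/ctfmon.exe": 15360,   # untouched; bak copy is identical
    "WINDOWS/system32/bak/ctfmon.exe": 15360,
    "WINDOWS/SOUNDMAN.EXE": 67584,          # no bak folder at all
}
# The Run-key targets a scanner would read from HKLM/HKCU ...\CurrentVersion\Run.
AUTOSTART = [p for p in SAMPLE_FILES if "/bak/" not in p]


def build_tree(root: Path) -> None:
    """Create zero-filled files of the listed sizes (content varies by size only)."""
    for rel, size in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\0" * size)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(root: Path, autostarts, min_cluster: int = 3) -> dict:
    """Classify each autostart target:
       'replaced'          bak copy present and the live file is the loader
       'bak-identical'     bak copy present but byte-identical (nothing swapped)
       'suspect-no-backup' loader-sized file with no bak copy to restore
       'clean'             no bak copy, size not in a loader cluster
    Assumption: a size shared by >= min_cluster unrelated autostart binaries is
    the loader signature (cf. the identical '14348' stamps in the ComboFix log)."""
    live = {rel: root / rel for rel in autostarts if (root / rel).is_file()}
    by_size = defaultdict(list)
    for rel, path in live.items():
        by_size[path.stat().st_size].append(rel)
    loader_sizes = {s for s, names in by_size.items() if len(names) >= min_cluster}
    result = {}
    for rel, path in live.items():
        bak = path.parent / "bak" / path.name
        in_cluster = path.stat().st_size in loader_sizes
        if bak.is_file():
            swapped = in_cluster or sha256(path) != sha256(bak)
            result[rel] = "replaced" if swapped else "bak-identical"
        else:
            result[rel] = "suspect-no-backup" if in_cluster else "clean"
    return result


def restore(root: Path, verdicts: dict) -> list:
    """Restore step: quarantine the live file, move the bak copy back into place,
    and drop the bak folder once it is empty. Returns the restored targets."""
    restored = []
    for rel, status in verdicts.items():
        if status not in ("replaced", "bak-identical"):
            continue
        path = root / rel
        bak = path.parent / "bak" / path.name
        quarantined = root / "quarantine" / rel.replace("/", "_")
        quarantined.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(quarantined))   # keep the loader for analysis
        shutil.move(str(bak), str(path))           # original back on the Run key
        if not any(bak.parent.iterdir()):
            bak.parent.rmdir()
        restored.append(rel)
    return restored


def demo():
    """Build the sample tree, audit it, restore, audit again, clean up."""
    root = Path(tempfile.mkdtemp(prefix="awf-"))
    build_tree(root)
    before = audit(root, AUTOSTART)
    restored = restore(root, before)
    after = audit(root, AUTOSTART)
    shutil.rmtree(root)
    return before, restored, after


if __name__ == "__main__":
    before, restored, after = demo()
    for rel, status in before.items():
        print(f"{status:18} {rel}")
    print("restored:", restored)
    print("after restore:", sorted(set(after.values())))
```

Two design points worth keeping when adapting this to a real machine: file size alone is a weak signal (ctfmon.exe and its bak copy are both 15,360 bytes here, as in the report), so the check hashes the pair and only calls a same-size pair clean when the bytes match; and the displaced loader is moved to a quarantine folder rather than deleted, so there is something left to submit or hash after the restore. On a live system the `AUTOSTART` list would come from the Run keys themselves, and comparison against known-good hashes of the vendor binaries beats the size-cluster heuristic.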