Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware Found in ThreatFire Can't Get Rid of It [RESOLVED]


  • This topic is locked This topic is locked

#1
VidenTheColdOne

VidenTheColdOne

    Member

  • Member
  • PipPip
  • 53 posts
i recently downloaded threat fire, and have been using it for a bit, it's a very good tool. I did a full scan the other day, and it came up with 4 instances. I click the quarantine option, but it just sits there and says "processing" and will not get rid of the problems. I fear these may be causing my computer harm, and i need to get rid of them. How would you suggest i go about getting rid of these? I have Avast, and it doesn't seem to find them, i also have spyware doctor, and it finds nothing, also ad-aware, and spybot S&D, none of them are finding what TF is. I would include some screenshots, but they don't display the info well. It said there was some kind of Trojan gen. Here are the details:

System Scan Detected a threat
Triggered on 6/19/2008 at 12:56:53 AM
Triggered by I:\programs\Writers Tools-11in1-\WT.rar

Triggered by E:\Documents and Settings\Viden\My Documents\My Music\downloads\01498A8C\protected_07_19_2006_20_54_29.asf

Triggered by E:\Documents and Settings\Viden\My Documents\My Music\Downloads\023COBE8\protected_08_10_2006_13_35_01.asf

Triggered by E:\Documents and Settings\Viden\My Documents\My Music\Downloads\0263886D\protected_08_10_2006_14_18_08.asf


Now, i don't know what those files are in the "My Music" folder. I never use that folder, and i don't know why those files are there. Any help would be appreciated. Thanks If you need any more info let me know. Ty
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#3
VidenTheColdOne

VidenTheColdOne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Ok, i got the HijackThis file. I went to the Kaspersky site, and clicked "accept" I waited for like 10 minutes, and nothing happened. I reloaded and tried again, but nothing no activeX thing comes up. Am i doing something wrong? Or is there something wrong with my browser settings? Thanks.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:22 PM, on 6/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
E:\Program Files\LogMeIn\x86\RaMaint.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\nvsvc32.exe
D:\Programs\PrfldSvc.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\System32\alg.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
E:\Program Files\Comodo\Firewall\CPF.exe
E:\WINDOWS\system32\BtUsrBdg.exe
E:\WINDOWS\system32\BTSetBootKey.exe
e:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\Ideazon\ZEngine\Zboard.exe
E:\Program Files\ThreatFire\TFTray.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - E:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IntelliPoint] "e:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O5 "LPT1:" /M "Stylus C88"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Zboard] E:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P32 "EPSON Stylus C88 Series (Copy 1)" /O6 "USB001" /M "Stylus C88"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "e:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Uniblue SpyEraser] "E:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - E:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://game1.pogo.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206990587437
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.f...bal/msc3121.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCC5573-1720-4710-BE2C-FE210F2EE059}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - E:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Programs\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11259 bytes
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.




Click here to use the F-Secure Online Scanner
  • Then click the Start Scanning button below.
  • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.

  • 0

#5
VidenTheColdOne

VidenTheColdOne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
I will ost the scanner results when they are finished.



Deckard's System Scanner v20071014.68
Run by Viden on 2008-06-22 16:22:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Viden.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:39 PM, on 6/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
E:\Program Files\LogMeIn\x86\RaMaint.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\nvsvc32.exe
D:\Programs\PrfldSvc.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\System32\alg.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
E:\Program Files\Comodo\Firewall\CPF.exe
E:\WINDOWS\system32\BtUsrBdg.exe
E:\WINDOWS\system32\BTSetBootKey.exe
e:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\Ideazon\ZEngine\Zboard.exe
E:\Program Files\ThreatFire\TFTray.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Viden\Desktop\dss.exe
E:\PROGRA~1\TRENDM~1\HIJACK~1\Viden.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - E:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IntelliPoint] "e:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O5 "LPT1:" /M "Stylus C88"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Zboard] E:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P32 "EPSON Stylus C88 Series (Copy 1)" /O6 "USB001" /M "Stylus C88"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "e:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Uniblue SpyEraser] "E:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - E:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://game1.pogo.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206990587437
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.f...bal/msc3121.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCC5573-1720-4710-BE2C-FE210F2EE059}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - E:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Programs\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11293 bytes

-- Files created between 2008-05-22 and 2008-06-22 -----------------------------

2008-06-21 13:06:52 0 d-------- E:\Program Files\World of Warcraft Trial
2008-06-21 12:59:47 0 dr-h----- E:\Documents and Settings\Viden\Recent
2008-06-05 15:24:17 0 d-------- E:\Program Files\PlayOnline
2008-06-03 01:44:04 0 d-------- E:\Program Files\Rockstar Games
2008-05-31 22:42:34 0 d-------- E:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-31 20:21:58 0 d-------- E:\Program Files\Max Payne
2008-05-30 04:51:00 0 d-------- E:\Program Files\Black Isle
2008-05-30 03:13:33 0 d-------- E:\Program Files\ThreatFire
2008-05-30 03:13:33 0 d-------- E:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-25 23:36:06 98304 --a------ E:\WINDOWS\system32CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-05-25 03:23:41 0 d-------- E:\Program Files\Thief - Deadly Shadows
2008-05-24 00:42:45 0 d-------- E:\Program Files\Uniblue
2008-05-24 00:00:20 0 d-------- E:\Documents and Settings\Viden\Application Data\Uniblue


-- Find3M Report ---------------------------------------------------------------

2008-06-22 13:36:43 0 d-------- E:\Program Files\LogMeIn
2008-06-21 13:06:54 0 d-------- E:\Program Files\Common Files\Blizzard Entertainment
2008-06-20 23:13:27 0 d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-06-20 12:28:24 0 d-------- E:\Program Files\Spyware Doctor
2008-06-18 19:54:44 0 d-------- E:\Documents and Settings\Viden\Application Data\Auslogics
2008-06-08 18:41:31 0 d-------- E:\Program Files\SpeedFan
2008-06-05 15:56:19 0 d--h----- E:\Program Files\InstallShield Installation Information
2008-05-29 15:10:03 0 d-------- E:\Documents and Settings\Viden\Application Data\Mozilla
2008-05-29 00:10:11 0 d-------- E:\Documents and Settings\Viden\Application Data\Ideazon
2008-05-29 00:09:38 0 d-------- E:\Program Files\Ideazon
2008-05-24 01:21:42 0 d-------- E:\Program Files\Common Files\Totem Shared
2008-05-21 18:54:29 0 d-------- E:\Documents and Settings\Viden\Application Data\Vso
2008-05-21 18:54:28 668 --a------ E:\Documents and Settings\Viden\Application Data\vso_ts_preview.xml
2008-05-21 01:08:35 0 d-------- E:\Program Files\EA GAMES
2008-05-21 01:04:43 0 d-------- E:\Program Files\Firaxis Games
2008-05-21 01:02:03 0 d-------- E:\Program Files\Panda Security
2008-05-21 01:00:19 0 d-------- E:\Program Files\Ubisoft
2008-05-21 00:24:10 0 d-------- E:\Documents and Settings\Viden\Application Data\My Games
2008-05-19 23:12:21 0 d-------- E:\Documents and Settings\Viden\Application Data\Adobe
2008-05-19 11:37:44 0 d-------- E:\Program Files\The Weather Channel FW
2008-05-17 03:45:35 0 d-------- E:\Documents and Settings\Viden\Application Data\Nero
2008-05-17 03:43:47 0 d-------- E:\Program Files\Common Files\Nero
2008-05-17 03:42:15 0 d-------- E:\Program Files\Nero
2008-05-17 03:42:15 0 d-------- E:\Program Files\Common Files
2008-05-16 15:40:20 409600 --a------ E:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-16 15:40:20 114688 --a------ E:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-05-16 15:40:20 0 d-------- E:\Program Files\OpenAL
2008-05-16 01:17:49 0 d-------- E:\Program Files\Rock Tour
2008-05-15 02:05:14 0 d-------- E:\Program Files\Bonjour
2008-05-15 02:05:10 0 d-------- E:\Program Files\Common Files\Adobe
2008-05-15 01:53:53 0 d-------- E:\Program Files\Common Files\Macrovision Shared
2008-05-12 22:54:26 0 d-------- E:\Program Files\Activision
2008-05-12 22:53:30 0 d-------- E:\Program Files\BC-Mod Packager
2008-05-12 22:52:19 0 d-------- E:\Program Files\Lavasoft
2008-05-12 22:52:17 0 d-------- E:\Documents and Settings\Viden\Application Data\Lavasoft
2008-05-09 16:40:18 0 d-------- E:\Program Files\Common Files\Bcgsoft
2008-05-09 16:40:16 0 d-------- E:\Documents and Settings\Viden\Application Data\Awasu
2008-05-08 17:12:23 0 d-------- E:\Program Files\Messenger
2008-05-08 17:12:13 0 d-------- E:\Program Files\Movie Maker
2008-05-08 17:10:02 0 d-------- E:\Program Files\Windows NT
2008-05-04 22:14:46 0 d-------- E:\Program Files\Trend Micro
2008-05-04 17:32:10 2457 --a------ E:\WINDOWS\mozver.dat
2008-05-04 17:19:57 0 d-------- E:\Documents and Settings\Viden\Application Data\Malwarebytes
2008-05-04 17:19:32 0 d-------- E:\Program Files\Common Files\Download Manager
2008-05-04 17:16:40 0 d-------- E:\Program Files\RegCure
2008-05-03 14:24:56 0 d-------- E:\Program Files\eggtimer
2008-04-30 16:02:29 98304 --a------ E:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-04-28 16:34:13 0 d-------- E:\Documents and Settings\Viden\Application Data\PC Tools
2008-04-25 14:37:22 0 d-------- E:\Program Files\CCP
2008-04-15 18:20:21 75845 --a------ E:\WINDOWS\War3Unin.dat
2008-04-15 18:18:11 2829 --a------ E:\WINDOWS\War3Unin.pif
2008-04-15 18:18:11 139264 --a------ E:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-04-11 16:30:15 33 --a------ E:\Documents and Settings\Viden\Application Data\pcouffin.log
2008-04-11 16:30:14 47360 --a------ E:\Documents and Settings\Viden\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-11 16:30:14 1144 --a------ E:\Documents and Settings\Viden\Application Data\pcouffin.inf
2008-04-11 16:30:14 7887 --a------ E:\Documents and Settings\Viden\Application Data\pcouffin.cat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 07:19 PM]
"Windows Defender"="E:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"RTHDCPL"="RTHDCPL.EXE" [09/11/2007 05:54 PM E:\WINDOWS\RTHDCPL.exe]
"PHIME2002ASync"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 AM]
"PHIME2002A"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 AM]
"IntelliPoint"="e:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"IMJPMIG8.1"="E:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 08:00 AM]
"EPSON Stylus C88 Series"="E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [01/27/2005 05:00 AM]
"COMODO Firewall Pro"="E:\Program Files\Comodo\Firewall\CPF.exe" [11/01/2007 04:47 PM]
"BTUSRBDG"="BtUsrBdg.exe" [11/05/2003 11:21 PM E:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [04/15/2003 11:48 AM E:\WINDOWS\system32\BTSetBootKey.exe]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [10/28/2007 05:52 PM]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [06/19/2008 02:01 AM]
"NBKeyScan"="E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [12/03/2007 02:21 PM]
"Zboard"="E:\Program Files\Ideazon\ZEngine\Zboard.exe" [05/21/2008 02:59 PM]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [04/24/2008 04:52 PM]
"EPSON Stylus C88 Series (Copy 1)"="E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [01/27/2005 05:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [04/14/2008 05:42 AM]
"Steam"="e:\progra~1\valve\steam\steam.exe" [03/27/2008 08:54 PM]
"Uniblue SpyEraser"="E:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [04/02/2008 09:50 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"=0 (0x0)
"NoStrCmpLogical"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=0 (0x0)
"NoStrCmpLogical"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
E:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 04/30/2008 06:08 PM 87352 E:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)
"MPS9"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=2 (0x2)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=3 (0x3)
"McAfee HackerWatch Service"=2 (0x2)
"LIVESRV"=2 (0x2)
"Emproxy"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
bdx scan
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a8b6ae5-f80f-11db-b2d9-001921747f61}]




-- End of Deckard's System Scanner: finished at 2008-06-22 16:25:39 ------------
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Do this after it

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a8b6ae5-f80f-11db-b2d9-001921747f61}
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0

#7
VidenTheColdOne

VidenTheColdOne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Scanning Report
Sunday, June 22, 2008 16:33:06 - 17:57:42

Computer name: RAHL
Scanning type: Scan system for malware, rootkits
Target: D:\ E:\ I:\
Result: 23 malware found
RemoteAdmin.Win32.RemotelyAnywhere (spyware)

* System

Trojan.Win32.Qhost.hi (virus)

* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{14DB0F6C-C02F-4A6F-AADB-D7F80D40B9DA} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{1A4B68F9-5178-4BA3-BAD6-581695D94934} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{26F42C9C-D2E2-4DA2-A80E-E3595E7F6412} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{32F20B07-B798-4ACE-B3A4-48AC42C3E14F} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{3386E7A2-3657-482A-8007-FE54B06E0392} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{3A6B455F-52BB-4E33-A445-FDF78C9ACCD9} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{49EF25DE-937F-4F8B-941A-3C4EA7E4979B} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{6AD65CF6-B3D4-48CC-90E0-647F74025C01} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{72673BDD-0BB3-4B80-BA29-D7623BFD6CBF} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{84B8DB1E-3B60-4C46-AD07-0E846483DC7A} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{A8BD0F00-90A6-4C35-ADEB-8CE4A333C97A} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{B17AC662-78DE-44EA-A77C-F74DEFBEB455} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{CD1702FB-472A-45C1-BA36-F760AB6C25C3} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{D05B91D3-EF53-4985-BC13-CE3B1EC05D0E} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{D25EED6C-7266-4186-975F-0A1EB2675BFA} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{D53DC93C-1D6C-45CA-8FED-3EE11729D1B3} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{F42F2F0D-94EE-42A1-A783-CDBAB89A14CE} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{F5868550-BC99-4200-BBAC-4BC645A0CAE8} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{F757F071-3448-4B78-8159-AE17D082AF6B} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{FB3CD2D5-D885-429F-B55C-2305DFBBD3BB} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{FDB5B8E5-9AC4-4164-B6C1-0B812281EC2E} (Renamed & Submitted)
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{FEE38886-3DFE-44DB-A61F-B6750D23B6EB} (Renamed & Submitted)

Statistics
Scanned:

* Files: 60608
* System: 5286
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 22
* Deleted: 0
* None: 1
* Submitted: 22

Files not scanned:

* E:\HIBERFIL.SYS
* E:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* E:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* E:\WINDOWS\SYSTEM32\CONFIG\SAM
* E:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* E:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* E:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* E:\DOCUMENTS AND SETTINGS\VIDEN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{ECC893CE-3BAE-4C9B-93EB-A73D3391BD87}

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Blacklight: 1.0.68
* F-Secure Hydra: 2.8.8110, 2008-06-20
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure AVP: 7.0.171, 2008-06-20

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics
  • 0

#8
VidenTheColdOne

VidenTheColdOne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
so, can u see what might have been wrong yet?




Explorer killed successfully
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a8b6ae5-f80f-11db-b2d9-001921747f61} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a8b6ae5-f80f-11db-b2d9-001921747f61}\\ deleted successfully.
< purity >
< EmptyTemp >
File delete failed. E:\DOCUME~1\Viden\LOCALS~1\Temp\JET783.tmp scheduled to be deleted on reboot.
File delete failed. E:\DOCUME~1\Viden\LOCALS~1\Temp\~DF9B83.tmp scheduled to be deleted on reboot.
File delete failed. E:\WINDOWS\temp\Perflib_Perfdata_73c.dat scheduled to be deleted on reboot.
File delete failed. E:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06222008_185708
Unable to kill explorer.exe

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06222008_185705

Files moved on Reboot...
File E:\DOCUME~1\Viden\LOCALS~1\Temp\JET783.tmp not found!
E:\DOCUME~1\Viden\LOCALS~1\Temp\~DF9B83.tmp moved successfully.
File E:\WINDOWS\temp\Perflib_Perfdata_73c.dat not found!
File move failed. E:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Just a little malware

Your logs are clean

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here




  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#10
VidenTheColdOne

VidenTheColdOne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Thanks for all of your help. I am already seeing a difference in performance. I also was able to get rid of those strange files i mentioned as a result of these steps. I will continue with the rest next time i get onto my desktop.

I do run Firefox, i found out a while ago that it was much more secure than internet explorer, that and it looks nice too. Thats why i was having a problem running the online scans, they require IE, so i had to use IE to get the scan done.

For security i use Avast! Threat Fire, Spyware Doctor, Comodo Firewall, Windows Defender, Ad-Aware, and Spybot S&D.
I try to keep everything secure, but i download a lot of files from the internet, so it's always hard to tell whats safe, and what isn't.
  • 0

#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP