Antivirus 2008 Pro [RESOLVED]


  • This topic is locked This topic is locked

#1
rrussell

rrussell

    Member

  • Member
  • PipPip
  • 23 posts
Antivirus 2008 Pro has appeared to take over my PC. I followed someone's advice on this forum and ran Deckard's System Scanner and HijackThis. Below are the "extra.txt" and "main.txt" results. Please tell me what to do next.
Thank you,
RRUSSELL

Deckard's System Scanner v20071014.68
Run by Randy on 2008-06-28 16:39:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-06-28 23:40:41 UTC - RP492 - Deckard's System Scanner Restore Point
3: 2008-06-28 23:00:22 UTC - RP491 - Restore Operation
2: 2008-06-28 18:30:27 UTC - RP490 - System Checkpoint
1: 2008-06-28 05:11:39 UTC - RP489 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 384 MiB (512 MiB recommended).
System Drive C: has 0.13 GiB (less than 15%) free.


-- HijackThis (run as Randy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:45: VIRUS ALERT!, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE
C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DAP\DAP.EXE
C:\Documents and Settings\Randy\Desktop\deckards sys scanner dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Randy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {50C4C776-59ED-4751-AF88-22CC52FB24C3} - C:\WINDOWS\system32\byXrssSj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7FC6B132-EA18-4D69-86E0-423E7B940BDC} - C:\WINDOWS\system32\mlJDuroo.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Editor plugin - {9AEE9C0D-FD38-45fc-B09A-BA9B6B614780} - barka.dll (file missing)
O2 - BHO: QXK Olive - {9EBD6815-1579-4593-8020-8485B80243FB} - C:\WINDOWS\gfetqaxsnvo.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: gxvpsafm - {5EFBB043-CFEC-4A57-BFE7-38FDC518108F} - C:\WINDOWS\gxvpsafm.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [68b6af29] rundll32.exe "C:\WINDOWS\system32\kgmstbux.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - http://63.251.81.180...ZWDLManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F3436EC-7864-4DEB-BA66-97920BEAE513}: NameServer = 206.63.224.5,206.63.224.6
O20 - Winlogon Notify: mlJDuroo - C:\WINDOWS\SYSTEM32\mlJDuroo.dll
O21 - SSODL: pntqkflv - {D27EE8E4-1096-487E-BB0E-D021E8FEEED7} - C:\WINDOWS\pntqkflv.dll
O21 - SSODL: qegbdmwf - {E28F8288-1A54-4D8C-9A71-0446D13A074F} - C:\WINDOWS\qegbdmwf.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\vhosts.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://l.b5z.net/i/u...SkullsB_ezr.JPG
O24 - Desktop Component 1: (no name) - http://l.b5z.net/i/u...eSkullB_ezr.JPG
O24 - Desktop Component 2: (no name) - http://l.b5z.net/i/u...olSucks_ezr.jpg
O24 - Desktop Component 3: (no name) - http://l.b5z.net/i/u...oSkullB_ezr.JPG
O24 - Desktop Component 4: (no name) - http://l.b5z.net/i/u...ategory_ezr.JPG
O24 - Desktop Component 5: (no name) - http://images.hotpro...78070-561-2.gif
O24 - Desktop Component 6: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9435 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ewido security suite driver - c:\program files\ewido anti-malware\guard.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 IJPLMSVC (PIXMA Extended Survey Program) - c:\program files\canon\ijplm\ijplmsvc.exe <Not Verified; ; IJPLMSVC>

S2 msupdate (Microsoft security update service) - c:\windows\system32\vhosts.exe (file missing)
S4 ewido security suite guard - c:\program files\ewido anti-malware\ewidoguard.exe <Not Verified; ewido networks; guard>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&268D196D&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&268D196D&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-06-28 14:55:12 254 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-06-28 16:43:39 0 d-------- C:\Program Files\Trend Micro
2008-06-28 15:42:02 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 15:42:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 15:42:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 15:42:02 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 15:42:02 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 15:42:02 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 15:42:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 15:42:02 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 15:42:02 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 15:42:02 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 15:42:01 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 15:42:01 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 15:42:01 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 15:42:01 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-28 15:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-28 13:09:00 0 d-------- C:\Documents and Settings\Randy\Application Data\TmpRecentIcons
2008-06-27 23:52:56 91520 --a------ C:\WINDOWS\system32\ijcnwxfe.dll
2008-06-27 22:11:22 6242304 --a------ C:\Documents and Settings\Randy\ntuser.dat
2008-06-27 18:17:48 0 d-------- C:\Program Files\Enigma Software Group
2008-06-27 17:51:24 252892 --ahs---- C:\WINDOWS\system32\jSssrXyb.ini2
2008-06-27 17:51:08 318720 --a------ C:\WINDOWS\system32\byXrssSj.dll
2008-06-27 17:24:51 43008 --a------ C:\WINDOWS\system32\clbdll.dll
2008-06-27 17:24:46 28800 --a------ C:\WINDOWS\system32\mlJDuroo.dll
2008-06-27 17:21:20 303104 --a------ C:\WINDOWS\gfetqaxsnvo.dll
2008-06-27 17:21:19 81920 --a------ C:\WINDOWS\tovafrnm.exe
2008-06-27 17:21:19 180224 --a------ C:\WINDOWS\qegbdmwf.dll
2008-06-27 17:21:19 229376 --a------ C:\WINDOWS\pntqkflv.dll
2008-06-27 17:21:19 151552 --a------ C:\WINDOWS\gxvpsafm.dll
2008-06-27 17:21:19 94208 --a------ C:\WINDOWS\ekaf.exe
2008-06-21 16:02:29 0 d-------- C:\Documents and Settings\Alicianna\Application Data\Apple Computer
2008-06-21 16:01:38 0 d-------- C:\Program Files\iPod
2008-06-21 16:01:11 0 d-------- C:\Program Files\iTunes
2008-06-21 15:59:11 0 d-------- C:\Program Files\QuickTime
2008-06-21 15:59:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-21 15:58:20 0 d-------- C:\Program Files\Apple Software Update
2008-06-21 15:57:25 0 d-------- C:\Program Files\Common Files\Apple
2008-06-21 15:57:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-18 18:14:51 0 d-------- C:\Documents and Settings\Alicianna\Application Data\Viewpoint
2008-06-04 03:01:02 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-03 17:02:24 0 d-------- C:\Program Files\Windows Live Toolbar
2008-06-03 17:02:09 0 d-------- C:\Program Files\Windows Live Favorites
2008-06-03 16:45:29 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-03 16:45:01 0 d-------- C:\Program Files\Windows Live


-- Find3M Report ---------------------------------------------------------------

2008-06-27 18:13:02 0 d-------- C:\Program Files\Coupons
2008-06-27 18:12:05 0 d-------- C:\Program Files\Canon
2008-06-27 18:11:55 0 d-------- C:\Documents and Settings\Randy\Application Data\Canon
2008-06-21 15:57:25 0 d-------- C:\Program Files\Common Files
2008-05-02 14:38:01 0 d-------- C:\Documents and Settings\Randy\Application Data\Viewpoint
2008-04-28 20:14:02 1221 --a------ C:\WINDOWS\EReg077.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50C4C776-59ED-4751-AF88-22CC52FB24C3}]
06/27/2008 17:51: VIRUS ALERT! 318720 --a------ C:\WINDOWS\system32\byXrssSj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FC6B132-EA18-4D69-86E0-423E7B940BDC}]
06/27/2008 17:24: VIRUS ALERT! 28800 --a------ C:\WINDOWS\system32\mlJDuroo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9AEE9C0D-FD38-45fc-B09A-BA9B6B614780}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EBD6815-1579-4593-8020-8485B80243FB}]
06/27/2008 13:46: VIRUS ALERT! 303104 --a------ C:\WINDOWS\gfetqaxsnvo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [09/04/2001 16:31: VIRUS ALERT!]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [10/05/2001 17:34: VIRUS ALERT!]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [08/23/2001 14:52: VIRUS ALERT!]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 21:41: VIRUS ALERT!]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 13:22: VIRUS ALERT!]
"nwiz"="nwiz.exe" [10/22/2006 13:22: VIRUS ALERT! C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 13:22: VIRUS ALERT!]
"RegistryMechanic"="" []
"USB Storage Toolbox"="C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE" [09/14/2005 20:44: VIRUS ALERT!]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50: VIRUS ALERT!]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/25/2006 09:03: VIRUS ALERT!]
"OpwareSE4"="C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe" [02/04/2007 12:02: VIRUS ALERT!]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [04/14/2008 16:42: VIRUS ALERT!]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 20:51: VIRUS ALERT!]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 14:22: VIRUS ALERT!]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13: VIRUS ALERT!]
"68b6af29"="C:\WINDOWS\system32\kgmstbux.dll" []
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [01/23/2008 15:47: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34: VIRUS ALERT!]
"antivirus-2008pro.exe"="C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe" []

C:\Documents and Settings\Randy\Start Menu\Programs\Startup\
Mavis Beacon Teaches Typing 11.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe [4/21/2007 1:15:49 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=1 (0x1)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\6]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{7FC6B132-EA18-4D69-86E0-423E7B940BDC}"= C:\WINDOWS\system32\mlJDuroo.dll [06/27/2008 17:24: VIRUS ALERT! 28800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pntqkflv"= {D27EE8E4-1096-487E-BB0E-D021E8FEEED7} - C:\WINDOWS\pntqkflv.dll [06/27/2008 13:46: VIRUS ALERT! 229376]
"qegbdmwf"= {E28F8288-1A54-4D8C-9A71-0446D13A074F} - C:\WINDOWS\qegbdmwf.dll [06/27/2008 13:46: VIRUS ALERT! 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJDuroo]
mlJDuroo.dll 06/27/2008 17:24: VIRUS ALERT! 28800 C:\WINDOWS\system32\mlJDuroo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXrssSj

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-28 16:48:35 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 383.3 MiB / 106.35 MiB
Pagefile Memory (total/avail): 922.17 MiB / 511.75 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 0.13 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75CAA0 - 37.25 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.24 GiB - C:

\\.\PHYSICALDRIVE1 - Canon MP470 series USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Avira AntiVir PersonalEdition v8.0.1.18 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BYOND\\bin\\byond.exe"="C:\\Program Files\\BYOND\\bin\\byond.exe:*:Enabled:byond"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\accelrator_DAP\\DAP.exe"="C:\\Program Files\\accelrator_DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\WINDOWS\\system32\\lxbmcoms.exe"="C:\\WINDOWS\\system32\\lxbmcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Randy\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RANDY-Z7BFIVSUP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Randy
LOGONSERVER=\\RANDY-Z7BFIVSUP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Randy\LOCALS~1\Temp
TMP=C:\DOCUME~1\Randy\LOCALS~1\Temp
USERDOMAIN=RANDY-Z7BFIVSUP
USERNAME=Randy
USERPROFILE=C:\Documents and Settings\Randy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Randy (admin)
Family
Alicianna (admin)
Olen
Alania


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.45 beta --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Canon MP470 series --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP470_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP470_series /L0x0009
Canon MP470 series User Registration --> C:\Program Files\Canon\IJEREG\MP470 series\UNINST.EXE
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Corel Applications --> C:\WINDOWS\Corel\Uninst32.exe
CouponBar --> regsvr32 /u /s "C:\WINDOWS\CouponBarIE.dll"
Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
ewido anti-malware --> C:\Program Files\ewido anti-malware\Uninstall.exe
Fisher-Price® Western Town --> .\setup.exe -funinst.ins
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HP PrecisionScan LTX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\HPUninstallIs.dll"
IBM & Crayola Magic Princess --> C:\WINDOWS\uninst.exe -f"C:\.\Program Files\IBM and Crayola\DeIsL1.isu"
iTunes --> MsiExec.exe /I{9F70BF98-003C-491D-81FC-FF9792206AF0}
JumpStart Advanced Kindergarten --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\UNKinder2002.exe
JumpStart Animal Field Trip --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\JSAnimFTUn.exe
JumpStart Arts and Crafts --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\JSArtsCraftsUn.exe
JumpStart Kindergarten Reading v1.0 --> C:\WINDOWS\uninst.exe -fC:\KA\JSKR\DeIsL5.isu
JumpStart Music --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JumpStart\JumpStart Music\DeIsL1.isu"
JumpStart Phonics --> C:\WINDOWS\IsUninst.exe -fC:\KA\PHONICS\DeIsL2.isu
JumpStart Toddlers v1.3 --> C:\WINDOWS\IsUninst.exe -fC:\KA\TODDLER\DeIsL1.isu
JumpStart World Presents Pet Playground --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\PetPlaygroundUn.exe
Kid Pix Deluxe 3 --> C:\Program Files\Broderbund\Kid Pix Deluxe 3\uninstal.exe
Leap Ahead Second Grade --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Leap Ahead Second Grade\Uninst.isu"
LEGO Friends --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\LEGO Friends\Uninst.isu"
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Madeline Rainy Day Activities --> C:\CWONDERS\MRDA\CWRUN.EXE MadelineRainyDayActivities UninstallExe
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Mavis Beacon Teaches Typing 11 --> C:\PROGRA~1\BRODER~1\MAVISB~1\UNINST.EXE
Mickey Mouse Preschool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{411C452C-7F92-405E-B9A0-EA6BD3C4A630}\setup.exe" -l0x9 Mickey Mouse Preschool
Microsoft Command & Control Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mscnc.inf, Uninstall
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Speech API 3.0 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\spchapi.inf, Uninstall
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Microsoft Zoo Tycoon --> "C:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove
Millie and Bailey Preschool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Edmark\Millie and Bailey Preschool\Uninst.isu"
NCR Label Formats for MS Word Setup --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NCR Media Formats\Uninst.isu"
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
Nokia USB Drivers --> C:\PROGRA~1\NOKIAU~1\UNWISE.EXE C:\PROGRA~1\NOKIAU~1\INSTALL.LOG
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PIXMA Extended Survey Program --> C:\Program Files\Canon\IJPLM\SETUP.EXE -R
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
QuickTime for Windows (32-bit) --> C:\WINDOWS\QTW32DEL.EXE
Reader Rabbit 1st Grade --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Reader Rabbit 1st Grade\Uninstall.xml"
Reader Rabbit 2nd Grade --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Reader Rabbit 2nd Grade\Uninstall.xml"
Reader Rabbit Personalized Kindergarten --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Reader Rabbit Personalized Kindergarten\Uninst.isu"
Reader Rabbit Personalized Preschool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Reader Rabbit Personalized Preschool\Uninst.isu"
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
ScanSoft OmniPage SE 4 --> MsiExec.exe /I{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
Stanley Wild for Sharks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEDB23C9-50AB-4D25-B327-EE4FCDAE265F}\Setup.exe" -l0x9 Stanley Wild for Sharks
Tonka Workshop --> C:\HASBRO\TONKA_W\TW_DEL95.EXE
USB Disk Win98 Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E79A62F-7A2D-4058-BCE0-94E6B9E2F162}\Setup.exe"
USB MP3 Player WIN98 Drivers --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MP3\U-MP3\Uninst.isu"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebVideo Support --> C:\WINDOWS\tovafrnm.exe
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Winnie the Pooh Preschool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDAC64EB-F3CF-47EC-AB54-42D3BD3A8633}\setup.exe" -l0x9 Winnie the Pooh Preschool
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}


-- Application Event Log -------------------------------------------------------

Event Record #/Type8153 / Warning
Event Submitted/Written: 06/28/2008 04:33:23 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Event Record #/Type8151 / Warning
Event Submitted/Written: 06/28/2008 04:33:13 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Event Record #/Type8150 / Warning
Event Submitted/Written: 06/28/2008 04:33:02 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
DR/FraudTool.AntiSpyware.AIC:\Documents and Settings\Randy\Desktop\winantivirus setupxv.exe

Event Record #/Type8149 / Warning
Event Submitted/Written: 06/28/2008 04:31:30 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
DR/FraudTool.AntiSpyware.AIC:\Documents and Settings\Randy\Desktop\winantivirus setupxv.exe

Event Record #/Type8148 / Warning
Event Submitted/Written: 06/28/2008 04:30:05 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
DR/FraudTool.AntiSpyware.AIC:\Documents and Settings\Randy\Desktop\winantivirus setupxv.exe



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type74885 / Error
Event Submitted/Written: 06/28/2008 04:00:26 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type74884 / Error
Event Submitted/Written: 06/28/2008 03:58:53 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service MSIServer with arguments ""
in order to run the server:
{000C101C-0000-0000-C000-000000000046}

Event Record #/Type74883 / Error
Event Submitted/Written: 06/28/2008 03:58:53 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service MSIServer with arguments ""
in order to run the server:
{000C101C-0000-0000-C000-000000000046}

Event Record #/Type74882 / Error
Event Submitted/Written: 06/28/2008 03:58:53 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service MSIServer with arguments ""
in order to run the server:
{000C101C-0000-0000-C000-000000000046}

Event Record #/Type74878 / Error
Event Submitted/Written: 06/28/2008 03:43:11 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Avg7Core
Avg7RsW
Avg7RsXP
avgio
avipbb
Fips
Processor
ssmdrv



-- End of Deckard's System Scanner: finished at 2008-06-28 16:48:35 ------------
  • 0


#2
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo...


Please go to Start > Control Panel > Add or Remove Programs and remove the following (if present):

CouponBar
Viewpoint Media Player

NEXT
Please visit the webpage below for instructions on downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



Regards
fenzodahl512
  • 0

#3
rrussell

  • Topic Starter
  • Member
  • 23 posts
Fenzodahl512,
Thank you for your notes. Things have gone well thus far. Here is the text from the ComboFix "log.txt" and from the most current HijackThis log, after running ComboFix. Please tell me what to do next.
RRussell

ComboFix 08-06-20.4 - Randy 2008-06-29 12:51:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.94 [GMT -7:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Randy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Randy\Application Data\FunWebProducts
C:\Documents and Settings\Randy\Application Data\FunWebProducts\Data\Randy\avatar.dat
C:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk
C:\Documents and Settings\Randy\Desktop\Error Cleaner.url
C:\Documents and Settings\Randy\Desktop\Privacy Protector.url
C:\Documents and Settings\Randy\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Randy\Favorites\Error Cleaner.url
C:\Documents and Settings\Randy\Favorites\Privacy Protector.url
C:\Documents and Settings\Randy\Favorites\Spyware&Malware Protection.url
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\0DD9038F.urr
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\ekaf.exe
C:\WINDOWS\system32\byXrssSj.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\commands.xml
C:\WINDOWS\system32\cookie.dat
C:\WINDOWS\system32\efxwncji.ini
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\jSssrXyb.ini
C:\WINDOWS\system32\jSssrXyb.ini2
C:\WINDOWS\system32\kvdxbqht.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ps.dat
C:\WINDOWS\system32\xubtsmgk.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Service_msupdate


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-29 10:14 . 2008-06-29 10:14 <DIR> d-------- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP
2008-06-29 09:29 . 2008-06-29 09:29 92,032 --a------ C:\WINDOWS\system32\thqbxdvk.dll
2008-06-28 16:43 . 2008-06-28 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 16:39 . 2008-06-28 16:39 <DIR> d-------- C:\Deckard
2008-06-28 15:42 . 2008-06-28 15:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-28 15:32 . 2008-06-28 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-27 23:52 . 2008-06-27 23:52 91,520 --a------ C:\WINDOWS\system32\ijcnwxfe.dll
2008-06-27 18:17 . 2008-06-27 18:17 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-27 17:24 . 2008-06-27 17:24 28,800 --a------ C:\WINDOWS\system32\mlJDuroo.dll
2008-06-27 17:24 . 2001-08-18 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-27 17:21 . 2008-06-27 13:46 303,104 --a------ C:\WINDOWS\gfetqaxsnvo.dll
2008-06-27 17:21 . 2008-06-27 13:46 229,376 --a------ C:\WINDOWS\pntqkflv.dll
2008-06-27 17:21 . 2008-06-27 13:46 180,224 --a------ C:\WINDOWS\qegbdmwf.dll
2008-06-27 17:21 . 2008-06-27 13:46 151,552 --a------ C:\WINDOWS\gxvpsafm.dll
2008-06-27 17:21 . 2008-06-27 13:46 81,920 --a------ C:\WINDOWS\tovafrnm.exe
2008-06-21 21:33 . 2008-06-21 21:33 268 --ah----- C:\sqmdata03.sqm
2008-06-21 21:33 . 2008-06-21 21:33 244 --ah----- C:\sqmnoopt03.sqm
2008-06-21 16:02 . 2008-06-21 16:02 <DIR> d-------- C:\Documents and Settings\Alicianna\Application Data\Apple Computer
2008-06-21 16:01 . 2008-06-21 16:02 <DIR> d-------- C:\Program Files\iTunes
2008-06-21 16:01 . 2008-06-21 16:01 <DIR> d-------- C:\Program Files\iPod
2008-06-21 15:59 . 2008-06-21 16:00 <DIR> d-------- C:\Program Files\QuickTime
2008-06-21 15:59 . 2008-06-21 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-21 15:58 . 2008-06-21 15:58 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-21 15:57 . 2008-06-21 15:57 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-21 15:57 . 2008-06-21 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-18 18:14 . 2008-06-18 18:14 <DIR> d-------- C:\Documents and Settings\Alicianna\Application Data\Viewpoint
2008-06-10 19:03 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 11:49 . 2008-06-07 11:49 744 --a------ C:\WINDOWS\WININI.QTW
2008-06-07 11:49 . 2008-06-07 11:49 357 --a------ C:\WINDOWS\QTW.QTW
2008-06-07 11:49 . 2008-06-07 11:49 258 --a------ C:\WINDOWS\SYSINI.QTW
2008-06-04 03:01 . 2008-06-04 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-03 22:52 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-03 22:52 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-03 22:52 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-03 17:02 . 2008-06-03 17:04 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-06-03 17:02 . 2008-06-03 17:02 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-06-03 16:45 . 2008-06-03 16:57 <DIR> d-------- C:\Program Files\Windows Live
2008-06-03 16:45 . 2008-06-03 16:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 07:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-29 19:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-29 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-28 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-06-28 01:13 --------- d-----w C:\Program Files\Coupons
2008-06-28 01:12 --------- d-----w C:\Program Files\Canon
2008-06-28 01:11 --------- d-----w C:\Documents and Settings\Randy\Application Data\Canon
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-02 21:38 --------- d-----w C:\Documents and Settings\Randy\Application Data\Viewpoint
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-01 20:05 85,600 ----a-w C:\WINDOWS\~GLC0001.TMP
2007-11-23 02:00 65,536 ----a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2007-04-23 01:53 24,192 ----a-w C:\Documents and Settings\Randy\usbsermptxp.sys
2007-04-23 01:53 22,768 ----a-w C:\Documents and Settings\Randy\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64813645-F8AB-4941-B283-D541E03CF54B}]
2008-06-29 13:49 317696 --a------ C:\WINDOWS\system32\hgGxXqPj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FC6B132-EA18-4D69-86E0-423E7B940BDC}]
2008-06-27 17:24 28800 --a------ C:\WINDOWS\system32\mlJDuroo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EBD6815-1579-4593-8020-8485B80243FB}]
2008-06-27 13:46 303104 --a------ C:\WINDOWS\gfetqaxsnvo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5EFBB043-CFEC-4A57-BFE7-38FDC518108F}"= "C:\WINDOWS\gxvpsafm.dll" [2008-06-27 13:46 151552]

[HKEY_CLASSES_ROOT\clsid\{5efbb043-cfec-4a57-bfe7-38fdc518108f}]
[HKEY_CLASSES_ROOT\gxvpsafm.1]
[HKEY_CLASSES_ROOT\TypeLib\{06024E5D-2C27-49D3-B9CC-B496A55599D8}]
[HKEY_CLASSES_ROOT\gxvpsafm]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"antivirus-2008pro.exe"="C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 16:31 655360]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 17:34 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 14:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 21:41 28738]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegistryMechanic"="" []
"USB Storage Toolbox"="C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE" [2005-09-14 20:44 65536]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]
"OpwareSE4"="C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 12:02 79400]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 16:42 262401]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"68b6af29"="C:\WINDOWS\system32\gylhiflr.dll" [2008-06-29 13:51 92032]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]

C:\Documents and Settings\Alicianna\Start Menu\Programs\Startup\
MSWin-774633109.exe [2007-12-06 20:24:44 14]

C:\Documents and Settings\Randy\Start Menu\Programs\Startup\
Mavis Beacon Teaches Typing 11.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe [2007-04-21 13:15:49 2326528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7FC6B132-EA18-4D69-86E0-423E7B940BDC}"= C:\WINDOWS\system32\mlJDuroo.dll [2008-06-27 17:24 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJDuroo]
mlJDuroo.dll 2008-06-27 17:24 28800 C:\WINDOWS\system32\mlJDuroo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\hgGxXqPj

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 04:12]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-03-14 08:49]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2002-02-22 04:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-29 20:55:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 13:42:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\jPqXxGgh.ini 347 bytes
C:\WINDOWS\system32\jPqXxGgh.ini2 347 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\mlJDuroo.dll
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
-> C:\WINDOWS\system32\gylhiflr.dll
-> C:\WINDOWS\system32\hgGxXqPj.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\guardgui.exe
.
**************************************************************************
.
Completion time: 2008-06-29 13:56:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 20:56:16

Pre-Run: 196,993,024 bytes free
Post-Run: 2,386,501,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

222 --- E O F --- 2008-06-21 10:01:50


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:02, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE
C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: gxvpsafm - {5EFBB043-CFEC-4A57-BFE7-38FDC518108F} - C:\WINDOWS\gxvpsafm.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [68b6af29] rundll32.exe "C:\WINDOWS\system32\gylhiflr.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - http://63.251.81.180...ZWDLManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F3436EC-7864-4DEB-BA66-97920BEAE513}: NameServer = 206.63.224.5,206.63.224.6
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://l.b5z.net/i/u...SkullsB_ezr.JPG
O24 - Desktop Component 1: (no name) - http://l.b5z.net/i/u...eSkullB_ezr.JPG
O24 - Desktop Component 2: (no name) - http://l.b5z.net/i/u...olSucks_ezr.jpg
O24 - Desktop Component 3: (no name) - http://l.b5z.net/i/u...oSkullB_ezr.JPG
O24 - Desktop Component 4: (no name) - http://l.b5z.net/i/u...ategory_ezr.JPG
O24 - Desktop Component 5: (no name) - http://images.hotpro...78070-561-2.gif

--
End of file - 7606 bytes
  • 0

#4
fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\jPqXxGgh.ini
C:\WINDOWS\system32\jPqXxGgh.ini2
C:\WINDOWS\system32\gylhiflr.dll
C:\WINDOWS\system32\hgGxXqPj.dll
C:\WINDOWS\system32\thqbxdvk.dll
C:\WINDOWS\system32\ijcnwxfe.dll
C:\WINDOWS\system32\mlJDuroo.dll
C:\WINDOWS\gfetqaxsnvo.dll
C:\WINDOWS\pntqkflv.dll
C:\WINDOWS\qegbdmwf.dll
C:\WINDOWS\gxvpsafm.dll
C:\WINDOWS\system32\gylhiflr.dll
C:\WINDOWS\tovafrnm.exe
C:\WINDOWS\~GLC0001.TMP
C:\Documents and Settings\Alicianna\Start Menu\Programs\Startup\MSWin-774633109.exe

Folder::
C:\Program Files\Antivirus 2008 PRO

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64813645-F8AB-4941-B283-D541E03CF54B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FC6B132-EA18-4D69-86E0-423E7B940BDC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EBD6815-1579-4593-8020-8485B80243FB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5EFBB043-CFEC-4A57-BFE7-38FDC518108F}"=-
[-HKEY_CLASSES_ROOT\clsid\{5efbb043-cfec-4a57-bfe7-38fdc518108f}]
[-HKEY_CLASSES_ROOT\gxvpsafm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{06024E5D-2C27-49D3-B9CC-B496A55599D8}]
[-HKEY_CLASSES_ROOT\gxvpsafm]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"antivirus-2008pro.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"68b6af29"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7FC6B132-EA18-4D69-86E0-423E7B940BDC}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJDuroo]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
rrussell

  • Topic Starter
  • Member
  • 23 posts
Fenzodahl512,
Below are the two logs, after I dragged the CFScript.txt into ComboFix.exe.
What should I do next?
RRussell

ComboFix 08-06-20.4 - Randy 2008-06-30 19:10:11.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.137 [GMT -7:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-29 10:14 . 2008-06-29 10:14 <DIR> d-------- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP
2008-06-28 16:43 . 2008-06-28 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 16:39 . 2008-06-28 16:39 <DIR> d-------- C:\Deckard
2008-06-28 15:42 . 2008-06-28 15:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-28 15:32 . 2008-06-28 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-27 18:17 . 2008-06-27 18:17 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-27 17:24 . 2001-08-18 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-21 21:33 . 2008-06-21 21:33 268 --ah----- C:\sqmdata03.sqm
2008-06-21 21:33 . 2008-06-21 21:33 244 --ah----- C:\sqmnoopt03.sqm
2008-06-21 16:02 . 2008-06-21 16:02 <DIR> d-------- C:\Documents and Settings\Alicianna\Application Data\Apple Computer
2008-06-21 16:01 . 2008-06-21 16:02 <DIR> d-------- C:\Program Files\iTunes
2008-06-21 16:01 . 2008-06-21 16:01 <DIR> d-------- C:\Program Files\iPod
2008-06-21 15:59 . 2008-06-21 16:00 <DIR> d-------- C:\Program Files\QuickTime
2008-06-21 15:59 . 2008-06-21 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-21 15:58 . 2008-06-21 15:58 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-21 15:57 . 2008-06-21 15:57 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-21 15:57 . 2008-06-21 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-18 18:14 . 2008-06-18 18:14 <DIR> d-------- C:\Documents and Settings\Alicianna\Application Data\Viewpoint
2008-06-10 19:03 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 11:49 . 2008-06-07 11:49 744 --a------ C:\WINDOWS\WININI.QTW
2008-06-07 11:49 . 2008-06-07 11:49 357 --a------ C:\WINDOWS\QTW.QTW
2008-06-07 11:49 . 2008-06-07 11:49 258 --a------ C:\WINDOWS\SYSINI.QTW
2008-06-04 03:01 . 2008-06-04 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-03 22:52 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-03 22:52 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-03 22:52 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-03 17:02 . 2008-06-03 17:04 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-06-03 17:02 . 2008-06-03 17:02 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-06-03 16:45 . 2008-06-03 16:57 <DIR> d-------- C:\Program Files\Windows Live
2008-06-03 16:45 . 2008-06-03 16:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 07:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-29 19:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-29 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-28 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-06-28 01:13 --------- d-----w C:\Program Files\Coupons
2008-06-28 01:12 --------- d-----w C:\Program Files\Canon
2008-06-28 01:11 --------- d-----w C:\Documents and Settings\Randy\Application Data\Canon
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-02 21:38 --------- d-----w C:\Documents and Settings\Randy\Application Data\Viewpoint
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-23 02:00 65,536 ----a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2007-04-23 01:53 24,192 ----a-w C:\Documents and Settings\Randy\usbsermptxp.sys
2007-04-23 01:53 22,768 ----a-w C:\Documents and Settings\Randy\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-29_13.53.16.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 20:31:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 01:29:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 16:31 655360]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 17:34 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 14:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 21:41 28738]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"RegistryMechanic"="" []
"USB Storage Toolbox"="C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE" [2005-09-14 20:44 65536]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]
"OpwareSE4"="C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 12:02 79400]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 16:42 262401]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]

C:\Documents and Settings\Randy\Start Menu\Programs\Startup\
Mavis Beacon Teaches Typing 11.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe [2007-04-21 13:15:49 2326528]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 04:12]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-03-14 08:49]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2002-02-22 04:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 01:55:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 19:13:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-30 19:18:14
ComboFix-quarantined-files.txt 2008-07-01 02:17:07
ComboFix2.txt 2008-07-01 01:50:03
ComboFix3.txt 2008-06-30 04:51:28
ComboFix4.txt 2008-06-29 20:57:05

Pre-Run: 2,717,708,288 bytes free
Post-Run: 2,707,214,336 bytes free

120 --- E O F --- 2008-06-21 10:01:50


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE
C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - http://63.251.81.180...ZWDLManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F3436EC-7864-4DEB-BA66-97920BEAE513}: NameServer = 206.63.224.5,206.63.224.6
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://l.b5z.net/i/u...SkullsB_ezr.JPG
O24 - Desktop Component 2: (no name) - http://l.b5z.net/i/u...olSucks_ezr.jpg
O24 - Desktop Component 3: (no name) - http://l.b5z.net/i/u...oSkullB_ezr.JPG
O24 - Desktop Component 4: (no name) - http://l.b5z.net/i/u...ategory_ezr.JPG
O24 - Desktop Component 5: (no name) - http://images.hotpro...78070-561-2.gif

--
End of file - 7399 bytes
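A practical follow-up to the CFScript step above is to confirm that the registry items the script deleted really are gone from the new HijackThis log. The checker below is an added example for this thread, not code from ComboFix, HijackThis or the forum's helpers. It parses the `Registry::` section of the CFScript (deleted keys `[-...]`, deleted values `"name"=-`), then scans a HijackThis log for any CLSID, Run value name or key name that should have disappeared. The CFScript text is the one posted in this thread; the "before" log lines are constructed for illustration with placeholder paths (`placeholder-bho.dll`, `C:\PLACEHOLDER\...`), and the "after" lines are copied from the post-cleanup log in this reply.

```python
"""Post-cleanup check: is everything a ComboFix CFScript removed absent from
a fresh HijackThis log?  Added example; not ComboFix/HijackThis code."""
import re
from dataclasses import dataclass, field

# Braced CLSID / TypeLib id, e.g. {64813645-F8AB-4941-B283-D541E03CF54B}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis O4 line: "O4 - HKLM\..\Run: [ValueName] command"
O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]")


@dataclass
class RemovalList:
    guids: set = field(default_factory=set)   # ids named in deleted keys/values
    values: set = field(default_factory=set)  # value names deleted with "name"=-
    leaves: set = field(default_factory=set)  # last component of deleted keys (non-GUID)


def parse_cfscript(text: str) -> RemovalList:
    """[-HKEY...\\key] deletes a key; "name"=- deletes a value under the
    most recent [key] header.  Everything is lower-cased: the registry is
    case-insensitive and the script mixes cases."""
    rl = RemovalList()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[-") and line.endswith("]"):
            key = line[2:-1]
            rl.guids.update(g.lower() for g in GUID_RE.findall(key))
            leaf = key.rsplit("\\", 1)[-1].lower()
            if not GUID_RE.fullmatch(leaf):
                rl.leaves.add(leaf)
        elif line.startswith('"') and line.endswith("=-"):
            name = line[1:line.rfind('"')]
            rl.guids.update(g.lower() for g in GUID_RE.findall(name))
            rl.values.add(name.lower())
    return rl


def find_survivors(rl: RemovalList, hjt_log: str) -> list:
    """Return the HijackThis lines that still reference a removed item."""
    hits = []
    for line in hjt_log.splitlines():
        low = line.lower()
        m = O4_RE.match(line)
        if m and m.group("name").lower() in rl.values:
            hits.append(line)          # Run value still registered
        elif any(g in low for g in rl.guids):
            hits.append(line)          # BHO / toolbar / TypeLib id still present
        elif any(leaf in low for leaf in rl.leaves):
            hits.append(line)          # e.g. the Winlogon Notify key name
    return hits


# The CFScript posted in this thread (Registry:: section).
CFSCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64813645-F8AB-4941-B283-D541E03CF54B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FC6B132-EA18-4D69-86E0-423E7B940BDC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EBD6815-1579-4593-8020-8485B80243FB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5EFBB043-CFEC-4A57-BFE7-38FDC518108F}"=-
[-HKEY_CLASSES_ROOT\clsid\{5efbb043-cfec-4a57-bfe7-38fdc518108f}]
[-HKEY_CLASSES_ROOT\gxvpsafm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{06024E5D-2C27-49D3-B9CC-B496A55599D8}]
[-HKEY_CLASSES_ROOT\gxvpsafm]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"antivirus-2008pro.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"68b6af29"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7FC6B132-EA18-4D69-86E0-423E7B940BDC}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJDuroo]
"""

# Constructed "before" log: lines of the kind the script targets; paths are placeholders.
HJT_BEFORE = r"""
O2 - BHO: (no name) - {64813645-F8AB-4941-B283-D541E03CF54B} - C:\WINDOWS\system32\placeholder-bho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\PLACEHOLDER\antivirus-2008pro.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: mlJDuroo - C:\WINDOWS\system32\placeholder-notify.dll
"""

# "After" lines taken from the post-cleanup HijackThis log in this reply.
HJT_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
"""


def check_cleanup():
    """Survivors in the constructed before-log and in the real after-log."""
    rl = parse_cfscript(CFSCRIPT)
    return find_survivors(rl, HJT_BEFORE), find_survivors(rl, HJT_AFTER)


if __name__ == "__main__":
    before, after = check_cleanup()
    print(f"before cleanup: {len(before)} flagged line(s)")
    for line in before:
        print("  ", line)
    print(f"after cleanup: {len(after)} flagged line(s)")
```

The before-log is flagged on three lines (the BHO CLSID, the `antivirus-2008pro.exe` Run value, and the `mlJDuroo` Winlogon Notify entry) and the after-log on none, which is the result a helper wants to see before calling the cleanup done. The matching is deliberately substring-based on lower-cased text, because HijackThis prints CLSIDs in upper case while CFScript lines use either case.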

#6
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please post the following logs in your next reply. Post each log in a separate post.

1. Malwarebytes' Anti-Malware
2. A fresh Deckard's System Scanner log (after the Malwarebytes' step)
3. Tell me about your computer's behaviour.


Regards
fenzodahl512

#7
rrussell

  • Topic Starter
  • Member
  • 23 posts
Greetings Fenzodahl512
Below are the Malwarebytes log and the Deckard's System Scanner log. The PC performance appears to be good, back to normal desktop, web surfing, etc. THANK YOU.
Please tell me what is next, if anything.
I have the free AntiVir and it has (at least I thought) served me quite well for the last several years. What is your recommendation on this type of software?
RRussell


Malwarebytes' Anti-Malware 1.19
Database version: 913
Windows 5.1.2600 Service Pack 2

8:14:39 PM 7/1/2008
mbam-log-7-1-2008 (20-14-39).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 123124
Time elapsed: 1 hour(s), 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{7f93d861-d8aa-43d8-a406-6ae8417aa722} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d7f3635-c43b-4636-8fe6-b84d7a1ab6f5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9243c98c-e413-4bb2-9567-b8e8011a92ff} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7bfa07e7-681e-4b97-b77a-6b21a1b58e45} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gxvpsafm.bdnb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gxvpsafm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Deckard\System Scanner\backup\DOCUME~1\Randy\LOCALS~1\Temp\dssec.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\ekaf.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\pntqkflv.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gylhiflr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\thqbxdvk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.





Deckard's System Scanner v20071014.68
Run by Randy on 2008-07-01 20:50:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 384 MiB (512 MiB recommended).
System Drive C: has 2.47 GiB (less than 15%) free.


-- HijackThis (run as Randy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE
C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Documents and Settings\Randy\Desktop\deckards sys scanner dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Randy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - http://63.251.81.180...ZWDLManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F3436EC-7864-4DEB-BA66-97920BEAE513}: NameServer = 206.63.224.5,206.63.224.6
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://l.b5z.net/i/u...SkullsB_ezr.JPG
O24 - Desktop Component 2: (no name) - http://l.b5z.net/i/u...olSucks_ezr.jpg
O24 - Desktop Component 3: (no name) - http://l.b5z.net/i/u...oSkullB_ezr.JPG
O24 - Desktop Component 4: (no name) - http://l.b5z.net/i/u...ategory_ezr.JPG
O24 - Desktop Component 5: (no name) - http://images.hotpro...78070-561-2.gif

--
End of file - 7695 bytes

-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-07-01 19:03:08 0 d-------- C:\Documents and Settings\Randy\Application Data\Malwarebytes
2008-07-01 19:03:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 12:50:59 0 d-------- C:\cmdcons
2008-06-29 12:47:02 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-29 12:47:01 68096 --a------ C:\WINDOWS\zip.exe
2008-06-29 12:47:01 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-29 12:47:01 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-29 12:47:01 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-29 12:47:01 98816 --a------ C:\WINDOWS\sed.exe
2008-06-29 12:47:01 80412 --a------ C:\WINDOWS\grep.exe
2008-06-29 12:47:01 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-29 10:14:28 0 d--h----- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Templates
2008-06-29 10:14:28 0 dr------- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Start Menu
2008-06-29 10:14:28 0 dr-h----- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\SendTo
2008-06-29 10:14:28 0 d--h----- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Recent
2008-06-29 10:14:28 0 d--h----- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\PrintHood
2008-06-29 10:14:28 786432 --ah----- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\NTUSER.DAT
2008-06-29 10:14:28 0 d--h----- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\NetHood
2008-06-29 10:14:28 0 d-------- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\My Documents
2008-06-29 10:14:28 0 d--h----- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Local Settings
2008-06-29 10:14:28 0 d-------- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Favorites
2008-06-29 10:14:28 0 d-------- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Desktop
2008-06-29 10:14:28 0 d---s---- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Cookies
2008-06-29 10:14:28 0 dr-h----- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Application Data
2008-06-29 10:14:28 0 d---s---- C:\Documents and Settings\Administrator.RANDY-Z7BFIVSUP\Application Data\Microsoft
2008-06-28 16:43:39 0 d-------- C:\Program Files\Trend Micro
2008-06-28 15:42:02 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 15:42:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 15:42:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 15:42:02 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 15:42:02 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 15:42:02 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 15:42:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 15:42:02 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 15:42:02 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 15:42:02 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 15:42:01 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 15:42:01 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 15:42:01 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 15:42:01 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-28 15:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-27 22:11:22 6291456 --a------ C:\Documents and Settings\Randy\ntuser.dat
2008-06-27 22:11:21 708608 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-06-27 18:17:48 0 d-------- C:\Program Files\Enigma Software Group
2008-06-21 16:02:29 0 d-------- C:\Documents and Settings\Alicianna\Application Data\Apple Computer
2008-06-21 16:01:38 0 d-------- C:\Program Files\iPod
2008-06-21 16:01:11 0 d-------- C:\Program Files\iTunes
2008-06-21 15:59:11 0 d-------- C:\Program Files\QuickTime
2008-06-21 15:59:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-21 15:58:20 0 d-------- C:\Program Files\Apple Software Update
2008-06-21 15:57:25 0 d-------- C:\Program Files\Common Files\Apple
2008-06-21 15:57:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-18 18:14:51 0 d-------- C:\Documents and Settings\Alicianna\Application Data\Viewpoint
2008-06-04 03:01:02 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-03 17:02:24 0 d-------- C:\Program Files\Windows Live Toolbar
2008-06-03 17:02:09 0 d-------- C:\Program Files\Windows Live Favorites
2008-06-03 16:45:29 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-03 16:45:01 0 d-------- C:\Program Files\Windows Live


-- Find3M Report ---------------------------------------------------------------

2008-06-27 18:13:02 0 d-------- C:\Program Files\Coupons
2008-06-27 18:12:05 0 d-------- C:\Program Files\Canon
2008-06-27 18:11:55 0 d-------- C:\Documents and Settings\Randy\Application Data\Canon
2008-06-21 15:57:25 0 d-------- C:\Program Files\Common Files
2008-05-02 14:38:01 0 d-------- C:\Documents and Settings\Randy\Application Data\Viewpoint
2008-04-28 20:14:02 1221 --a------ C:\WINDOWS\EReg077.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [09/04/2001 16:31]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [10/05/2001 17:34]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [08/23/2001 14:52]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 21:41]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 13:22]
"nwiz"="nwiz.exe" [10/22/2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 13:22]
"RegistryMechanic"="" []
"USB Storage Toolbox"="C:\Program Files\MP3 COBY USB Disk Win98 Driver\Res.EXE" [09/14/2005 20:44]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/25/2006 09:03]
"OpwareSE4"="C:\Program Files\Canon ScanSoft\OmniPageSE4\OpwareSE4.exe" [02/04/2007 12:02]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [04/14/2008 16:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 20:51]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 14:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34]

C:\Documents and Settings\Randy\Start Menu\Programs\Startup\
Mavis Beacon Teaches Typing 11.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe [4/21/2007 1:15:49 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-01 20:50:49 ------------

#8
fenzodahl512
  • Malware Removal
  • 9,863 posts

Please tell me what is next, if anything.
I have the free AntiVir and it has (at least I thought) served me quite well for the last several years. What is your recommendation on this type of software?


I use Avira Antivir as well, and it is an excellent free antivirus.. It's light and extremely easy to use :)

Good news is, your log looks clean to my eyes..


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed





NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
  • It should have next icon next to it: Posted Image
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 6




NEXT


I noticed that you already have:
1. Avira Antivir as your antivirus
2. Malwarebytes' as your antispyware..



However, I haven't seen any third-party firewall in your logs.. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewalls below:
After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.




Lastly, to keep your operating system up to date please visit the link below monthly

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes :Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

#9
rrussell
    Member
  • Topic Starter
  • 23 posts
AntiVirus 2008 Pro, removing this tough virus !
Fenzodahl512,
When I try to reach ComboFix through your instructions (when I enter 'Combofix /u' - I believe this is for a Combofix update) the message window says 'file corrupt, try to download again'. I have downloaded it from several of your referred sites. Also, if I double click on the combofix.exe icon on my desktop I get the same message. So, I think I still may have a virus?
What next, please ?
R Russell

#10
fenzodahl512
  • Malware Removal
  • 9,863 posts

AntiVirus 2008 Pro, removing this tough virus !
Fenzodahl512,
When I try to reach ComboFix through your instructions (when I enter 'Combofix /u' - I believe this is for a Combofix update) the message window says 'file corrupt, try to download again'. I have downloaded it from several of your referred sites. Also, if I double click on the combofix.exe icon on my desktop I get the same message. So, I think I still may have a virus?
What next, please ?
R Russell



Errm.. Not sure why that happens.. Let's have a thorough look... Please do the following....



Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Please post the following logs in your next reply.. Post each log in separate post..

1. Deckard System Scanner
2. Kaspersky Webscanner


Regards
fenzodahl512

Edited by fenzodahl512, 03 July 2008 - 12:22 AM.


#11
rrussell
    Member
  • Topic Starter
  • 23 posts
AntiVirus 2008 Pro
Fenzodahl512,
Kaspersky's 'accept' button is disabled, and I tried several times?

#12
fenzodahl512
  • Malware Removal
  • 9,863 posts
Let's do this instead..

Let's run F-Secure online scan for Viruses, Spyware and RootKits:
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient




Also, tell me about your computer behaviour...

#13
rrussell
    Member
  • Topic Starter
  • 23 posts
Fenzodahl512,



Scanning Report
Saturday, July 05, 2008 16:01:16 - 18:32:09
Computer name: RANDY-Z7BFIVSUP
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 2 malware found
AdWare.Win32.Coupons (spyware)
System
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 50633
System: 3990
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DECKARD\SYSTEM SCANNER\20080701202712\BACKUP\DOCUME~1\RANDY\LOCALS~1\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\9V73LB34\MYSPACEJS041[2].JS

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-07-04
F-Secure AVP: 7.0.171, 2008-07-05
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#14
fenzodahl512
  • Malware Removal
  • 9,863 posts
Well.. That result is great.. Please delete ComboFix from your Desktop and C:\combofix folder...

Do you still have any issues with your computer?

#15
rrussell
    Member
  • Topic Starter
  • 23 posts
Antivirus 2008 Pro
Fenzodahl512,
I installed Comodo's firewall first, as directed (it told me to disable my firewall first, so I did). Windows firewall was enabled but you said you could not see it on the log info? I did not reboot after Comodo but did reboot after downloading both Comodo and the Windows update. It took minutes for Windows/PC to shut down? Upon reboot, the gold shield with exclamation mark in the middle, located in the lower rt. toolbar, opened a window and said updates were ready to install. I found this odd, since I just downloaded the Windows update that you provided the link to? I right clicked but could not find out any property info. This is similar to how I got the Antivirus Pro 2008 virus in the first place. How do you know if these are actual MSoft Windows alerts or a scam?
PC seems OK but will know more in a few days. Should I disable AVG Free, since I have AntiVir & Comodo ?
Thank you,
RRussell