Recurring pop-up ads [CLOSED]


  • This topic is locked

#1
Brubur

    New Member

  • Member
  • 5 posts
:) Somehow I downloaded something that pops an ad up every time I change web pages. I have WinPatrol, Panicware, IEpal as well as McAfee on board but none can get rid of it. I think I have isolated the culprits as being found in windows/system32. They are listed as vtUlBrQh.dll and efcPGyW.dll. I have tried deleting them but they come back immediately. I have tried to have WinPatrol isolate and kill the process but no luck. Can you help me? Thanks, Brubur


#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Brubur,

Welcome to geekstogo :)

OK, let's get started on this straight away:

====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 3====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


In your next reply could I see:
1. the malwarebytes log
2. the 2 DSS logs (though there may only be one)

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#3
Brubur

    New Member

  • Topic Starter
  • Member
  • 5 posts
Andrewuk tried to help me clean up my system for trojans etc. After downloading and running the malware program (I will copy & paste the log) I downloaded the Deckard's program. Upon trying to run, it gets to events and errors out stating it has to shut down. Also my WinPatrol program is warning me of an attempted change of the registry editor from REGEDIT.EXE %1 to REGEDIT.EXE %1 %*. Also the .SCR (whatever that is) is trying to change from %1/s to %1%*. Thank you for the help. Brubur.

Here is the log:

Malwarebytes' Anti-Malware 1.21
Database version: 967
Windows 5.1.2600 Service Pack 2

12:09:03 AM 7/20/2008
mbam-log-7-20-2008 (00-09-03).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 106028
Time elapsed: 53 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 21
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bgcolifl.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\efcYPGyW.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{53d2b243-c8df-460c-a3ff-745870147415} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53d2b243-c8df-460c-a3ff-745870147415} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcypgyw (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{015c64ae-44b0-4cc3-bae3-ba9108254304} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1bb799a-3f7b-465b-82e8-1554b8dde968} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{77aa25e8-6083-4949-a831-9cb11861dc10} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb01042.ietoolbar (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb01042.ietoolbar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb01042.tbsb01042 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb01042.tbsb01042.3 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b0fdc513-46b9-46fc-8e70-d575ee546dae} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5d341b1a-25ea-4777-a68e-6a938b933ba7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SecuriSoft SARL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{53d2b243-c8df-460c-a3ff-745870147415} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b0fdc513-46b9-46fc-8e70-d575ee546dae} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\BASE (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\DELETED (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\SAVED (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bgcolifl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lfilocgb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcgqkqij.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jiqkqgcl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nckfwwan.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nawwfkcn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcYPGyW.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\searsc.SEARSC-2792CFDE\Desktop\vtULBrQh.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\searsc.SEARSC-2792CFDE\Local Settings\Temporary Internet Files\Content.IE5\7NM5S6EH\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\searsc.SEARSC-2792CFDE\Local Settings\Temporary Internet Files\Content.IE5\8HI1TBXQ\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Premium Booster\RdvChk.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C9429B1D-04E0-4C29-9BDF-26390B28806A}\RP49\A0031743.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C9429B1D-04E0-4C29-9BDF-26390B28806A}\RP49\A0031746.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C9429B1D-04E0-4C29-9BDF-26390B28806A}\RP49\A0031749.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnlliIA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gbtbdpah.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zwspjt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080718085358375.log (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.
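The MBAM log above is what a helper reads next: which threat families were found, and which items are still marked "Delete on reboot" and so are not actually gone until the machine restarts. The Python below, added here as an example (it is not Malwarebytes code and not part of this thread), parses the log format shown above from a constructed excerpt of the posted log, counts detections per family, lists the pending-reboot items, and checks the two file names Brubur gave in #1 against the detected paths. The names `SAMPLE_LOG`, `parse_mbam_log`, `summarize`, `pending_reboot` and `match_suspects` belong to this example only.

```python
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes' Anti-Malware 1.21 log posted above,
# trimmed to a few lines per section so every code path below is exercised.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.21
Database version: 967

Memory Modules Infected: 2
Registry Keys Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bgcolifl.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\efcYPGyW.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{53d2b243-c8df-460c-a3ff-745870147415} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcypgyw (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\tbsb01042.ietoolbar (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\efcYPGyW.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\searsc.SEARSC-2792CFDE\Desktop\vtULBrQh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\zwspjt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Premium Booster\RdvChk.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
"""

# A detail section header ends in "Infected:" with nothing after the colon;
# the summary lines near the top ("... Infected: 2") deliberately do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One detection: "<path> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, path, family, action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        # Skip the banner/summary lines and "(No malicious items detected)".
        if section is None or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, **m.groupdict()})
    return items


def summarize(items):
    """Detections per threat family, most frequent first."""
    return Counter(i["family"] for i in items).most_common()


def pending_reboot(items):
    """Paths MBAM could not remove while Windows was running; confirm after the restart."""
    return [i["path"] for i in items if i["action"] == "Delete on reboot"]


def match_suspects(items, names):
    """Case-insensitive lookup of user-reported file names -> family, or None if absent."""
    wanted = {n.lower() for n in names}
    found = {}
    for i in items:
        base = i["path"].rsplit("\\", 1)[-1]
        if base.lower() in wanted:
            found[base.lower()] = i["family"]
    return {n: found.get(n.lower()) for n in names}


if __name__ == "__main__":
    items = parse_mbam_log(SAMPLE_LOG)
    print("per family:", summarize(items))
    print("pending reboot:", pending_reboot(items))
    print("reported in #1:", match_suspects(items, ["vtUlBrQh.dll", "efcPGyW.dll"]))
```

Note that `efcPGyW.dll` as typed in #1 does not match because the scanner records the file as `efcYPGyW.dll`; a user-reported name is worth checking against the scanner's own spelling before anything is declared gone, and the four "Delete on reboot" entries are the ones to confirm in a post-restart log.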

#4
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Click on Start, click on Run.
Copy and paste the following in bold in the open window and then click OK:

"%userprofile%\desktop\dss.exe" /config

This will open up the DSS configuration.
Click on everything under the Main Log, i.e. everything down the left hand side.
Make sure everything under Extra Log is unchecked.
In the options part, click on Whitelist output and Check File Signatures.
Click Scan.
DSS will now run again. When it has finished, please post back the log that opens in Notepad.

#5
Brubur

    New Member

  • Topic Starter
  • Member
  • 5 posts
Andrewuk, thank you, it worked. I am pasting the report to this reply. Thanks for getting back with me. Brubur

Deckard's System Scanner v20071014.68
Run by searsc on 2008-07-20 16:13:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
42: 2008-07-20 04:36:28 UTC - RP88 - Deckard's System Scanner Restore Point
41: 2008-07-19 20:53:48 UTC - RP87 - System Checkpoint
40: 2008-07-18 13:01:00 UTC - RP86 - Last known good configuration
39: 2008-07-18 13:00:52 UTC - RP85 - Installed TextMessagePLUS
38: 2008-07-18 13:00:52 UTC - RP84 - System Checkpoint


-- First Restore Point --
1: 2008-07-18 13:00:43 UTC - RP47 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as searsc.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:16 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Privacy Mantra 2.04\privacymantra.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\honestech Video Patrol 4.0\scheduler.exe
C:\Program Files\honestech Video Patrol 4.0\UPnPAgent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\searsc.SEARSC-2792CFDE\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\searsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
O2 - BHO: (no name) - {01F2C3AE-D697-42E9-85C0-06DFF3FE6B31} - C:\WINDOWS\system32\vtULBrQh.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [com.codeode.privacymantra] "C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" -minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Global Startup: honestech Video Patrol 4.0 Trial Scheduler.lnk = C:\Program Files\honestech Video Patrol 4.0\scheduler.exe
O8 - Extra context menu item: CallClerk Dial - file://C:\Program Files\CallClerk\callclerkdial.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=23100
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6944 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 PCASp50 (PCASp50 NDIS Protocol Driver) - c:\windows\system32\drivers\pcasp50.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_2592&SUBSYS_01821028&REV_03\3&61AAA01&0&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_2592&SUBSYS_01821028&REV_03\3&61AAA01&0&10
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller
Device ID: PCI\VEN_8086&DEV_2792&SUBSYS_01821028&REV_03\3&61AAA01&0&11
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_8086&DEV_2792&SUBSYS_01821028&REV_03\3&61AAA01&0&11
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth Device (RFCOMM Protocol TDI)
Device ID: BTH\MS_RFCOMM\6&373D5EDD&0&0
Manufacturer: Microsoft
Name: Bluetooth Device (RFCOMM Protocol TDI)
PNP Device ID: BTH\MS_RFCOMM\6&373D5EDD&0&0
Service: RFCOMM

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth Device (Personal Area Network)
Device ID: BTH\MS_BTHPAN\6&373D5EDD&0&2
Manufacturer: Microsoft
Name: Bluetooth Device (Personal Area Network)
PNP Device ID: BTH\MS_BTHPAN\6&373D5EDD&0&2
Service: BthPan

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_104C&DEV_8038&SUBSYS_01821028&REV_00\4&2FA23535&0&0DF0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_104C&DEV_8038&SUBSYS_01821028&REV_00\4&2FA23535&0&0DF0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 844)
2007-03-16 22:10:26 770048 --a------ C:\WINDOWS\system32\BCMLogon.dll <Not Verified; Dell Inc.; Wireless Network Logon Provider>

C:\WINDOWS\explorer.exe (pid 1564)
2005-03-10 16:33:48 53248 --a------ C:\Program Files\Panicware\Pop-Up Stopper Professional\XAHook.dll <Not Verified; Panicware, Inc.; XAHook Dynamic Link Library>
2005-05-12 10:24:38 32768 --a------ C:\Program Files\Zoner\Photo Studio 7\Program\ShellExt7.dll <Not Verified; ZONER software; Zoner Photo Studio 7>
2008-04-11 08:43:56 43520 --a------ C:\Program Files\Common Files\Pointstone\Shredder\SDShlExt.dll <Not Verified; Pointstone Software, LLC; Pointstone Shredder>
2007-06-13 21:34:48 32768 --a------ C:\Program Files\VCOM\SystemSuite\MXCtxMnu.dll <Not Verified; Avanquest Software USA, Inc.; SystemSuite>


-- Scheduled Tasks -------------------------------------------------------------

2008-03-19 16:20:13 342 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-03-19 16:20:11 334 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-06-20 and 2008-07-20 -----------------------------

2008-07-20 07:45:34 0 d-------- C:\WINDOWS\LastGood
2008-07-20 00:53:57 0 d-------- C:\Program Files\Trend Micro
2008-07-19 21:22:10 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\Malwarebytes
2008-07-19 21:22:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-07-19 21:21:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 15:05:24 116864 --a------ C:\WINDOWS\system32\vdazqo.dll
2008-07-19 15:05:22 116864 --a------ C:\WINDOWS\system32\vepeymnt.dll
2008-07-18 13:07:58 0 d-------- C:\Program Files\Panicware
2008-07-18 10:26:14 0 d-------- C:\Program Files\a-squared Free
2008-07-18 09:01:38 116864 --a------ C:\WINDOWS\system32\owevvi.dll
2008-07-18 09:01:36 116864 --a------ C:\WINDOWS\system32\yybxwskg.dll
2008-07-18 09:00:32 396593 --ahs---- C:\WINDOWS\system32\hQrBLUtv.ini2
2008-07-17 09:32:14 352 -r-h----- C:\WINDOWS\ecerkgye2.dat
2008-07-17 09:26:05 0 d-------- C:\Program Files\Cellular Essentials 2.0
2008-07-17 09:25:27 0 d-------- C:\WINDOWS\uninstall
2008-07-17 09:16:03 0 d-------- C:\Program Files\SAFCo Software
2008-07-16 21:41:21 0 d-------- C:\Program Files\APAstyle.info
2008-07-15 22:07:07 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\lceps
2008-07-15 22:05:51 0 d-------- C:\Program Files\PTrainer_Japanese_Trial
2008-07-15 22:01:04 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\Google
2008-07-15 21:59:09 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\Sun
2008-07-15 21:58:54 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2008-07-14 21:40:05 0 d-------- C:\Program Files\Premium Booster
2008-07-14 21:36:03 0 d-------- C:\Program Files\Registry Defragmentation
2008-07-14 21:32:00 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\SeriousBit
2008-07-14 21:31:21 0 d-------- C:\Program Files\EnhanceMyXP
2008-07-14 08:30:00 0 d-------- C:\Program Files\JPGPhotoConverter
2008-06-22 10:53:14 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\GetRightToGo
2008-06-20 07:19:18 0 d-------- C:\Program Files\Magic Picture Converter


-- Find3M Report ---------------------------------------------------------------

2008-07-20 16:00:40 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\ComcastToolbar
2008-07-16 05:48:48 0 d-------- C:\Program Files\Google
2008-07-15 21:58:28 0 d-------- C:\Program Files\Java
2008-07-05 14:42:27 0 d-------- C:\Program Files\Common Files\Scanner
2008-06-29 19:38:48 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-06-22 10:56:27 0 d-------- C:\Program Files\MyFantasyMaker
2008-06-21 15:49:28 0 d-------- C:\Program Files\McAfee
2008-06-21 13:08:46 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-20 06:47:27 0 d-------- C:\Program Files\NCH Software
2008-06-19 13:43:45 0 d-------- C:\Program Files\ABF software
2008-06-19 07:40:36 0 d-------- C:\Program Files\Zeallsoft
2008-06-19 07:06:50 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-18 22:38:20 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-18 22:38:16 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\NCH Swift Sound
2008-06-18 22:38:11 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\NCH Software
2008-06-17 08:31:15 0 d-------- C:\Program Files\Personal Stock Streamer
2008-06-17 08:24:19 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\WinRAR
2008-06-16 18:40:13 0 d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\DTLink Software
2008-05-15 13:09:38 392704 --a------ C:\WINDOWS\CSS.scr <Not Verified; ABF software, Inc.; The Clock Screen Saver is a screen saver that displays current time using either analog or digital clock face.>
2008-05-03 01:25:41 2 --a------ C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\7zip_progress_EC5988D0-589B-4BAE-8A86-7979FFAE7BED.txt
2008-05-03 01:25:31 2 --a------ C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\7zip_progress_B36211CF-6A23-407D-BE8A-B2CD185AED5B.txt
2008-05-03 01:25:27 2 --a------ C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\7zip_progress_D0B179E0-9295-49EA-8D27-8DF3514CAA06.txt
2008-04-22 06:48:35 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-21 15:42:55 0 --a------ C:\WINDOWS\dvdsnapshot.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01F2C3AE-D697-42E9-85C0-06DFF3FE6B31}]
C:\WINDOWS\system32\vtULBrQh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 06:00 AM C:\WINDOWS\system32\bthprops.cpl]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [02/21/2007 03:17 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/12/2008 01:16 AM]
"EarthLink Installer"=" /C" []
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [05/17/2008 12:40 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/27/2008 01:38 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"com.codeode.privacymantra"="C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" [07/07/2007 10:39 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [07/15/2008 10:01 PM]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE" [06/01/2005 04:09 PM]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
honestech Video Patrol 4.0 Trial Scheduler.lnk - C:\Program Files\honestech Video Patrol 4.0\scheduler.exe [4/2/2008 12:14:37 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtULBrQh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- Iexplores.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0833ae7e-08e2-11dd-a688-0010c6eed7f6}]
AutoRun\command- Iexplores.exe




-- End of Deckard's System Scanner: finished at 2008-07-20 16:15:19 ------------
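The Registry Dump at the end of the DSS log is where the persistence shows: the `vtULBrQh` module that MBAM flagged as Trojan.Vundo is registered as a Browser Helper Object and is also appended to LSA's `Authentication Packages` value beside the default `msv1_0`, and two mountpoints2 entries carry an `AutoRun\command` pointing at `Iexplores.exe`. The Python below, added here as an example (it is not part of DSS, HijackThis or this thread), parses a constructed excerpt of that dump and pulls the non-default entries out automatically. The baselines `DEFAULT_AUTH_PACKAGES` and `DEFAULT_SECURITY_PROVIDERS` are assumed here to be the Windows XP defaults; `SAMPLE_DUMP`, `parse_dump` and `audit` are names of this example only.

```python
import re

# Constructed excerpt of the DSS "Registry Dump" posted above, with the benign
# Run entries trimmed to one. Only the line format matters to the parser.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01F2C3AE-D697-42E9-85C0-06DFF3FE6B31}]
C:\WINDOWS\system32\vtULBrQh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/27/2008 01:38 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtULBrQh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- Iexplores.exe
"""

# Assumed Windows XP defaults: one LSA authentication package and four
# security providers. Anything beyond these needs an explanation.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


def parse_dump(text):
    """Map each bracketed registry key header to the non-empty lines beneath it."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = []
        elif current is not None:
            keys[current].append(line)
    return keys


def _stem(path):
    """Lower-cased file name without directory or extension.

    Authentication Packages are conventionally written without ".dll", so
    stems are what let a BHO path and an LSA entry be compared.
    """
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def audit(keys):
    """Return (check, value) tuples for every entry outside the baselines."""
    findings, auth_extra, bho_dlls = [], [], []
    for key, lines in keys.items():
        k = key.lower()
        if k.endswith(r"\control\lsa"):
            for line in lines:
                if line.lower().startswith('"authentication packages"'):
                    pkgs = line.split("=", 1)[1].split()
                    auth_extra = [p for p in pkgs if _stem(p) not in DEFAULT_AUTH_PACKAGES]
                    findings += [("lsa-auth-package", p) for p in auth_extra]
        elif k.endswith(r"\control\securityproviders"):
            for line in lines:
                if line.lower().startswith("securityproviders"):
                    provs = [p.strip().lower() for p in line.split(None, 1)[1].split(",") if p.strip()]
                    findings += [("security-provider", p) for p in provs if p not in DEFAULT_SECURITY_PROVIDERS]
        elif "browser helper objects" in k:
            bho_dlls.extend(lines)
        elif "mountpoints2" in k:
            for line in lines:
                # A per-drive AutoRun handler that runs an executable on open.
                if line.lower().startswith("autorun\\command"):
                    findings.append(("drive-autorun", line.split("-", 1)[1].strip()))
    # Correlate: one module registered both as a BHO and as an LSA package.
    auth_stems = {_stem(p) for p in auth_extra}
    findings += [("bho-also-lsa-package", d) for d in bho_dlls if _stem(d) in auth_stems]
    return findings


if __name__ == "__main__":
    for check, value in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{check:22} {value}")
```

The correlation step is the useful part: a single unknown DLL is easy to dismiss, but the same stem appearing as a BHO (loaded into Internet Explorer) and as an LSA authentication package (loaded into LSASS at boot) explains why the file came straight back after Brubur deleted it in #1.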

#6
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
If you have already downloaded ComboFix, could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.micro...com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#7
Brubur
    New Member
  • Topic Starter
  • Member
  • 5 posts
Andrewuk, I ran ComboFix. Everything seemed to run well. Here is the report. Thank you again for all of your help. Brubur.

ComboFix 08-07-20.5 - searsc 2008-07-21 3:48:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1621 [GMT -4:00]
Running from: C:\Documents and Settings\searsc.SEARSC-2792CFDE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\searsc.SEARSC-2792CFDE\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hQrBLUtv.ini
C:\WINDOWS\system32\hQrBLUtv.ini2
C:\WINDOWS\system32\owevvi.dll
C:\WINDOWS\system32\vdazqo.dll
C:\WINDOWS\system32\vepeymnt.dll
C:\WINDOWS\system32\yybxwskg.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 00:53 . 2008-07-20 00:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Deckard
2008-07-19 21:22 . 2008-07-19 21:22 <DIR> d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\Malwarebytes
2008-07-19 21:22 . 2008-07-19 21:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-07-19 21:22 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-19 21:21 . 2008-07-19 21:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 21:21 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-18 13:07 . 2008-07-18 13:07 <DIR> d-------- C:\Program Files\Panicware
2008-07-18 10:26 . 2008-07-18 12:35 <DIR> d-------- C:\Program Files\a-squared Free
2008-07-17 09:32 . 2008-07-17 09:32 352 -r-h----- C:\WINDOWS\ecerkgye2.dat
2008-07-17 09:26 . 2008-07-17 09:32 <DIR> d-------- C:\Program Files\Cellular Essentials 2.0
2008-07-17 09:25 . 2008-07-17 09:26 <DIR> d-------- C:\WINDOWS\uninstall\Cellular Essentials
2008-07-17 09:25 . 2008-07-17 09:25 <DIR> d-------- C:\WINDOWS\uninstall
2008-07-17 09:16 . 2008-07-17 09:16 <DIR> d-------- C:\Program Files\SAFCo Software
2008-07-16 21:41 . 2008-07-16 21:41 <DIR> d-------- C:\Program Files\APAstyle.info
2008-07-15 22:07 . 2008-07-15 22:07 <DIR> d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\lceps
2008-07-15 22:05 . 2008-07-15 22:05 <DIR> d-------- C:\Program Files\PTrainer_Japanese_Trial
2008-07-15 21:58 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-14 21:40 . 2008-07-14 21:42 <DIR> d-------- C:\Program Files\Premium Booster
2008-07-14 21:36 . 2008-07-14 21:36 <DIR> d-------- C:\Program Files\Registry Defragmentation
2008-07-14 21:32 . 2008-07-14 21:32 <DIR> d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\SeriousBit
2008-07-14 21:31 . 2008-07-14 21:31 <DIR> d-------- C:\Program Files\EnhanceMyXP
2008-07-14 08:31 . 2008-07-14 08:34 31,124 --a------ C:\cindy and rob_out.jpg
2008-07-14 08:30 . 2008-07-14 08:30 <DIR> d-------- C:\Program Files\JPGPhotoConverter
2008-06-22 10:53 . 2008-06-22 11:02 <DIR> d-------- C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 07:20 --------- d-----w C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\ComcastToolbar
2008-07-20 14:52 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-20 13:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-07-16 09:48 --------- d-----w C:\Program Files\Google
2008-07-16 01:58 --------- d-----w C:\Program Files\Java
2008-07-05 18:42 --------- d-----w C:\Program Files\Common Files\Scanner
2008-06-29 23:38 --------- d-----w C:\Program Files\a-squared Anti-Malware
2008-06-22 14:56 --------- d-----w C:\Program Files\MyFantasyMaker
2008-06-21 19:49 --------- d-----w C:\Program Files\McAfee
2008-06-21 17:08 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 11:19 --------- d-----w C:\Program Files\Magic Picture Converter
2008-06-20 10:47 --------- d-----w C:\Program Files\NCH Software
2008-06-20 10:47 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\NCH Software
2008-06-19 17:43 --------- d-----w C:\Program Files\ABF software
2008-06-19 11:40 --------- d-----w C:\Program Files\Zeallsoft
2008-06-19 11:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-19 02:38 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-19 02:38 --------- d-----w C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\NCH Swift Sound
2008-06-19 02:38 --------- d-----w C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\NCH Software
2008-06-19 02:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2008-06-17 12:31 --------- d-----w C:\Program Files\Personal Stock Streamer
2008-06-16 22:40 --------- d-----w C:\Documents and Settings\searsc.SEARSC-2792CFDE\Application Data\DTLink Software
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-15 17:09 392,704 ----a-w C:\WINDOWS\CSS.scr
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"com.codeode.privacymantra"="C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" [2007-07-07 10:39 917504]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-15 22:01 171448]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE" [2005-06-01 16:09 516096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"="/C" [X]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 15:17 970752]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 01:16 39792]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-05-17 12:40 1961104]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 01:38 316728]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
honestech Video Patrol 4.0 Trial Scheduler.lnk - C:\Program Files\honestech Video Patrol 4.0\scheduler.exe [2008-04-02 12:14:37 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Web Server

S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2006-03-27 19:02]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - Iexplores.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0833ae7e-08e2-11dd-a688-0010c6eed7f6}]
\Shell\AutoRun\command - Iexplores.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 20:20:13 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-19 20:20:11 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{01F2C3AE-D697-42E9-85C0-06DFF3FE6B31} - C:\WINDOWS\system32\vtULBrQh.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.comcast.net/comcast.html
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: CallClerk Dial - file://C:\Program Files\CallClerk\callclerkdial.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 03:52:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\honestech Video Patrol 4.0\UPnPAgent.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-07-21 3:58:29 - machine was rebooted [searsc]
ComboFix-quarantined-files.txt 2008-07-21 07:58:11

Pre-Run: 39,833,497,600 bytes free
Post-Run: 39,787,159,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

185 --- E O F --- 2008-07-13 21:06:18
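The DSS log earlier in the thread lists a second token after msv1_0 in the LSA "Authentication Packages" value and an AutoRun command for two mount points, and the ComboFix log above shows Security Center notifications turned off and the firewall standard profile disabled. As an added example, not part of this thread and not code from ComboFix, DSS or any other tool named here, the Python below parses registry-loading-point lines in the format these two logs use and flags those conditions. The sample input is constructed from lines quoted in the logs above; the one assumption beyond the page is that a stock Windows XP install lists only msv1_0 in "Authentication Packages", so any further token on that line names a module lsass.exe is not expected to load.

```python
"""Triage of 'Reg Loading Points' style sections from DSS / ComboFix logs.

Added example; not part of the forum thread or of the tools it mentions.
"""
import re
from dataclasses import dataclass

# Assumption: a stock Windows XP install has exactly "msv1_0" here. Every
# extra token on that line is loaded into lsass.exe at boot.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass
class Finding:
    severity: str   # HIGH / MEDIUM / LOW
    key: str        # registry key the line appeared under
    detail: str


_KEY_RE = re.compile(r"^\[(.+)\]$")
# Both spellings seen in the logs: "AutoRun\command- X" and "\Shell\AutoRun\command - X"
_AUTORUN_RE = re.compile(r"autorun\\command\s*-\s*(.+)$", re.IGNORECASE)
_NOTIFY_OFF_RE = re.compile(
    r'^"(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)"=dword:0*1$',
    re.IGNORECASE)
_MONITOR_OFF_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
_FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


def _check(key, line):
    """Apply the rules for one value line under the given key; None if clean."""
    k = key.lower()
    if k.endswith(r"\control\lsa") and line.lower().startswith('"authentication packages"'):
        value = line.split("=", 1)[1]
        extras = [t for t in value.split() if t.lower() not in DEFAULT_AUTH_PACKAGES]
        if extras:
            return Finding("HIGH", key,
                           "non-default authentication package(s) loaded into lsass.exe: "
                           + ", ".join(extras))
        return None
    if "mountpoints2" in k:
        m = _AUTORUN_RE.search(line)
        if m:
            return Finding("HIGH", key, "AutoRun command on mount point: " + m.group(1).strip())
        return None
    if "security center" in k:
        if _NOTIFY_OFF_RE.match(line):
            return Finding("MEDIUM", key,
                           "Security Center alert suppressed: " + line.split("=", 1)[0].strip('"'))
        if _MONITOR_OFF_RE.match(line):
            return Finding("LOW", key,
                           "Security Center monitoring disabled for this product "
                           "(often set by the product itself; verify)")
        return None
    if "firewallpolicy" in k and _FIREWALL_OFF_RE.match(line):
        return Finding("MEDIUM", key, "Windows Firewall disabled for this profile")
    return None


def triage(log_text):
    """Walk the log, remembering the current [key], and collect findings in order."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue          # text before the first key header
        f = _check(key, line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: lines copied from the DSS and ComboFix logs in the thread,
# plus one benign Run entry to show that ordinary lines are not flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtULBrQh

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 01:38 316728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- Iexplores.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0833ae7e-08e2-11dd-a688-0010c6eed7f6}]
\Shell\AutoRun\command - Iexplores.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}\n    {f.detail}")
```

The rules key off the registry path rather than file names, so a renamed DLL still trips the LSA check, and the AutoRun rule catches the command whichever of the two log tools wrote the line. Run it against the text of a fresh log to confirm the entries are gone after a fix; an empty result from `triage()` means none of the four conditions remain.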

#8
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
In this post we will clear the malware I can see and do a couple more scans to see if there is anything else lurking on your machine.

The scans will likely take about 3 hours, possibly longer, so just let them run.

====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0833ae7e-08e2-11dd-a688-0010c6eed7f6}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

====STEP 2====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 3====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply could I see:
1. the combofix log
2. the SUPERantispyware log
3. the kaspersky log
4. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#9
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.