downloader.gen.a PLEASE HELP WITH HIJACKTHIS [RESOLVED]


This topic is locked.

#1 srat (Member, 11 posts)
End of file - 8017 bytes

Edited by srat, 02 August 2008 - 06:16 PM.

#2 didom (Member 1K, 1,919 posts)
Hi srat,

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Edited by didom, 05 August 2008 - 11:12 AM.


#3 srat (Topic Starter, Member, 11 posts)
Spysweeper finds adware Virtumonde; I am not able to stop it from coming back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:47 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerPanel Personal Edition\pppeuser.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Joba Chamberlain Bobblehead] "C:\Program Files\Joba Chamberlain Bobblehead\Joba Chamberlain Bobblehead.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\PowerPanel Personal Edition\pppeuser.exe"
O4 - Startup: DMI RAID Manager.lnk = ?
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...352/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\PowerPanel Personal Edition\ppped.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8697 bytes
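To show how a log in the format posted above can be handled programmatically, here is an added example (not code from this thread, from HijackThis or from Geeks to Go) that parses HijackThis v2 log lines into records and attaches the triage flags a helper looks at first: bare file names in Run keys, unresolved Startup shortcuts, DLLs loaded through rundll32, unknown Winsock LSP files, and services with an unknown owner. The sample lines are constructed from the log above; the [BM33da56fe] rundll32 line is constructed to mirror the ComboFix "orphans removed" entry later in the thread and does not appear in the posted HijackThis log. The flag names and heuristics are the example's own, not HijackThis categories.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the HijackThis v2.0.2 log format. Most lines are
# copied from the log posted above; the [BM33da56fe] line is constructed
# (modelled on the ComboFix "orphans removed" entry later in the thread)
# and is not from the original HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DMI RAID Manager.lnk = ?
O4 - HKLM\..\Run: [BM33da56fe] Rundll32.exe "C:\WINDOWS\system32\hnadgpbo.dll",s
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\PowerPanel Personal Edition\ppped.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
O2_RE = re.compile(r"^BHO:\s+(?P<name>.+?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<path>.+)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup:\s+(?P<name>.+?)\s+=\s+(?P<target>.*)$")
O10_RE = re.compile(r"^Unknown file in Winsock LSP:\s+(?P<path>.+)$")
O23_RE = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$")
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s,]+')   # drive-letter paths inside a command line


@dataclass
class HjtEntry:
    section: str                 # "R0", "O4", "O23", ...
    body: str                    # text after "O4 - "
    key: str = ""                # Run value name, startup shortcut, BHO or service name
    path: str = ""               # image path or file the entry points at
    flags: List[str] = field(default_factory=list)


def command_path(cmd: str) -> str:
    """Image path of a Run command: the quoted part if quoted, else up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:
        return cmd[: m.end()]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis 'R'/'O' lines into entries and attach triage flags."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue    # header, process list, blank and "End of file" lines
        e = HjtEntry(section=m.group("sec"), body=m.group("body"))
        if e.section == "O2" and (b := O2_RE.match(e.body)):
            e.key, e.path = b.group("name"), b.group("path")
        elif e.section == "O4" and (r := O4_RUN_RE.match(e.body)):
            cmd = r.group("cmd")
            e.key, e.path = r.group("name"), command_path(cmd)
            if "\\" not in e.path:
                # bare file name: located via the search path, so it cannot be
                # verified from the log alone
                e.flags.append("bare-filename")
            if re.search(r"\brundll32(\.exe)?\b", cmd, re.IGNORECASE):
                dlls = [p for p in WIN_PATH_RE.findall(cmd) if p.lower().endswith(".dll")]
                e.flags.append("rundll32-dll:" + ",".join(dlls))
        elif e.section == "O4" and (s := O4_STARTUP_RE.match(e.body)):
            e.key, e.path = s.group("name"), s.group("target")
            if e.path == "?":
                e.flags.append("unresolved-startup-shortcut")
        elif e.section == "O10" and (w := O10_RE.match(e.body)):
            e.path = w.group("path")
            e.flags.append("unknown-winsock-lsp")
        elif e.section == "O23" and (sv := O23_RE.match(e.body)):
            e.key, e.path = sv.group("name"), sv.group("path")
            if sv.group("owner").lower() == "unknown owner":
                e.flags.append("unknown-owner")
        entries.append(e)
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Group flagged entries by flag name; these lists are what a helper checks first."""
    report: Dict[str, List[str]] = {}
    for e in parse_hjt(text):
        for f in e.flags:
            report.setdefault(f.split(":", 1)[0], []).append(e.key or e.path)
    return report


if __name__ == "__main__":
    for flag, names in triage(SAMPLE_LOG).items():
        print(f"{flag}: {names}")
```

The flags are a triage aid, not verdicts: a bare file name such as sttray.exe is benign here (the ComboFix log later in the thread resolves it to C:\WINDOWS\sttray.exe), and an O23 service with an unknown owner is often just an unsigned third-party tool. What the script buys you is a consistent first pass over a long log, so that the few entries worth a manual look are not lost among dozens of routine ones.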

#4 didom (Member 1K, 1,919 posts)
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 srat (Topic Starter, Member, 11 posts)
Hi didom,
Thank you for your quick response. When I get home tonight I will work on getting those logs posted.
Regards,
Scott

#6 srat (Topic Starter, Member, 11 posts)
Hi didom,
I'm posting the ComboFix log and a new HJT log. I have not seen any popups so far. I will wait for your response before I do anything else. Thanks again.
Scott


ComboFix 08-08-07.05 - SCOTT 2008-08-07 20:24:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.169 [GMT -4:00]
Running from: C:\Documents and Settings\SCOTT\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\BRETT\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\JOEY\Application Data\macromedia\Flash Player\#SharedObjects\9EAL5CE2\interclick.com
C:\Documents and Settings\JOEY\Application Data\macromedia\Flash Player\#SharedObjects\9EAL5CE2\interclick.com\ud.sol
C:\Documents and Settings\JOEY\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\JOEY\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\SCOTT\Application Data\inst.exe
C:\Documents and Settings\SCOTT\Application Data\macromedia\Flash Player\#SharedObjects\HNRXSY5F\interclick.com
C:\Documents and Settings\SCOTT\Application Data\macromedia\Flash Player\#SharedObjects\HNRXSY5F\interclick.com\ud.sol
C:\Documents and Settings\SCOTT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\SCOTT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\SCOTT\Application Data\Microsoft\dtsc
C:\Documents and Settings\SCOTT\Application Data\Microsoft\dtsc\Norton Ghost v5.1c SP1 for DOS by CORE.torrent
C:\Documents and Settings\SCOTT\Application Data\Microsoft\dtsc\Norton Ghost v5.1c SP1 for DOS by CORE.zip
C:\Documents and Settings\SCOTT\Application Data\Microsoft\dtsc\s
C:\WINDOWS\BM33da56fe.txt
C:\WINDOWS\BM33da56fe.xml
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\BLRCLkkj.ini
C:\WINDOWS\system32\BLRCLkkj.ini2
C:\WINDOWS\system32\gbpnnigi.dll
C:\WINDOWS\system32\jkkLCRLB.dll
C:\WINDOWS\system32\pmqmxj.dll
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\yqfvcjts.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-07 19:44 . 2008-08-07 19:44 2,048 --a------ C:\WINDOWS\system32\kvnqqbkf.exe
2008-08-06 23:33 . 2008-08-06 23:33 2,048 --a------ C:\WINDOWS\system32\beflluar.exe
2008-08-05 23:34 . 2008-08-05 23:34 2,048 --a------ C:\WINDOWS\system32\pmqjrxmr.exe
2008-08-04 23:33 . 2008-08-04 23:33 2,048 --a------ C:\WINDOWS\system32\ntkwfyin.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a--c--- C:\WINDOWS\system32\dllcache\rundll32.exe
2008-08-04 21:10 . 2008-08-04 21:10 <DIR> d-------- C:\ADMINI~1
2008-08-04 18:45 . 2008-08-04 18:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:45 . 2008-08-04 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 20:38 . 2008-08-02 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 18:19 . 2008-08-02 18:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 18:04 . 2008-08-01 18:04 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-07-31 22:10 . 2008-07-31 22:10 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-28 22:17 . 2008-07-28 22:17 <DIR> d-------- C:\Program Files\vso
2008-07-28 21:23 . 2008-07-28 21:23 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\AVS4YOU
2008-07-28 21:22 . 2008-07-28 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-28 21:21 . 2008-07-28 22:13 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-07-28 21:20 . 2008-07-28 22:12 <DIR> d-------- C:\Program Files\AVS4YOU
2008-07-28 20:22 . 2008-07-28 23:53 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-28 20:21 . 2008-07-28 23:54 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-07-26 19:49 . 2008-07-29 22:03 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\Vso
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\Documents and Settings\SCOTT\Application Data\pcouffin.sys
2008-07-26 19:48 . 2008-07-26 19:49 <DIR> d-------- C:\Program Files\DVDFab 5
2008-07-26 19:22 . 2008-07-26 19:24 <DIR> d-------- C:\NO_LABEL
2008-07-26 19:21 . 2008-07-26 19:21 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\ri4mupdater
2008-07-26 16:48 . 2008-07-26 16:49 <DIR> d-------- C:\VIDEOS TO BURN
2008-07-26 16:40 . 2008-07-26 16:41 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-07-26 13:51 . 2008-07-26 13:51 <DIR> d-------- C:\Program Files\DVD Shrink
2008-07-26 13:51 . 2008-07-26 14:17 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\RipIt4Me
2008-07-26 13:51 . 2008-07-26 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-24 22:25 . 2008-07-24 22:25 <DIR> d-------- C:\Program Files\Joba Chamberlain Bobblehead
2008-07-12 16:41 . 2008-07-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-12 16:38 . 2008-07-12 16:42 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-12 15:24 . 2008-07-12 16:40 <DIR> d-------- C:\Program Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 00:33 --------- d-----w C:\Documents and Settings\SCOTT\Application Data\OpenOffice.org2
2008-08-08 00:32 --------- d-----w C:\Program Files\PowerPanel Personal Edition
2008-08-07 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-07 02:34 --------- d-----w C:\Program Files\Google
2008-08-05 23:39 --------- d-----w C:\Program Files\ZipWiz
2008-08-05 22:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-08-01 21:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\McAfee
2008-07-31 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-28 23:00 --------- d-----w C:\Program Files\DivX
2008-07-15 01:01 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-12 01:50 --------- d-----w C:\Program Files\Java
2008-06-22 18:31 --------- d-----w C:\Documents and Settings\IRWIN\Application Data\Webroot
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 20:22 --------- d-----w C:\Program Files\Common Files\Zero G Software
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"PowerPanel Personal Edition User Interaction"="C:\Program Files\PowerPanel Personal Edition\pppeuser.exe" [2007-08-09 13:40 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 20:29 196709]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-06 13:11 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 13:13 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 13:10 94208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"Joba Chamberlain Bobblehead"="C:\Program Files\Joba Chamberlain Bobblehead\Joba Chamberlain Bobblehead.exe" [2008-06-16 22:40 3201192]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 12:22 20480]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]
"SigmatelSysTrayApp"="sttray.exe" [2006-09-07 15:23 303104 C:\WINDOWS\sttray.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Documents and Settings\SCOTT\Start Menu\Programs\Startup\
DMI RAID Manager.lnk - C:\Documents and Settings\SCOTT\Application Data\Microsoft\Installer\{D1E170A4-B6E2-42B5-B87F-D6BCF945FB06}\_7f967ff5.exe [2006-11-14 22:03:54 1078]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--------- 2006-05-11 12:47 151552 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-01-16 12:46 1398272 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--------- 2006-09-21 11:36 9138176 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
--------- 2003-07-07 10:29 729088 C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--------- 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--------- 2005-02-25 20:28 212992 C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 inic1622;inic1622;C:\WINDOWS\system32\DRIVERS\dmi1622.sys [2004-12-24 13:35]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 17:58]
S3 exdisk;Express Disk Service;C:\WINDOWS\system32\DRIVERS\exdisk.sys [2004-08-03 18:38]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-07-05 16:35]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-02-27 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-02-27 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-farstone - (no file)
ShellExecuteHooks-{EF8820EB-F11E-4DD6-BC6C-D99084691C18} - (no file)
MSConfigStartUp-BM33da56fe - C:\WINDOWS\system32\hnadgpbo.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\SCOTT\Application Data\Mozilla\Firefox\Profiles\pka5owr5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/a/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 20:32:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-08-07 20:41:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 00:41:24

Pre-Run: 762,473,926,656 bytes free
Post-Run: 762,748,338,176 bytes free

235 --- E O F --- 2008-07-12 01:28:30

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:50 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Joba Chamberlain Bobblehead] "C:\Program Files\Joba Chamberlain Bobblehead\Joba Chamberlain Bobblehead.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\PowerPanel Personal Edition\pppeuser.exe"
O4 - Startup: DMI RAID Manager.lnk = ?
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...352/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\PowerPanel Personal Edition\ppped.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8683 bytes

#7 didom
I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player


Then reboot your system.

Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...ml#entry1302589

Collect::
C:\WINDOWS\system32\kvnqqbkf.exe
C:\WINDOWS\system32\beflluar.exe
C:\WINDOWS\system32\pmqjrxmr.exe
C:\WINDOWS\system32\ntkwfyin.exe


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

  • Make sure all hidden files are showing
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\WINDOWS\system32\DRIVERS\dmi1622.sys
  • Click on the submit button
  • Please post the Jotti results along with the combofix log and a fresh Hijackthis log in your next reply.

Edited by didom, 09 August 2008 - 07:35 AM.


#8 srat (Topic Starter)
Hi didom

I removed the viewpoint from add/remove programs
So far so good


Scan taken on 09 Aug 2008 18:35:39 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing





ComboFix 08-08-08.08 - SCOTT 2008-08-09 14:09:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.117 [GMT -4:00]
Running from: C:\Documents and Settings\SCOTT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SCOTT\Desktop\cfscript.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-07 19:44 . 2008-08-07 19:44 2,048 --a------ C:\WINDOWS\system32\kvnqqbkf.exe
2008-08-06 23:33 . 2008-08-06 23:33 2,048 --a------ C:\WINDOWS\system32\beflluar.exe
2008-08-05 23:34 . 2008-08-05 23:34 2,048 --a------ C:\WINDOWS\system32\pmqjrxmr.exe
2008-08-04 23:33 . 2008-08-04 23:33 2,048 --a------ C:\WINDOWS\system32\ntkwfyin.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a--c--- C:\WINDOWS\system32\dllcache\rundll32.exe
2008-08-04 21:10 . 2008-08-04 21:10 <DIR> d-------- C:\ADMINI~1
2008-08-04 18:45 . 2008-08-04 18:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:45 . 2008-08-04 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 20:38 . 2008-08-02 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 18:19 . 2008-08-02 18:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 18:04 . 2008-08-01 18:04 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-07-31 22:10 . 2008-07-31 22:10 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-28 22:17 . 2008-07-28 22:17 <DIR> d-------- C:\Program Files\vso
2008-07-28 21:23 . 2008-07-28 21:23 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\AVS4YOU
2008-07-28 21:22 . 2008-07-28 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-28 21:21 . 2008-07-28 22:13 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-07-28 21:20 . 2008-07-28 22:12 <DIR> d-------- C:\Program Files\AVS4YOU
2008-07-28 20:22 . 2008-07-28 23:53 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-28 20:21 . 2008-07-28 23:54 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-07-26 19:49 . 2008-07-29 22:03 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\Vso
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\Documents and Settings\SCOTT\Application Data\pcouffin.sys
2008-07-26 19:48 . 2008-07-26 19:49 <DIR> d-------- C:\Program Files\DVDFab 5
2008-07-26 19:22 . 2008-07-26 19:24 <DIR> d-------- C:\NO_LABEL
2008-07-26 19:21 . 2008-07-26 19:21 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\ri4mupdater
2008-07-26 16:48 . 2008-07-26 16:49 <DIR> d-------- C:\VIDEOS TO BURN
2008-07-26 16:40 . 2008-07-26 16:41 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-07-26 13:51 . 2008-07-26 13:51 <DIR> d-------- C:\Program Files\DVD Shrink
2008-07-26 13:51 . 2008-07-26 14:17 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\RipIt4Me
2008-07-26 13:51 . 2008-07-26 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-24 22:25 . 2008-07-24 22:25 <DIR> d-------- C:\Program Files\Joba Chamberlain Bobblehead
2008-07-12 16:41 . 2008-07-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-12 16:38 . 2008-07-12 16:42 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-12 15:24 . 2008-07-12 16:40 <DIR> d-------- C:\Program Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 17:09 --------- d-----w C:\Documents and Settings\SCOTT\Application Data\OpenOffice.org2
2008-08-09 17:08 --------- d-----w C:\Program Files\PowerPanel Personal Edition
2008-08-09 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-09 00:24 --------- d-----w C:\Program Files\McAfee
2008-08-08 22:41 --------- d-----w C:\Program Files\BFG
2008-08-08 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-08 01:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-08-07 02:34 --------- d-----w C:\Program Files\Google
2008-08-05 23:39 --------- d-----w C:\Program Files\ZipWiz
2008-08-01 21:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\McAfee
2008-07-28 23:00 --------- d-----w C:\Program Files\DivX
2008-07-15 01:01 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-12 01:50 --------- d-----w C:\Program Files\Java
2008-06-22 18:31 --------- d-----w C:\Documents and Settings\IRWIN\Application Data\Webroot
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 20:22 --------- d-----w C:\Program Files\Common Files\Zero G Software
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
.

((((((((((((((((((((((((((((( [email protected]_20.40.41.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-09 16:15:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-09 16:15:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-09 16:15:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-09 01:23:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"PowerPanel Personal Edition User Interaction"="C:\Program Files\PowerPanel Personal Edition\pppeuser.exe" [2007-08-09 13:40 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 20:29 196709]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-06 13:11 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 13:13 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 13:10 94208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"Joba Chamberlain Bobblehead"="C:\Program Files\Joba Chamberlain Bobblehead\Joba Chamberlain Bobblehead.exe" [2008-06-16 22:40 3201192]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 12:22 20480]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]
"SigmatelSysTrayApp"="sttray.exe" [2006-09-07 15:23 303104 C:\WINDOWS\sttray.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Documents and Settings\SCOTT\Start Menu\Programs\Startup\
DMI RAID Manager.lnk - C:\Documents and Settings\SCOTT\Application Data\Microsoft\Installer\{D1E170A4-B6E2-42B5-B87F-D6BCF945FB06}\_7f967ff5.exe [2006-11-14 22:03:54 1078]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--------- 2006-05-11 12:47 151552 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-01-16 12:46 1398272 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--------- 2006-09-21 11:36 9138176 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
--------- 2003-07-07 10:29 729088 C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--------- 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--------- 2005-02-25 20:28 212992 C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 inic1622;inic1622;C:\WINDOWS\system32\DRIVERS\dmi1622.sys [2004-12-24 13:35]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 17:58]
S3 exdisk;Express Disk Service;C:\WINDOWS\system32\DRIVERS\exdisk.sys [2004-08-03 18:38]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-07-05 16:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-02-27 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-02-27 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 14:15:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2008-08-09 14:20:21
ComboFix-quarantined-files.txt 2008-08-09 18:20:06
ComboFix2.txt 2008-08-08 00:41:39

Pre-Run: 763,524,812,800 bytes free
Post-Run: 763,538,935,808 bytes free

191 --- E O F --- 2008-07-12 01:28:30





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:59 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Joba Chamberlain Bobblehead] "C:\Program Files\Joba Chamberlain Bobblehead\Joba Chamberlain Bobblehead.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\PowerPanel Personal Edition\pppeuser.exe"
O4 - Startup: DMI RAID Manager.lnk = ?
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...352/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\PowerPanel Personal Edition\ppped.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9352 bytes

#9 didom
Close/disable all anti-virus (McAfee in your case) and anti-malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\kvnqqbkf.exe
C:\WINDOWS\system32\beflluar.exe
C:\WINDOWS\system32\pmqjrxmr.exe
C:\WINDOWS\system32\ntkwfyin.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
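The four files didom put into the Collect:: and File:: scripts stand out in the ComboFix "Files Created" section for three reasons: eight random lowercase letters, an identical 2,048-byte size, and one new copy per night in system32. The script below is an added example (not from the thread, ComboFix, or HijackThis) that parses that section, applies those heuristics, and renders the File:: block in the form used above; the sample lines are copied from the log posted earlier, and the size limit and naming rule are assumptions.

```python
"""Spot the nightly random-name dropper in a ComboFix 'Files Created' listing."""
import re
from collections import namedtuple
from datetime import datetime

# One ComboFix 'Files Created' line: created . modified size attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S{9}) (?P<path>.+)$"
)
# Assumed naming rule: eight lowercase letters with an .exe extension, as in the thread.
RANDOM_EXE_RE = re.compile(r"^[a-z]{8}\.exe$")
SYSTEM32 = r"c:\windows\system32"

Entry = namedtuple("Entry", "created modified size attrs path")

# Constructed sample: lines copied from the ComboFix log in the thread, plus
# benign entries (a directory, rundll32.exe, a driver) so the filter has
# something to ignore.
SAMPLE_LOG = r"""
2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-07 19:44 . 2008-08-07 19:44 2,048 --a------ C:\WINDOWS\system32\kvnqqbkf.exe
2008-08-06 23:33 . 2008-08-06 23:33 2,048 --a------ C:\WINDOWS\system32\beflluar.exe
2008-08-05 23:34 . 2008-08-05 23:34 2,048 --a------ C:\WINDOWS\system32\pmqjrxmr.exe
2008-08-04 23:33 . 2008-08-04 23:33 2,048 --a------ C:\WINDOWS\system32\ntkwfyin.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a--c--- C:\WINDOWS\system32\dllcache\rundll32.exe
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
"""


def parse_files_created(text):
    """Turn the 'Files Created' lines into Entry tuples; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(
            datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size, m["attrs"], m["path"]))
    return entries


def suspicious_droppers(entries, max_size=4096):
    """Small executables with random eight-letter names dropped directly in system32."""
    hits = []
    for e in entries:
        if e.size is None or e.size > max_size:      # assumed size ceiling
            continue
        folder, _, name = e.path.rpartition("\\")
        if folder.lower() != SYSTEM32 or not RANDOM_EXE_RE.match(name):
            continue
        hits.append(e)
    return hits


def is_daily_series(hits):
    """True when there is exactly one hit per day on consecutive calendar days."""
    if len(hits) < 3:
        return False
    days = sorted({e.created.date() for e in hits})
    if len(days) != len(hits):
        return False
    return all((b - a).days == 1 for a, b in zip(days, days[1:]))


def cfscript_file_block(hits):
    """Render the File:: directive in the layout used in the thread (log order)."""
    return "File::\n" + "\n".join(e.path for e in hits) + "\n"


def report(text):
    """Summarise the dropper indicators found in a 'Files Created' section."""
    hits = suspicious_droppers(parse_files_created(text))
    return {
        "files": [e.path for e in hits],
        "same_size": len({e.size for e in hits}) == 1,
        "daily_series": is_daily_series(hits),
        "cfscript": cfscript_file_block(hits) if hits else "",
    }


if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    for key in ("files", "same_size", "daily_series"):
        print(f"{key}: {summary[key]}")
    print(summary["cfscript"])
```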

#10 srat (Topic Starter)
Sorry about that. I knew it, just forgot it.
Also sent a new HJT log.

thanks


ComboFix 08-08-08.08 - SCOTT 2008-08-10 10:49:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.192 [GMT -4:00]
Running from: C:\Documents and Settings\SCOTT\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\SCOTT\Application Data\macromedia\Flash Player\#SharedObjects\HNRXSY5F\interclick.com
C:\Documents and Settings\SCOTT\Application Data\macromedia\Flash Player\#SharedObjects\HNRXSY5F\interclick.com\ud.sol
C:\Documents and Settings\SCOTT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\SCOTT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-07 19:44 . 2008-08-07 19:44 2,048 --a------ C:\WINDOWS\system32\kvnqqbkf.exe
2008-08-06 23:33 . 2008-08-06 23:33 2,048 --a------ C:\WINDOWS\system32\beflluar.exe
2008-08-05 23:34 . 2008-08-05 23:34 2,048 --a------ C:\WINDOWS\system32\pmqjrxmr.exe
2008-08-04 23:33 . 2008-08-04 23:33 2,048 --a------ C:\WINDOWS\system32\ntkwfyin.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a--c--- C:\WINDOWS\system32\dllcache\rundll32.exe
2008-08-04 21:10 . 2008-08-04 21:10 <DIR> d-------- C:\ADMINI~1
2008-08-04 18:45 . 2008-08-04 18:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:45 . 2008-08-04 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 20:38 . 2008-08-02 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 18:19 . 2008-08-02 18:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 18:04 . 2008-08-01 18:04 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-07-31 22:10 . 2008-07-31 22:10 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-28 22:17 . 2008-07-28 22:17 <DIR> d-------- C:\Program Files\vso
2008-07-28 21:23 . 2008-07-28 21:23 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\AVS4YOU
2008-07-28 21:22 . 2008-07-28 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-28 21:21 . 2008-07-28 22:13 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-07-28 21:20 . 2008-07-28 22:12 <DIR> d-------- C:\Program Files\AVS4YOU
2008-07-28 20:22 . 2008-07-28 23:53 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-28 20:21 . 2008-07-28 23:54 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-07-26 19:49 . 2008-07-29 22:03 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\Vso
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\Documents and Settings\SCOTT\Application Data\pcouffin.sys
2008-07-26 19:48 . 2008-07-26 19:49 <DIR> d-------- C:\Program Files\DVDFab 5
2008-07-26 19:22 . 2008-07-26 19:24 <DIR> d-------- C:\NO_LABEL
2008-07-26 19:21 . 2008-07-26 19:21 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\ri4mupdater
2008-07-26 16:48 . 2008-07-26 16:49 <DIR> d-------- C:\VIDEOS TO BURN
2008-07-26 16:40 . 2008-07-26 16:41 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-07-26 13:51 . 2008-07-26 13:51 <DIR> d-------- C:\Program Files\DVD Shrink
2008-07-26 13:51 . 2008-07-26 14:17 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\RipIt4Me
2008-07-26 13:51 . 2008-07-26 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-24 22:25 . 2008-07-24 22:25 <DIR> d-------- C:\Program Files\Joba Chamberlain Bobblehead
2008-07-12 16:41 . 2008-07-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-12 16:38 . 2008-07-12 16:42 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-12 15:24 . 2008-07-12 16:40 <DIR> d-------- C:\Program Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 14:37 --------- d-----w C:\Documents and Settings\SCOTT\Application Data\OpenOffice.org2
2008-08-10 14:35 --------- d-----w C:\Program Files\PowerPanel Personal Edition
2008-08-09 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-09 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-09 00:24 --------- d-----w C:\Program Files\McAfee
2008-08-08 22:41 --------- d-----w C:\Program Files\BFG
2008-08-08 01:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-08-07 02:34 --------- d-----w C:\Program Files\Google
2008-08-05 23:39 --------- d-----w C:\Program Files\ZipWiz
2008-08-01 21:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\McAfee
2008-07-28 23:00 --------- d-----w C:\Program Files\DivX
2008-07-15 01:01 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-12 01:50 --------- d-----w C:\Program Files\Java
2008-06-22 18:31 --------- d-----w C:\Documents and Settings\IRWIN\Application Data\Webroot
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 20:22 --------- d-----w C:\Program Files\Common Files\Zero G Software
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
.

((((((((((((((((((((((((((((( [email protected]_20.40.41.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-10 14:41:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-10 14:41:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-10 14:41:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-11 19:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2008-08-08 00:31:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e4.dat
+ 2008-08-10 14:35:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"PowerPanel Personal Edition User Interaction"="C:\Program Files\PowerPanel Personal Edition\pppeuser.exe" [2007-08-09 13:40 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 20:29 196709]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-06 13:11 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 13:13 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 13:10 94208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"Joba Chamberlain Bobblehead"="C:\Program Files\Joba Chamberlain Bobblehead\Joba Chamberlain Bobblehead.exe" [2008-06-16 22:40 3201192]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 12:22 20480]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]
"SigmatelSysTrayApp"="sttray.exe" [2006-09-07 15:23 303104 C:\WINDOWS\sttray.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Documents and Settings\SCOTT\Start Menu\Programs\Startup\
DMI RAID Manager.lnk - C:\Documents and Settings\SCOTT\Application Data\Microsoft\Installer\{D1E170A4-B6E2-42B5-B87F-D6BCF945FB06}\_7f967ff5.exe [2006-11-14 22:03:54 1078]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--------- 2006-05-11 12:47 151552 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-01-16 12:46 1398272 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--------- 2006-09-21 11:36 9138176 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
--------- 2003-07-07 10:29 729088 C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--------- 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--------- 2005-02-25 20:28 212992 C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 inic1622;inic1622;C:\WINDOWS\system32\DRIVERS\dmi1622.sys [2004-12-24 13:35]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 17:58]
S3 exdisk;Express Disk Service;C:\WINDOWS\system32\DRIVERS\exdisk.sys [2004-08-03 18:38]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-07-05 16:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-02-27 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-02-27 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 10:53:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-10 10:56:34
ComboFix-quarantined-files.txt 2008-08-10 14:55:52
ComboFix2.txt 2008-08-09 18:20:23
ComboFix3.txt 2008-08-08 00:41:39

Pre-Run: 762,683,764,736 bytes free
Post-Run: 762,722,205,696 bytes free

196 --- E O F --- 2008-07-12 01:28:30



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:22 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Joba Chamberlain Bobblehead] "C:\Program Files\Joba Chamberlain Bobblehead\Joba Chamberlain Bobblehead.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\PowerPanel Personal Edition\pppeuser.exe"
O4 - Startup: DMI RAID Manager.lnk = ?
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...352/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\PowerPanel Personal Edition\ppped.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9473 bytes


#11 didom

Are you sure you used the new script I posted?

First please delete the existing CFScript.txt (it's on your desktop).

Open Notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::
C:\WINDOWS\system32\kvnqqbkf.exe
C:\WINDOWS\system32\beflluar.exe
C:\WINDOWS\system32\pmqjrxmr.exe
C:\WINDOWS\system32\ntkwfyin.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
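Added example, not posted by anyone in this thread and not part of ComboFix: a short Python script that reads "Files Created" lines from the ComboFix log in post #10, picks out the entries that share the profile of the four files the helper targeted (an 8-letter random name, a 2,048-byte size, written straight into system32 with matching created and last-write times, one per night), and writes them into a CFScript in the File:: layout used in posts #9 and #11, with the KILLALL:: directive the second script added. The selection rules are my assumption about why those four files stood out, not logic ComboFix or the helper documented; the sample lines are copied from the log itself.

```python
"""Triage a ComboFix "Files Created" listing and emit a CFScript for it.

Added example for this thread, not code from the helper, ComboFix or any
other tool on the page.  The sample lines are copied from the log above; the
selection rules (assumed, not ComboFix's own) encode what makes the four
droppers stand out: fresh 8-letter random names, identical tiny size,
dropped into system32 on a nightly cadence.
"""
import re
from datetime import datetime

# Lines copied from the "Files Created" section of the first ComboFix log.
SAMPLE = r"""
2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-07 19:44 . 2008-08-07 19:44 2,048 --a------ C:\WINDOWS\system32\kvnqqbkf.exe
2008-08-06 23:33 . 2008-08-06 23:33 2,048 --a------ C:\WINDOWS\system32\beflluar.exe
2008-08-05 23:34 . 2008-08-05 23:34 2,048 --a------ C:\WINDOWS\system32\pmqjrxmr.exe
2008-08-04 23:33 . 2008-08-04 23:33 2,048 --a------ C:\WINDOWS\system32\ntkwfyin.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a--c--- C:\WINDOWS\system32\dllcache\rundll32.exe
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\Documents and Settings\SCOTT\Application Data\pcouffin.sys
"""

# ComboFix line layout: "<created> . <modified> <size|<DIR>> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"
# Eight lowercase letters and nothing else: the shape of the four dropper names.
RANDOM_EXE = re.compile(r"^[a-z]{8}\.exe$")


def parse_listing(text):
    """Turn ComboFix 'created . modified size attrs path' lines into dicts."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, blank lines, '.' separators
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "created": datetime.strptime(m["created"], TS),
            "modified": datetime.strptime(m["modified"], TS),
            "size": size,
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def is_dropper_like(e, max_size=4096):
    """Assumed heuristic: tiny, freshly written, random-named .exe in system32."""
    if e["size"] is None or e["size"] > max_size:
        return False
    low = e["path"].lower()
    if "\\windows\\system32\\" not in low:
        return False
    if not RANDOM_EXE.match(low.rsplit("\\", 1)[-1]):
        return False
    # A dropped file has created == last-write.  rundll32.exe in the same log
    # was copied back on 08-04 but still carries its 2004 last-write time.
    return e["created"] == e["modified"]


def triage(entries):
    """Return suspicious entries oldest first (the order the drops happened)."""
    return sorted((e for e in entries if is_dropper_like(e)), key=lambda e: e["created"])


def cadence_days(entries):
    """Gaps in days between successive drops; ~1.0 means a nightly re-drop."""
    times = [e["created"] for e in entries]
    return [round((b - a).total_seconds() / 86400, 2) for a, b in zip(times, times[1:])]


def build_cfscript(paths, killall=False):
    """CFScript text in the layout the helper posted: optional KILLALL::
    line, then a File:: block listing one full path per line."""
    lines = ["KILLALL::", ""] if killall else []
    lines += ["File::", *paths, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(parse_listing(SAMPLE))
    for e in hits:
        print(f"{e['created']:%Y-%m-%d %H:%M} {e['size']:>6} {e['path']}")
    print("gaps (days):", cadence_days(hits))
    print(build_cfscript([e["path"] for e in hits], killall=True))
```

Run as-is it prints the four paths, the gaps between their creation times (three drops roughly a day apart) and the script text; saved as CFScript.txt next to ComboFix.exe and dragged onto it, that text is what the helper asked for. Note that in the second run's log further down the four files were deleted even though ComboFix still reported each as "being used by another process".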

#12 srat

Running it now.

#13 srat

ComboFix 08-08-08.08 - SCOTT 2008-08-10 14:14:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT -4:00]
Running from: C:\Documents and Settings\SCOTT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SCOTT\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\beflluar.exe
C:\WINDOWS\system32\kvnqqbkf.exe
C:\WINDOWS\system32\ntkwfyin.exe
C:\WINDOWS\system32\pmqjrxmr.exe
.
/wow section - STAGE 46
pv: No matching processes found
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\beflluar.exe
C:\WINDOWS\system32\kvnqqbkf.exe
C:\WINDOWS\system32\ntkwfyin.exe
C:\WINDOWS\system32\pmqjrxmr.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-08-04 22:22 . 2004-08-04 06:00 33,280 --a--c--- C:\WINDOWS\system32\dllcache\rundll32.exe
2008-08-04 21:10 . 2008-08-04 21:10 <DIR> d-------- C:\ADMINI~1
2008-08-04 18:45 . 2008-08-04 18:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:45 . 2008-08-04 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 20:38 . 2008-08-02 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 18:19 . 2008-08-02 18:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 18:04 . 2008-08-01 18:04 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-07-31 22:10 . 2008-07-31 22:10 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-28 22:17 . 2008-07-28 22:17 <DIR> d-------- C:\Program Files\vso
2008-07-28 21:23 . 2008-07-28 21:23 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\AVS4YOU
2008-07-28 21:22 . 2008-07-28 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-28 21:21 . 2008-07-28 22:13 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-07-28 21:20 . 2008-07-28 22:12 <DIR> d-------- C:\Program Files\AVS4YOU
2008-07-28 20:22 . 2008-07-28 23:53 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-28 20:21 . 2008-07-28 23:54 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-07-26 19:49 . 2008-07-29 22:03 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\Vso
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-26 19:49 . 2008-07-26 19:49 47,360 --a------ C:\Documents and Settings\SCOTT\Application Data\pcouffin.sys
2008-07-26 19:48 . 2008-07-26 19:49 <DIR> d-------- C:\Program Files\DVDFab 5
2008-07-26 19:22 . 2008-07-26 19:24 <DIR> d-------- C:\NO_LABEL
2008-07-26 19:21 . 2008-07-26 19:21 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\ri4mupdater
2008-07-26 16:48 . 2008-07-26 16:49 <DIR> d-------- C:\VIDEOS TO BURN
2008-07-26 16:40 . 2008-07-26 16:41 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-07-26 13:51 . 2008-07-26 13:51 <DIR> d-------- C:\Program Files\DVD Shrink
2008-07-26 13:51 . 2008-07-26 14:17 <DIR> d-------- C:\Documents and Settings\SCOTT\Application Data\RipIt4Me
2008-07-26 13:51 . 2008-07-26 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-24 22:25 . 2008-07-24 22:25 <DIR> d-------- C:\Program Files\Joba Chamberlain Bobblehead
2008-07-12 16:41 . 2008-07-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-12 16:38 . 2008-07-12 16:42 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-12 15:24 . 2008-07-12 16:40 <DIR> d-------- C:\Program Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 18:21 --------- d-----w C:\Program Files\PowerPanel Personal Edition
2008-08-10 14:37 --------- d-----w C:\Documents and Settings\SCOTT\Application Data\OpenOffice.org2
2008-08-09 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-09 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-09 00:24 --------- d-----w C:\Program Files\McAfee
2008-08-08 22:41 --------- d-----w C:\Program Files\BFG
2008-08-08 01:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-08-07 02:34 --------- d-----w C:\Program Files\Google
2008-08-05 23:39 --------- d-----w C:\Program Files\ZipWiz
2008-08-01 21:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\McAfee
2008-07-28 23:00 --------- d-----w C:\Program Files\DivX
2008-07-15 01:01 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-12 01:50 --------- d-----w C:\Program Files\Java
2008-06-22 18:31 --------- d-----w C:\Documents and Settings\IRWIN\Application Data\Webroot
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 20:22 --------- d-----w C:\Program Files\Common Files\Zero G Software
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
.

((((((((((((((((((((((((((((( [email protected]_20.40.41.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-10 14:41:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-10 14:41:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-07 23:40:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-10 14:41:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-11 19:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-08-10 18:21:06 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_388.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"PowerPanel Personal Edition User Interaction"="C:\Program Files\PowerPanel Personal Edition\pppeuser.exe" [2007-08-09 13:40 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 20:29 196709]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-06 13:11 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 13:13 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 13:10 94208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"Joba Chamberlain Bobblehead"="C:\Program Files\Joba Chamberlain Bobblehead\Joba Chamberlain Bobblehead.exe" [2008-06-16 22:40 3201192]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 12:22 20480]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]
"SigmatelSysTrayApp"="sttray.exe" [2006-09-07 15:23 303104 C:\WINDOWS\sttray.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Documents and Settings\SCOTT\Start Menu\Programs\Startup\
DMI RAID Manager.lnk - C:\Documents and Settings\SCOTT\Application Data\Microsoft\Installer\{D1E170A4-B6E2-42B5-B87F-D6BCF945FB06}\_7f967ff5.exe [2006-11-14 22:03:54 1078]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--------- 2006-05-11 12:47 151552 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-01-16 12:46 1398272 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--------- 2006-09-21 11:36 9138176 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
--------- 2003-07-07 10:29 729088 C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--------- 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--------- 2005-02-25 20:28 212992 C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 inic1622;inic1622;C:\WINDOWS\system32\DRIVERS\dmi1622.sys [2004-12-24 13:35]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 17:58]
S3 exdisk;Express Disk Service;C:\WINDOWS\system32\DRIVERS\exdisk.sys [2004-08-03 18:38]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-07-05 16:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-02-27 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-02-27 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 14:21:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\PowerPanel Personal Edition\ppped.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-10 14:28:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 18:28:20
ComboFix2.txt 2008-08-09 18:20:23
ComboFix3.txt 2008-08-08 00:41:39

Pre-Run: 762,675,535,872 bytes free
Post-Run: 762,650,632,192 bytes free

230 --- E O F --- 2008-07-12 01:28:30

#14
didom
Member 1K, 1,919 posts
How is your system running now? :)

#15
srat
Topic Starter, Member, 11 posts
No more unexpected popups.
Maybe running a little slow. Might need to defrag.
Otherwise everything seems good.

What folders should I delete?
Anything else you can recommend?

Thanks