
Trojan.Vundo.H and friends [Solved]



#1 Ten Angstroms (New Member, 5 posts)
Hello,

Let me start by saying I think what you guys do here is awesome. It is comforting to know there are good folks out there fighting these menaces.

Summary:
I think Malwarebytes' Anti-Malware (MBAM) has already done the heavy lifting, and McAfee quarantined the rest. I have not had any recurring symptoms since restarting after running MBAM. However, I would greatly appreciate it if someone knowledgeable would have a look to let me know everything is spick and span (I'd like to feel comfortable using my computer for online banking, work, etc. again).

Symptoms:
On my Dell Dimension 8200, Windows XP Home (sp3) machine, I was getting popups and randomly opening IE windows with sites such as:

bestantivirusscanner.com, newser.com, adtechus.com, mevio.com, searchfeed.com

I'm sure I saw the words "Antivirus 2009" as well.
I think this all started appearing (Sat. 1-10-09) soon after visiting a less-than-reputable website (while searching with Yahoo, trying to remember the name for the Daemon Tools forum, I'm sure I was directed to some not so clean sites). I've been using IE for websurfing (I think I will be moving on to Firefox in the near future because of this experience).
I was also seeing warnings from Windows XP indicating that automatic updates was turned off, and I saw that McAfee SystemGuard was turned off as well, and I could not turn either one back on.

I ran Spybot - Search & Destroy, and it came up with the following problems:

AdRevolver, DoubleClick, FastClick, HitsLink, MediaPlex, RightMedia, Smitfraud-C, Statcounter, Virtumonde, Win32.TDSS.rtk

Cleanup:
Once I had time (earlier this week), I finally got serious and followed the Malware cleaning guide on this site:
ATF Cleaner ran fine. SysRestorePoint.exe gave the message "Restore Point Creation failed!" followed by "New Restore Point Successfully Created." I decided to move on; if things got too hairy I figured I would just reformat.

MBAM found (and removed) the following:

Trojan.Vundo.H, Trojan.Vundo, Trojan.Agent, Malware.Trace, Rootkit.Agent

MBAM asked for a reboot, during which I saw Windows ran CHKDSK (not a normal occurrence for me, maybe normal for MBAM?). Upon restart, McAfee finally began to pull its weight and popped up with multiple "Trojan Quarantined" messages that mentioned "Generic!Artemis" mainly.

I re-ran MBAM's quick scan and it came up empty.
McAfee's SystemGuard stays "on" now, I think this allowed the quarantines to take place.
Windows Automatic Update is turned on and once again set to run every night.
I ran a McAfee update and full system scan that also came up clean.
I ran HJT and will post the log below.
Spybot S&D was just run again and came up mostly with some cookies:

AdRevolver, BurstMedia, DoubleClick, MediaPlex, Microsoft.WindowsSecurityCenter_disabled, Right Media, WebTrends live, Win32.TDSS.rtk

Sec Center is probably disabled by McAfee. Most are cookies. But Win32.TDSS.rtk is categorized as "TrojansC", which worries me. Three registry keys are listed:

Win32.TDSS.rtk: [SBI $881E41BA] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Win32.TDSS.rtk: [SBI $7B4E031F] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys
Win32.TDSS.rtk: [SBI $C8DA2EDC] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys


Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:22 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Games\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Games\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - Startup: Registration .LNK = F:\Register\RegistrationReminder.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223019158201
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223098540062
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://elnwebtop.es.dupont.com:8080/webtop/wdk/native/WdkPluginCab.CAB
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: lcccai.dll
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Games\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6205 bytes


Hopefully all that verbiage is understandable and I gave you what you need to know. Certainly let me know if you need more info.

Thanks in advance for any insight you can provide!


#2 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi Ten Angstroms,

Welcome to Geeks to Go!
I am sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
ComboFix from one of these locations:
Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the text from C:\ComboFix.txt in your next reply.

#3 Ten Angstroms (Topic Starter, New Member, 5 posts)
Thanks for your help sage5!

I ran ComboFix.exe and it prompted me to install the Windows Recovery Console as you described.
After the Recovery Console installation, ComboFix scanned, then rebooted the PC, then continued running and finally opened Notepad containing log.txt (I assume all this is normal for ComboFix).

Here is the log:

ComboFix 09-01-17.02 - Michael Moseley 2009-01-17 14:21:45.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.453 [GMT -5:00]
Running from: d:\my documents\My Downloads\Program Backups\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hrbgmvmk.ini
c:\windows\system32\uyilkpqw.ini
c:\windows\Tasks\dihfusye.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka
-------\Service_TDSSserv.sys


(((((((((((((((((((((((((   Files Created from 2008-12-17 to 2009-01-17  )))))))))))))))))))))))))))))))
.

2009-01-16 00:55 . 2009-01-16 00:55	<DIR>	d--------	c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 00:54 . 2009-01-16 00:55	<DIR>	d--------	c:\program files\SpywareBlaster
2009-01-15 23:17 . 2009-01-15 23:17	<DIR>	d--------	c:\program files\Trend Micro
2009-01-13 13:21 . 2009-01-13 13:21	<DIR>	d--------	c:\documents and settings\Michael Moseley\Application Data\Malwarebytes
2009-01-13 13:21 . 2009-01-04 18:38	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-01-13 13:20 . 2009-01-13 13:21	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-01-13 13:20 . 2009-01-13 13:20	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 13:20 . 2009-01-04 18:38	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 13:16 . 2009-01-13 13:16	<DIR>	d--------	c:\program files\ERUNT
2009-01-10 21:25 . 2009-01-10 21:28	<DIR>	d--------	c:\program files\Spybot - Search & Destroy
2009-01-10 21:25 . 2009-01-10 21:59	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-10 20:55 . 2009-01-10 20:55	<DIR>	d--------	c:\documents and settings\LocalService\Application Data\SACore
2009-01-10 20:54 . 2009-01-10 20:54	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-10 18:09 . 2009-01-10 18:09	717,296	--a------	c:\windows\system32\drivers\sptd.sys
2009-01-02 00:55 . 2008-04-13 14:45	10,368	--a------	c:\windows\system32\drivers\hidusb.sys
2009-01-02 00:55 . 2008-04-13 14:45	10,368	--a--c---	c:\windows\system32\dllcache\hidusb.sys
2009-01-02 00:52 . 2001-08-17 14:02	8,576	--a------	c:\windows\system32\drivers\hidgame.sys
2009-01-02 00:52 . 2001-08-17 14:02	8,576	--a--c---	c:\windows\system32\dllcache\hidgame.sys
2009-01-02 00:18 . 2009-01-02 00:18	<DIR>	d--------	c:\documents and settings\Michael Moseley\Application Data\InstallShield

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 04:47	---------	d-----w	c:\program files\McAfee
2009-01-11 01:54	---------	d-----w	c:\documents and settings\All Users\Application Data\McAfee
2009-01-02 05:19	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-12-17 04:41	---------	d-----w	c:\program files\IBM PC Camera
2008-12-17 03:57	---------	d-----w	c:\program files\Canon
2008-12-17 03:56	---------	d-----w	c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-17 03:45	---------	d-----w	c:\program files\Common Files\Canon
2008-12-07 04:22	---------	d-----w	c:\program files\ATI Technologies
2008-12-02 02:19	---------	d-----w	c:\documents and settings\Michael Moseley\Application Data\Peachtree
2008-12-02 02:18	---------	d-----w	c:\program files\Common Files\Peach
2008-12-02 02:16	---------	d-----w	c:\program files\Sage Software
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Service"="c:\progra~1\COMMON~1\TEKNUM~1\update.exe" [2008-11-07 19456]
"AlcoholAutomount"="d:\games\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-11-22 203208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2003-06-23 290816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2002-06-05 12:55 81973 c:\program files\timbuktu pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lcccai.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
--a------ 2002-06-05 12:51 65536 c:\program files\timbuktu pro\minitb2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R3 Astdi;Astdi;c:\program files\Aventail\Connect\asnttdi.sys [2005-08-19 126917]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-06-23 149632]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-06-23 554304]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-10 206096]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-15 24652]
S0 ktkvtd;ktkvtd;c:\windows\system32\drivers\yxlj.sys --> c:\windows\system32\drivers\yxlj.sys [?]
S3 Ascrypto;Ascrypto;c:\program files\Aventail\Connect\ascrypto.sys [2005-08-19 219299]
S3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2008-12-16 899884]
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\WdkPlugin.dll - O16 -: {759FD3DE-F0EF-4A76-909C-88CF840D4173}
hxxp://elnwebtop.es.dupont.com:8080/webtop/wdk/native/WdkPluginCab.CAB
c:\windows\Downloaded Program Files\WdkPluginCab.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 14:26:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="\[u]0[/u]9"
"DeviceDesc"="\[u]0[/u]9"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6143"
"DeviceInstanceIds"=multi:"\[u]0[/u]0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Aventail\Connect\as32svc.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
d:\games\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\windows\system32\searchindexer.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-17 14:30:43 - machine was rebooted
ComboFix-quarantined-files.txt  2009-01-17 19:30:25

Pre-Run: 72,384,897,024 bytes free
Post-Run: 72,470,380,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

180	--- E O F ---	2008-12-18 08:00:49

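The lines the helper acts on across the two logs above (the AppInit_DLLs entry, the boot-start driver whose file is gone, the services ComboFix removed, the Security Center and firewall flags) can be pulled out of a pasted log mechanically. The script below is an added example, not part of the thread and not code from HijackThis or ComboFix; its sample input is copied from the logs posted above, and its patterns cover only the line shapes those logs show.

```python
"""Triage the persistence and tampering indicators in HijackThis / ComboFix log lines.

Added example for this thread; not code from Trend Micro (HijackThis) or from ComboFix.
The regexes match only the line shapes seen in the logs posted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # short tag, used for counting
    line: str      # the log line that triggered it
    note: str      # why a defender cares about it


# HijackThis O20: anything in AppInit_DLLs is loaded into every process that links user32.dll.
APPINIT_HJT = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>\S.*)$")
# The same value as ComboFix prints it under "Reg Loading Points".
APPINIT_CF = re.compile(r'^"AppInit_DLLs"=(?P<value>.+)$')
# HijackThis O23 service with no vendor string: often benign, always worth a look.
SVC_UNKNOWN = re.compile(r"^O23 - Service: (?P<name>.+?) - Unknown owner - (?P<path>.+)$")
# ComboFix driver/service line whose image file is missing on disk (trailing "[?]").
CF_MISSING = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);[^;]*;(?P<path>.+) \[\?\]$")
# ComboFix reporting a service it deleted.
CF_REMOVED = re.compile(r"^-------\\Service_(?P<svc>.+)$")
# Security Center monitoring/notification switched off, or the XP firewall profile disabled.
SC_TAMPER = re.compile(r'^"(?:DisableMonitoring|AntiVirusDisableNotify)"=dword:0*1$')
FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')


def triage_line(line: str):
    """Return a Finding for one log line, or None if the line is unremarkable."""
    m = APPINIT_HJT.match(line) or APPINIT_CF.match(line)
    if m and m.group("value") not in ("-", '""'):  # "-" is the CFScript deletion syntax
        return Finding("appinit_dlls", line,
                       f"{m.group('value')} is injected into every GUI process; "
                       "on a home XP box this value should be empty")
    m = CF_MISSING.match(line)
    if m:
        return Finding("missing_driver_file", line,
                       f"service {m.group('svc')} ({m.group('start')}) points at a file that is "
                       "no longer on disk; S0 is boot-start, typical of a rootkit loader whose "
                       "file was already removed, so the service entry still needs deleting")
    m = CF_REMOVED.match(line)
    if m:
        return Finding("removed_service", line,
                       f"ComboFix deleted service {m.group('svc')}; keep the name for later checks")
    if SC_TAMPER.match(line):
        return Finding("security_center_tamper", line,
                       "Security Center monitoring/notification is off; AV suites set this under "
                       "their own vendor key, malware sets it to hide a disabled AV, so check the key path")
    if FW_OFF.match(line):
        return Finding("firewall_off", line,
                       "Windows Firewall standard profile is off; acceptable only if a third-party "
                       "firewall is actually running")
    m = SVC_UNKNOWN.match(line)
    if m:
        return Finding("service_unknown_owner", line,
                       f"{m.group('name')} has no vendor string; verify {m.group('path')} is a known binary")
    return None


def triage(text: str) -> list:
    """Run triage_line over every non-empty line of a pasted log."""
    return [f for f in (triage_line(l.strip()) for l in text.splitlines()) if f is not None]


def summarize(findings) -> dict:
    """Count findings per category for a quick read of what the logs contain."""
    return dict(Counter(f.category for f in findings))


# Constructed sample: lines copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O20 - AppInit_DLLs: lcccai.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
-------\Service_seneka
-------\Service_TDSSserv.sys
"AppInit_DLLs"=lcccai.dll
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
S0 ktkvtd;ktkvtd;c:\windows\system32\drivers\yxlj.sys --> c:\windows\system32\drivers\yxlj.sys [?]
S3 Ascrypto;Ascrypto;c:\program files\Aventail\Connect\ascrypto.sys [2005-08-19 219299]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.line}\n    {f.note}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on the two logs above and the flagged set is exactly what the helper's CFScript targets (ktkvtd and AppInit_DLLs), plus the items that turned out to be benign on this machine (the ATI service and the McAfee-owned Security Center keys), which is why each finding carries a note rather than a verdict.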

#4 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi Ten Angstroms,

Using the Add/remove Programs page in the Control Panel, please remove any entries that have Viewpoint in their names.

The last bits require a second run with Combofix:

Create a ComboFix Script:
  • Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
Driver::
ktkvtd

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    Posted Image
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt


Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below to download and install the latest version.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download jre-6u11-windows-i586-p.exe & save to your Desktop.
  • Close all programs you may have running - especially your web browser, then double click on the jre-6u11-windows-i586-p.exe
    Note: this version should uninstall all the previous versions from your PC
    (Vista users, right click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator.")


  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place, like C:\kasper.txt

Please post me the text from the following as your next reply:
  • latest Combofix.txt
  • C:\kasper.txt


Also, there is no need to put your replies in code boxes, it can actually make them harder to read.

Cheers,

sage5

Edited by sage5, 17 January 2009 - 04:23 PM.


#5 Ten Angstroms (Topic Starter, New Member, 5 posts)
Ok, Viewpoint Media Player was uninstalled.

Ran ComboFix by dropping the script onto it; please note that ComboFix updated and restarted itself after this. I forgot to shut off McAfee, so it warned me about that and I shut it off before letting it proceed.

I did need to install the JRE, which allowed me to run Kaspersky's webscanner.

Here is the ComboFix log:

ComboFix 09-01-19.01 - Michael Moseley 2009-01-19 12:37:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.658 [GMT -5:00]
Running from: c:\documents and settings\Michael Moseley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Moseley\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ktkvtd


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-16 00:55 . 2009-01-16 00:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 00:54 . 2009-01-16 00:55 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-15 23:17 . 2009-01-15 23:17 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 13:21 . 2009-01-13 13:21 <DIR> d-------- c:\documents and settings\Michael Moseley\Application Data\Malwarebytes
2009-01-13 13:21 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 13:20 . 2009-01-13 13:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 13:20 . 2009-01-13 13:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 13:20 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 13:16 . 2009-01-13 13:16 <DIR> d-------- c:\program files\ERUNT
2009-01-10 21:25 . 2009-01-10 21:28 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-10 21:25 . 2009-01-10 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-10 20:55 . 2009-01-10 20:55 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-10 20:54 . 2009-01-10 20:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-10 18:09 . 2009-01-10 18:09 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-01-02 00:55 . 2008-04-13 14:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-02 00:55 . 2008-04-13 14:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2009-01-02 00:52 . 2001-08-17 14:02 8,576 --a------ c:\windows\system32\drivers\hidgame.sys
2009-01-02 00:52 . 2001-08-17 14:02 8,576 --a--c--- c:\windows\system32\dllcache\hidgame.sys
2009-01-02 00:18 . 2009-01-02 00:18 <DIR> d-------- c:\documents and settings\Michael Moseley\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 17:30 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-11 04:47 --------- d-----w c:\program files\McAfee
2009-01-11 01:54 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-02 05:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 04:41 --------- d-----w c:\program files\IBM PC Camera
2008-12-17 03:57 --------- d-----w c:\program files\Canon
2008-12-17 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-17 03:45 --------- d-----w c:\program files\Common Files\Canon
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 04:22 --------- d-----w c:\program files\ATI Technologies
2008-12-02 02:19 --------- d-----w c:\documents and settings\Michael Moseley\Application Data\Peachtree
2008-12-02 02:18 --------- d-----w c:\program files\Common Files\Peach
2008-12-02 02:16 --------- d-----w c:\program files\Sage Software
2008-11-07 07:32 26,624 ----a-w c:\windows\system32\ssmenu.dll
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 02:05 593,920 ----a-w c:\windows\system32\ati2sgag.exe
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-17_14.29.10.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-12 08:05:27 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-01-18 08:03:03 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-12-12 08:05:27 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-01-18 08:03:03 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-12-12 08:05:27 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2009-01-18 08:03:03 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-12-12 08:05:27 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-01-18 08:03:03 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-12-12 08:05:27 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-01-18 08:03:03 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-12-12 08:05:27 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-01-18 08:03:03 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-12 08:05:27 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-01-18 08:03:03 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-12-12 08:05:27 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-01-18 08:03:04 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-12-12 08:05:27 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-01-18 08:03:03 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-12-12 08:05:27 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-01-18 08:03:03 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-12-12 08:05:28 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-01-18 08:03:04 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-12 08:05:27 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-01-18 08:03:03 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-12 08:05:26 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-01-18 08:03:03 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-01-17 17:51:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-19 15:14:17 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-17 17:51:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-19 15:14:17 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Service"="c:\progra~1\COMMON~1\TEKNUM~1\update.exe" [2008-11-07 19456]
"AlcoholAutomount"="d:\games\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-11-22 203208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2003-06-23 290816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2002-06-05 12:55 81973 c:\program files\timbuktu pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
--a------ 2002-06-05 12:51 65536 c:\program files\timbuktu pro\minitb2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R3 Astdi;Astdi;c:\program files\Aventail\Connect\asnttdi.sys [2005-08-19 126917]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-06-23 149632]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-06-23 554304]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-10 206096]
S3 Ascrypto;Ascrypto;c:\program files\Aventail\Connect\ascrypto.sys [2005-08-19 219299]
S3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2008-12-16 899884]
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} - hxxp://elnwebtop.es.dupont.com:8080/webtop/wdk/native/WdkPluginCab.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 12:42:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6143"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Aventail\Connect\as32svc.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
d:\games\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\windows\system32\searchindexer.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-19 12:45:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 17:45:12
ComboFix2.txt 2009-01-17 19:30:47

Pre-Run: 72,382,005,248 bytes free
Post-Run: 72,382,291,968 bytes free

226 --- E O F --- 2009-01-18 08:03:06



And here is Kaspersky's report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, January 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 19, 2009 17:10:23
Records in database: 1648886
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 141377
Threat name: 14
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 02:38:32


File name / Threat name / Threats count
D:\My Documents\My Downloads\decoder_setup.exe Infected: Trojan-Downloader.Win32.Agent.ac 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: Trojan-Downloader.Win32.Turown.i 2
D:\My Documents\My Downloads\decoder_setup.exe Infected: Trojan-Downloader.Win32.Turown.g 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: Trojan-Downloader.Win32.VB.cw 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 2
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.h 2
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.e 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.MyWay.c 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.EZula.a 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.SaveNow.c 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
D:\My Documents\My Downloads\decoder_setup.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2

The selected area was scanned.



I take it I should probably delete decoder_setup.exe (I'll wait for your say-so before I mess with it)? I have no recollection of what I used this for, though it looks like an MP3 to WAV converter. Looks like the creation date is Feb. 22, 2008. I'm pretty sure I've reformatted once or even twice since that date, and I've not run this file since those formats. This file followed along with the rest of mydocs since I backed it all up before the reformats.

Note: the reformats were due to what I guessed was trouble with a new hard drive's boot sector (data remained fine, but disk would unexpectedly stop booting to windows, just gave me a black screen with a white blinking cursor). Since the old hard drive never gave me such trouble, and the new one had that same problem 2 or 3 times: I am now using the old 80gig hard disk for windows & booting, and using the new 250gig for mydocs & games. Probably more history than you need, but there it is.

Thanks for the continued assistance, I had no idea how much still remained hidden on this machine.

-Mike
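The Security Center and firewall-policy values in the ComboFix log above ("AntiVirusDisableNotify"=1, "DisableMonitoring"=1 for both McAfee components, "EnableFirewall"=0) are exactly the switches that produce the symptoms described at the top of the thread: Windows stops warning that protection is off, and the built-in firewall is silently disabled. The following is an added example, not part of the original thread and not ComboFix's own code. It parses a REGEDIT4-style dump such as the "Reg Loading Points" section and reports those settings. The sample input is the relevant lines copied from the log; the value names FirewallDisableNotify and UpdatesDisableNotify are the other two XP Security Center notification switches and are assumed here by name (only the first appears in the log).

```python
import re

# Constructed sample input: the Run, Security Center and firewall-policy keys
# as ComboFix printed them in the log above (same values, same layout).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_STD_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
# XP SP2/SP3 Security Center notification switches. The log shows the first;
# the other two are assumed by name here.
NOTIFY_SWITCHES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def parse_reg_dump(text):
    """Parse REGEDIT4-style text into {lowercased key path: (original path, {value name: raw value})}."""
    keys = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            current = keys.setdefault(path.lower(), (path, {}))[1]
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return keys


def reg_int(raw, default=None):
    """Turn 'dword:00000001' or ComboFix's '0 (0x0)' into an int; default if missing or not numeric."""
    if raw is None:
        return default
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else default


def find_security_center_tampering(text):
    """Report values that silence Security Center warnings or switch the XP firewall off."""
    findings = []
    keys = parse_reg_dump(text)

    _, sc_values = keys.get(SECURITY_CENTER, ("", {}))
    for name in NOTIFY_SWITCHES:
        if reg_int(sc_values.get(name), 0) == 1:
            findings.append(f"Security Center: {name}=1 (warning for this component suppressed)")

    # One subkey per registered product; DisableMonitoring=1 hides that product's state.
    monitoring_prefix = SECURITY_CENTER + "\\monitoring\\"
    for lowered, (path, values) in keys.items():
        if lowered.startswith(monitoring_prefix) and reg_int(values.get("DisableMonitoring"), 0) == 1:
            product = path.rsplit("\\", 1)[-1]
            findings.append(f"Security Center: monitoring disabled for {product}")

    _, fw_values = keys.get(FIREWALL_STD_PROFILE, ("", {}))
    if reg_int(fw_values.get("EnableFirewall"), 1) == 0:
        findings.append("Windows Firewall: EnableFirewall=0 on the standard profile")

    return findings


if __name__ == "__main__":
    for finding in find_security_center_tampering(SAMPLE_LOG):
        print(finding)
```

Treat a hit as a lead rather than proof: a third-party suite that does its own alerting may also write DisableMonitoring for its own products. What makes it suspicious here is the combination with the poster's observation that the setting could not be turned back on and that Automatic Updates warnings appeared at the same time.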

#6
sage5 (Retired Staff, RIP 10/2009)
Hi Ten Angstroms,

Please download the following & save to your Desktop:
OTMoveIt3 by OldTimer.

Run OTMoveIt3:
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    D:\My Documents\My Downloads\decoder_setup.exe
    
    :Commands
    
    [Start Explorer]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Cheers,

sage5
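The OTMoveIt3 script above stops Explorer, moves one flagged file out of the way, restarts Explorer and writes a log; if the file is in use it defers the move to the next reboot. As an added example (Python, not OTMoveIt's code and not part of the original thread), the helper below does the same job in a way a responder can audit afterwards: it records the SHA-256, size and modification time before the move, gives the quarantined copy a suffix so it cannot be launched by a double-click, never overwrites an earlier sample with the same name, and appends one JSON line per file to a log. The "locked" branch is the in-use case; it assumes the move raises PermissionError, which is what Windows does for a file held open by a running process. The demo works on a constructed throwaway file in a temporary directory, not on the file named in the thread.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def quarantine(path, quarantine_dir, log_path):
    """Move one file into quarantine_dir and append an audit record to log_path.

    The evidence (hash, size, mtime, original path) is captured before the move
    so it survives even when the move itself fails.
    """
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    st = src.stat()
    record = {
        "original": str(src),
        "size": st.st_size,
        "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
        "sha256": sha256_of(src),
    }
    # '.quarantined' suffix: Explorer will no longer treat it as an executable.
    dest = qdir / (src.name + ".quarantined")
    n = 1
    while dest.exists():  # keep earlier samples with the same name intact
        dest = qdir / f"{src.name}.{n}.quarantined"
        n += 1
    try:
        shutil.move(str(src), str(dest))
        record["status"] = "moved"
        record["quarantined_as"] = str(dest)
    except PermissionError:
        # File held open by a running process (Windows): cannot be moved now.
        # This is the case where OTMoveIt asks for a reboot to finish the move.
        record["status"] = "locked"
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


# Constructed sample bytes standing in for the flagged download; not real malware.
SAMPLE_BYTES = b"MZ constructed sample installer for the quarantine demo\n"


def demo_quarantine():
    """Run quarantine() against a throwaway file and report what happened."""
    work = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    sample = work / "decoder_setup.exe"  # hypothetical file name for the demo
    sample.write_bytes(SAMPLE_BYTES)
    record = quarantine(sample, work / "_Quarantine", work / "moved.log")
    dest = Path(record.get("quarantined_as", ""))
    result = {
        "status": record["status"],
        "source_gone": not sample.exists(),
        "hash_matches": dest.is_file() and sha256_of(dest) == record["sha256"],
        "expected_sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
        "recorded_sha256": record["sha256"],
        "log_lines": (work / "moved.log").read_text(encoding="utf-8").count("\n"),
    }
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(json.dumps(demo_quarantine(), indent=2))
```

Keeping the hash in the log is the point: once the file is gone from its original location, the hash is what lets you submit or look up the sample with a vendor, and it lets you confirm later that the quarantined copy is still the file you moved.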

#7
Ten Angstroms (Topic Starter, New Member)
sage5,

That ran fairly smoothly. Note: no reboot occurred.
Here's the log:


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
D:\My Documents\My Downloads\decoder_setup.exe moved successfully.
========== COMMANDS ==========
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01202009_130122

Regards,

-Mike

#8
sage5 (Retired Staff, RIP 10/2009)
Hi Ten Angstroms

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.

Clean out cookies, temp files etc:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Cleanup with OTMoveIt:
  • Please double-click OTMoveIt3.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.

To Clear Restore points, please do the following:
  • Go to Start > Control Panel.
  • Double-click the System icon.
    • NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.
  • Click the System Restore tab.
  • Put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.
After reboot, you must turn System Restore back on:
  • Go back to the Troubleshooting tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.

Lastly, some extra or better security for your PC:

The programs recommended below are freeware alternatives to some of your security software & might reduce the potential for spyware infection in the future:

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd, stops suspect sites loading ActiveX, popups etc onto your PC. An excellent tutorial is Here

Spyware Detection:
Malwarebytes Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.htm) is my favourite here.

Anti-Virus:
The first line of defence, especially since some will now detect trojans as well.
Avira's Antivir PersonalEdition Classic and Grisoft's Avast! Free Edition are among the best freebies.
*Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet.
Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
It is equally important to update the other security software you use, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best & safe surfing in the future,

sage5

#9
Ten Angstroms (Topic Starter, New Member)
sage5,

Once again, thank you so much for your help. The cleanup steps have been performed.

A question though: when I toggled the System Restore off, it did not require a reboot, is this different for sp3 maybe? I rebooted anyway and then turned System Restore back on before proceeding.

I've installed Firefox, and am kicking myself for not having made the switch sooner, I've already noticed several features that I like better than IE.

I've got SpywareBlaster and MBAM installed, and have them in the task scheduler to help me remember to update & run them weekly.
(Note: your MBAM link appears to be broken)

Windows Update has been set to Automatic.

I would like to know your opinion of McAfee. I made the switch to it because I was fed up with Norton's annual subscription fee & resource drain. McAfee Internet Security is free to Comcast subscribers, so I went ahead and made the switch. The firewall appears to be popping up & working as well as any other I've had (previously used ZoneAlarm & Norton). Also it appears to be a bit less of a resource hog. However, I was a bit dismayed at how easily the bugs were able to turn off McAfee's SystemGuard. Just curious to hear an expert opinion.

Thank you and good luck in your never ending crusade!

-Mike

#10
sage5 (Retired Staff, RIP 10/2009)
Hi Ten Angstroms,
Sorry for the delay in responding.

I would like to know your opinion of McAfee. I made the switch to it because I was fed up with Norton's annual subscription fee & resource drain. McAfee Internet Security is free to Comcast subscribers, so I went ahead and made the switch. The firewall appears to be popping up & working as well as any other I've had (previously used ZoneAlarm & Norton). Also it appears to be a bit less of a resource hog. However, I was a bit dismayed at how easily the bugs were able to turn off McAfee's SystemGuard. Just curious to hear an expert opinion.


I am no great fan of either McAfee or Norton, because of the reasons you state:
1. Resource use
2. Failure due to being circumvented by malware.
Neither am I a big fan of the "security suites" that most companies now promote, but rather have separate applications for each job.
My current apps are:
Comodo - firewall (free)
Antivir - anti-virus. There is no difference between the functionality of the free & paid versions, but I use the paid one because it updates itself
MBAM - used once a week, or as necessary

Hope that helps.
Cheers,

sage5

#11
sage5 (Retired Staff, RIP 10/2009)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





