
Solved Winantivirus Pro and Registry problems

Discussion in 'Malware and Virus Removal Archive' started by willyontour, 2007/09/12.

  1. 2007/09/12
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    [Resolved] Winantivirus Pro and Registry problems

    Hi,

    1. I use Mozilla Firefox, but Windows Explorer keeps popping up with WinAntiVirus Pro and other messages.

    2. I have run various programs in safe mode as instructed, but it doesn't seem to help (HijackThis etc.).

    3. When I type cmd in Start > Run it runs cmd.com and not cmd.exe. The ping command does not work either in this window.

    4. I can no longer connect to the internet on my PC at home (I am at work now). My ISP could not help me!

    I'd like not to have to reformat. Can anyone help if I post the results from HijackThis etc.?

    Thanks

    Adam
     
  2. 2007/09/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Adam :)

    You will need to download some files and transfer them to your PC.

    Download VundoFix (VundoFix.exe) by Atribune.

    Download Brute Force Uninstaller (bfu.zip).

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover (alcanshorty.bfu).

    Move the BFU.zip and VundoFix.exe to your desktop.

    • Right-click the bfu.zip on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk C:" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and uncheck the "Show Extracted Files" box and then click "Finish".
    Place the alcanshorty.bfu in the new C:\BFU folder.

    Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

    Go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the "scriptline to execute" field click the folder icon and select alcanshorty.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the "complete script execution" box to pop up and press OK.
    • Press Exit to terminate the BFU program.

    Reboot to normal mode.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    See if you can get online and post the contents of C:\vundofix.txt and a fresh HijackThis log here.
     


  4. 2007/09/13
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    VundoFix V6.5.6

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Java version is 1.5.0.11

    Scan started at 18:39:07 13/09/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\edeeg.bak1
    C:\WINDOWS\system32\edeeg.bak2
    C:\WINDOWS\system32\edeeg.ini
    C:\WINDOWS\system32\geede.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\edeeg.bak1
    C:\WINDOWS\system32\edeeg.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\edeeg.bak2
    C:\WINDOWS\system32\edeeg.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\edeeg.ini
    C:\WINDOWS\system32\edeeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\geede.dll
    C:\WINDOWS\system32\geede.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.6

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Java version is 1.5.0.11

    Scan started at 18:43:55 13/09/2007

    Listing files found while scanning....

    No infected files were found.

    Beginning removal...
     
  5. 2007/09/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    And a HijackThis log?

    Can you get online now?
     
  6. 2007/09/13
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 23:16:49, on 13/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Adam\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  7. 2007/09/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please respond to this question. ;)
     
  8. 2007/09/13
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    I CAN'T get online on the PC at home.

    I CAN get online at work! And I CAN get online on the Mac at home!

    But, now when I type cmd it executes the exe file and not the .com file and I can execute the ping command so tonight, when I get home from work, I think my ISP will be able to help me reconnect my PC to the internet.

    Did the logs look ok? I suppose I won't be able to see if these windows stop popping up until I can get back online.
     
  9. 2007/09/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The HijackThis log looks good, but we'll need to run a few other scans to see if there's something else lurking around.

    Download Winsock XP Fix. Close all open programs and connections. Run Winsock XP Fix and select Fix. Reboot when complete.

    See if your internet connection works and let me know either way.
     
  10. 2007/09/14
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    Amazing. The internet connection worked as soon as it rebooted. Great. Been online for half an hour and no sign of WinAntiVirus Pro either.

    I've now got a desktop full of cleanup software. Should I uninstall them all or keep them for when it reoccurs next week?

    What are the best ways to prevent it from reoccurring? I've got AVG 7.5 and avast (the free versions) but they no longer run at startup.

    I've got my browsers set on high security etc.

    Thanks so much,

    Adam
     
  11. 2007/09/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great news!

    Now, let's see what else might be lurking around.

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    Close all applications and windows.
    Double-click on dss.exe to run it and follow the prompts.
    When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

    Post the contents of main.txt only for now.
     
  12. 2007/09/16
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    Thanks for that. I'll install that and post the logs when I get home. I've just had a call from my wife who's at home - she told me that WinAntiVirus Pro has just popped up again in Internet Explorer when using Mozilla Firefox. These people need to be reprimanded for this behaviour. Do I need to do anything else now?
     
  13. 2007/09/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's get the Deckard's logs and go from there. ;)
     
  14. 2007/09/17
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    I ran the exe file and then realised the computer was logged in as my wife (all previous programs have been run logged in as me). Does it matter?

    Here's the main.txt when logged in as my wife...

    Deckard's System Scanner v20070905.67
    Run by Genevieve on 2007-09-17 18:45:06
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    36: 2007-09-17 08:45:11 UTC - RP178 - Deckard's System Scanner Restore Point
    35: 2007-09-17 01:00:27 UTC - RP177 - Software Distribution Service 3.0
    34: 2007-09-13 13:43:55 UTC - RP176 - System Checkpoint
    33: 2007-09-10 12:53:58 UTC - RP175 - Installed Windows Internet Explorer 7.
    32: 2007-09-10 12:53:24 UTC - RP174 - Installed Windows IDNMitigationAPIs.


    -- First Restore Point --
    1: 2007-09-03 21:16:07 UTC - RP143 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Genevieve.exe) -------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 18:46:39, on 17/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\VoipCheapCom\VoipCheapCom.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Documents and Settings\Genevieve\Desktop\dss.exe
    C:\DOCUME~1\Adam\Desktop\Genevieve.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_HK&c=64&bd=presario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3088F9C5-1615-4A0B-88B7-E818FA391A2B} - C:\WINDOWS\system32\awtqppm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7D63FBE2-3764-48AB-B26D-3D1EC8EE3D8F} - (no file)
    O2 - BHO: (no name) - {8B194298-8959-4FE0-93C9-1A90D1093E14} - C:\WINDOWS\system32\geede.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O2 - BHO: WebBuying Assistant - {C318CD44-E327-4377-A28E-6EC16A921AE8} - (no file)
    O2 - BHO: (no name) - {E121D4CB-2849-4482-82E4-AF6A341F0A9E} - (no file)
    O2 - BHO: (no name) - {EF391FD0-01BC-4B14-AD8E-B44D242E7830} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O20 - Winlogon Notify: awtqppm - C:\WINDOWS\SYSTEM32\awtqppm.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    -- HijackThis Fixed Entries (C:\DOCUME~1\Adam\Desktop\backups\) ----------------

    backup-20070910-222143-113 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    backup-20070910-222143-241 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    backup-20070910-222143-248 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    backup-20070910-222143-290 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    backup-20070910-222143-380 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    backup-20070910-222143-384 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    backup-20070910-222143-476 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    backup-20070910-222143-579 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    backup-20070910-222143-732 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    backup-20070910-222143-995 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    backup-20070910-222329-203 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    backup-20070910-222329-402 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    backup-20070910-222329-562 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    backup-20070910-222329-626 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    backup-20070910-222329-644 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    backup-20070910-222329-705 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    backup-20070910-222329-897 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    backup-20070910-222329-919 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    backup-20070910-222329-972 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    backup-20070911-003116-154 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    backup-20070911-003116-211 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    backup-20070911-003116-227 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    backup-20070911-003116-250 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    backup-20070911-003116-459 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    backup-20070911-003116-469 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    backup-20070911-003116-542 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    backup-20070911-003116-543 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    backup-20070911-003116-693 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    backup-20070911-003116-701 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    backup-20070911-003116-736 O11 - Options group: [INTERNATIONAL] International*
    backup-20070911-003116-759 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    backup-20070911-003116-968 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    backup-20070911-003116-976 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    backup-20070911-003116-979 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    backup-20070911-003116-987 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    backup-20070913-231948-331 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    backup-20070913-231948-642 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    backup-20070913-231948-823 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    backup-20070913-231948-851 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    backup-20070913-232316-956 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

    S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
    S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    S3 SNPSTD3 (USB PC Camera (SNPSTD3)) - c:\windows\system32\drivers\snpstd3.sys <Not Verified; ; PC Camera driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" (file missing)
    S4 Client IP-IPX - "c:\windows\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
    S4 DomainService - c:\windows\system32\qgbxsqnu.exe /service <Not Verified; ; DDC>
    S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-08-02 18:34:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2007-08-17 and 2007-09-17 -----------------------------

    2007-09-17 09:35:11 75328 --a------ C:\WINDOWS\system32\bqoxhjxa.exe <Not Verified; ; DDC>
    2007-09-17 09:35:08 758228 ---hs---- C:\WINDOWS\system32\edeeg.bak2
    2007-09-13 23:24:32 0 d-------- C:\WINDOWS\pss
    2007-09-13 18:39:07 0 d-------- C:\VundoFix Backups
    2007-09-13 18:37:05 0 d-------- C:\bintheredunthat
    2007-09-13 18:31:54 0 d-------- C:\BFU
    2007-09-11 00:36:44 0 dr-h----- C:\Documents and Settings\Adam\Recent
    2007-09-10 00:17:46 75328 --a------ C:\WINDOWS\system32\hlqqsmak.exe <Not Verified; ; DDC>
    2007-09-09 03:17:09 0 dr-h----- C:\Documents and Settings\Genevieve\Recent
    2007-09-09 02:53:54 0 dr-h----- C:\Documents and Settings\Non admin\Recent
    2007-09-09 02:47:30 0 d-------- C:\Documents and Settings\Non admin\Application Data\Mozilla
    2007-09-09 02:46:58 0 d-------- C:\Documents and Settings\Non admin\Application Data\Adobe
    2007-09-09 00:59:01 1092 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-09 00:32:50 0 d-------- C:\Program Files\RogueRemover FREE
    2007-09-09 00:14:45 75328 --a------ C:\WINDOWS\system32\yratwtjb.exe <Not Verified; ; DDC>
    2007-09-07 22:56:49 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-09-07 22:43:54 0 d-------- C:\Program Files\Yahoo!
    2007-09-07 22:18:52 75328 --a------ C:\WINDOWS\system32\rmovoqqx.exe <Not Verified; ; DDC>
    2007-09-06 20:06:33 0 d-------- C:\Documents and Settings\Adam\Application Data\MSNInstaller
    2007-09-06 20:01:08 75328 --a------ C:\WINDOWS\system32\byspdwfm.exe <Not Verified; ; DDC>
    2007-09-04 19:21:00 75328 --a------ C:\WINDOWS\system32\oxdesoef.exe <Not Verified; ; DDC>
    2007-09-04 07:16:25 75328 --a------ C:\WINDOWS\system32\bbbxjnpj.exe <Not Verified; ; DDC>
    2007-09-04 07:15:20 244832 -----n--- C:\WINDOWS\system32\geede.dll
    2007-08-30 19:26:17 75328 --a------ C:\WINDOWS\system32\ungjjcvg.exe <Not Verified; ; DDC>
    2007-08-29 10:49:24 75328 --a------ C:\WINDOWS\system32\qgbxsqnu.exe <Not Verified; ; DDC>
    2007-08-24 14:39:59 43542 --a------ C:\WINDOWS\system32\awtqppm.dll
    2007-08-24 14:36:44 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2007-08-24 14:16:07 0 d-------- C:\Program Files\Common Files\Macrovision Shared
    2007-08-24 08:53:57 0 d-------- C:\Program Files\Albumprinter Australia
    2007-08-24 08:47:38 0 d-------- C:\Program Files\My Reflections
    2007-08-24 08:47:21 0 d-------- C:\Program Files\Microsoft WSE


    -- Find3M Report ---------------------------------------------------------------

    2007-09-09 23:43:59 0 d-------- C:\Program Files\VoipCheapCom
    2007-09-09 15:15:45 0 d-------- C:\Program Files\oneworldflights
    2007-09-09 02:44:33 0 d-------- C:\Program Files\Common Files
    2007-09-09 01:15:34 0 d-------- C:\Program Files\Gabest
    2007-09-05 18:38:47 0 d-------- C:\Documents and Settings\Genevieve\Application Data\AVG7
    2007-09-04 08:15:41 0 d-------- C:\Program Files\Google
    2007-08-29 10:48:58 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-08-24 14:29:17 0 d-------- C:\Program Files\Common Files\Adobe
    2007-08-02 18:44:28 0 d-------- C:\Program Files\iTunes
    2007-08-02 18:44:16 0 d-------- C:\Program Files\iPod
    2007-08-02 18:42:54 0 d-------- C:\Program Files\Common Files\Apple
    2007-08-02 18:41:04 0 d-------- C:\Program Files\QuickTime
    2007-08-02 18:03:47 0 d-------- C:\Program Files\Java
    2007-08-02 11:23:28 0 d-------- C:\Documents and Settings\Genevieve\Application Data\Canon
    2007-07-17 13:56:39 0 d-------- C:\Program Files\Picasa2


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3088F9C5-1615-4A0B-88B7-E818FA391A2B}]
    24/08/2007 14:39 43542 --a------ C:\WINDOWS\system32\awtqppm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D63FBE2-3764-48AB-B26D-3D1EC8EE3D8F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B194298-8959-4FE0-93C9-1A90D1093E14}]
    04/09/2007 07:15 244832 --------- C:\WINDOWS\system32\geede.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C318CD44-E327-4377-A28E-6EC16A921AE8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E121D4CB-2849-4482-82E4-AF6A341F0A9E}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF391FD0-01BC-4B14-AD8E-B44D242E7830}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [25/08/2006 04:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [16/03/2006 14:00]
    "VoipCheapCom "= "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" [21/02/2007 10:04]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 20:05]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{3902B43C-0710-1033-1018-06061506002c} "= "C:\Program Files\Common Files\{3902B43C-0710-1033-1018-06061506002c}\Update.exe" mc-110-12-0000137

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{3902B43C-0710-1033-1018-06061506002c} "= "C:\Program Files\Common Files\{3902B43C-0710-1033-1018-06061506002c}\Update.exe" mc-110-12-0000137
    "{3902B43C-070F-1033-1018-06061506002c} "= "C:\Program Files\Common Files\{3902B43C-070F-1033-1018-06061506002c}\Update.exe" mc-110-12-0000137

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{3088F9C5-1615-4A0B-88B7-E818FA391A2B} "= C:\WINDOWS\system32\awtqppm.dll [24/08/2007 14:39 43542]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqppm]
    awtqppm.dll 24/08/2007 14:39 43542 C:\WINDOWS\system32\awtqppm.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\geede

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service "=2 (0x2)




    -- End of Deckard's System Scanner: finished at 2007-09-17 18:47:15 ------------
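Reading a HijackThis or DSS dump by eye, as the helper does in this thread, means spotting patterns such as an unnamed BHO in system32 whose DLL is also registered as a Winlogon Notify package (awtqppm.dll above), or entries that point at files that no longer exist. The following Python script is an added example, written for this page and not a tool from the thread, from HijackThis or from Deckard's System Scanner; it parses the O2/O4/O20/O23 line formats seen in the logs above and applies those two triage rules. SAMPLE_LOG is a constructed excerpt modelled on the posted entries, and the severity labels are the example's own choice.

```python
"""Triage helper for HijackThis-style logs (added example; not a tool from this thread)."""
import re

# Constructed sample: a handful of entries modelled on the logs posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3088F9C5-1615-4A0B-88B7-E818FA391A2B} - C:\WINDOWS\system32\awtqppm.dll
O2 - BHO: (no name) - {8B194298-8959-4FE0-93C9-1A90D1093E14} - C:\WINDOWS\system32\geede.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: awtqppm - C:\WINDOWS\SYSTEM32\awtqppm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Turn each 'Oxx - ...' line into a dict with section, name and file path."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # banner lines, process lists, blank lines
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            # O4 - HKLM\..\Run: [Name] command line
            name = body.split("[", 1)[1].split("]", 1)[0]
            path = body.split("] ", 1)[1]
        else:
            # O2 / O20 / O23 keep the file path in the last " - " field
            head, _, path = body.rpartition(" - ")
            name = head.split(": ", 1)[1] if ": " in head else head
        entries.append({"section": section, "name": name, "path": path.strip(), "body": body})
    return entries


def is_missing(path):
    """True when HijackThis marked the target file as absent."""
    return any(marker in path for marker in MISSING_MARKERS)


def file_key(path):
    """Lower-case file name of a path, dropping trailing markers such as '(file missing)'."""
    clean = path.split(" (")[0].strip().strip('"')
    return clean.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(entries):
    """Return (severity, section, file, reason) tuples for entries worth a second look."""
    winlogon_dlls = {file_key(e["path"]) for e in entries if e["section"] == "O20"}
    findings = []
    for e in entries:
        key = file_key(e["path"])
        if is_missing(e["path"]):
            findings.append(("low", e["section"], key, "entry points at a file that no longer exists (orphan, clean up)"))
        elif e["section"] == "O2" and e["name"].startswith("(no name)") and "\\system32\\" in e["path"].lower():
            if key in winlogon_dlls:
                # The layering seen in the thread: one DLL as a BHO *and* a Winlogon Notify package.
                findings.append(("high", "O2", key, "unnamed BHO in system32 also registered as a Winlogon Notify package"))
            else:
                findings.append(("medium", "O2", key, "unnamed BHO loaded from system32"))
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1, "low": 2}[f[0]])


if __name__ == "__main__":
    for severity, section, name, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:6}] {section:4} {name:20} {reason}")
```

Run it against a saved log with `triage(parse_hjt(open("hijackthis.log").read()))`. The rules are deliberately narrow: a named BHO from a vendor directory (the Acrobat helper) and a signed service (nvsvc32.exe) produce no finding, while the orphaned Bar888 and Bonjour entries are reported as low-severity cleanup items rather than as infections.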
     
  15. 2007/09/17
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    I then logged out and logged in as me and ran the file again. There was no extra.txt this time though. Here's the log when logged in as me...

    Deckard's System Scanner v20070905.67
    Run by Adam on 2007-09-17 18:53:53
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Adam.exe) ------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 18:53:55, on 17/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Adam\Desktop\dss.exe
    C:\DOCUME~1\Adam\Desktop\Adam.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3088F9C5-1615-4A0B-88B7-E818FA391A2B} - C:\WINDOWS\system32\awtqppm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7D63FBE2-3764-48AB-B26D-3D1EC8EE3D8F} - (no file)
    O2 - BHO: (no name) - {8B194298-8959-4FE0-93C9-1A90D1093E14} - C:\WINDOWS\system32\geede.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O2 - BHO: WebBuying Assistant - {C318CD44-E327-4377-A28E-6EC16A921AE8} - (no file)
    O2 - BHO: (no name) - {E121D4CB-2849-4482-82E4-AF6A341F0A9E} - (no file)
    O2 - BHO: (no name) - {EF391FD0-01BC-4B14-AD8E-B44D242E7830} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O20 - Winlogon Notify: awtqppm - C:\WINDOWS\SYSTEM32\awtqppm.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    -- Files created between 2007-08-17 and 2007-09-17 -----------------------------

    2007-09-17 09:35:11 75328 --a------ C:\WINDOWS\system32\bqoxhjxa.exe <Not Verified; ; DDC>
    2007-09-17 09:35:08 758228 ---hs---- C:\WINDOWS\system32\edeeg.bak2
    2007-09-13 23:24:32 0 d-------- C:\WINDOWS\pss
    2007-09-13 18:39:07 0 d-------- C:\VundoFix Backups
    2007-09-13 18:37:05 0 d-------- C:\bintheredunthat
    2007-09-13 18:31:54 0 d-------- C:\BFU
    2007-09-11 00:36:44 0 dr-h----- C:\Documents and Settings\Adam\Recent
    2007-09-10 00:17:46 75328 --a------ C:\WINDOWS\system32\hlqqsmak.exe <Not Verified; ; DDC>
    2007-09-09 03:17:09 0 dr-h----- C:\Documents and Settings\Genevieve\Recent
    2007-09-09 02:53:54 0 dr-h----- C:\Documents and Settings\Non admin\Recent
    2007-09-09 02:47:30 0 d-------- C:\Documents and Settings\Non admin\Application Data\Mozilla
    2007-09-09 02:46:58 0 d-------- C:\Documents and Settings\Non admin\Application Data\Adobe
    2007-09-09 00:59:01 1092 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-09 00:32:50 0 d-------- C:\Program Files\RogueRemover FREE
    2007-09-09 00:14:45 75328 --a------ C:\WINDOWS\system32\yratwtjb.exe <Not Verified; ; DDC>
    2007-09-07 22:56:49 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-09-07 22:43:54 0 d-------- C:\Program Files\Yahoo!
    2007-09-07 22:18:52 75328 --a------ C:\WINDOWS\system32\rmovoqqx.exe <Not Verified; ; DDC>
    2007-09-06 20:06:33 0 d-------- C:\Documents and Settings\Adam\Application Data\MSNInstaller
    2007-09-06 20:01:08 75328 --a------ C:\WINDOWS\system32\byspdwfm.exe <Not Verified; ; DDC>
    2007-09-04 19:21:00 75328 --a------ C:\WINDOWS\system32\oxdesoef.exe <Not Verified; ; DDC>
    2007-09-04 07:16:25 75328 --a------ C:\WINDOWS\system32\bbbxjnpj.exe <Not Verified; ; DDC>
    2007-09-04 07:15:20 244832 -----n--- C:\WINDOWS\system32\geede.dll
    2007-08-30 19:26:17 75328 --a------ C:\WINDOWS\system32\ungjjcvg.exe <Not Verified; ; DDC>
    2007-08-29 10:49:24 75328 --a------ C:\WINDOWS\system32\qgbxsqnu.exe <Not Verified; ; DDC>
    2007-08-24 14:39:59 43542 --a------ C:\WINDOWS\system32\awtqppm.dll
    2007-08-24 14:36:44 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2007-08-24 14:16:07 0 d-------- C:\Program Files\Common Files\Macrovision Shared
    2007-08-24 08:53:57 0 d-------- C:\Program Files\Albumprinter Australia
    2007-08-24 08:47:38 0 d-------- C:\Program Files\My Reflections
    2007-08-24 08:47:21 0 d-------- C:\Program Files\Microsoft WSE


    -- Find3M Report ---------------------------------------------------------------

    2007-09-14 19:00:18 0 d-------- C:\Documents and Settings\Adam\Application Data\AVG7
    2007-09-09 23:43:59 0 d-------- C:\Program Files\VoipCheapCom
    2007-09-09 15:15:45 0 d-------- C:\Program Files\oneworldflights
    2007-09-09 02:44:33 0 d-------- C:\Program Files\Common Files
    2007-09-09 01:15:34 0 d-------- C:\Program Files\Gabest
    2007-09-04 08:15:41 0 d-------- C:\Program Files\Google
    2007-08-29 10:48:58 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-08-24 14:44:35 0 d-------- C:\Documents and Settings\Adam\Application Data\Adobe
    2007-08-24 14:29:17 0 d-------- C:\Program Files\Common Files\Adobe
    2007-08-24 14:11:22 0 d-------- C:\Documents and Settings\Adam\Application Data\Skype
    2007-08-04 14:22:59 0 d-------- C:\Documents and Settings\Adam\Application Data\Apple Computer
    2007-08-02 18:44:28 0 d-------- C:\Program Files\iTunes
    2007-08-02 18:44:16 0 d-------- C:\Program Files\iPod
    2007-08-02 18:42:54 0 d-------- C:\Program Files\Common Files\Apple
    2007-08-02 18:41:04 0 d-------- C:\Program Files\QuickTime
    2007-08-02 18:03:47 0 d-------- C:\Program Files\Java
    2007-07-17 13:56:39 0 d-------- C:\Program Files\Picasa2
    2007-07-17 06:05:47 0 d-------- C:\Documents and Settings\Adam\Application Data\Canon


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3088F9C5-1615-4A0B-88B7-E818FA391A2B}]
    24/08/2007 14:39 43542 --a------ C:\WINDOWS\system32\awtqppm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D63FBE2-3764-48AB-B26D-3D1EC8EE3D8F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B194298-8959-4FE0-93C9-1A90D1093E14}]
    04/09/2007 07:15 244832 --------- C:\WINDOWS\system32\geede.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C318CD44-E327-4377-A28E-6EC16A921AE8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E121D4CB-2849-4482-82E4-AF6A341F0A9E}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF391FD0-01BC-4B14-AD8E-B44D242E7830}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [25/08/2006 04:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [16/03/2006 14:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{3902B43C-0710-1033-1018-06061506002c} "= "C:\Program Files\Common Files\{3902B43C-0710-1033-1018-06061506002c}\Update.exe" mc-110-12-0000140

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{3902B43C-0710-1033-1018-06061506002c} "= "C:\Program Files\Common Files\{3902B43C-0710-1033-1018-06061506002c}\Update.exe" mc-110-12-0000137
    "{3902B43C-070F-1033-1018-06061506002c} "= "C:\Program Files\Common Files\{3902B43C-070F-1033-1018-06061506002c}\Update.exe" mc-110-12-0000137

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{3088F9C5-1615-4A0B-88B7-E818FA391A2B} "= C:\WINDOWS\system32\awtqppm.dll [24/08/2007 14:39 43542]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqppm]
    awtqppm.dll 24/08/2007 14:39 43542 C:\WINDOWS\system32\awtqppm.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\geede

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service "=2 (0x2)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




    -- End of Deckard's System Scanner: finished at 2007-09-17 18:54:11 ------------
     
  16. 2007/09/17
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    Should I have run all the scans and fixes logged in as all users? Do we all have different registries?
     
  17. 2007/09/17
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Attn: Willyontour

    I just wanted to quickly step in to encourage you to stay with this forum and especially to stay with Noahdfear in his attempts to fix your computer and to do your best to keep from calling your ISP as you mentioned in one of your previous postings (#7)...

    To the best of my knowledge they do not have the knowledge Noahdfear (and a couple of others) have here plus because of the time factor involved it's not usually the type of tech support they provide...

    Keep up the good work, even though it can be tedious and time consuming it will all be worth it at the end...Good Luck.
     
  18. 2007/09/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's get that machine cleaned up! :)

    From either account, download ComboFix by sUBs from here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
     
  19. 2007/09/19
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    Ok thanks, I'll do that later on. Should I have run the other fixes from both accounts? Would it be better for my computer for me and my wife to use one account from now on and delete one account?
     
  20. 2007/09/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Nothing wrong with having separate accounts. In this case, it wasn't necessary to run the scans from each account, only because the infections present are global, affecting all users. Doesn't always happen that way. No harm done in doing them from both. ;)

    I missed something too. In addition to what I've already instructed, do this first. You have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    Plug in your USB flash drive.
    Double-click Flash_Disinfector.exe to run it.
    Follow any prompts that may appear.
    Your desktop will vanish for a while, and then reappear. This is normal.
    Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.
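    As an added illustration of the point made above about global versus per-account infections (example code added here, not from the thread or from any of the tools it names): a small Python triage of a DSS-style registry dump that tags each loading point by the hive it lives under (HKLM entries reach every account, HKCU entries only the account that was scanned) and flags the locations where the logs in this thread showed non-Microsoft files. The sample dump is constructed from entries in this thread's own logs; the SENSITIVE list of loading points is an assumption of mine, not something the tools output.

```python
# Constructed sample in the layout of the Deckard's System Scanner registry
# dump posted in this thread; the values are taken from that log.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [25/08/2006 04:40]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [16/03/2006 14:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{3902B43C-0710-1033-1018-06061506002c} "= "C:\Program Files\Common Files\{3902B43C-0710-1033-1018-06061506002c}\Update.exe" mc-110-12-0000140
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{3902B43C-070F-1033-1018-06061506002c} "= "C:\Program Files\Common Files\{3902B43C-070F-1033-1018-06061506002c}\Update.exe" mc-110-12-0000137
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqppm]
awtqppm.dll 24/08/2007 14:39 43542 C:\WINDOWS\system32\awtqppm.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\geede
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""

# Which accounts an autostart entry under each hive root reaches.
SCOPE = {
    "HKEY_LOCAL_MACHINE": "machine-wide (every account)",
    "HKEY_USERS\\.DEFAULT": "logon screen and new profiles",
    "HKEY_CURRENT_USER": "the scanning account only",
}
# Assumed list of loading points that normally hold only well-known OS
# components, so any third-party file in them deserves a closer look.
SENSITIVE = (
    "winlogon\\notify",         # DLL loaded into winlogon.exe at every logon
    "control\\lsa",             # Authentication Packages should be msv1_0 alone
    "policies\\explorer\\run",  # policy Run key, rarely used by normal software
    "mountpoints2",             # per-drive AutoRun command (flash drive infection)
)

def parse_dump(text):
    """Return (key, value_line) pairs from a bracketed registry dump."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            entries.append((key, line))
    return entries

def scope_of(key):
    """Map a registry key to the set of accounts its autostart reaches."""
    upper = key.upper()
    for root, desc in SCOPE.items():
        if upper.startswith(root.upper()):
            return desc
    return "unknown hive"

def triage(text):
    """Annotate every entry with its hive scope and the reasons it was flagged."""
    findings = []
    for key, value in parse_dump(text):
        lower = key.lower()
        flags = [s for s in SENSITIVE if s in lower]
        if "control\\lsa" in lower and "authentication packages" in value.lower():
            packages = value.split("=", 1)[1].split()
            if packages != ["msv1_0"]:   # anything beyond msv1_0 is an extra package
                flags.append("extra LSA package: " + " ".join(packages[1:]))
        findings.append({"key": key, "value": value, "scope": scope_of(key), "flags": flags})
    return findings

def flagged_by_scope(findings):
    """Count flagged entries per scope; machine-wide hits reach every account."""
    scopes = [f["scope"] for f in findings if f["flags"]]
    return {s: scopes.count(s) for s in set(scopes)}
```

On this thread's dump the machine-wide hits (the Winlogon Notify DLL and the extra LSA package) are what made the infection show up for every account, while the mountpoints2 AutoRun entry lives in the scanning user's own hive.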
     
  21. 2007/09/20
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    ComboFix 07-09-19.8 - "Adam" 2007-09-20 18:29:43.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.630 [GMT 10:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\DOCUME~1\Adam\APPLIC~1\CURITY~1
    C:\DOCUME~1\Adam\APPLIC~1\SSEMBL~1
    C:\DOCUME~1\Adam\MYDOCU~1\TSKS~1
    C:\DOCUME~1\GENEVI~1\APPLIC~1\Dxcknwrd.dll
    C:\DOCUME~1\GENEVI~1\MYDOCU~1\FNTS~1
    C:\Program Files\Common Files\{3902B~1
    C:\Program Files\Common Files\{3902B~2
    C:\Program Files\Common Files\dobe~1
    C:\Program Files\Common Files\sks~1
    C:\Program Files\Common Files\wnsxs~1
    C:\Program Files\pcast
    C:\Program Files\webhancer
    C:\Program Files\webhancer\Programs\whAgent.ini
    C:\WINDOWS\curity~1
    C:\WINDOWS\mbols~1
    C:\WINDOWS\NDNuninstall7_48.exe
    C:\WINDOWS\ppatch~1
    C:\WINDOWS\system32\awtqppm.dll
    C:\WINDOWS\system32\bbbxjnpj.exe
    C:\WINDOWS\system32\bqoxhjxa.exe
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\bund1
    C:\WINDOWS\system32\bund1\ClientBundle1.exe
    C:\WINDOWS\system32\bund1\temp.txt
    C:\WINDOWS\system32\byspdwfm.exe
    C:\WINDOWS\system32\edeeg.bak2
    C:\WINDOWS\system32\edeeg.ini
    C:\WINDOWS\system32\geede.dll
    C:\WINDOWS\system32\hlqqsmak.exe
    C:\WINDOWS\system32\oxdesoef.exe
    C:\WINDOWS\system32\qgbxsqnu.exe
    C:\WINDOWS\system32\rmovoqqx.exe
    C:\WINDOWS\system32\ungjjcvg.exe
    C:\WINDOWS\system32\wahrfyyc.exe
    C:\WINDOWS\system32\wnsintsv.exe
    C:\WINDOWS\system32\yratwtjb.exe
    C:\WINDOWS\wnsxs~1
    C:\WINDOWS\ymbols~1
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CLIENT_IP-IPX
    -------\LEGACY_DOMAINSERVICE
    -------\Client IP-IPX
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
    .

    2007-09-20 18:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-17 18:44 <DIR> d-------- C:\Deckard
    2007-09-13 23:24 <DIR> d-------- C:\WINDOWS\pss
    2007-09-13 18:39 <DIR> d-------- C:\VundoFix Backups
    2007-09-13 18:37 <DIR> d-------- C:\bintheredunthat
    2007-09-13 18:31 <DIR> d-------- C:\BFU
    2007-09-09 00:59 1,092 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-09 00:32 <DIR> d-------- C:\Program Files\RogueRemover FREE
    2007-09-07 22:56 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-09-07 22:43 <DIR> d-------- C:\Program Files\Yahoo!
    2007-09-06 20:06 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\MSNInstaller
    2007-08-24 14:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
    2007-08-24 14:16 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2007-08-24 08:53 <DIR> d-------- C:\Program Files\Albumprinter Australia
    2007-08-24 08:47 <DIR> d-------- C:\Program Files\My Reflections
    2007-08-24 08:47 <DIR> d-------- C:\Program Files\Microsoft WSE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-09 23:43 --------- d-------- C:\Program Files\VoipCheapCom
    2007-09-09 15:15 --------- d-------- C:\Program Files\oneworldflights
    2007-09-09 02:30 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-09-09 01:15 --------- d-------- C:\Program Files\Gabest
    2007-09-04 08:15 --------- d-------- C:\Program Files\Google
    2007-09-04 08:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-08-24 14:11 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Skype
    2007-08-04 14:22 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Apple Computer
    2007-08-02 18:44 --------- d-------- C:\Program Files\iTunes
    2007-08-02 18:44 --------- d-------- C:\Program Files\iPod
    2007-08-02 18:42 --------- d-------- C:\Program Files\Common Files\Apple
    2007-08-02 18:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-08-02 18:41 --------- d-------- C:\Program Files\QuickTime
    2007-08-02 11:23 --------- d-------- C:\DOCUME~1\GENEVI~1\APPLIC~1\Canon
    2007-07-28 08:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-07-28 08:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-07-28 08:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-07-28 07:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-07-28 07:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-04-04 22:48 87608 --a------ C:\DOCUME~1\Adam\APPLIC~1\ezpinst.exe
    2007-04-04 22:48 47360 --a------ C:\DOCUME~1\Adam\APPLIC~1\pcouffin.sys
    2007-03-29 00:39 192 --a------ C:\Program Files\2IN07A7I.bat
    2007-03-22 12:19 201 --a------ C:\DOCUME~1\Adam\q.bat
    2007-03-22 08:25 201 --a------ C:\DOCUME~1\GENEVI~1\q.bat
    2007-03-16 17:30 114 --a------ C:\DOCUME~1\Adam\hhjj.bat
    2007-03-09 08:07 63 --a------ C:\DOCUME~1\Adam\yyd.bat
    2007-03-09 08:06 75 --a------ C:\DOCUME~1\Adam\n.bat
    2007-03-08 07:26 105 --a------ C:\DOCUME~1\GENEVI~1\yyd.bat
    2007-03-08 07:25 77 --a------ C:\DOCUME~1\GENEVI~1\n.bat
    2006-12-09 07:52 251 --a------ C:\Program Files\wt3d.ini
    2004-08-09 23:30 40960 --a------ C:\Program Files\Uninstall_CDS.exe
    2007-02-04 13:21:41 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D63FBE2-3764-48AB-B26D-3D1EC8EE3D8F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C318CD44-E327-4377-A28E-6EC16A921AE8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E121D4CB-2849-4482-82E4-AF6A341F0A9E}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF391FD0-01BC-4B14-AD8E-B44D242E7830}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2006-08-25 04:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 14:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service "=2 (0x2)

    R2 MSMQ;Message Queuing;C:\WINDOWS\system32\mqsvc.exe
    R2 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\system32\mqtgsvc.exe
    R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
    R3 MQAC;Message Queuing access control;\??\C:\WINDOWS\system32\drivers\mqac.sys
    R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
    R3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\system32\drivers\RMCast.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-20 08:34:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-20 18:36:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-20 18:37:31 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-20 18:37
    .
    --- E O F ---
     
