
Solved Having Problems with Smitfraud errors

Discussion in 'Malware and Virus Removal Archive' started by rabah, 2008/05/25.

  1. 2008/05/25
    rabah

    [Resolved] Having Problems with Smitfraud errors

    Greetings I pray that you are able to help me.

    I have encountered a blue screen with red and white letters that starts off by saying the following: "WARNING! YOU'RE IN DANGER! YOUR COMPUTER IS INFECTED WITH SPYWARE!...."

    There is more commentary but it will not fit in this post. In addition, there is a pop-up that appears in the bottom right corner that states: "WARNING: your computer is infected, windows has detected spyware infection! Click this message to install last update of windows security software."

    I ran Spyware Doctor and it indicated that I had Smitfraud, so I attempted to remove it by using SmitRem and SmitfraudFix; unfortunately this did not help. Your help in this matter is greatly appreciated.

    The main.txt from Deckard's System Scanner is as follows:


    Deckard's System Scanner v20071014.68
    Run by user on 2008-05-25 01:19:37
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    System Drive C: has 5.06 GiB (less than 15%) free.


    -- HijackThis (run as user.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:20:44 AM, on 5/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\sysragfchqs.exe
    C:\WINDOWS\sysnwqdfbta.exe
    C:\WINDOWS\syscdupretn.exe
    C:\WINDOWS\sysgycnafek.exe
    C:\WINDOWS\sysuxvmschr.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Cox\Applications\App\syssvcnt.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\M33840I0\dss[1].exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Program Files\Alwil Software\Avast4\setup\setup.ovr

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}] "C:\WINDOWS\sysragfchqs.exe"
    O4 - HKLM\..\Run: [{B774C456-2718-417d-AC6E-E0049682876F}] "C:\WINDOWS\sysnwqdfbta.exe"
    O4 - HKLM\..\Run: [{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}] "C:\WINDOWS\syscdupretn.exe"
    O4 - HKLM\..\Run: [{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}] "C:\WINDOWS\sysgycnafek.exe"
    O4 - HKLM\..\Run: [{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}] "C:\WINDOWS\sysuxvmschr.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.pw.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.pw.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 12858 bytes

    -- Files created between 2008-04-25 and 2008-05-25 -----------------------------

    2008-05-25 00:48:00 0 d-------- C:\Program Files\Alwil Software
    2008-05-25 00:02:18 0 d-------- C:\Program Files\Trend Micro
    2008-05-24 21:09:12 0 d-------- C:\Program Files\Spyware Doctor
    2008-05-24 21:09:12 0 d-------- C:\Documents and Settings\user\Application Data\PC Tools
    2008-05-24 19:10:01 0 d-------- C:\Program Files\Enigma Software Group
    2008-05-24 18:31:43 0 dr-h----- C:\Documents and Settings\user\Recent
    2008-05-24 17:35:24 3798 --a------ C:\WINDOWS\system32\tmp.reg
    2008-05-24 17:03:36 0 d-------- C:\Program Files\RogueRemover FREE
    2008-05-24 12:34:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-24 12:15:02 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-24 03:36:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2008-05-24 03:36:46 0 d-------- C:\Program Files\SiteAdvisor
    2008-05-24 03:36:46 0 d-------- C:\Documents and Settings\user\Application Data\SiteAdvisor
    2008-05-24 03:36:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-05-24 03:36:33 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
    2008-05-24 03:33:02 0 d-------- C:\Program Files\Common Files\McAfee
    2008-05-24 03:32:52 0 d-------- C:\Program Files\McAfee
    2008-05-24 03:28:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-05-24 02:11:55 85568 --a------ C:\WINDOWS\sysuxvmschr.exe
    2008-05-24 02:11:54 73280 --a------ C:\WINDOWS\sysragfchqs.exe
    2008-05-24 02:11:53 82496 --a------ C:\WINDOWS\sysnwqdfbta.exe
    2008-05-24 02:11:53 83520 --a------ C:\WINDOWS\sysgycnafek.exe
    2008-05-24 02:11:52 1409 --a------ C:\WINDOWS\zysrsetdhmz.exe
    2008-05-24 02:11:52 3072 --a------ C:\WINDOWS\zyscfutkqew.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-24 02:11:52 80448 --a------ C:\WINDOWS\syscdupretn.exe
    2008-05-13 17:51:22 0 d-------- C:\Program Files\eMini-Master.com
    2008-05-13 17:51:21 61440 --a------ C:\WINDOWS\UnDeploy.exe <Not Verified; JGsoft - Just Great Software; DeployMaster>
    2008-05-11 00:35:27 0 d-------- C:\Documents and Settings\user\Application Data\Google
    2008-05-10 22:46:00 0 d-------- C:\Program Files\Common Files\xing shared
    2008-05-10 22:43:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2008-05-10 22:43:20 0 d-------- C:\Program Files\Google
    2008-05-07 00:14:34 0 d-------- C:\Documents and Settings\user\Application Data\HTML Executable
    2008-05-07 00:14:22 0 d-------- C:\Program Files\Common Files\HTML Executable Viewer


    -- Find3M Report ---------------------------------------------------------------

    2008-05-25 01:11:34 11242 --a------ C:\WINDOWS\system32\nvModes.dat
    2008-05-24 04:00:40 0 d-------- C:\Program Files\Common Files\{3038E54A-0573-1033-0331-041120030001}
    2008-05-24 03:33:18 0 d-------- C:\Program Files\mcafee.com
    2008-05-24 03:33:02 0 d-------- C:\Program Files\Common Files
    2008-05-24 03:25:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-13 17:51:23 2045 --a------ C:\Program Files\Deploy.log
    2008-05-13 14:00:07 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
    2008-05-10 22:45:49 0 d-------- C:\Program Files\Common Files\Real
    2008-04-20 16:20:09 0 d-------- C:\Program Files\fxsolutions
    2008-04-20 01:02:36 0 d-------- C:\Program Files\IZArc
    2008-04-18 13:42:55 0 d-------- C:\Program Files\FXDD - MetaTrader 4
    2008-04-02 07:58:03 0 d-------- C:\Documents and Settings\user\Application Data\Image Zone Express
    2008-04-01 05:05:50 0 d-------- C:\Documents and Settings\user\Application Data\Professional
    2008-04-01 05:03:26 0 d-------- C:\Program Files\Rio
    2008-04-01 05:02:42 0 d-------- C:\Program Files\verizon
    2008-04-01 04:19:35 0 d-------- C:\Program Files\WHC Trader 4
    2008-03-26 10:51:22 0 d-------- C:\Documents and Settings\user\Application Data\Real
    2008-03-24 01:36:02 3746957 --a------ C:\Program Files\mt4setup.exe <Not Verified; MetaQuotes Software Corp.; MetaQuotes Installer>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [04/29/2004 05:15 PM]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/26/2004 03:01 PM]
    "nwiz"="nwiz.exe" [10/26/2004 03:01 PM C:\WINDOWS\system32\nwiz.exe]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 03:28 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/20/2005 01:06 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 03:07 PM]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 02:12 AM]
    "ESP"="C:\Program Files\Cox\Applications\app\start.exe" [12/11/2006 08:31 AM]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 03:56 AM]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/10/2008 10:45 PM]
    "{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}"="C:\WINDOWS\sysragfchqs.exe" [05/24/2008 02:11 AM]
    "{B774C456-2718-417d-AC6E-E0049682876F}"="C:\WINDOWS\sysnwqdfbta.exe" [05/24/2008 02:11 AM]
    "{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}"="C:\WINDOWS\syscdupretn.exe" [05/24/2008 02:11 AM]
    "{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}"="C:\WINDOWS\sysgycnafek.exe" [05/24/2008 02:11 AM]
    "{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}"="C:\WINDOWS\sysuxvmschr.exe" [05/24/2008 02:11 AM]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [08/24/2007 04:57 PM]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [06/27/2007 01:54 PM]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 06:19 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [03/01/2007 05:11 PM]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 03:45 PM]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

    C:\Documents and Settings\user\Start Menu\Programs\Startup\
    VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [5/25/2006 1:19:58 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 2:23:26 AM]
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [1/25/2005 2:36:16 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 4:01:04 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "cisvc"=3 (0x3)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0839b10-4fbf-11db-b0f1-00038a000015}]
    AutoRun\command- rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

    *Newly Created Service* - AAVMKER4
    *Newly Created Service* - ASWFSBLK
    *Newly Created Service* - ASWMON2
    *Newly Created Service* - ASWRDR
    *Newly Created Service* - ASWSP
    *Newly Created Service* - ASWTDI
    *Newly Created Service* - ASWUPDSV
    *Newly Created Service* - AVAST!_ANTIVIRUS
    *Newly Created Service* - AVAST!_MAIL_SCANNER
    *Newly Created Service* - AVAST!_WEB_SCANNER



    -- End of Deckard's System Scanner: finished at 2008-05-25 01:25:17 ------------
     
  2. 2008/05/25
    Geri
    Hi rabah
    Welcome to Windowsbbs. :)

    You are running two anti-virus programs. This is not a good idea: they can conflict with each other and actually give you less protection.
    Please remove one (1) of them:
    avast
    McAfee

    If you are removing McAfee, please see the McAfee removal instructions here:

    http://service.mcafee.com/FAQDocument.aspx?id=107083&lc=1033

    I would like some files scanned, Please do this.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\WINDOWS\sysragfchqs.exe
      • C:\WINDOWS\sysnwqdfbta.exe
      • C:\WINDOWS\syscdupretn.exe
      • C:\WINDOWS\sysgycnafek.exe
      • C:\WINDOWS\sysuxvmschr.exe
    • Click on the submit button.
    • Please post the results in your next reply.

    Please post the Jotti results and a new HJT log.

    Thanks
    Geri
     
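The selection Geri makes above is a by-eye triage of the HijackThis O4 entries and the DSS "Files created" list: five Run values named with bare GUIDs, each pointing at a random-looking sys*.exe dropped straight into C:\WINDOWS, all written within four seconds of each other. The script below is an added example, not code from this thread, from HijackThis or from Deckard's System Scanner; it scores each O4 entry on those four signals and, as a bonus the manual pass misses, lists files that were dropped in the same burst but have no autorun entry at all (in this log, the two zys*.exe files). The sample log lines are copied from rabah's post; the scoring signals, the 5-consonant "random name" rule, the 10-second cluster window and the 3-point threshold are the example's own assumptions. Note that none of this depends on an antivirus verdict: a file can come back clean from every engine and still belong to the drop cluster.

```python
"""Score HijackThis O4 autorun entries against the DSS "Files created" list.
Added example, not code from the thread, HijackThis or DSS. One point each for:
a GUID-named Run value, a binary directly in the Windows directory, a
machine-looking name (long consonant run), and creation within seconds of
other files in that directory. 3+ points flags the entry; thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the O4 lines from the HijackThis log above.
O4_LINES = r"""
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}] "C:\WINDOWS\sysragfchqs.exe"
O4 - HKLM\..\Run: [{B774C456-2718-417d-AC6E-E0049682876F}] "C:\WINDOWS\sysnwqdfbta.exe"
O4 - HKLM\..\Run: [{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}] "C:\WINDOWS\syscdupretn.exe"
O4 - HKLM\..\Run: [{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}] "C:\WINDOWS\sysgycnafek.exe"
O4 - HKLM\..\Run: [{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}] "C:\WINDOWS\sysuxvmschr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Constructed sample: a subset of the DSS "Files created" section above.
FILES_CREATED = r"""
2008-05-24 03:36:33 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-05-24 02:11:55 85568 --a------ C:\WINDOWS\sysuxvmschr.exe
2008-05-24 02:11:54 73280 --a------ C:\WINDOWS\sysragfchqs.exe
2008-05-24 02:11:53 82496 --a------ C:\WINDOWS\sysnwqdfbta.exe
2008-05-24 02:11:53 83520 --a------ C:\WINDOWS\sysgycnafek.exe
2008-05-24 02:11:52 1409 --a------ C:\WINDOWS\zysrsetdhmz.exe
2008-05-24 02:11:52 3072 --a------ C:\WINDOWS\zyscfutkqew.exe
2008-05-24 02:11:52 80448 --a------ C:\WINDOWS\syscdupretn.exe
2008-05-13 17:51:21 61440 --a------ C:\WINDOWS\UnDeploy.exe
"""
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\d+\s+\S+\s+(?P<path>.+?)(?:\s*<.*>)?$")
WINDIR = r"c:\windows"

def image_path(cmd):
    """Executable from a Run command line: quoted, or bare up to the extension."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1).strip() if m else cmd.split()[0]

def in_windir_root(path):
    # C:\WINDOWS\x.exe -> True; anything under a subfolder such as system32 -> False
    p = path.lower()
    return p.startswith(WINDIR + "\\") and "\\" not in p[len(WINDIR) + 1:]

def looks_random(stem, run_len=5):
    """True when the name has run_len+ consecutive consonants (y counts as one)."""
    longest = run = 0
    for ch in stem.lower():
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        longest = max(longest, run)
    return longest >= run_len

def parse_created(text):
    """Lowercased path -> creation time, from DSS 'Files created' lines."""
    rows = (FILE_RE.match(line.strip()) for line in text.splitlines())
    return {m["path"].lower(): datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S") for m in rows if m}

def drop_clusters(created, window=timedelta(seconds=10), min_size=3):
    """Sets of files written to the same directory within `window` of each other."""
    by_dir = {}
    for path, ts in created.items():
        by_dir.setdefault(path.rsplit("\\", 1)[0], []).append((ts, path))
    clusters = []
    for items in by_dir.values():
        groups = [[]]
        for ts, path in sorted(items):          # chronological; start a new group on a gap
            if groups[-1] and ts - groups[-1][-1][0] > window:
                groups.append([])
            groups[-1].append((ts, path))
        clusters += [{p for _, p in g} for g in groups if len(g) >= min_size]
    return clusters

def triage(o4_text, created_text, threshold=3):
    """Return ({flagged image path: reasons}, [clustered files with no Run entry])."""
    clustered = set().union(*drop_clusters(parse_created(created_text)))
    flagged, seen = {}, set()
    for m in filter(None, (O4_RE.match(line.strip()) for line in o4_text.splitlines())):
        path = image_path(m["cmd"])
        key = path.lower()
        seen.add(key)
        stem = key.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        checks = [(GUID_RE.match(m["name"]), "GUID-named Run value"),
                  (in_windir_root(key), "binary in Windows root"),
                  (looks_random(stem), "machine-looking file name"),
                  (key in clustered, "dropped in a burst with other files")]
        reasons = [text for hit, text in checks if hit]
        if len(reasons) >= threshold:
            flagged[path] = reasons
    return flagged, sorted(p for p in clustered if p not in seen)

if __name__ == "__main__":
    suspects, orphans = triage(O4_LINES, FILES_CREATED)
    for path, reasons in suspects.items():
        print("SUSPECT", path, "->", ", ".join(reasons))
    for path in orphans:
        print("ORPHAN ", path, "-> dropped with the suspects, no autorun entry")
```

Run against the sample it reports the same five sys*.exe files Geri asks to have scanned, each with all four signals, plus C:\WINDOWS\zyscfutkqew.exe and C:\WINDOWS\zysrsetdhmz.exe as burst members with no Run value. Legitimate entries score at most one point (RUNDLL32.EXE trips the consonant-run rule and nothing else), which is why the signals are combined rather than used alone.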


  4. 2008/05/25
    rabah

    Jotti results and HJT results

    Thanks Geri,

    Here are the Jotti results:

    File: sysragfchqs.exe
    Status: OK
    MD5: ecc3d78b5879b28cee3da57eab407e30
    Packers detected: -
    Scan taken on 25 May 2008 18:34:54 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing

    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing



    File: sysnwqdfbta.exe
    Status: INFECTED/MALWARE
    MD5: 674951071490111cc40cd713b24bfd31
    Packers detected: -
    Scan taken on 25 May 2008 18:40:57 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-Clicker.Win32.Agent.akc
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found Trojan-Clicker.Win32.Agent.akc
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing




    File: syscdupretn.exe
    Status: INFECTED/MALWARE
    MD5: 9844faff5aa251d9e5565db075da675f
    Packers detected: -
    Scan taken on 25 May 2008 18:44:05 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-Downloader.Win32.Zlob.nuo
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Zlob.nuo
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing




    File: sysgycnafek.exe
    Status: INFECTED/MALWARE
    MD5: 0c1679ba464ed95f3f2f8a080579c1cf
    Packers detected: -
    Scan taken on 25 May 2008 18:50:35 (GMT)
    A-Squared Found nothing
    AntiVir Found TR/PSW.Wow.bac
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-PSW.Win32.WOW.bac
    Fortinet Found W32/WOW.BAC!tr.pws
    Ikarus Found Trojan-PWS.Win32.WOW.bac
    Kaspersky Anti-Virus Found Trojan-PSW.Win32.WOW.bac
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing



    File: sysuxvmschr.exe_
    Status: INFECTED/MALWARE
    MD5: ce2be784706ca4d3c415d07c297810a4
    Scan taken on 25 May 2008 18:52:56 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-Clicker.Win32.Agent.ajs
    Fortinet Found Adware/Agent
    Ikarus Found nothing
    Kaspersky Anti-Virus Found Trojan-Clicker.Win32.Agent.ajs
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    HJT results

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:59:46 PM, on 5/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cox\Applications\App\syssvcnt.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\sysragfchqs.exe
    C:\WINDOWS\sysnwqdfbta.exe
    C:\WINDOWS\syscdupretn.exe
    C:\WINDOWS\sysgycnafek.exe
    C:\WINDOWS\sysuxvmschr.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wltrysvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}] "C:\WINDOWS\sysragfchqs.exe "
    O4 - HKLM\..\Run: [{B774C456-2718-417d-AC6E-E0049682876F}] "C:\WINDOWS\sysnwqdfbta.exe "
    O4 - HKLM\..\Run: [{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}] "C:\WINDOWS\syscdupretn.exe "
    O4 - HKLM\..\Run: [{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}] "C:\WINDOWS\sysgycnafek.exe "
    O4 - HKLM\..\Run: [{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}] "C:\WINDOWS\sysuxvmschr.exe "
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.pw.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.pw.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 12726 bytes


    Again many thanks
     
  5. 2008/05/25
    Geri
    Hi rabah

    Thanks for the Jotti results.

    I'm still seeing 2 AVs in your log.

    One needs to be removed. Please do so then post a new HJT log.

    Thanks
    Geri
     
  6. 2008/05/25
    rabah
    Sorry about that,

    I removed AVAST; here are the new HJT results.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:52:03 PM, on 5/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cox\Applications\App\syssvcnt.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\sysragfchqs.exe
    C:\WINDOWS\sysnwqdfbta.exe
    C:\WINDOWS\syscdupretn.exe
    C:\WINDOWS\sysgycnafek.exe
    C:\WINDOWS\sysuxvmschr.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}] "C:\WINDOWS\sysragfchqs.exe "
    O4 - HKLM\..\Run: [{B774C456-2718-417d-AC6E-E0049682876F}] "C:\WINDOWS\sysnwqdfbta.exe "
    O4 - HKLM\..\Run: [{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}] "C:\WINDOWS\syscdupretn.exe "
    O4 - HKLM\..\Run: [{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}] "C:\WINDOWS\sysgycnafek.exe "
    O4 - HKLM\..\Run: [{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}] "C:\WINDOWS\sysuxvmschr.exe "
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe "
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.pw.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.pw.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
    O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 11615 bytes
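As an added example (not part of rabah's or Geri's posts, and not a HijackThis feature), the script below applies the kind of triage a helper does by eye on the O4 lines in the log above: it parses HijackThis Run-key entries and flags those whose value name is a bare GUID, whose image sits directly in C:\WINDOWS, or whose file name looks randomly generated, requiring two of the three signals. The sample O4 lines are copied from the HJT log in this thread; the heuristics and the two-signal threshold are my own assumptions.

```python
"""Heuristic triage of HijackThis O4 (registry Run) entries.

Added example; the scoring rules are assumptions chosen to match the
pattern seen in this thread's log, not anything HijackThis itself does.
"""
import re
from dataclasses import dataclass, field

# An O4 Run-key line as HijackThis prints it, e.g.
#   O4 - HKLM\..\Run: [name] "C:\path\prog.exe" -switch
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# A bare {GUID} as the Run value name; legitimate installers almost never do this
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# Executable dropped straight into the Windows directory instead of a subfolder
WINDIR_ROOT_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+$', re.IGNORECASE)
# First token of an unquoted command line that ends in an executable extension
UNQUOTED_IMAGE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|cpl))(?:\s|$)', re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    name: str                                    # Run value name
    image: str                                   # executable the entry launches
    reasons: list = field(default_factory=list)  # heuristics that fired


def image_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line, quoted or not.
    The log in this thread shows a trailing space inside the quotes, so strip it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end != -1 else cmd[1:]).strip()
    m = UNQUOTED_IMAGE_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def max_consonant_run(stem: str) -> int:
    """Longest run of consonants in the file-name stem (y counts as a consonant)."""
    run = best = 0
    for ch in re.sub(r"[^a-z]", "", stem.lower()):
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def assess_entry(name: str, cmd: str) -> Finding:
    """Apply the three heuristics to one Run entry and record which fired."""
    image = image_from_command(cmd)
    stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    finding = Finding(name.strip(), image)
    if GUID_RE.match(finding.name):
        finding.reasons.append("Run value named with a bare GUID")
    if WINDIR_ROOT_RE.match(image):
        finding.reasons.append("image sits directly in the Windows directory")
    if max_consonant_run(stem) >= 4:
        finding.reasons.append("file name looks randomly generated")
    return finding


def suspicious_run_entries(hjt_log: str, min_score: int = 2) -> list:
    """Return O4 Run entries on which at least min_score heuristics fired.
    Two independent signals keep single oddities such as RUNDLL32.EXE
    (consonant-heavy but a normal launcher) below the threshold."""
    findings = []
    for line in hjt_log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        finding = assess_entry(m.group("name"), m.group("cmd"))
        if len(finding.reasons) >= min_score:
            findings.append(finding)
    return findings


# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}] "C:\WINDOWS\sysragfchqs.exe "
O4 - HKLM\..\Run: [{B774C456-2718-417d-AC6E-E0049682876F}] "C:\WINDOWS\sysnwqdfbta.exe "
O4 - HKLM\..\Run: [{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}] "C:\WINDOWS\syscdupretn.exe "
O4 - HKLM\..\Run: [{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}] "C:\WINDOWS\sysgycnafek.exe "
O4 - HKLM\..\Run: [{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}] "C:\WINDOWS\sysuxvmschr.exe "
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_LOG):
        print(f"[{f.name}] {f.image}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the sample, only the five GUID-named C:\WINDOWS\sys*.exe entries score two or more; every legitimate entry scores at most one.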
     
  7. 2008/05/25
    Geri
    Hi rabah
    OK Good.

    Now please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    Please post the Cf log.

    Thanks
    Geri
     
  8. 2008/05/25
    rabah
    combofix log and latest HJT log

    Combofix log

    ComboFix 08-05-25.3 - user 2008-05-25 21:14:07.1 - NTFSx86
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\user\Application Data\RACLE~1
    C:\Program Files\Common Files\{3038E~1
    C:\Program Files\Common Files\{7038E~1
    C:\WINDOWS\mywallpaper.bmp
    C:\WINDOWS\zystmxcgfqz.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CLIENT_IP-IPX


    ((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
    .

    2008-05-25 19:24 . 2006-11-09 15:07 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-25 13:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-25 13:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-25 00:48 . 2008-05-25 00:48 <DIR> d-------- C:\Program Files\Alwil Software
    2008-05-25 00:09 . 2008-05-25 00:09 <DIR> d-------- C:\Deckard
    2008-05-25 00:02 . 2008-05-25 00:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-24 21:09 . 2008-05-24 23:20 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-05-24 21:09 . 2008-05-24 21:09 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
    2008-05-24 21:09 . 2007-05-23 16:58 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-05-24 21:09 . 2007-05-23 16:58 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-05-24 21:09 . 2007-05-23 16:58 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-05-24 21:09 . 2007-05-23 16:58 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2008-05-24 21:09 . 2007-05-23 16:58 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-05-24 20:41 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2008-05-24 19:10 . 2008-05-24 21:03 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-05-24 17:35 . 2008-05-24 23:21 3,798 --a------ C:\WINDOWS\system32\tmp.reg
    2008-05-24 17:03 . 2008-05-24 18:00 <DIR> d-------- C:\Program Files\RogueRemover FREE
    2008-05-24 12:34 . 2008-05-24 12:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-05-24 12:34 . 2008-05-24 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-24 12:15 . 2008-05-24 23:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-24 03:37 . 2008-05-25 21:24 20,469 --a------ C:\WINDOWS\system32\Config.MPF
    2008-05-24 03:36 . 2008-05-25 14:45 <DIR> d-------- C:\Program Files\SiteAdvisor
    2008-05-24 03:36 . 2008-05-25 19:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2008-05-24 03:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2008-05-24 03:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
    2008-05-24 03:33 . 2008-05-24 03:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-05-24 03:33 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-05-24 03:33 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-05-24 03:33 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-05-24 03:33 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-05-24 03:33 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-05-24 03:33 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-05-24 03:32 . 2008-05-24 09:54 <DIR> d-------- C:\Program Files\McAfee
    2008-05-24 03:28 . 2008-05-24 03:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-05-24 02:11 . 2008-05-24 02:11 85,568 --a------ C:\WINDOWS\sysuxvmschr.exe
    2008-05-24 02:11 . 2008-05-24 02:11 83,520 --a------ C:\WINDOWS\sysgycnafek.exe
    2008-05-24 02:11 . 2008-05-24 02:11 82,496 --a------ C:\WINDOWS\sysnwqdfbta.exe
    2008-05-24 02:11 . 2008-05-24 02:11 80,448 --a------ C:\WINDOWS\syscdupretn.exe
    2008-05-24 02:11 . 2008-05-24 02:11 73,280 --a------ C:\WINDOWS\sysragfchqs.exe
    2008-05-24 02:11 . 2008-05-24 02:12 3,072 --a------ C:\WINDOWS\zyscfutkqew.exe
    2008-05-24 02:11 . 2008-05-24 02:12 1,409 --a------ C:\WINDOWS\zysrsetdhmz.exe
    2008-05-24 02:11 . 2008-05-24 02:12 1,272 --a------ C:\WINDOWS\zysqargtzkf.exe
    2008-05-21 18:07 . 2008-05-21 18:07 303 --a------ C:\WINDOWS\ST6UNST.001
    2008-05-21 18:07 . 2008-05-21 18:07 303 --a------ C:\WINDOWS\ST6UNST.000
    2008-05-13 17:51 . 2008-05-13 17:51 <DIR> d-------- C:\Program Files\eMini-Master.com
    2008-05-13 17:51 . 2004-02-17 02:06 61,440 --a------ C:\WINDOWS\UnDeploy.exe
    2008-05-10 22:46 . 2008-05-10 22:46 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-05-10 22:43 . 2008-05-10 22:43 <DIR> d-------- C:\Program Files\Google
    2008-05-07 00:14 . 2008-05-07 00:14 <DIR> d-------- C:\Program Files\Common Files\HTML Executable Viewer
    2008-05-07 00:14 . 2008-05-07 00:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\HTML Executable

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-26 00:29 --------- d-----w C:\Program Files\Java
    2008-05-24 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2008-05-24 08:33 --------- d-----w C:\Program Files\mcafee.com
    2008-05-24 08:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-13 22:51 2,045 ----a-w C:\Program Files\Deploy.log
    2008-05-11 03:45 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-20 21:20 --------- d-----w C:\Program Files\fxsolutions
    2008-04-20 06:02 --------- d-----w C:\Program Files\IZArc
    2008-04-18 18:42 --------- d-----w C:\Program Files\FXDD - MetaTrader 4
    2008-04-02 12:58 --------- d-----w C:\Documents and Settings\user\Application Data\Image Zone Express
    2008-04-01 10:05 --------- d-----w C:\Documents and Settings\user\Application Data\Professional
    2008-04-01 10:03 --------- d-----w C:\Program Files\Rio
    2008-04-01 10:02 --------- d-----w C:\Program Files\verizon
    2008-04-01 09:19 --------- d-----w C:\Program Files\WHC Trader 4
    2008-03-24 06:36 3,746,957 ----a-w C:\Program Files\mt4setup.exe
    2007-03-25 08:11 19,864 -c--a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
    2004-11-03 21:25 2,238 ----a-w C:\Program Files\Common Files\emini.ico
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 17:11 4670968]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 17:15 90169]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 15:01 4632576]
    "nwiz"="nwiz.exe" [2004-10-26 15:01 921600 C:\WINDOWS\system32\nwiz.exe]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 15:28 684032]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-20 01:06 98304]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 02:12 49152]
    "ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2006-12-11 08:31 62952]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56 158208]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-10 22:45 185896]
    "{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}"="C:\WINDOWS\sysragfchqs.exe" [2008-05-24 02:11 73280]
    "{B774C456-2718-417d-AC6E-E0049682876F}"="C:\WINDOWS\sysnwqdfbta.exe" [2008-05-24 02:11 82496]
    "{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}"="C:\WINDOWS\syscdupretn.exe" [2008-05-24 02:11 80448]
    "{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}"="C:\WINDOWS\sysgycnafek.exe" [2008-05-24 02:11 83520]
    "{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}"="C:\WINDOWS\sysuxvmschr.exe" [2008-05-24 02:11 85568]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 16:57 36640]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 13:54 1051464]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]
    "combofix"="C:\WINDOWS\system32\CF26215.exe" [2004-08-04 03:56 388608]

    C:\Documents and Settings\user\Start Menu\Programs\Startup\
    VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2006-05-25 01:19:58 1220608]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-01-25 14:36:16 102400]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "cisvc"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\WINDOWS\\system32\\java.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2006-07-30 11:05]
    R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-20 11:26]
    R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2006-12-11 08:24]
    S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-02 00:37]
    S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 11:59]
    S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 12:00]
    S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 12:00]
    S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 12:01]
    S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 12:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0839b10-4fbf-11db-b0f1-00038a000015}]
    \Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-24 08:33:24 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2008-05-24 08:33:23 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2008-05-26 02:28:31 C:\WINDOWS\Tasks\User_Feed_Synchronization-{670E72B4-9DBA-446F-A4DF-9561BBAB15BA}.job"
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-25 21:27:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Cox\Applications\App\syssvcnt.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    C:\Program Files\McAfee\VirusScan\Mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\McAfee\MPF\MpfSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\Verizon Wireless\venturi\Client\VentC.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\mcafee.com\Agent\mcagent.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-25 21:35:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-26 02:35:08

    Pre-Run: 5,359,443,968 bytes free
    Post-Run: 5,315,575,808 bytes free

    226 --- E O F --- 2008-05-17 06:04:54



    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:53:32 PM, on 5/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Cox\Applications\App\syssvcnt.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\sysragfchqs.exe
    C:\WINDOWS\sysnwqdfbta.exe
    C:\WINDOWS\syscdupretn.exe
    C:\WINDOWS\sysgycnafek.exe
    C:\WINDOWS\sysuxvmschr.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}] "C:\WINDOWS\sysragfchqs.exe"
    O4 - HKLM\..\Run: [{B774C456-2718-417d-AC6E-E0049682876F}] "C:\WINDOWS\sysnwqdfbta.exe"
    O4 - HKLM\..\Run: [{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}] "C:\WINDOWS\syscdupretn.exe"
    O4 - HKLM\..\Run: [{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}] "C:\WINDOWS\sysgycnafek.exe"
    O4 - HKLM\..\Run: [{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}] "C:\WINDOWS\sysuxvmschr.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.pw.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.pw.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
    O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 12011 bytes
     
  9. 2008/05/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi rabah

    Please do this.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\sysuxvmschr.exe
    C:\WINDOWS\sysgycnafek.exe
    C:\WINDOWS\sysnwqdfbta.exe
    C:\WINDOWS\syscdupretn.exe
    C:\WINDOWS\sysragfchqs.exe
    C:\WINDOWS\zyscfutkqew.exe
    C:\WINDOWS\zysrsetdhmz.exe
    C:\WINDOWS\zysqargtzkf.exe

    Folder::
    C:\Documents and Settings\All Users\Application Data\Avg7

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}"=-
    "{B774C456-2718-417d-AC6E-E0049682876F}"=-
    "{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}"=-
    "{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}"=-
    "{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}"=-
    Please post the combofix log and a new HJT log.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2008/05/26
    rabah

    rabah Inactive Thread Starter

    Joined:
    2008/05/24
    Messages:
    13
    Likes Received:
    0
    latest combofix and HJT log

    Combofix

    ComboFix 08-05-25.3 - user 2008-05-26 7:28:34.2 - NTFSx86
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\syscdupretn.exe
    C:\WINDOWS\sysgycnafek.exe
    C:\WINDOWS\sysnwqdfbta.exe
    C:\WINDOWS\sysragfchqs.exe
    C:\WINDOWS\sysuxvmschr.exe
    C:\WINDOWS\zyscfutkqew.exe
    C:\WINDOWS\zysqargtzkf.exe
    C:\WINDOWS\zysrsetdhmz.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Avg7
    C:\WINDOWS\mywallpaper.bmp
    C:\WINDOWS\syscdupretn.exe
    C:\WINDOWS\sysgycnafek.exe
    C:\WINDOWS\sysnwqdfbta.exe
    C:\WINDOWS\sysragfchqs.exe
    C:\WINDOWS\sysuxvmschr.exe
    C:\WINDOWS\zyscfutkqew.exe
    C:\WINDOWS\zysqargtzkf.exe
    C:\WINDOWS\zysrsetdhmz.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
    .

    2008-05-25 19:24 . 2006-11-09 15:07 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-25 13:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-25 13:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-25 00:48 . 2008-05-25 00:48 <DIR> d-------- C:\Program Files\Alwil Software
    2008-05-25 00:09 . 2008-05-25 00:09 <DIR> d-------- C:\Deckard
    2008-05-25 00:02 . 2008-05-25 00:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-24 21:09 . 2008-05-25 21:49 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-05-24 21:09 . 2008-05-24 21:09 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
    2008-05-24 21:09 . 2007-05-23 16:58 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-05-24 21:09 . 2007-05-23 16:58 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-05-24 21:09 . 2007-05-23 16:58 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-05-24 21:09 . 2007-05-23 16:58 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2008-05-24 21:09 . 2007-05-23 16:58 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-05-24 20:41 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2008-05-24 19:10 . 2008-05-24 21:03 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-05-24 17:35 . 2008-05-24 23:21 3,798 --a------ C:\WINDOWS\system32\tmp.reg
    2008-05-24 17:03 . 2008-05-24 18:00 <DIR> d-------- C:\Program Files\RogueRemover FREE
    2008-05-24 12:34 . 2008-05-24 12:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-05-24 12:34 . 2008-05-24 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-24 12:15 . 2008-05-24 23:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-24 03:37 . 2008-05-26 07:10 20,469 --a------ C:\WINDOWS\system32\Config.MPF
    2008-05-24 03:36 . 2008-05-25 14:45 <DIR> d-------- C:\Program Files\SiteAdvisor
    2008-05-24 03:36 . 2008-05-25 19:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2008-05-24 03:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2008-05-24 03:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
    2008-05-24 03:33 . 2008-05-24 03:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-05-24 03:33 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-05-24 03:33 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-05-24 03:33 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-05-24 03:33 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-05-24 03:33 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-05-24 03:33 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-05-24 03:32 . 2008-05-24 09:54 <DIR> d-------- C:\Program Files\McAfee
    2008-05-21 18:07 . 2008-05-21 18:07 303 --a------ C:\WINDOWS\ST6UNST.001
    2008-05-21 18:07 . 2008-05-21 18:07 303 --a------ C:\WINDOWS\ST6UNST.000
    2008-05-13 17:51 . 2008-05-13 17:51 <DIR> d-------- C:\Program Files\eMini-Master.com
    2008-05-13 17:51 . 2004-02-17 02:06 61,440 --a------ C:\WINDOWS\UnDeploy.exe
    2008-05-10 22:46 . 2008-05-10 22:46 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-05-10 22:43 . 2008-05-10 22:43 <DIR> d-------- C:\Program Files\Google
    2008-05-07 00:14 . 2008-05-07 00:14 <DIR> d-------- C:\Program Files\Common Files\HTML Executable Viewer
    2008-05-07 00:14 . 2008-05-07 00:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\HTML Executable

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-26 00:29 --------- d-----w C:\Program Files\Java
    2008-05-24 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2008-05-24 08:33 --------- d-----w C:\Program Files\mcafee.com
    2008-05-24 08:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-13 22:51 2,045 ----a-w C:\Program Files\Deploy.log
    2008-05-11 03:45 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-20 21:20 --------- d-----w C:\Program Files\fxsolutions
    2008-04-20 06:02 --------- d-----w C:\Program Files\IZArc
    2008-04-18 18:42 --------- d-----w C:\Program Files\FXDD - MetaTrader 4
    2008-04-02 12:58 --------- d-----w C:\Documents and Settings\user\Application Data\Image Zone Express
    2008-04-01 10:05 --------- d-----w C:\Documents and Settings\user\Application Data\Professional
    2008-04-01 10:03 --------- d-----w C:\Program Files\Rio
    2008-04-01 10:02 --------- d-----w C:\Program Files\verizon
    2008-04-01 09:19 --------- d-----w C:\Program Files\WHC Trader 4
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-24 06:36 3,746,957 ----a-w C:\Program Files\mt4setup.exe
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-03-25 08:11 19,864 -c--a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
    2004-11-03 21:25 2,238 ----a-w C:\Program Files\Common Files\emini.ico
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-25_21.34.34.72 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-26 02:21:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-26 12:06:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-05-25 18:03:44 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-05-26 12:14:53 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-05-25 18:03:44 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-05-26 12:14:53 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-05-25 18:03:44 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-05-26 12:14:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 17:11 4670968]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 17:15 90169]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 15:01 4632576]
    "nwiz"="nwiz.exe" [2004-10-26 15:01 921600 C:\WINDOWS\system32\nwiz.exe]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 15:28 684032]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-20 01:06 98304]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 02:12 49152]
    "ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2006-12-11 08:31 62952]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56 158208]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-10 22:45 185896]
    "{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}"="C:\WINDOWS\sysragfchqs.exe" [ ]
    "{B774C456-2718-417d-AC6E-E0049682876F}"="C:\WINDOWS\sysnwqdfbta.exe" [ ]
    "{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}"="C:\WINDOWS\syscdupretn.exe" [ ]
    "{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}"="C:\WINDOWS\sysgycnafek.exe" [ ]
    "{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}"="C:\WINDOWS\sysuxvmschr.exe" [ ]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 16:57 36640]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 13:54 1051464]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]

    C:\Documents and Settings\user\Start Menu\Programs\Startup\
    VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2006-05-25 01:19:58 1220608]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-01-25 14:36:16 102400]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RasMan "=3 (0x3)
    "RasAuto "=3 (0x3)
    "mnmsrvc "=3 (0x3)
    "cisvc "=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\WINDOWS\\system32\\java.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe "= C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2006-07-30 11:05]
    R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-20 11:26]
    R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2006-12-11 08:24]
    S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-02 00:37]
    S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 11:59]
    S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 12:00]
    S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 12:00]
    S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 12:01]
    S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 12:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0839b10-4fbf-11db-b0f1-00038a000015}]
    \Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-24 08:33:24 C:\WINDOWS\Tasks\McDefragTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-05-24 08:33:23 C:\WINDOWS\Tasks\McQcTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2008-05-26 12:11:34 C:\WINDOWS\Tasks\User_Feed_Synchronization-{670E72B4-9DBA-446F-A4DF-9561BBAB15BA}.job "
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-26 07:33:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-05-26 7:35:12
    ComboFix-quarantined-files.txt 2008-05-26 12:34:57
    ComboFix2.txt 2008-05-26 02:35:18

    Pre-Run: 5,291,339,776 bytes free
    Post-Run: 5,291,515,904 bytes free

    220 --- E O F --- 2008-05-17 06:04:54



    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:46:37 AM, on 5/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cox\Applications\App\syssvcnt.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe "
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.pw.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.pw.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
    O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 11338 bytes


    Again, many thanks,

    Rabah
     
  11. 2008/05/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi rabah

    OK, let's try this again.

    It's best to disable real-time protection applications, as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{7D5C078D-6337-46a1-852E-D1A97B8EBB8C}"=-
    "{B774C456-2718-417d-AC6E-E0049682876F}"=-
    "{6739EFCB-69CF-41db-ADD7-79047E1BB2C0}"=-
    "{1989CEB5-CC50-4314-9FD6-597E6F7CC50F}"=-
    "{F93D8433-BFDA-4e2c-ABB9-EBA2716CD140}"=-
    Please post the ComboFix log.

    Thanks
    Geri
     
  12. 2008/05/26
    rabah

    rabah Inactive Thread Starter

    Joined:
    2008/05/24
    Messages:
    13
    Likes Received:
    0
    Latest ComboFix log

    Geri,

    Thanks for everything. After the first recommendation, I was helped tremendously. There was no more blue screen, nor pop-up in the right-hand tray.

    Here is the latest ComboFix log.

    Again, many thanks.

    ComboFix 08-05-25.3 - user 2008-05-26 16:24:58.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT -5:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
    .

    2008-05-25 19:24 . 2006-11-09 15:07 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
    2008-05-25 13:12 . 2008-05-25 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-25 13:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-25 13:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-25 00:48 . 2008-05-25 00:48 <DIR> d-------- C:\Program Files\Alwil Software
    2008-05-25 00:09 . 2008-05-25 00:09 <DIR> d-------- C:\Deckard
    2008-05-25 00:02 . 2008-05-25 00:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-24 20:41 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2008-05-24 19:10 . 2008-05-24 21:03 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-05-24 17:35 . 2008-05-24 23:21 3,798 --a------ C:\WINDOWS\system32\tmp.reg
    2008-05-24 17:03 . 2008-05-24 18:00 <DIR> d-------- C:\Program Files\RogueRemover FREE
    2008-05-24 12:34 . 2008-05-24 12:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-05-24 12:34 . 2008-05-24 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-24 12:15 . 2008-05-24 23:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-24 03:37 . 2008-05-26 16:18 20,979 --a------ C:\WINDOWS\system32\Config.MPF
    2008-05-24 03:36 . 2008-05-25 14:45 <DIR> d-------- C:\Program Files\SiteAdvisor
    2008-05-24 03:36 . 2008-05-26 08:27 <DIR> d-------- C:\Documents and Settings\user\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2008-05-24 03:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2008-05-24 03:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-05-24 03:36 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
    2008-05-24 03:33 . 2008-05-24 03:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-05-24 03:33 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-05-24 03:33 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-05-24 03:33 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-05-24 03:33 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-05-24 03:33 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-05-24 03:33 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-05-24 03:32 . 2008-05-24 09:54 <DIR> d-------- C:\Program Files\McAfee
    2008-05-21 18:07 . 2008-05-21 18:07 303 --a------ C:\WINDOWS\ST6UNST.001
    2008-05-21 18:07 . 2008-05-21 18:07 303 --a------ C:\WINDOWS\ST6UNST.000
    2008-05-13 17:51 . 2008-05-13 17:51 <DIR> d-------- C:\Program Files\eMini-Master.com
    2008-05-13 17:51 . 2004-02-17 02:06 61,440 --a------ C:\WINDOWS\UnDeploy.exe
    2008-05-10 22:46 . 2008-05-10 22:46 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-05-10 22:43 . 2008-05-10 22:43 <DIR> d-------- C:\Program Files\Google
    2008-05-07 00:14 . 2008-05-07 00:14 <DIR> d-------- C:\Program Files\Common Files\HTML Executable Viewer
    2008-05-07 00:14 . 2008-05-07 00:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\HTML Executable

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-26 14:27 --------- d-----w C:\Documents and Settings\user\Application Data\Professional
    2008-05-26 13:35 --------- d-----w C:\Program Files\fxsolutions
    2008-05-26 00:29 --------- d-----w C:\Program Files\Java
    2008-05-24 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2008-05-24 08:33 --------- d-----w C:\Program Files\mcafee.com
    2008-05-24 08:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-13 22:51 2,045 ----a-w C:\Program Files\Deploy.log
    2008-05-11 03:45 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-20 06:02 --------- d-----w C:\Program Files\IZArc
    2008-04-18 18:42 --------- d-----w C:\Program Files\FXDD - MetaTrader 4
    2008-04-02 12:58 --------- d-----w C:\Documents and Settings\user\Application Data\Image Zone Express
    2008-04-01 10:03 --------- d-----w C:\Program Files\Rio
    2008-04-01 10:02 --------- d-----w C:\Program Files\verizon
    2008-04-01 09:19 --------- d-----w C:\Program Files\WHC Trader 4
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-24 06:36 3,746,957 ----a-w C:\Program Files\mt4setup.exe
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-03-25 08:11 19,864 -c--a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
    2004-11-03 21:25 2,238 ----a-w C:\Program Files\Common Files\emini.ico
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-25_21.34.34.72 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-26 02:21:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-26 21:17:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-26 14:26:54 22,486 ----a-r C:\WINDOWS\Installer\{783FBDAA-3842-05E8-F1E4-4D44F8CA64D9}\ARPPRODUCTICON.exe
    - 2008-05-25 18:03:44 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-05-26 17:13:34 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-05-25 18:03:44 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-05-26 17:13:34 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-05-25 18:03:44 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-05-26 17:13:34 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2001-09-06 02:00:58 1,700,352 ----a-w C:\WINDOWS\system32\gdiplus.dll
    + 2006-12-02 03:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
    + 2006-12-02 03:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
    + 2006-12-02 03:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
    + 2006-12-02 05:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
    + 2006-12-02 05:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
    + 2006-12-02 05:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
    + 2006-12-02 05:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
    + 2006-12-02 05:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
    + 2006-12-02 05:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
    + 2006-12-02 05:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
    + 2006-12-02 05:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
    + 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
    + 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
    + 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
    + 2006-12-02 05:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
    + 2006-12-02 05:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 17:11 4670968]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmaTel StacMon "= "C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 17:15 90169]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 15:01 4632576]
    "nwiz "= "nwiz.exe" [2004-10-26 15:01 921600 C:\WINDOWS\system32\nwiz.exe]
    "AdaptecDirectCD "= "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 15:28 684032]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-03-20 01:06 98304]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 02:12 49152]
    "ESP "= "C:\Program Files\Cox\Applications\app\start.exe" [2006-12-11 08:31 62952]
    "MSConfig "= "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56 158208]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-10 22:45 185896]
    "mcagent_exe "= "C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
    "SiteAdvisor "= "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 16:57 36640]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]

    C:\Documents and Settings\user\Start Menu\Programs\Startup\
    VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2006-05-25 01:19:58 1220608]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-01-25 14:36:16 102400]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RasMan "=3 (0x3)
    "RasAuto "=3 (0x3)
    "mnmsrvc "=3 (0x3)
    "cisvc "=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\WINDOWS\\system32\\java.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe "= C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2006-07-30 11:05]
    R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-20 11:26]
    R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2006-12-11 08:24]
    S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-02 00:37]
    S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 11:59]
    S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 12:00]
    S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 12:00]
    S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 12:01]
    S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 12:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0839b10-4fbf-11db-b0f1-00038a000015}]
    \Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-24 08:33:24 C:\WINDOWS\Tasks\McDefragTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-05-24 08:33:23 C:\WINDOWS\Tasks\McQcTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2008-05-26 12:11:34 C:\WINDOWS\Tasks\User_Feed_Synchronization-{670E72B4-9DBA-446F-A4DF-9561BBAB15BA}.job "
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-26 16:29:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\SiteAdvisor\6261\saHook.dll
    .
    Completion time: 2008-05-26 16:31:38
    ComboFix-quarantined-files.txt 2008-05-26 21:31:11
    ComboFix2.txt 2008-05-26 12:35:14
    ComboFix3.txt 2008-05-26 02:35:18

    Pre-Run: 5,128,372,224 bytes free
    Post-Run: 5,159,436,288 bytes free

    207 --- E O F --- 2008-05-17 06:04:54
     
  13. 2008/05/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi rabah
    OK That looks better.

    Now please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional. If you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Now let's get an on-line scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it and click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  14. 2008/05/26
    rabah

    rabah Inactive Thread Starter

    Joined:
    2008/05/24
    Messages:
    13
    Likes Received:
    0
    Kaspersky scan

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, May 26, 2008 10:28:19 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 27/05/2008
    Kaspersky Anti-Virus database records: 801145
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 64212
    Number of viruses found: 5
    Number of infected objects: 9
    Number of suspicious objects: 0
    Duration of the scan process: 01:42:10

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{3DB1A088-0CCB-4E0E-84D5-BB7093A29B43}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{B9B9F799-0FF1-40FB-974B-85D0F42161F8}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR5.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\user\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012008052620080527\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\hpodvd09.log Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF547.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DFF7D0.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DFF7DE.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Verizon Wireless\venturi\Client\vent2.log Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\syscdupretn.exe.vir Infected: Trojan-Downloader.Win32.Zlob.nuo skipped
    C:\QooBox\Quarantine\C\WINDOWS\sysgycnafek.exe.vir Infected: Trojan-PSW.Win32.WOW.bac skipped
    C:\QooBox\Quarantine\C\WINDOWS\sysnwqdfbta.exe.vir Infected: Trojan-Clicker.Win32.Agent.akc skipped
    C:\QooBox\Quarantine\C\WINDOWS\sysuxvmschr.exe.vir Infected: Trojan-Clicker.Win32.Agent.ajs skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{20DEC605-7D95-4171-9737-D2B752032664}\RP992\A0190539.exe Infected: Trojan-Downloader.Win32.Zlob.nuo skipped
    C:\System Volume Information\_restore{20DEC605-7D95-4171-9737-D2B752032664}\RP992\A0190540.exe Infected: Trojan-PSW.Win32.WOW.bac skipped
    C:\System Volume Information\_restore{20DEC605-7D95-4171-9737-D2B752032664}\RP992\A0190541.exe Infected: Trojan-Clicker.Win32.Agent.akc skipped
    C:\System Volume Information\_restore{20DEC605-7D95-4171-9737-D2B752032664}\RP992\A0190543.exe Infected: Trojan-Clicker.Win32.Agent.ajs skipped
    C:\System Volume Information\_restore{20DEC605-7D95-4171-9737-D2B752032664}\RP996\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{DDCF6B44-12F3-432B-AE50-917072395F83}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\mcafee_PGfinZwg5mpUvVs Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_LpnSoaazc9cvJlr Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_SDeVmNEeADo74Ot Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_uyYnCchl7DouT0B Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_ZUkHU3zPCofsE3f Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  15. 2008/05/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please do this.

    You can delete any tools you were asked to download and the files/folders or logs they created. There will be newer versions if ever needed again anyway.

    Click Start > Run. In the run box, copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.

    This Tool.
    Smitfraudfix.exe

    These files.
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\SYSTEM32\Process.exe
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\IEDFix.exe
    C:\WINDOWS\system32\VACFix.exe


    We need to turn off and on system restore. There are infections in it and by using system restore you would reinfect yourself.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose Create a restore point and click Next. Under "Type a description for your restore point" put a name in the box. Click Create. In the next window click Close.


    Now please run another Kaspersky scan and post the log.

    Thanks
    Geri
     
  16. 2008/05/27
    rabah

    rabah Inactive Thread Starter

    Joined:
    2008/05/24
    Messages:
    13
    Likes Received:
    0
    Latest Kaspersky

    Geri,

    I followed your recommendations, and here is the latest Kaspersky scan.

    Thanks


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, May 27, 2008 2:40:35 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 27/05/2008
    Kaspersky Anti-Virus database records: 801245
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 54873
    Number of viruses found: 1
    Number of infected objects: 1
    Number of suspicious objects: 0
    Duration of the scan process: 01:33:38

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFRB.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\Acr123F.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\hpodvd09.log Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF9058.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF9066.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DFAA31.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DFB463.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Verizon Wireless\venturi\Client\vent2.log Object is locked skipped
    C:\RECYCLER\S-1-5-21-57989841-842925246-839522115-1003\Dc2\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{20DEC605-7D95-4171-9737-D2B752032664}\RP2\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{0A276DEA-6288-416E-AD8F-C82FC215073E}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\mcafee_eaegzIrNYQePRs1 Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_UmHOehH9gsrdkF0 Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_vdDC8Ajmd1ApWX6 Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_voQet7y3axl81OA Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  17. 2008/05/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi rabah
    Ok That's good.

    The one that's showing is in your recycle bin, so empty your recycle bin and you're good to go.

    Let me know how things are running.

    Please look at this link for some preventive recommendations. It could keep you from ending up back here at the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    Surf Safely
    Geri
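    The sorting Geri did by eye on the two Kaspersky reports (infections sitting in System Restore, in the ComboFix quarantine, in the Recycle Bin, or a removal-tool component flagged as riskware, versus anything still live) can be done mechanically. The script below is an added example, not part of this thread and not a tool used in it: it parses the "Infected Object Name / Virus Name / Last Action" list of a Kaspersky Online Scanner report and buckets each detection by what will remove it. The sample lines are copied from the reports posted above; the path heuristics and bucket names are this example's own assumptions.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str        # object the scanner reported on
    status: str      # "infected" or "locked"
    detection: str   # Kaspersky detection name; "" for locked objects
    action: str      # last action taken by the scanner, e.g. "skipped"


# The two line shapes the Kaspersky Online Scanner report uses in this thread.
_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")

# Constructed sample report: lines copied from the two reports posted above,
# preceded by the header line the scanner prints before the object list.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\WINDOWS\syscdupretn.exe.vir Infected: Trojan-Downloader.Win32.Zlob.nuo skipped
C:\System Volume Information\_restore{20DEC605-7D95-4171-9737-D2B752032664}\RP992\A0190539.exe Infected: Trojan-Downloader.Win32.Zlob.nuo skipped
C:\RECYCLER\S-1-5-21-57989841-842925246-839522115-1003\Dc2\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""


def parse_report(text: str) -> list[Finding]:
    """Turn the object list of a report into Finding records; other lines are ignored."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _INFECTED.match(line):
            findings.append(Finding(m["path"], "infected", m["name"], m["action"]))
        elif m := _LOCKED.match(line):
            findings.append(Finding(m["path"], "locked", "", m["action"]))
    return findings


# Triage buckets, in the order a helper would act on them. The path heuristics
# are this example's own assumptions, not rules from the scanner or the thread.
CATEGORIES = ("system-restore", "combofix-quarantine", "recycle-bin", "riskware-tool", "live")


def classify(f: Finding) -> str:
    p = f.path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"       # cleared by turning System Restore off and on
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"  # removed by ComboFix /u
    if p.startswith("c:\\recycler\\"):
        return "recycle-bin"          # gone once the Recycle Bin is emptied
    if f.detection.lower().startswith("not-a-virus:"):
        return "riskware-tool"        # removal-tool component flagged as riskware
    return "live"                     # anything else still needs manual attention


def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """Group infected objects by what removes them; locked objects carry no detection."""
    buckets: dict[str, list[str]] = {c: [] for c in CATEGORIES}
    for f in findings:
        if f.status == "infected":
            buckets[classify(f)].append(f.path)
    return buckets


def needs_attention(findings: list[Finding]) -> list[str]:
    """Paths a helper would still have to deal with after the routine cleanup steps."""
    return triage(findings)["live"]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for category, paths in triage(report).items():
        print(f"{category}: {len(paths)}")
        for path in paths:
            print(f"    {path}")
    print("locked objects skipped:", sum(f.status == "locked" for f in report))
```

    Run against the sample, every detection lands in a bucket that one of the steps above already handles and the "live" bucket is empty, which is the same conclusion the thread reached. "Object is locked" entries are kept but not triaged: they are registry hives, event logs and caches the scanner could not open, not detections.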
     
  18. 2008/05/27
    rabah

    rabah Inactive Thread Starter

    Joined:
    2008/05/24
    Messages:
    13
    Likes Received:
    0
    Thanks

    Geri,

    Thank you!! And I will definitely follow the advice.

    I am so grateful for the work that you did.

    Again many thanks

    Rabah
     
  19. 2008/05/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi rabah
    Glad to have helped out. :)

    I'll mark this one resolved.

    Geri
     
