1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Computer infected by unknown trojan

Discussion in 'Malware and Virus Removal Archive' started by Bobby Baldwin, 2008/03/01.

  1. 2008/03/01
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    [Resolved]Computer infected by unknown trojan

    All right, I was online a few days ago and I was trying to watch a video on a web site, and it said I needed to download something before I could watch the video, so like an idiot I did, and pretty much instantly I started getting a popup that says,

    "Your computer was infected by unknown trojan. It's dangerous for your system (Critical files can be lost)! Click OK to download the antispyware program to clean your system! (Recommended) "

    Since it doesn't look like a normal windows vista type popup, I've just been exiting it, and not downloading what it seems to want me to.

    I've run my McAfee antivirus and also AVG free, but they don't come up with anything... When I ran spybot it came up with something called win32.Agent.gvu and when I tried to get rid of it, spybot never showed it again...but the popups still aren't going away, so I'm not sure if that's my problem or not.

    I'm kinda worthless when it comes to computers, besides doing the basic stuff, so if anyone who knows a bit more about them would be willing to give me some ideas, and help me out, I'd really appreciate it. My computer is running slow, both in booting up and when I'm on the internet....and yeah, I have no idea what I'm doing...hopefully someone out there can help me get this straightened out.

    Thanks, Bobby
     
  2. 2008/03/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi Bobby Baldwin
    Welcome to Windowsbbs. :)

    Please download and install HijackThis and Run a scan then close HJT, then run Deckard's System Scanner and post the main.txt log here. Links and instructions here.

    Thanks
    Geri
     
    Geri,
    #2

  3. to hide this advert.

  4. 2008/03/01
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Hi Geri, thanks for getting back to me so quickly. Here is the main.txt that popped up after I ran Deckard's System Scanner.

    Deckard's System Scanner v20071014.68
    Run by Stealth on 2008-03-01 22:37:13
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- Last 5 Restore Point(s) --
    28: 2008-02-29 09:38:50 UTC - RP123 - Windows Update
    27: 2008-02-28 18:55:27 UTC - RP122 - Scheduled Checkpoint
    26: 2008-02-28 03:13:27 UTC - RP121 - Scheduled Checkpoint
    25: 2008-02-27 10:34:08 UTC - RP120 - Installed AVG 7.5
    24: 2008-02-27 10:28:32 UTC - RP119 - Installed Ad-Aware 2007


    -- First Restore Point --
    1: 2008-02-07 19:22:36 UTC - RP96 - Scheduled Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Stealth.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:39:23 PM, on 3/1/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Spare Backup\SpareBackup.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\System32\mobsync.exe
    C:\Users\Stealth\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Stealth.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5622
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5622
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5622
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5622
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: MS Video Control 1.0 - {54629298-47B2-4F79-BC62-7B3648D70020} - C:\Windows\msvidc32.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O13 - Gopher Prefix:
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O23 - Service: McAfee Application Installer Cleanup (0299511204423447) (0299511204423447mcinstcleanup) - Unknown owner - C:\Windows\TEMP\029951~1.EXE (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9763 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

    S2 0299511204423447mcinstcleanup (McAfee Application Installer Cleanup (0299511204423447)) - c:\windows\temp\029951~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-03-01 18:11:33 422 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{21B7F24B-840F-473A-9777-6A9CB099AD4C}.job
    2008-03-01 01:00:00 368 --a------ C:\Windows\Tasks\McQcTask.job
    2008-02-15 01:00:00 366 --a------ C:\Windows\Tasks\McDefragTask.job


    -- Files created between 2008-02-01 and 2008-03-01 -----------------------------

    2008-02-28 23:23:30 0 d-------- C:\Program Files\LimeWire
    2008-02-27 02:34:20 0 d-------- C:\Users\All Users\Grisoft
    2008-02-27 02:34:20 0 d-------- C:\Users\All Users\avg7
    2008-02-27 02:33:02 0 d-------- C:\Program Files\Trend Micro
    2008-02-27 02:28:55 0 d-------- C:\Users\All Users\Lavasoft
    2008-02-27 02:28:55 0 d-------- C:\Program Files\Lavasoft
    2008-02-27 02:28:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-25 23:14:37 0 d-------- C:\Users\Stealth\.housecall6.6
    2008-02-25 19:08:32 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
    2008-02-25 09:53:10 230400 --a------ C:\Windows\msvidc32.dll <Not Verified; Adobe; >
    2008-02-25 09:53:09 53 --a------ C:\tmp.bat
    2008-02-18 09:04:55 88 -r-hs---- C:\Windows\system32\FD65D32AF2.sys
    2008-02-17 14:30:08 0 d-------- C:\Users\All Users\Corel
    2008-02-17 14:27:02 0 d-------- C:\Program Files\Common Files\Corel
    2008-02-17 14:16:47 2672 --ahs---- C:\Windows\system32\KGyGaAvL.sys
    2008-02-17 14:15:47 0 d-------- C:\Program Files\Corel
    2008-02-17 10:20:22 0 d-------- C:\cabs
    2008-02-05 00:43:57 0 d-------- C:\Program Files\UltimateBet


    -- Find3M Report ---------------------------------------------------------------

    2008-03-01 21:22:42 0 d-------- C:\Users\Stealth\AppData\Roaming\LimeWire
    2008-03-01 18:04:04 0 d-------- C:\Program Files\McAfee
    2008-03-01 17:34:15 0 d-------- C:\Users\Stealth\AppData\Roaming\Spare Backup
    2008-03-01 14:29:19 0 d-------- C:\Users\Stealth\AppData\Roaming\AVG7
    2008-02-27 02:28:11 0 d-------- C:\Program Files\Common Files
    2008-02-18 20:06:06 4 --a------ C:\Windows\system32\3A5E92
    2008-02-18 09:04:56 0 d-------- C:\Users\Stealth\AppData\Roaming\Corel
    2008-02-17 14:15:37 0 d-------- C:\Users\Stealth\AppData\Roaming\InstallShield
    2008-02-10 12:02:14 0 d-------- C:\Users\Stealth\AppData\Roaming\Adobe
    2008-01-30 23:30:59 0 d-------- C:\Program Files\Best Buy Rhapsody
    2008-01-30 23:30:21 0 d-------- C:\Program Files\Common Files\Real
    2008-01-30 23:30:15 0 d-------- C:\Users\Stealth\AppData\Roaming\Real
    2008-01-28 20:57:28 0 d-------- C:\Program Files\Real
    2008-01-28 20:56:11 0 d-------- C:\Program Files\Common Files\ArcSoft
    2008-01-28 20:56:10 0 d-------- C:\Program Files\ArcSoft
    2008-01-28 20:56:07 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-19 17:45:09 0 d-------- C:\Program Files\Windows Messaging
    2008-01-19 17:39:47 0 -rahs---- C:\MSDOS.SYS
    2008-01-19 17:39:47 0 -rahs---- C:\IO.SYS
    2008-01-18 23:58:14 136 --a------ C:\Users\Stealth\AppData\Roaming\wklnhst.dat
    2008-01-18 02:11:05 0 d-------- C:\Users\Stealth\AppData\Roaming\Template
    2008-01-15 16:05:43 0 d-------- C:\Users\Stealth\AppData\Roaming\SiteAdvisor
    2008-01-15 14:09:42 24064 --a------ C:\Users\Stealth\AppData\Roaming\UserTile.png
    2008-01-15 11:56:22 0 d-------- C:\Users\Stealth\AppData\Roaming\DivX
    2008-01-15 11:56:12 0 d-------- C:\Program Files\DivX
    2008-01-11 00:01:01 0 d-------- C:\Program Files\SiteAdvisor
    2008-01-10 12:38:37 0 d-------- C:\Program Files\Common Files\McAfee
    2008-01-09 22:07:22 174 --ahs---- C:\Program Files\desktop.ini
    2008-01-09 22:03:42 0 d-------- C:\Program Files\Windows Calendar
    2008-01-09 22:03:34 0 d-------- C:\Program Files\Windows Mail
    2008-01-09 22:03:20 0 d-------- C:\Program Files\Windows Sidebar
    2008-01-09 21:49:28 0 d-------- C:\Program Files\MSXML 4.0
    2008-01-09 16:23:37 0 d-------- C:\Users\Stealth\AppData\Roaming\SampleView
    2008-01-09 15:48:47 0 d-------- C:\Users\Stealth\AppData\Roaming\Macromedia
    2008-01-09 15:47:37 0 d-------- C:\Program Files\AIMTunes
    2008-01-09 15:47:35 0 d-------- C:\Users\Stealth\AppData\Roaming\acccore
    2008-01-09 15:47:15 0 d-------- C:\Program Files\AIM6
    2008-01-09 15:46:31 0 d-------- C:\Program Files\Viewpoint
    2008-01-09 15:45:07 0 d-------- C:\Program Files\Common Files\AOL
    2008-01-09 15:41:45 0 --a------ C:\Windows\nsreg.dat
    2008-01-09 15:41:42 0 d-------- C:\Users\Stealth\AppData\Roaming\Mozilla
    2008-01-09 15:39:28 0 d-------- C:\Users\Stealth\AppData\Roaming\Google
    2008-01-09 15:30:55 0 d-------- C:\Program Files\Support.com
    2008-01-09 15:10:23 0 d-------- C:\Users\Stealth\AppData\Roaming\Identities
    2007-12-03 17:33:18 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
    2007-12-03 17:33:18 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-03 17:33:18 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-03 17:33:16 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
    09/19/2007 06:15 AM 329032 --a------ C:\Program Files\McAfee\MSK\mcapbho.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54629298-47B2-4F79-BC62-7B3648D70020}]
    02/25/2008 09:53 AM 230400 --a------ C:\Windows\msvidc32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [08/25/2007 09:22 AM]
    "IgfxTray "= "C:\Windows\system32\igfxtray.exe" [06/05/2007 06:52 PM]
    "HotKeysCmds "= "C:\Windows\system32\hkcmd.exe" [06/05/2007 06:52 PM]
    "Persistence "= "C:\Windows\system32\igfxpers.exe" [06/05/2007 06:52 PM]
    "RtHDVCpl "= "RtHDVCpl.exe" [07/06/2007 10:06 AM C:\Windows\RtHDVCpl.exe]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/25/2007 08:55 AM]
    "Spare Backup "= "C:\Program Files\Spare Backup\SpareBackup.exe" [07/12/2007 08:27 PM]
    "NapsterShell "= "C:\Program Files\Napster\napster.exe" [09/06/2006 11:12 AM]
    "BigFix "= "c:\program files\Bigfix\bigfix.exe" [11/16/2006 03:04 PM]
    "SiteAdvisor "= "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [02/08/2007 06:39 PM]
    "mcagent_exe "= "C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
    "Corel Photo Downloader "= "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [08/28/2007 12:00 PM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/27/2008 02:36 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter "= "oobefldr.dll,ShowWelcomeCenter" []
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [01/03/2008 08:15 AM]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [11/02/2006 04:35 AM]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 09:51 PM]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 04:36 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "Launcher "=%WINDIR%\SMINST\launcher.exe

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [7/11/1997]
    Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE [7/11/1997]
    Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [7/11/1997]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    avgwlntf.dll 02/27/2008 02:34 AM 9216 C:\Windows\System32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @= "IEEE 1394 Bus host controllers "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @= "SBP2 IEEE 1394 Devices "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @= "SecurityDevices "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- End of Deckard's System Scanner: finished at 2008-03-01 22:40:34 ------------
     
  5. 2008/03/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi Bobby

    Having any p2p file sharing apps such as Limewire, BitTorrent uTorrent etc.. is almost like inviting malware into your computer. There is absolutely no way for you to know which of the hundreds of thousands of users you are sharing files with are infected or not.
    I strongly recommend removing any P2P applications.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new dss log


    You are running two anti-virus programs, this is not a good idea, they can conflict with each other and actually give you less protection
    Please remove one 1 of them.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2008/03/01
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    All right, I downloaded SDFix and installed it and everything... Then I got rid of Limewire, as you suggested, and I also got rid of AVG, so now I've just got McAfee... However, when I rebooted and went into safe mode, when I tried to open RunThis.bat a window would pop up, and then it would go away less than a second later...so I never got to type in Y to start everything... I tried this three times, and the same thing happened every time. And when I rebooted again, the popup is still coming up... So I guess I'm not sure what went wrong.
     
  7. 2008/03/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi
    OK when in safe mode right click on RunThis.bat and select Run As Administrator.

    See if that will run it.

    Geri
     
    Geri,
    #6
  8. 2008/03/02
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Ok I'm back, but unfortunately I had more of the same thing happen, even when I clicked run as administrator. Should I try uninstalling SDFix and then reinstalling it or is that probably not the problem?...
     
  9. 2008/03/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi
    Yeah, Try deleting SDFix and redownloading it.

    Let me know if that helped.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2008/03/02
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Well Geri, I'm still not having any luck... Deleting it and reinstalling didn't fix it... When I try to open RunThis.bat as the administrator, the command prompt window closes before the menu even clears the screen...it only flashes briefly and it's gone...if you blinked at the right time you might not even know it did anything...

    When I hit F8 it gives me a big list of things, and it has a few choices for safe mode...
    Safe Mode
    Safe Mode With Networking
    Safe Mode With Command Prompt

    I've been picking just plain old safe mode...should I be choosing one of the other ones?
     
  11. 2008/03/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi Bobby

    OK it's not going to run on Vista at the moment, I just checked the developers site.

    So please delete it and well use this. make sure you use the Vista instruction.

    Download ComboFix from [color= "Red"]Here[/color] to your Desktop.
    It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Please post the Combofix log.

    Thanks
    Geri
     
  12. 2008/03/02
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    All right, that seemed to work better, although that link you gave me to disable realtime protection applications didn't work for my McAfee... It said to right click and go to exit, but when I tried that it didn't give me exit as an option...so I did the best I could by just turning things off... Anyway, here's my log...and yes, I turned everything back on after it was done scanning. I don't know if that was supposed to fix anything, or if it was just checking stuff out, but I rebooted my computer, and I'm still getting that popup... And my computer seems to be thinking about something...it hasn't stopped since I turned my computer on, and that was like ten minutes ago now...

    ComboFix 08-03-01.3 - Stealth 2008-03-02 1:30:07.1 - NTFSx86
    Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6000.0.1252.1.1033.18.2075 [GMT -8:00]
    Running from: C:\Users\Stealth\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
    .

    2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Users\All Users\Avg7
    2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\ProgramData\Avg7
    2008-03-01 22:36 . 2008-03-01 22:36 <DIR> d-------- C:\Deckard
    2008-02-28 23:23 . 2008-03-01 21:22 <DIR> d-------- C:\Users\Stealth\AppData\Roaming\LimeWire
    2008-02-27 02:33 . 2008-02-27 02:33 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-27 02:28 . 2008-02-27 02:29 <DIR> d-------- C:\Users\All Users\Lavasoft
    2008-02-27 02:28 . 2008-02-27 02:29 <DIR> d-------- C:\ProgramData\Lavasoft
    2008-02-27 02:28 . 2008-02-27 02:28 <DIR> d-------- C:\Program Files\Lavasoft
    2008-02-27 02:28 . 2008-02-27 02:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-25 23:14 . 2008-02-25 23:16 <DIR> d-------- C:\Users\Stealth\.housecall6.6
    2008-02-25 19:08 . 2008-02-25 22:58 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
    2008-02-25 19:08 . 2008-02-25 22:58 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
    2008-02-25 19:08 . 2008-02-27 01:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-25 09:53 . 2008-02-25 09:53 230,400 --a------ C:\Windows\msvidc32.dll
    2008-02-25 09:53 . 2008-02-25 09:53 53 --a------ C:\tmp.bat
    2008-02-18 09:04 . 2008-02-26 22:26 88 -r-hs---- C:\Windows\System32\FD65D32AF2.sys
    2008-02-17 14:30 . 2008-02-18 09:04 <DIR> d-------- C:\Users\Stealth\AppData\Roaming\Corel
    2008-02-17 14:30 . 2008-02-17 14:30 <DIR> d-------- C:\Users\All Users\Corel
    2008-02-17 14:30 . 2008-02-17 14:30 <DIR> d-------- C:\ProgramData\Corel
    2008-02-17 14:27 . 2008-02-17 14:28 <DIR> d-------- C:\Program Files\Common Files\Corel
    2008-02-17 14:16 . 2008-02-26 22:27 2,672 --ahs---- C:\Windows\System32\KGyGaAvL.sys
    2008-02-17 14:15 . 2008-02-17 14:15 <DIR> d-------- C:\Users\Stealth\AppData\Roaming\InstallShield
    2008-02-17 14:15 . 2008-02-17 14:27 <DIR> d-------- C:\Program Files\Corel
    2008-02-17 10:20 . 2008-02-17 10:20 <DIR> d-------- C:\cabs
    2008-02-17 02:34 . 2008-01-09 21:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll
    2008-02-13 03:08 . 2008-02-13 03:08 194,560 --a------ C:\Windows\System32\WebClnt.dll
    2008-02-13 03:08 . 2008-02-13 03:08 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
    2008-02-13 03:07 . 2008-02-13 03:07 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
    2008-02-13 03:07 . 2008-02-13 03:07 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
    2008-02-13 03:07 . 2008-02-13 03:07 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
    2008-02-13 03:07 . 2008-02-13 03:07 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
    2008-02-13 03:07 . 2008-02-13 03:07 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
    2008-02-13 03:07 . 2008-02-13 03:07 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
    2008-02-13 03:07 . 2008-02-13 03:07 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
    2008-02-13 03:06 . 2008-02-13 03:06 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-02-13 03:06 . 2008-02-13 03:06 1,686,528 --a------ C:\Windows\System32\gameux.dll
    2008-02-13 03:06 . 2008-02-13 03:06 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
    2008-02-13 03:06 . 2008-02-13 03:06 216,632 --a------ C:\Windows\System32\drivers\netio.sys
    2008-02-13 03:06 . 2008-02-13 03:06 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
    2008-02-13 03:06 . 2008-02-13 03:06 24,064 --a------ C:\Windows\System32\netcfg.exe
    2008-02-13 03:06 . 2008-02-13 03:06 22,016 --a------ C:\Windows\System32\netiougc.exe
    2008-02-05 00:44 . 2002-03-25 10:30 995,383 --a------ C:\Windows\System32\temp.001
    2008-02-05 00:44 . 2002-03-25 10:31 295,000 --a------ C:\Windows\System32\temp.000
    2008-02-05 00:43 . 2008-02-05 00:44 <DIR> d-------- C:\Program Files\UltimateBet

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-02 08:54 --------- d-----w C:\Users\Stealth\AppData\Roaming\Spare Backup
    2008-03-02 02:04 --------- d-----w C:\Program Files\McAfee
    2008-02-13 11:06 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-02-13 11:06 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-02-13 11:06 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-02-13 11:06 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-02-13 11:02 824,832 ----a-w C:\Windows\System32\wininet.dll
    2008-02-13 11:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
    2008-02-13 11:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-02-13 11:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
    2008-01-31 07:30 8,413 ----a-w C:\Windows\system32\drivers\mcstrm.sys
    2008-01-31 07:30 --------- d-----w C:\Program Files\Common Files\Real
    2008-01-31 07:30 --------- d-----w C:\Program Files\Best Buy Rhapsody
    2008-01-30 23:59 --------- d-----w C:\ProgramData\Microsoft Help
    2008-01-29 04:57 --------- d-----w C:\Program Files\Real
    2008-01-29 04:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-29 04:56 --------- d-----w C:\Program Files\Common Files\ArcSoft
    2008-01-29 04:56 --------- d-----w C:\Program Files\ArcSoft
    2008-01-20 01:45 --------- d-----w C:\Program Files\Windows Messaging
    2008-01-19 07:58 136 ----a-w C:\Users\Stealth\AppData\Roaming\wklnhst.dat
    2008-01-18 10:11 --------- d-----w C:\Users\Stealth\AppData\Roaming\Template
    2008-01-16 00:05 --------- d-----w C:\Users\Stealth\AppData\Roaming\SiteAdvisor
    2008-01-15 19:56 --------- d-----w C:\Users\Stealth\AppData\Roaming\DivX
    2008-01-15 19:56 --------- d-----w C:\Program Files\DivX
    2008-01-11 08:01 --------- d-----w C:\Program Files\SiteAdvisor
    2008-01-11 08:00 --------- d-----w C:\ProgramData\SiteAdvisor
    2008-01-10 20:38 --------- d-----w C:\Program Files\Common Files\McAfee
    2008-01-10 06:07 174 --sha-w C:\Program Files\desktop.ini
    2008-01-10 06:03 --------- d-----w C:\Program Files\Windows Sidebar
    2008-01-10 06:03 --------- d-----w C:\Program Files\Windows Mail
    2008-01-10 06:03 --------- d-----w C:\Program Files\Windows Calendar
    2008-01-10 05:57 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
    2008-01-10 05:57 7,680 ----a-w C:\Windows\System32\spwmp.dll
    2008-01-10 05:57 4,096 ----a-w C:\Windows\System32\dxmasf.dll
    2008-01-10 05:57 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
    2008-01-10 05:55 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
    2008-01-10 05:54 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
    2008-01-10 05:54 223,232 ----a-w C:\Windows\System32\WMASF.DLL
    2008-01-10 05:54 1,327,104 ----a-w C:\Windows\System32\quartz.dll
    2008-01-10 05:53 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
    2008-01-10 05:51 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
    2008-01-10 05:51 11,776 ----a-w C:\Windows\System32\sbunattend.exe
    2008-01-10 05:51 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
    2008-01-10 05:49 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
    2008-01-10 05:49 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
    2008-01-10 05:49 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
    2008-01-10 05:49 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
    2008-01-10 05:49 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
    2008-01-10 05:49 --------- d-----w C:\Program Files\MSXML 4.0
    2008-01-10 05:48 750,080 ----a-w C:\Windows\System32\qmgr.dll
    2008-01-10 05:34 53,080 ----a-w C:\Windows\System32\wuauclt.exe
    2008-01-10 05:34 43,352 ----a-w C:\Windows\System32\wups2.dll
    2008-01-10 05:34 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
    2008-01-10 05:34 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
    2008-01-10 05:32 80,896 ----a-w C:\Windows\System32\wudriver.dll
    2008-01-10 05:32 549,720 ----a-w C:\Windows\System32\wuapi.dll
    2008-01-10 05:32 33,624 ----a-w C:\Windows\System32\wups.dll
    2008-01-10 05:32 31,232 ----a-w C:\Windows\System32\wuapp.exe
    2008-01-10 05:32 163,000 ----a-w C:\Windows\System32\wuwebv.dll
    2008-01-10 00:23 --------- d-----w C:\Users\Stealth\AppData\Roaming\SampleView
    2008-01-09 23:48 --------- d-----w C:\ProgramData\AOL OCP
    2008-01-09 23:47 --------- d-----w C:\Users\Stealth\AppData\Roaming\acccore
    2008-01-09 23:47 --------- d-----w C:\Program Files\AIMTunes
    2008-01-09 23:47 --------- d-----w C:\Program Files\AIM6
    2008-01-09 23:46 --------- d-----w C:\ProgramData\AOL Downloads
    2008-01-09 23:46 --------- d-----w C:\Program Files\Viewpoint
    2008-01-09 23:45 --------- d-----w C:\ProgramData\Viewpoint
    2008-01-09 23:45 --------- d-----w C:\ProgramData\AOL
    2008-01-09 23:45 --------- d-----w C:\Program Files\Common Files\AOL
    2008-01-09 23:30 --------- d-----w C:\Program Files\Support.com
    2008-01-09 23:05 --------- d-sh--w C:\ProgramData\Templates
    2008-01-09 23:05 --------- d-sh--w C:\ProgramData\Start Menu
    2008-01-09 23:05 --------- d-sh--w C:\ProgramData\Favorites
    2008-01-09 23:05 --------- d-sh--w C:\ProgramData\Documents
    2008-01-09 23:05 --------- d-sh--w C:\ProgramData\Desktop
    2008-01-09 23:05 --------- d-sh--w C:\ProgramData\Application Data
    2007-12-14 19:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
    2007-12-04 01:33 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
    2007-12-04 01:33 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
    2007-12-04 01:33 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
    2007-12-04 01:33 682,496 ----a-w C:\Windows\System32\DivX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54629298-47B2-4F79-BC62-7B3648D70020}]
    2008-02-25 09:53 230400 --a------ C:\Windows\msvidc32.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter "= "oobefldr.dll" [2006-11-02 04:34 2159104 C:\Windows\System32\oobefldr.dll]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [2008-01-03 08:15 50528]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [2006-11-02 04:35 125440]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 21:51 1232896]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 04:36 201728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-25 09:22 1006264]
    "IgfxTray "= "C:\Windows\system32\igfxtray.exe" [2007-06-05 18:52 142104]
    "HotKeysCmds "= "C:\Windows\system32\hkcmd.exe" [2007-06-05 18:52 154392]
    "Persistence "= "C:\Windows\system32\igfxpers.exe" [2007-06-05 18:52 138008]
    "RtHDVCpl "= "RtHDVCpl.exe" [2007-07-06 10:06 4669440 C:\Windows\RtHDVCpl.exe]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-25 08:55 240640]
    "Spare Backup "= "C:\Program Files\Spare Backup\SpareBackup.exe" [2007-07-12 20:27 5252936]
    "NapsterShell "= "C:\Program Files\Napster\napster.exe" [2006-09-06 11:12 323216]
    "BigFix "= "c:\program files\Bigfix\bigfix.exe" [2006-11-16 15:04 2348584]
    "SiteAdvisor "= "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-08 18:39 36904]
    "mcagent_exe "= "C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
    "Corel Photo Downloader "= "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher "= "%WINDIR%\SMINST\launcher.exe" [ ]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 111376]
    Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE [1997-07-11 333824]
    Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    "LoadAppInit_DLLs "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{60D0BC26-FE6D-4C7A-BC98-BF7A8FFBFA6B} "= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{125A1131-A7B7-43BB-8007-93D9CDCA33E8} "= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{BE4B1399-73C9-4DA9-B2AE-F2EEFD8AE4F4} "= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent|Desc=McAfee Network Agent
    "{6858AE01-C0B8-4E4B-B972-3502271D2634} "= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{C813B80C-4FDE-4162-B83C-5CB046E9AB38} "= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{872DA9BA-EAF2-405C-9A5E-974653E39E91} "= UDP:C:\Program Files\AIM6\aim6.exe:AIM
    "{6162078C-6AE4-44CE-B7CA-EE94F305D252} "= TCP:C:\Program Files\AIM6\aim6.exe:AIM

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1 "= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall "= 0 (0x0)

    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
    R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 17:39]
    R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-05-30 17:51]
    R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-06-25 12:37]
    S2 0299511204423447mcinstcleanup;McAfee Application Installer Cleanup (0299511204423447);C:\Windows\TEMP\029951~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
    S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-01 23:30]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-15 09:00:00 C:\Windows\Tasks\McDefragTask.job "
    - c:\program files\mcafee\mqc\QcConsol.exe'
    "2008-03-01 09:00:00 C:\Windows\Tasks\McQcTask.job "
    - c:\program files\mcafee\mqc\QcConsol.exe
    "2008-03-02 02:11:33 C:\Windows\Tasks\User_Feed_Synchronization-{21B7F24B-840F-473A-9777-6A9CB099AD4C}.job "
    - C:\Windows\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-02 01:32:10
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-03-02 1:32:59
    ComboFix-quarantined-files.txt 2008-03-02 09:32:57
    .
    2008-02-29 09:39:20 --- E O F ---
     
  13. 2008/03/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi Bobby

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\Windows\msvidc32.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54629298-47B2-4F79-BC62-7B3648D70020}] 
    Please post the log it creates, and a new HJT log.

    Let me know if the pop-ups stopped.

    Thanks
    Geri
     
  14. 2008/03/02
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    I'm not having any luck doing that... I copied and pasted the title CFScript.txt right from here, and it's telling me...

    "Were you trying to run CFScript? The name CFScript appears to be incorrectly spelt "

    I dragged it onto combofix using the left mouse button and everything too.
     
  15. 2008/03/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi Bobby Baldwin

    OK lets do it manually.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete these files (if present):

    C:\Windows\msvidc32.dll

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: MS Video Control 1.0 - {54629298-47B2-4F79-BC62-7B3648D70020} - C:\Windows\msvidc32.dll

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    After that, Reboot.

    Please post a New HJT Log into this Thread.

    Let me know if the pop-ups have stopped.

    Thanks
    Geri
     
  16. 2008/03/02
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Hi Geri, it looks like my computer does have C:\Windows\msvidc32.dll so I tried to delete it, and it tells me I need to confirm this operation. Then my computer tells me that windows needs my permission to continue, so I click on approve, and a window that's almost identical to the first one pops up, and gives me Try Again or Cancel for options...and no matter how many times I click try again it doesn't seem to want to do it for me.

    I don't know if it really makes a difference if I'm doing this in Windows Explorer or not, but when I tried looking for it that way, I couldn't find anything. So just to be safe I did a search for msvidc32.dll, and it showed that I have it. So I just opened C:\Windows without windows explorer, and I did find it that way.
     
  17. 2008/03/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi Bobby

    OK we need to disable your UAC.

    To disable the UAC, enter the Control Panel and type UAC in the search box.

    The first result returned by the search will be User Accounts "“ Turn User Account Control (UAC) on or off.
    Click on it and the UAC window will open. Deselect the option Use User Account Control (UAC) to help protect your computer and press the OK button.
    Windows Vista will ask you to restart your computer. After the restart, UAC will be disabled
    It is very important to turn this back on after deleting the file.


    Now go to C:\Windows and delete the file msvidc32.dll

    Close the windows and return to your DeskTop.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: MS Video Control 1.0 - {54629298-47B2-4F79-BC62-7B3648D70020} - C:\Windows\msvidc32.dll

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Go back and reinable UAC

    After the reboot, scan again with HJT and post the log.

    Let me know if the pop-ups have stopped.

    Thanks
    Geri
     
  18. 2008/03/02
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Hi Geri, I've managed to get msvidc32.dll deleted. When I ran HijackThis though, it's not coming up with O2 - BHO: MS Video Control 1.0 - {54629298-47B2-4F79-BC62-7B3648D70020} - C:\Windows\msvidc32.dll

    Is this a good thing? Should I just reboot and scan and post the log back here?
     
  19. 2008/03/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi Bobby

    Yes that's a good thing.

    and yes please reboot and post a new HJT log.

    Have the pop-ups stopped?

    Thanks
    Geri
     
  20. 2008/03/02
    Bobby Baldwin

    Bobby Baldwin Inactive Thread Starter

    Joined:
    2008/02/27
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    All right, I've rebooted, and the popup does seem to have gone away, it didn't come up when I logged into my account, and it's also not coming up when I open folders, and it used to do that every time I'd open a folder, so it seems like it's history. Anyway, I just ran hijackthis, and here's the new log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:09, on 2008-03-02
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Spare Backup\SpareBackup.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5622
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5622
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O13 - Gopher Prefix:
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8237 bytes
     
  21. 2008/03/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Trophy Points:
    608
    Location:
    Washington State
    Computer Experience:
    Often it's like Taz
    Hi Bobby
    OK Good to hear. Your HJT log is clean. :)

    You can delete any tools you were asked to download and the files/folders or logs they created, There will be newer versions if ever needed again any way.

    HJT you can keep.

    Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created.

    Empty your recycle Bin.


    This would be a good time to set a new system restore point for your machine.
    Set New System Restore Point Windows XP. - Set New System Restore Point Windows Vista


    Please look at this link for some preventive recommendations, It could keep you from ending up back here to the Spyware and Virus Removal Forms.
    http://www.windowsbbs.com/showthread.php?t=67958


    Let me know that everything is running OK and I'll mark this one resolved.

    Also, Napster is not a good idea.
    Having any p2p file sharing apps such as Limewire, BitTorrent uTorrent etc.. is almost like inviting malware into your computer. There is absolutely no way for you to know which of the hundreds of thousands of users you are sharing files with are infected or not.
    I strongly recommend removing any P2P applications.


    Surf Safely
    Geri
     

Share This Page