
Inactive [InActive] spyware help

Discussion in 'Malware and Virus Removal Archive' started by johngkerr, 2008/10/11.

  1. 2008/11/14
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    McAfee disable

    When I right click on the McAfee icon it does not have exit in the window.
    I can go under setting and disable real time protection. Will that do it?
     
    Last edited: 2008/11/14
  2. 2008/11/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Yes that will work.
     

  4. 2008/11/16
    johngkerr

    johngkerr Inactive Thread Starter

    combofix log

    What is RECOVERY CONSOLE?


    ComboFix 08-11-14.01 - john 2008-11-16 13:29:19.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.539 [GMT -6:00]
    Running from: c:\documents and settings\john\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
    .

    2008-11-13 22:02 . 2008-11-13 22:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-13 22:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-13 22:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-12 20:08 . 2008-11-12 21:31 <DIR> d-------- c:\program files\AntiMalwarePro
    2008-11-11 20:54 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-11 20:54 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-11 10:02 . 2008-11-11 19:45 73,728 --a------ c:\windows\system32\TDSSxfum.dll
    2008-11-11 10:02 . 2008-11-11 19:45 35,840 --a------ c:\windows\system32\TDSSoiqt.dll
    2008-11-11 10:02 . 2008-11-13 12:59 3,349 --a------ c:\windows\system32\TDSSlxwp.dll
    2008-11-11 10:02 . 2008-11-11 19:45 527 --a------ c:\windows\system32\TDSSlrvd.dat
    2008-10-23 12:22 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2008-10-21 11:20 . 2008-10-21 11:21 <DIR> d-------- c:\documents and settings\Adam Kerr\Application Data\Ventrilo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-16 05:38 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2008-11-15 21:27 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-11-15 09:06 --------- d-----w c:\program files\McAfee
    2008-11-14 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-14 03:15 --------- d-----w c:\program files\Common
    2008-11-13 19:01 --------- d-----w c:\program files\World of Warcraft
    2008-11-13 03:36 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-12 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-12 02:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-12 01:52 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-17 17:27 --------- d-----w c:\documents and settings\All Users\Application Data\badczido
    2008-10-14 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
    2008-10-14 00:53 --------- d-----w c:\program files\fhuuifg
    2008-10-14 00:26 --------- d-----w c:\documents and settings\john\Application Data\Malwarebytes
    2008-10-14 00:26 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-11 20:17 --------- d-----w c:\program files\Lavasoft
    2008-10-10 04:07 1,128 ----a-w C:\settings.dat
    2008-10-04 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-29 08:08 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-06-20 02:15 61,224 ----a-w c:\documents and settings\john\GoToAssistDownloadHelper.exe
    2007-03-28 19:57 18,895,728 ----a-w c:\program files\Install_Messenger.exe
    2006-01-24 00:27 10,179,432 ----a-w c:\documents and settings\john\HCUpgrade3.1.exe
    2005-07-30 01:39 14,651,330 ----a-w c:\program files\OldeEnglish.org_-_Deadpuppies.mov
    2005-07-28 15:35 959,653,376 ----a-w c:\program files\ragnarok_setup.exe
    2004-03-11 19:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
    2003-07-28 11:16 36,864 ----a-w c:\windows\inf\i386\Vizmicro.dll
    2003-07-28 11:16 172,032 ----a-w c:\windows\inf\i386\viceo.dll
    2003-07-28 11:01 36,207 ----a-w c:\windows\inf\i386\9320FW.bin
    2003-07-28 11:01 274,432 ----a-w c:\windows\inf\i386\9320LLD.dll
    2003-07-28 11:01 155,648 ----a-w c:\windows\inf\i386\rtscan.dll
    2001-08-03 23:29 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-13_21.35.26.37 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-11-14 02:56:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-11-16 18:46:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-11-14 02:56:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-11-16 18:46:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-11-14 03:09:16 64,372 ----a-w c:\windows\system32\perfc009.dat
    + 2008-11-14 03:31:16 64,372 ----a-w c:\windows\system32\perfc009.dat
    - 2008-11-14 03:09:16 409,232 ----a-w c:\windows\system32\perfh009.dat
    + 2008-11-14 03:31:17 409,232 ----a-w c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "updateMgr "= "c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility "= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update "= "c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
    "RemoteControl "= "c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-22 180269]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2006-12-16 282624]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "DVDTray "= "c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
    "MWLExe "= "c:\program files\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 206184]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
    "PaperPort PTD "= "c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-12 57393]
    "IndexSearch "= "c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-12 40960]
    "OneTouch Monitor "= "c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2004-01-20 110592]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SoundMan "= "SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]
    "nwiz "= "nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
    "NvMediaCenter "= "NvMCTray.dll" [2007-12-05 c:\windows\system32\nvmctray.dll]

    c:\documents and settings\Adam Kerr\Start Menu\Programs\Startup\
    SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

    c:\documents and settings\Scott Kerr\Start Menu\Programs\Startup\
    SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

    c:\documents and settings\evelyn\Start Menu\Programs\Startup\
    SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

    c:\documents and settings\john\Start Menu\Programs\Startup\
    SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc "= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
    "vidc.mpng "= c:\program files\t@b\0.949\686\tabdec.dll
    "vidc.mvjp "= c:\program files\t@b\0.949\686\tabdec.dll
    "vidc.444p "= c:\program files\t@b\0.949\686\tabdec.dll
    "vidc.dscc "= c:\progra~1\TALESA~1\dscc.dll
    "vidc.dsvc "= c:\progra~1\TALESA~1\dsvc.dll
    "vidc.dsfs "= c:\progra~1\TALESA~1\dsfs.dll
    "msacm.divxa32 "= msaud32_divx.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Yahoo! Pager "=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" /background
    "MsnMsgr "= "c:\program files\MSN Messenger\MsnMsgr.Exe" /background
    "ctfmon.exe "=c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Quake III Arena\\quake3.exe "=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe "=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\darkneox102\\counter-strike source\\hl2.exe "=
    "c:\\Program Files\\Warcraft III\\Warcraft III.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe "=
    "c:\\WINDOWS\\system32\\mmc.exe "=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-2.2.2.7318-to-2.2.3.7359-enUS-downloader.exe "=
    "c:\\Program Files\\Warcraft III\\War3.exe "=
    "c:\\Program Files\\VentSrv\\ventrilo_srv.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-2.3.0.7561-to-2.3.2.7741-enUS-downloader.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe "=
    "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe "=
    "c:\\Program Files\\Starcraft\\StarCraft.exe "=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe "=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe "=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe "=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe "=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-3.0.1-to-3.0.2-enUS-Win-Update-downloader.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009
    "3724:TCP "= 3724:TCP:Blizzard Downloader: 3724

    R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2005-02-07 1984]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; "c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-28 203280]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
    S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-06-18 140416]
    S3 XPAD;XBox Controllers USB HID Mini Driver;c:\windows\system32\Drivers\xpad.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6920d68e-584d-11dd-af43-000fea6a477b}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-09-19 16:36]

    2008-11-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    mWindow Title =
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

    c:\windows\system32\ASYCFILT.DLL - c:\windows\system32\MSVBVM50.DLL
    c:\windows\Downloaded Program Files\INTRALAUNCH.OCX
    O16 -: {072CB141-B793-11D1-89B6-0020182C1446}
    file://d:\utilities\IntraLaunch.CAB
    c:\windows\Downloaded Program Files\IntraLaunch.INF

    c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
    O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
    hxxp://creatives3.lakefield.net:85/SysCamInst.cab
    c:\windows\Downloaded Program Files\install.inf

    c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
    hxxp://212.129.168.37:81/kxhcm10.ocx
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-16 13:35:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: c:\windows\system32\winlogon.exe
    -> c:\program files\McAfee\SiteAdvisor\saHook.dll

    PROCESS: c:\windows\explorer.exe
    -> c:\program files\McAfee\SiteAdvisor\saHook.dll
    .
    Completion time: 2008-11-16 13:37:21
    ComboFix-quarantined-files.txt 2008-11-16 19:36:49
    ComboFix2.txt 2008-11-14 03:36:08

    Pre-Run: 10,747,117,568 bytes free
    Post-Run: 10,838,970,368 bytes free

    242 --- E O F --- 2008-11-12 03:02:46
     
  5. 2008/11/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    OK please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    c:\windows\system32\TDSSxfum.dll
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSlrvd.dat
    
    Folder::
    c:\program files\AntiMalwarePro
    c:\program files\fhuuifg 
    Thanks
    Geri
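
One way to check that a follow-up ComboFix log accounts for every CFScript target, as an added example (not part of the original posts and not ComboFix's own code). It assumes only the `File::`/`Folder::` blocks and the banner-delimited log sections visible in this thread; the function names and the trimmed sample log are constructed for illustration.

```python
import re

# Section banners look like "((((( Other Deletions )))))" in the logs on this page.
BANNER = re.compile(r"^\({5,}\s*(.*?)\s*\){5,}$")
# CFScript directives as posted in the thread: "File::" and "Folder::".
DIRECTIVE = re.compile(r"^(\w+)\s*::$")


def parse_cfscript(text):
    """Return {'file': [...], 'folder': [...]} from a CFScript.txt body."""
    targets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1).lower()
            targets.setdefault(current, [])
        elif current is not None:
            targets[current].append(line)
    return targets


def split_sections(log):
    """Split a log into {banner title: [lines]}; text before the first banner is 'preamble'."""
    sections, title = {"preamble": []}, "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = BANNER.match(line)
        if m:
            title = m.group(1).lower()
            sections[title] = []
        else:
            sections[title].append(line)
    return sections


def verify(script_text, log_text):
    """Map each CFScript target to 'deleted', 'still listed' or 'not reported'."""
    targets = [p for paths in parse_cfscript(script_text).values() for p in paths]
    sections = split_sections(log_text)
    deleted = {l.lower() for l in sections.get("other deletions", [])}
    # Sections that list what is on disk after the run.
    on_disk = [l.lower() for title, lines in sections.items()
               if title.startswith("files created") or title == "find3m report"
               for l in lines]
    result = {}
    for path in targets:
        key = path.lower()
        still = any(l == key or l.endswith(" " + key) or key + "\\" in l
                    for l in on_disk)
        if still:
            result[path] = "still listed"   # needs another look, even if reported deleted
        elif key in deleted:
            result[path] = "deleted"
        else:
            result[path] = "not reported"   # the log never mentions acting on it
    return result


# CFScript body as posted in the thread.
CFSCRIPT = r"""
File::
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSlrvd.dat

Folder::
c:\program files\AntiMalwarePro
c:\program files\fhuuifg
"""

# Constructed sample: a trimmed excerpt modelled on the second log in the thread.
LOG_AFTER = r"""
ComboFix 08-11-14.01 - john 2008-11-17 20:36:21.3 - NTFSx86
((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))
.
c:\program files\AntiMalwarePro
c:\program files\AntiMalwarePro\SchedulePlan.txt
c:\program files\fhuuifg
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSxfum.dll
.
((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))
.
2008-11-13 22:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))
.
2008-11-17 02:08 --------- d-----w c:\program files\RegCure
"""

# Constructed failure case: the folder shows up again in the Find3M section.
LOG_REAPPEARED = LOG_AFTER + r"2008-10-14 00:53 --------- d-----w c:\program files\fhuuifg" + "\n"

if __name__ == "__main__":
    for name, log in (("after", LOG_AFTER), ("reappeared", LOG_REAPPEARED)):
        print(name)
        for path, status in verify(CFSCRIPT, log).items():
            print(f"  {status:13} {path}")
```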
     
  6. 2008/11/17
    johngkerr

    johngkerr Inactive Thread Starter

    combofix log

    I downloaded RegCure. Is it a good program, and should I run it?

    ComboFix 08-11-14.01 - john 2008-11-17 20:36:21.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.605 [GMT -6:00]
    Running from: c:\documents and settings\john\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\john\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSxfum.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AntiMalwarePro
    c:\program files\AntiMalwarePro\SchedulePlan.txt
    c:\program files\fhuuifg
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSxfum.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
    .

    2008-11-13 22:02 . 2008-11-13 22:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-13 22:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-13 22:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-11 20:54 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-11 20:54 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 12:22 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2008-10-21 11:20 . 2008-10-21 11:21 <DIR> d-------- c:\documents and settings\Adam Kerr\Application Data\Ventrilo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-17 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-11-17 02:08 --------- d-----w c:\program files\RegCure
    2008-11-16 05:38 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2008-11-15 09:06 --------- d-----w c:\program files\McAfee
    2008-11-14 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-14 03:15 --------- d-----w c:\program files\Common
    2008-11-13 19:01 --------- d-----w c:\program files\World of Warcraft
    2008-11-13 03:36 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-12 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-12 02:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-12 01:52 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-17 17:27 --------- d-----w c:\documents and settings\All Users\Application Data\badczido
    2008-10-14 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
    2008-10-14 00:26 --------- d-----w c:\documents and settings\john\Application Data\Malwarebytes
    2008-10-14 00:26 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-11 20:17 --------- d-----w c:\program files\Lavasoft
    2008-10-10 04:07 1,128 ----a-w C:\settings.dat
    2008-10-04 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-29 08:08 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-06-20 02:15 61,224 ----a-w c:\documents and settings\john\GoToAssistDownloadHelper.exe
    2007-03-28 19:57 18,895,728 ----a-w c:\program files\Install_Messenger.exe
    2006-01-24 00:27 10,179,432 ----a-w c:\documents and settings\john\HCUpgrade3.1.exe
    2005-07-30 01:39 14,651,330 ----a-w c:\program files\OldeEnglish.org_-_Deadpuppies.mov
    2005-07-28 15:35 959,653,376 ----a-w c:\program files\ragnarok_setup.exe
    2004-03-11 19:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
    2003-07-28 11:16 36,864 ----a-w c:\windows\inf\i386\Vizmicro.dll
    2003-07-28 11:16 172,032 ----a-w c:\windows\inf\i386\viceo.dll
    2003-07-28 11:01 36,207 ----a-w c:\windows\inf\i386\9320FW.bin
    2003-07-28 11:01 274,432 ----a-w c:\windows\inf\i386\9320LLD.dll
    2003-07-28 11:01 155,648 ----a-w c:\windows\inf\i386\rtscan.dll
    2001-08-03 23:29 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-13_21.35.26.37 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-11-14 02:56:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-11-18 00:17:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-11-14 02:56:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-11-18 00:17:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-11-18 00:17:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-11-14 03:09:16 64,372 ----a-w c:\windows\system32\perfc009.dat
    + 2008-11-14 03:31:16 64,372 ----a-w c:\windows\system32\perfc009.dat
    - 2008-11-14 03:09:16 409,232 ----a-w c:\windows\system32\perfh009.dat
    + 2008-11-14 03:31:17 409,232 ----a-w c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "updateMgr "= "c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility "= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update "= "c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
    "RemoteControl "= "c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-22 180269]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2006-12-16 282624]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "DVDTray "= "c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
    "MWLExe "= "c:\program files\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 206184]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
    "PaperPort PTD "= "c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-12 57393]
    "IndexSearch "= "c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-12 40960]
    "OneTouch Monitor "= "c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2004-01-20 110592]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SoundMan "= "SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]
    "nwiz "= "nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
    "NvMediaCenter "= "NvMCTray.dll" [2007-12-05 c:\windows\system32\nvmctray.dll]

    c:\documents and settings\Adam Kerr\Start Menu\Programs\Startup\
    SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

    c:\documents and settings\Scott Kerr\Start Menu\Programs\Startup\
    SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

    c:\documents and settings\evelyn\Start Menu\Programs\Startup\
    SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

    c:\documents and settings\john\Start Menu\Programs\Startup\
    SensorsView.lnk - c:\program files\SensorsView\sview.exe [2006-01-24 967680]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc "= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
    "vidc.mpng "= c:\program files\t@b\0.949\686\tabdec.dll
    "vidc.mvjp "= c:\program files\t@b\0.949\686\tabdec.dll
    "vidc.444p "= c:\program files\t@b\0.949\686\tabdec.dll
    "vidc.dscc "= c:\progra~1\TALESA~1\dscc.dll
    "vidc.dsvc "= c:\progra~1\TALESA~1\dsvc.dll
    "vidc.dsfs "= c:\progra~1\TALESA~1\dsfs.dll
    "msacm.divxa32 "= msaud32_divx.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Yahoo! Pager "=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" /background
    "MsnMsgr "= "c:\program files\MSN Messenger\MsnMsgr.Exe" /background
    "ctfmon.exe "=c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Quake III Arena\\quake3.exe "=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe "=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\darkneox102\\counter-strike source\\hl2.exe "=
    "c:\\Program Files\\Warcraft III\\Warcraft III.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe "=
    "c:\\WINDOWS\\system32\\mmc.exe "=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-2.2.2.7318-to-2.2.3.7359-enUS-downloader.exe "=
    "c:\\Program Files\\Warcraft III\\War3.exe "=
    "c:\\Program Files\\VentSrv\\ventrilo_srv.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-2.3.0.7561-to-2.3.2.7741-enUS-downloader.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe "=
    "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe "=
    "c:\\Program Files\\Starcraft\\StarCraft.exe "=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe "=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe "=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe "=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe "=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-3.0.1-to-3.0.2-enUS-Win-Update-downloader.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "3724:TCP "= 3724:TCP:Blizzard Downloader: 3724

    R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2005-02-07 1984]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; "c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-28 203280]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
    S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-06-18 140416]
    S3 XPAD;XBox Controllers USB HID Mini Driver;c:\windows\system32\Drivers\xpad.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6920d68e-584d-11dd-af43-000fea6a477b}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-09-19 16:36]

    2008-11-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2008-11-18 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]

    2008-11-17 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-17 20:40:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: c:\windows\system32\winlogon.exe
    -> c:\program files\McAfee\SiteAdvisor\saHook.dll
    .
    Completion time: 2008-11-17 20:42:16
    ComboFix-quarantined-files.txt 2008-11-18 02:41:47
    ComboFix2.txt 2008-11-16 19:37:23
    ComboFix3.txt 2008-11-14 03:36:08

    Pre-Run: 10,695,512,064 bytes free
    Post-Run: 10,710,589,440 bytes free

    223 --- E O F --- 2008-11-12 03:02:46
     
  7. 2008/11/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    Please do not do so until you are clean. And then, I don't recommend registry cleaners; I've seen them do harm to a system.

    If you feel that you just have to use it, then download and install this before doing so, that way you can restore the registry if you need to.


    Download ERUNT from Derfisch or Aumha and save it to your desktop.

    Use the setup program to install ERUNT on your computer
    Click ERUNT.Setup.exe to install ERUNT and backup your registry.
    Uncheck the "Create NTREGOPT desktop icon" box.
    In the window that comes up to create an ERUNT entry in the Startup folder, select No.

    By default the backup location is C:\windows\erunt\ (current date).
    Click OK to continue with the registry backup.
    If the folder does not exist, then let ERUNT create the folder for you by clicking Yes.
    You should see a progress bar when ERUNT is backing up the Windows Registry.
    After ERUNT has completed the Windows Registry backup, click OK to exit ERUNT.


    OK please do the following.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now an online scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on “Accept” If your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the “Scan Report” on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Also remind me about the recovery console and we'll install it.

    Thanks
    Geri
     
  8. 2008/11/23
    johngkerr

    johngkerr Inactive Thread Starter

    scan report

    When should I install it, RECOVERY CONSOLE?

    You do not like any reg clean? I should not use them?


    Sunday, November 23, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Sunday, November 23, 2008 02:00:45
    Records in database: 1404358


    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes

    Scan area My Computer
    A:\
    C:\
    D:\

    Scan statistics
    Files scanned 150185
    Threat name 3
    Infected objects 3
    Suspicious objects 0
    Duration of the scan 02:29:15

    File name Threat name Threats count
    C:\Documents and Settings\Adam Kerr\Application Data\Sun\Java\Deployment\cache\6.0\48\6b488e30-7c82aa3a Infected: Trojan-Downloader.Java.OpenConnection.ar 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqt.dll.vir Infected: Backdoor.Win32.TDSS.blh 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Infected: Rootkit.Win32.Clbd.lb 1

    The selected area was scanned.
     
  9. 2008/11/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    OK great.

    Please do the following.

    Please download JavaRa and save the file to your desktop.
    • Right click and Extract All
    • Once extracted, open and run JavaRa.exe
    • Click Search For Updates
    • Select Update Using jucheck.exe
    • Click Search
    • If a newer version is found, allow it to be installed
    • Uncheck the Google Toolbar option. (if you don't want the Google tool bar)
    • When complete, click Remove Older Versions in the JavaRa interface and allow it to proceed
    • When that is complete, click Additional Tasks, then select Remove Useless JRE Files and click Go
    • Exit the tool when complete.
    Read and then you can delete the gpl-2.0.txt file.


    Click Start > Run. In the Run box, copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.
    Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.


    Delete RSIT.exe and this folder C:\rsit

    Let me know how things are running.

    Thanks
    Geri
     
  10. 2008/11/24
    johngkerr

    johngkerr Inactive Thread Starter

    problem

    JavaRa.exe ran but had an error when it was removing the old version of Java.
    ComboFix and C:\Qoobox were removed but the c:\combofix folder and C:\ComboFix.txt were not removed?
    Should I delete them myself?
     
  11. 2008/11/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi

    OK, go into Add and Remove Programs and delete the older versions.

    Yes, but you don't need to just yet.

    OK I forgot about the Recovery Console, sorry. You will need to re-download Combofix.

    Download ComboFix from Here to your Desktop.


    You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that we can use it to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System, then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file. Use the one below for XP Professional SP3.

    Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124

    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

    Please do not reboot your machine until we have reviewed the log.

    Geri
     
  12. 2008/11/25
    johngkerr

    johngkerr Inactive Thread Starter

    The link that has Service Pack 2 above it is the one I should use if I have SP3?
    Also, I cannot reboot until you have replied to my post? This would be a problem.
     
  13. 2008/11/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Yes the link for SP2

    Can I ask why?
     
  14. 2008/11/26
    johngkerr

    johngkerr Inactive Thread Starter

    Because I do this after work and then go to bed. If I receive a reply soon after I post it would be OK. What will this do for me, and why do you have to look at the log before I reboot?
     
  15. 2008/11/26
    johngkerr

    johngkerr Inactive Thread Starter

    I found information about RECOVERY CONSOLE on the Microsoft web page. I know what it will do now.
     
  16. 2008/11/26
    johngkerr

    johngkerr Inactive Thread Starter

    same as next post my bad
     
    Last edited: 2008/11/26
  17. 2008/11/26
    johngkerr

    johngkerr Inactive Thread Starter

    Recovery console

    I think that I should already have Recovery Console installed?
    I have Service Pack 3; can I use that link?
     
  18. 2008/11/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    Please post the link so I can look at it. I was unaware there was a link for SP3.

    According to Combofix it is not installed.

    Thanks
     
  19. 2008/11/29
    johngkerr

    johngkerr Inactive Thread Starter

    combofix failed to install

    When trying to install ComboFix it failed. "cannot rename combofix"
     
  20. 2008/11/29
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    Did you try to rename it?

    Make sure all these have been deleted and try it again.
    C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    And Combofix.exe from your Desktop.

    Let me know.
     
