
Active Mirar removal

Discussion in 'Malware and Virus Removal Archive' started by psaulm119, 2008/12/14.

  1. 2008/12/14
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    [Active] Mirar removal

    OK this computer I'm working on has got Mirar. It has given popups for the past couple of weeks. I installed Malwarebytes and it stopped for a week, but then it started happening again. I ran MWB and it cleaned it all up but in the add-remove programs, Mirar is still there. Clicking on Remove only brings up a new window that gives a url to something like remove.mirar.com but nothing ever comes up on the page.

    OK below is a HJT log, which I'm assuming will be wanted.

    Any suggestions?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:52:30 AM, on 12/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand201013011.dll
    O3 - Toolbar: Mirar - {94C3167E-0AE7-4A4C-B87A-242E380CCDD3} - C:\WINDOWS\system32\winpc77.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
    O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
    O4 - HKLM\..\Run: [ScanSoft OmniPage 15.0-reminder] "C:\Program Files\ScanSoft\OmniPage15.0\Ereg\ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage15.0\Ereg\ereg.ini"
    O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe"
    O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
    O4 - HKLM\..\Run: [Bar] C:\DOCUME~1\BJRITT~1\LOCALS~1\Temp\onwsmrxaec.tmp
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O20 - AppInit_DLLs: aeazhu.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    --
    End of file - 6104 bytes
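The log above already shows the three entries worth acting on: the orphaned Mirar toolbar (O3, "file missing"), an autorun named [Bar] that launches a .tmp file out of the user's Temp directory (O4), and a non-empty AppInit_DLLs value (O20), which makes every process that loads user32.dll load aeazhu.dll as well. The following is an added example, not part of the thread or of HijackThis: a small rule-based triage that flags exactly those entry types when run over HJT log lines. SAMPLE_LOG is a constructed subset of the lines posted above; the rules are the editor's own heuristics, not HijackThis verdicts.

```python
"""Rule-based triage of HijackThis (HJT) log entries.

Added example for this thread; it is not part of HijackThis or of the
original posts. SAMPLE_LOG is a constructed subset of the O3/O4/O20/O23
lines from the log posted above; the rules are the editor's own
heuristics, not HijackThis verdicts.
"""
import re

# Constructed sample: lines copied from the posted HJT log (raw string,
# so the single backslashes in the Windows paths are kept as-is).
SAMPLE_LOG = r"""
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand201013011.dll
O3 - Toolbar: Mirar - {94C3167E-0AE7-4A4C-B87A-242E380CCDD3} - C:\WINDOWS\system32\winpc77.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Bar] C:\DOCUME~1\BJRITT~1\LOCALS~1\Temp\onwsmrxaec.tmp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: aeazhu.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# "O4 - <body>" / "R0 - <body>": section id, then the entry body.
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# A loader that lives under a Temp directory or is itself a .tmp file.
TEMP_PATH = re.compile(r"\\temp\\|\.tmp(?:\s|$)", re.IGNORECASE)


def parse_entry(line):
    """Split 'O4 - HKLM\\..\\Run: [name] path' into (section, body)."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else (None, line.strip())


def triage(log_text):
    """Return [(section, reason, original line)] for each entry that trips a rule.

    Rules (editor's heuristics):
      1. a target reported as '(file missing)' / '(no file)' is an orphan left
         behind by a partial removal and should be fixed so IE stops looking for it;
      2. a non-empty AppInit_DLLs value: the listed DLLs are loaded into every
         process that loads user32.dll, and the value is empty on a stock XP box;
      3. an O4 autorun launched from a Temp directory or from a .tmp file.
    """
    findings = []
    for raw in log_text.strip().splitlines():
        section, body = parse_entry(raw)
        if section is None:
            continue
        if "(file missing)" in body or "(no file)" in body:
            findings.append((section, "orphaned entry, target file missing", raw))
        if section == "O20" and body.lower().startswith("appinit_dlls:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append((section, "AppInit_DLLs injects " + ", ".join(dlls)
                                 + " into every GUI process", raw))
        if section == "O4" and "]" in body:
            loader = body.split("]", 1)[1].strip()   # everything after "[name]"
            if TEMP_PATH.search(loader):
                findings.append((section, "autorun launched from a temp location", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, line))
```

Run against the constructed sample it reports the Mirar O3 orphan, the [Bar] autorun in Temp and the O20 AppInit_DLLs entry, and nothing for the Avira, ctfmon, Copernic and Malwarebytes lines. The rules are deliberately structural (where the file lives, whether it exists, which hook loads it) rather than name-based, since the DLL names in this thread are random and change between infections.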
     
  2. 2008/12/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Paul,

    Looks like a few other uninvited guests too. :(

    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     


  4. 2008/12/14
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    Dave thanks for the quick reply.

    Not sure what you want me to do with ComboFix. Do you just want me to scan and then post a log? Or have it remove stuff, and then post a log?

    I know with HJT the idea is to post and let the expert make that choice...just wanted to be sure.
     
  5. 2008/12/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Paul,

    If you follow my instructions, and the prompts, ComboFix will automatically clean any rogues it finds that it targets. Regardless of what happens, post the resulting log.
     
  6. 2008/12/15
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    OK here's the log from Combofix:

    ComboFix 08-12-14.05 - bjrittman 2008-12-15 8:21:09.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.593 [GMT -8:00]
    Running from: c:\documents and settings\bjrittman\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\~.exe
    c:\windows\wiaserviv.log

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
    .

    2008-12-12 11:56 . 2008-12-12 11:56 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-12 11:56 . 2008-12-12 11:56 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-12 11:55 . 2008-12-12 11:55 <DIR> d-------- c:\program files\Java
    2008-12-12 11:52 . 2008-12-12 11:52 <DIR> d-------- c:\program files\Trend Micro
    2008-12-12 11:16 . 2008-12-12 11:16 <DIR> d-------- c:\program files\Avira
    2008-12-12 11:16 . 2008-12-12 11:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2008-12-02 10:46 . 2008-12-05 12:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-02 10:46 . 2008-12-02 10:46 <DIR> d-------- c:\documents and settings\bjrittman\Application Data\Malwarebytes
    2008-12-02 10:46 . 2008-12-02 10:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-02 10:46 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-02 10:46 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-02 10:06 . 2008-12-02 10:14 <DIR> d-------- C:\Temp
    2008-12-01 17:30 . 2008-12-08 07:06 <DIR> d-------- c:\program files\Common Files\Symantec Shared
    2008-11-29 21:57 . 2008-11-29 21:57 <DIR> d-------- c:\documents and settings\bjrittman\Application Data\FastStone
    2008-11-29 21:56 . 2008-11-29 21:56 <DIR> d-------- c:\program files\FastStone Image Viewer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-14 14:22 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
    2008-12-12 19:43 --------- d-----w c:\program files\RGB
    2008-12-12 19:38 --------- d-----w c:\program files\GemMaster
    2008-10-31 05:54 --------- d-----r c:\documents and settings\bjrittman\Application Data\Brother
    2008-10-24 21:24 --------- d-----w c:\program files\Brownie
    2008-10-24 21:24 --------- d-----w c:\program files\Brother
    2008-10-24 21:22 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2006-04-22 00:43 2,895,168 ----a-w c:\program files\FoxitReader.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Copernic Desktop Search 2"="c:\program files\Copernic Desktop Search 2\DesktopSearchService.exe" [2007-08-01 1514016]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-23 282624]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
    "Opware15"="c:\program files\ScanSoft\OmniPage15.0\Opware15.exe" [2005-07-05 69632]
    "ScanSoft OmniPage 15.0-reminder"="c:\program files\ScanSoft\OmniPage15.0\Ereg\ereg.exe" [2005-06-03 729088]
    "PDF3 Registry Controller"="c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe" [2005-04-12 106496]
    "BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-12-03 399504]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=aeazhu.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2004-07-27 15:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-12-02 15504]
    S2 MBAMService;MBAMService; "c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-12-02 170640]
    S2 WinDefend;Windows Defender; "c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-14 c:\windows\Tasks\Malwarebytes' Scheduled Update for bjrittman.job
    - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-12-03 19:52]

    2008-09-11 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{94C3167E-0AE7-4A4C-B87A-242E380CCDD3} - c:\windows\system32\winpc77.dll
    HKLM-Run-OpScheduler - c:\program files\ScanSoft\OmniPage15.0\OpScheduler.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:Tabs
    IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    FF - ProfilePath - c:\documents and settings\bjrittman\Application Data\Mozilla\Firefox\Profiles\y1nml0t2.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-15 08:22:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-15 8:23:26
    ComboFix-quarantined-files.txt 2008-12-15 16:23:11

    Pre-Run: 146,228,752,384 bytes free
    Post-Run: 146,258,542,592 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    138 --- E O F --- 2008-12-09 18:19:31
     
  7. 2008/12/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below.
    Code:
    reg query  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" | findstr /i  "mirar" >peek.txt
    start notepad peek.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and peek.txt will open. Post its contents here.
     
  8. 2008/12/16
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    I did it twice, and both times there was nothing in the peek.txt file to paste into here.

    Suggestions?
     
  9. 2008/12/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please post the contents of C:\Qoobox\Add-Remove Programs.txt
     
  10. 2008/12/18
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    OK, here goes:

    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player
    Audacity 1.2.6
    Avira AntiVir Personal - Free Antivirus
    Brother HL-2170W
    CardRd81
    CCleaner (remove only)
    CCScore
    CDBurnerXP Pro 3
    Copernic Desktop Search 2
    CR2
    Dell CinePlayer
    Dell ResourceCD
    ESSBrwr
    ESSCDBK
    ESScore
    ESSCT
    ESSEMAIL
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    ESSTUTOR
    ESSvpaht
    ESSvpot
    FastStone Image Viewer 3.6
    Google Gmail Notifier
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    HLPIndex
    HLPPDOCK
    HLPSFO
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB952287)
    HP PrecisionScan Pro
    HP Scan-to-Web Wizard
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Jasc Paint Shop Pro 8 Dell Edition
    Java Web Start
    Java(TM) 6 Update 11
    Kodak EasyShare software
    KSU
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office Word Viewer 2003
    Mirar
    Mozilla Firefox (3.0.1)
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Notifier
    OfotoXMI
    OTtBP
    OTtBPSDK
    Otto
    QuickTime
    RealPlayer
    Rhapsody Player Engine
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    ScanSoft OmniPage 15.0
    ScanSoft PDF Converter 3.0
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    SFR
    SHASTA
    SigmaTel Audio
    SKIN0001
    SKINXSDK
    Smartparts Desktop
    Sonic Encoders
    Sonic Update Manager
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Verizon Online Consumer DSL 6.1
    VPRINTOL
    WebFldrs XP
    Windows Defender
    Windows Defender Signatures
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows XP Media Center Edition 2005 KB908250
    Windows XP Service Pack 3
    WIRELESS
    WordPerfect Office 12
     
  11. 2008/12/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's try this.

    Highlight and copy the contents of the code box below.
    Code:
    reg query  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall">temp0
    type temp0 | findstr /i  "mirar" >peek.txt
    del /q temp0
    start notepad peek.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and peek.txt will open. Post its contents here.
     
  12. 2008/12/19
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    Sorry that didn't work either. The peek text was empty. Nothing to select, to say nothing of copying and pasting.

    I don't know if this means anything or not--but at the command prompt, as soon as I right-click, the cmd window closes and I get the peek text. I am never given an option to paste, although it appears that something is being pasted, before the cmd window closes. Same thing with the first line of code as well.
     
  13. 2008/12/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open a blank notepad and paste the text from the code box into it. Save it to the desktop as;

    Filename: peek.bat
    Save as type: All Files (*.*)

    Code:
    reg query  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall">temp0
    type temp0 | findstr /i  "mirar" >peek.txt
    del /q temp0
    start notepad peek.txt
    cls
    exit
    Double click peek.bat to run it.
    It should open peek.txt when complete ... please post its contents.
     
  14. 2008/12/21
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    Sorry same thing. I got the batch file created. I clicked on it, saw what looked like a DOS window open up, and then the peek text was created--but it was empty. No scroll bars on bottom or right, just an empty file.
     
  15. 2008/12/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy the contents of the code box.
    Code:
    regedit /e  "%userprofile%\desktop\peek.txt"  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    Click Start>Run then Paste it in and hit Enter.

    Send the peek.txt file on your desktop to me
     
  16. 2008/12/21
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    Thanks. I got something to send you this time--pretty big actually for a txt file. It's already on the way to that address.
     
  17. 2008/12/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Paste the contents of the code box into a blank notepad and save it to the desktop as;

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94C3167E-0AE7-4A4C-B87A-242E380CCDD3}]
    
    Double click fix.reg and allow it to merge with the registry. That should remove it from the Add/Remove programs list.

    You can delete peek.txt, peek.bat and fix.reg
     
  18. 2008/12/21
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    OK that took care of the entry in the add-remove programs.

    Tonight, Malwarebytes detected some 40-plus instances of the Vundo trojan. The computer has been hit with a lot of adware today....

    Well it seems to be back to normal, but time will tell.

    Thanks for your help.
     
  19. 2008/12/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    We better take another look. Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.

    Please include the contents of the following in your next reply:

    DDS.txt

    I may ask for the Attach.txt log later, so keep it handy.
     
  20. 2008/12/21
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    OK I'm not at that house any more...I'll get to that tomorrow. Thanks again for all your help.
     
  21. 2008/12/22
    psaulm119 Lifetime Subscription

    psaulm119 Geek Member Thread Starter

    Joined:
    2003/12/07
    Messages:
    1,424
    Likes Received:
    21
    OK here is DDS.txt:


    DDS (Version 1.1.0) - NTFSx86
    Run by bjrittman at 13:08:55.73 on Mon 12/22/2008
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.575 [GMT -8:00]

    AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\bjrittman\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:Tabs
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: c:\windows\system32\nehqoq.dll
    TB: Copernic Desktop Search 2: {968631B6-4729-440D-9BF4-251F5593EC9A} - c:\program files\copernic desktop search 2\DesktopSearchBand201013011.dll
    uRun: [Copernic Desktop Search 2] "c:\program files\copernic desktop search 2\DesktopSearchService.exe" /tray
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [Opware15] "c:\program files\scansoft\omnipage15.0\Opware15.exe "
    mRun: [ScanSoft OmniPage 15.0-reminder] "c:\program files\scansoft\omnipage15.0\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage15.0\ereg\ereg.ini "
    mRun: [PDF3 Registry Controller] "c:\program files\scansoft\omnipage15.0\pdfconverter3\\RegistryController.exe "
    mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: aeazhu.dll nehqoq.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\wifd1f~1\MpShHook.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\bjritt~1\applic~1\mozilla\firefox\profiles\y1nml0t2.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-12 11840]
    R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; "c:\program files\avira\antivir personaledition classic\sched.exe" [2008-12-12 68865]
    R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; "c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-12-12 151297]
    R2 MBAMService;MBAMService; "c:\program files\malwarebytes' anti-malware\mbamservice.exe" [2008-12-2 170640]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-12 52032]
    R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-12-2 15504]
    S2 WinDefend;Windows Defender; "c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]

    =============== Created Last 30 ================

    2008-12-21 17:32 129,024 a------- c:\windows\system32\nehqoq.dll
    2008-12-20 21:45 <DIR> --d----- c:\program files\Windows Media Connect 2
    2008-12-20 21:43 <DIR> --d----- c:\windows\system32\LogFiles
    2008-12-20 12:26 <DIR> --d----- c:\program files\MozBackup
    2008-12-15 08:20 <DIR> a-dshr-- C:\cmdcons
    2008-12-15 08:18 161,792 a------- c:\windows\SWREG.exe
    2008-12-15 08:18 98,816 a------- c:\windows\sed.exe
    2008-12-15 08:18 <DIR> --d----- C:\ComboFix
    2008-12-12 11:56 410,984 a------- c:\windows\system32\deploytk.dll
    2008-12-12 11:56 73,728 a------- c:\windows\system32\javacpl.cpl
    2008-12-12 11:52 <DIR> --d----- c:\program files\Trend Micro
    2008-12-12 11:16 <DIR> --d----- c:\program files\Avira
    2008-12-12 11:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
    2008-12-02 10:46 <DIR> --d----- c:\docume~1\bjritt~1\applic~1\Malwarebytes
    2008-12-02 10:46 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2008-12-02 10:46 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-02 10:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2008-12-02 10:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2008-12-02 10:06 <DIR> --d----- C:\Temp
    2008-12-01 17:30 <DIR> --d----- c:\program files\common files\Symantec Shared
    2008-11-29 21:57 <DIR> --d----- c:\docume~1\bjritt~1\applic~1\FastStone
    2008-11-29 21:56 <DIR> --d----- c:\program files\FastStone Image Viewer

    ==================== Find3M ====================

    2008-12-22 08:18 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
    2008-10-24 03:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
    2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
    2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
    2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
    2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
    2006-04-21 16:43 2,895,168 a------- c:\program files\FoxitReader.exe

    ============= FINISH: 13:09:28.68 ===============
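An added example, not part of the original thread or of the DDS tool: a small Python triage script that reads the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log like the one above and cross-references them. It flags DLLs that are loaded through AppInit_DLLs (which on XP injects the listed DLLs into every process that loads user32.dll, a mechanism legitimate software rarely uses) or registered as a BHO that DDS could not resolve to a name and CLSID, and notes when the same file also shows up as newly created. The sample log embedded in the script is a constructed excerpt modelled on the post above; the section names and the `triage` function are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the pseudo-HJT and "Created Last 30" sections of a
# DDS log (sample input for this script, not the complete log from the thread).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: c:\windows\system32\nehqoq.dll
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
AppInit_DLLs: aeazhu.dll nehqoq.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

=============== Created Last 30 ================

2008-12-21 17:32 129,024 a------- c:\windows\system32\nehqoq.dll
2008-12-20 21:45 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-12-12 11:56 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 10:46 15,504 a------- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================
""".strip()

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Load points that warrant a closer look regardless of which file they name.
SUSPICIOUS = {"AppInit_DLLs", "BHO without CLSID"}


def split_sections(text):
    """Group the non-empty lines of a DDS log under their '=== name ===' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def basename(path):
    """Lower-cased file name from a Windows path, with surrounding quotes removed."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_points(hjt_lines):
    """Map each DLL basename to the set of load points in the pseudo-HJT section that reference it."""
    points = defaultdict(set)
    for line in hjt_lines:
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if key == "BHO":
            if CLSID_RE.search(rest):
                # "BHO: <name>: {CLSID} - <path>"
                points[basename(rest.rsplit(" - ", 1)[-1])].add("BHO")
            else:
                # DDS printed only a path: the BHO registration had no resolvable name/CLSID.
                points[basename(rest)].add("BHO without CLSID")
        elif key == "AppInit_DLLs":
            # Every DLL listed here is mapped into every process that loads user32.dll.
            for dll in rest.split():
                points[basename(dll)].add("AppInit_DLLs")
    return points


def recent_files(created_lines):
    """Basenames of files (directories excluded) listed under 'Created Last 30'."""
    names = set()
    for line in created_lines:
        if "<DIR>" in line:
            continue
        # Fields: date, time, size, attributes, path (the path may contain spaces).
        parts = line.split(None, 4)
        if len(parts) == 5:
            names.add(basename(parts[4]))
    return names


def triage(text):
    """Return {dll: [reasons]} for DLLs at suspicious load points, noting recent creation."""
    sections = split_sections(text)
    points = load_points(sections.get("Pseudo HJT Report", []))
    recent = recent_files(sections.get("Created Last 30", []))
    findings = {}
    for name, where in points.items():
        if where & SUSPICIOUS:
            reasons = sorted(where)
            if name in recent:
                reasons.append("created in last 30 days")
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"{dll}: {', '.join(reasons)}")
```

On the sample input this reports nehqoq.dll at three points (AppInit_DLLs, an unnamed BHO, and created within the last 30 days) and aeazhu.dll at AppInit_DLLs only; the Java SSV helper, which has a proper name and CLSID, is not flagged. A file that is referenced from AppInit_DLLs but absent from the recent-file list is still worth checking on disk, since the registry value alone keeps the load attempt alive across reboots.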
     
