leftydrummrr

cheater checker/limewire help?(Resolved)


Juliet suggested I post this HijackThis log if "Cheater Checker" showed up on my PC after opening LimeWire. This is the third time it has happened. I've been able to use System Restore to make Cheater Checker go away each time, but I'm curious where it really comes from. Thanks for your help,

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:34:38 PM, on 2/13/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\r_server.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O8 - Extra context menu item: &Search - ?p=ZRxdm185YYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab

O20 - Winlogon Notify: modget32 - C:\WINDOWS\SYSTEM32\modget32.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

 

--

End of file - 8940 bytes

Juliet   

Hi and welcome

 

Open HijackThis, click "Do a system scan only", and checkmark these. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

 

 

 

NEXT

 

Please go to: VirusTotal


  • Click the Browse button and search for the following file: C:\WINDOWS\SYSTEM32\modget32.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

 

 

NEXT

 

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.

Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

 

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

 

 

In your next reply post:

File requested scanned

DSS log

New HJT log taken after the above scans have run

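The reply above works through the HijackThis log by section (R1 search settings, the O20 Winlogon Notify DLL, services). One way to automate that first pass over a log in this format, as an added example that is not code from the thread or from HijackThis itself (the allow-list of trusted hosts and the sample lines are constructed for the example):

```python
"""Triage helper for Trend Micro HijackThis v2.0.2 log lines (added example).

Parses the R0/R1, O20 and O23 line shapes seen in the logs above and flags
the kinds of entries a helper asks about first: IE start/search settings
pointing at a host the owner does not recognise, DLLs registered under
Winlogon Notify (loaded into winlogon.exe at logon), and services whose
publisher HijackThis reports as "Unknown owner".
"""
import re
from urllib.parse import urlparse

# Hosts the machine's owner recognises for IE start/search settings.
# Assumption for this example; a real allow-list depends on the machine.
TRUSTED_SEARCH_HOSTS = {"att.yahoo.com", "att.my.yahoo.com"}

# Every entry looks like "<section> - <payload>"; longer section names first.
SECTION_RE = re.compile(r"^(R0|R1|O20|O23|O2|O4)\s+-\s+(.*)$")
# R0/R1 payload: "<hive\key>,<value name> = <data>"
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
# O20 payload: "Winlogon Notify: <name> - <dll path>"
O20_RE = re.compile(r"^Winlogon Notify:\s*(?P<name>\S+)\s+-\s+(?P<path>.+)$")
# O23 payload: "Service: <display name> - <owner> - <path>"
O23_RE = re.compile(
    r"^Service:\s*(?P<display>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$"
)

# Constructed sample taken from the line shapes in the logs above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: modget32 - C:\WINDOWS\SYSTEM32\modget32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
"""


def parse_line(line):
    """Return a dict describing one HijackThis entry, or None for any other line."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, payload = m.group(1), m.group(2)
    entry = {"section": section, "raw": line.strip()}
    if section in ("R0", "R1"):
        r = REG_RE.match(payload)
        if r:
            entry.update(key=r["key"], name=r["name"].strip(), data=r["data"].strip())
    elif section == "O20":
        r = O20_RE.match(payload)
        if r:
            entry.update(name=r["name"], path=r["path"].strip())
    elif section == "O23":
        r = O23_RE.match(payload)
        if r:
            entry.update(display=r["display"], owner=r["owner"].strip(),
                         path=r["path"].strip())
    return entry


def triage(entry):
    """Return human-readable reasons this entry deserves a closer look (may be empty)."""
    reasons = []
    if entry["section"] in ("R0", "R1") and "data" in entry:
        # Only URL-shaped data has a hostname; values like "*.local" are skipped.
        host = urlparse(entry["data"]).hostname
        if host and host not in TRUSTED_SEARCH_HOSTS:
            reasons.append(f"IE setting {entry['name']} points at untrusted host {host}")
    if entry["section"] == "O20" and "path" in entry:
        reasons.append(f"Winlogon Notify DLL {entry['path']} loads at logon; "
                       "submit it for a multi-engine scan and verify its hash")
    if entry["section"] == "O23" and entry.get("owner", "").lower() == "unknown owner":
        reasons.append(f"service '{entry['display']}' has no publisher; verify {entry['path']}")
    return reasons


def triage_log(text):
    """Parse a whole log and return [(raw line, reasons)] for every flagged entry."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

Entries the script passes over (O4 Run keys, O16 ActiveX controls, the running-process list) still need a manual read; the allow-list only covers the start/search settings.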

I hope I followed your instructions correctly. Here are the scans. Thanks for your help,

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:39:10 PM, on 2/13/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\r_server.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cidaemon.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O8 - Extra context menu item: &Search - ?p=ZRxdm185YYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab

O20 - Winlogon Notify: modget32 - C:\WINDOWS\SYSTEM32\modget32.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

 

--

End of file - 7766 bytes

Deckard's System Scanner v20071014.68

Run by Mark Gisi on 2008-02-13 14:20:11

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created a Deckard's System Scanner Restore Point.

 

 

-- Last 5 Restore Point(s) --

44: 2008-02-13 20:20:26 UTC - RP868 - Deckard's System Scanner Restore Point

43: 2008-02-13 18:50:14 UTC - RP867 - Software Distribution Service 3.0

42: 2008-02-13 18:42:50 UTC - RP866 - Restore Operation

41: 2008-02-13 18:00:27 UTC - RP865 - Software Distribution Service 3.0

40: 2008-02-13 17:51:22 UTC - RP864 - Ad-Aware Restore Point 2008-02-13 11:51:06

 

 

-- First Restore Point --

1: 2008-01-28 19:57:27 UTC - RP825 - System Checkpoint

 

 

Backed up registry hives.

Performed disk cleanup.

 

Total Physical Memory: 510 MiB (512 MiB recommended).

System Drive C: has 0.78 GiB (less than 15%) free.

 

 

-- HijackThis (run as Mark Gisi.exe) ------------------------------------------

 

logfile has no content; running clone.

-- HijackThis Clone ------------------------------------------------------------

 

 

Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2008-02-13 14:23:20

Platform: Windows XP Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\SYSTEM32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\SYSTEM32\services.exe

C:\WINDOWS\SYSTEM32\lsass.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\SYSTEM32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\SYSTEM32\cisvc.exe

C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\WINDOWS\SYSTEM32\r_server.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\SYSTEM32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\SYSTEM32\ctfmon.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\SYSTEM32\wuauclt.exe

C:\WINDOWS\SYSTEM32\CIDAEMON.EXE

C:\Program Files\Yahoo!\browser\ycommon.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Mark Gisi\Local Settings\Temporary Internet Files\Content.IE5\RLDF9YP3\dss[1].exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O8 - Extra context menu item: &Search - ?p=ZRxdm185YYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} () - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab

O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL

O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll

O20 - Winlogon Notify: modget32 - C:\WINDOWS\system32\modget32.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\r_server.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPcservice.exe

 

 

--

End of file - 8758 bytes

 

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

 

backup-20080213-140305-198 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

backup-20080213-140305-209 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

backup-20080213-140305-288 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

backup-20080213-140305-292 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

backup-20080213-140305-384 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

backup-20080213-140305-989 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

 

-- File Associations -----------------------------------------------------------

 

All associations okay.

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)

R0 IFP800 (iriver Internet Audio Player IFP-800) - c:\windows\system32\drivers\ifp800.sys <Not Verified; iRiver, Inc.; IFP-100>

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys

R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>

 

S3 DrvFltIp - c:\program files\bulletproofsoft.com\advancedpersonalfirewall\drvfltip.sys (file missing)

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

R2 r_server (Remote Administrator Service) - "c:\windows\system32\r_server.exe" /service <Not Verified; ; Remote Administrator>

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

 

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2004-12-06 15:50:07 294 --a------ C:\WINDOWS\Tasks\XoftSpy.job

 

 

-- Files created between 2008-01-13 and 2008-02-13 -----------------------------

 

2008-02-13 12:55:34 0 d-------- C:\WINDOWS\LastGood

2008-02-13 12:43:00 1093632 --a------ C:\WINDOWS\system32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat

2008-02-13 12:40:33 1093632 --a------ C:\WINDOWS\system32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat

2008-02-13 12:33:52 0 d-------- C:\Program Files\Trend Micro

2008-02-13 11:35:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-02-10 20:43:34 2177024 --a------ C:\WINDOWS\system32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat

2008-02-10 20:43:33 1093632 --a------ C:\WINDOWS\system32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat

2008-02-10 20:43:33 8693760 --a------ C:\WINDOWS\system32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat

2008-02-08 21:32:22 1093632 --a------ C:\WINDOWS\system32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat

2008-02-07 21:58:30 9699328 --a------ C:\Documents and Settings\Mark Gisi\ntuser.dat

2008-01-28 11:30:08 106 ---hs---- C:\WINDOWS\WSYS049.SYS

2008-01-21 18:50:50 0 d-------- C:\Program Files\iTunes

2008-01-21 18:41:40 0 d-------- C:\Program Files\Bonjour

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-02-13 12:52:22 0 d-------- C:\Program Files\LimeWire

2008-02-13 11:35:23 0 d-------- C:\Program Files\Lavasoft

2008-02-13 11:34:29 0 d-------- C:\Program Files\Common Files

2008-02-13 11:07:01 0 d-------- C:\Documents and Settings\Mark Gisi\Application Data\Lavasoft

2008-02-12 18:33:26 43746 --a------ C:\Documents and Settings\Mark Gisi\Application Data\wklnhst.dat

2008-02-12 13:21:40 0 d-------- C:\Program Files\SpywareBlaster

2008-02-08 20:54:38 0 d-------- C:\Documents and Settings\Mark Gisi\Application Data\Move Networks

2008-01-28 18:18:44 0 d-------- C:\Documents and Settings\Mark Gisi\Application Data\Image Zone Express

2008-01-23 11:19:22 0 d-------- C:\Program Files\RegistryFix

2008-01-21 18:51:16 0 d-------- C:\Program Files\iPod

2008-01-21 18:41:18 0 d-------- C:\Program Files\QuickTime

2007-12-30 17:56:54 0 d-------- C:\Documents and Settings\Mark Gisi\Application Data\Adobe

2007-12-30 14:51:59 0 d-------- C:\Program Files\Apple Software Update

2007-12-30 14:51:09 0 d-------- C:\Program Files\Common Files\Apple

2007-12-30 12:58:55 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-12-06 20:21:46 267776 --a------ C:\WINDOWS\system32\iertutil(2).dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 07:00 AM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [10/26/2006 09:21 PM]

 

C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\

DESKTOP.INI [9/3/2002 8:00:00 AM]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

DESKTOP.INI [9/3/2002 8:00:00 AM]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

@=

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\modget32]

modget32.dll 04/16/2007 09:52 AM 519430 C:\WINDOWS\SYSTEM32\modget32.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk

backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk

backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark Gisi^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Security Console]

C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover]

C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPSF]

C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\BPS Firewall.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]

"C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

C:\WINDOWS\system32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]

"C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]

\Updater.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

Logi_MwX.Exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]

"C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

C:\Program Files\MySpace\IM\MySpaceIM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

"C:\Program Files\Dell\Media Experience\PCMService.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]

C:\Program Files\PCPitstop\Optimize\Reminder.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]

C:\Program Files\Norton Internet Security\UrlLstCk.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]

C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt hpqcxs08 hpqddsvc

 

 

 

 

-- End of Deckard's System Scanner: finished at 2008-02-13 14:24:23 ------------

 


File modget32.dll received on 02.13.2008 21:08:38 (CET)

Current status: finished

 

Result: 3/31 (9.68%)

Antivirus          Version         Last Update   Result
AhnLab-V3          2008.2.14.10    2008.02.13    -
AntiVir            7.6.0.65        2008.02.13    -
Authentium         4.93.8          2008.02.13    -
Avast              4.7.1098.0      2008.02.13    -
AVG                7.5.0.516       2008.02.13    -
BitDefender        7.2             2008.02.13    -
CAT-QuickHeal      None            2008.02.13    -
ClamAV             0.92            2008.02.13    -
DrWeb              4.44.0.09170    2008.02.13    -
eSafe              7.0.15.0        2008.02.13    -
eTrust-Vet         31.3.5533       2008.02.13    -
Ewido              4.0             2008.02.13    -
FileAdvisor        1               2008.02.13    -
Fortinet           3.14.0.0        2008.02.13    -
F-Prot             4.4.2.54        2008.02.12    W32/Heuristic-KPP!Eldorado
F-Secure           6.70.13260.0    2008.02.13    -
Ikarus             T3.1.1.20       2008.02.13    -
Kaspersky          7.0.0.125       2008.02.13    -
McAfee             5229            2008.02.13    -
Microsoft          1.3204          2008.02.13    -
NOD32v2            2872            2008.02.13    -
Norman             5.80.02         2008.02.13    -
Panda              9.0.0.4         2008.02.13    Suspicious file
Prevx1             V2              2008.02.13    -
Rising             20.31.10.00     2008.02.13    -
Sophos             4.26.0          2008.02.13    Sus/Dropper-A
Sunbelt            2.2.907.0       2008.02.13    -
TheHacker          6.2.9.219       2008.02.13    -
VBA32              3.12.6.1        2008.02.13    -
VirusBuster        4.3.26:9        2008.02.13    -
Webwasher-Gateway  6.6.2           2008.02.13    -

Additional information

File size: 519430 bytes

MD5: 7f3d2d63f3965215bba75da07da605b7

SHA1: 7cae51e4b5104a42168bb6254621b888d566ef71

PEiD: -

 

 


Juliet   

Welcome back

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O8 - Extra context menu item: &Search - ?p=ZRxdm185YYUS

O20 - Winlogon Notify: modget32 - C:\WINDOWS\SYSTEM32\modget32.dll

 

Reboot

 

 

 

 

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to

 

Locate the files below, right-click each one and open it with Notepad, and tell me what these files are.

 

 

C:\WINDOWS\system32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat

C:\WINDOWS\system32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat

C:\WINDOWS\system32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat

C:\WINDOWS\system32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat

C:\WINDOWS\system32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat

C:\WINDOWS\system32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat

 

 

Also see if any of these files are present

 

C:\Program Files\Common Files\Cheater Checker

C:\WINDOWS\system32\Cheater Checker

C:\Documents and Settings\All Users\Application Data\Cheater Checker

C:\Documents and Settings\Owner\Application Data\Cheater Checker


 

 

 

NEXT

 

Download Combofix from any of the links below, and save it to your desktop.<--Important

 

Link 1

Link 2

Link 3

 

 


 

 

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

 

 

 

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including the quotes, and change the "Save as type" to "All Files" and place it on your desktop.

 

KILLALL::

File::
C:\WINDOWS\SYSTEM32\modget32.dll
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\modget32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

 

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

 

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

Please be patient while the scan runs, at times it may appear to stall.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

After rebooting ensure your Security applications have been re-enabled.

 

 

 

 

 

We need to close the security issue with your older version of Java

 

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4
  • Scroll to Java Runtime Environment (JRE) 6 Update 4 and click on the download button
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Go to Start > Control Panel, double-click on the Software icon > add/remove programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    It should have this icon next to it: Posted Image
  • Select it and click Remove.
  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

 

 

 

NEXT

 

*Note

It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.

Posted Image

 

Posted Image

 

 

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

======================================================

 

 

In your next reply post:

 

Any information on the requested files

ComboFix.txt

Kaspersky log

New HJT log

 

Tell me how your computer is running now


Here are the scans from ComboFix, Kaspersky, and the new HJT. Hope this helps, thanks.

 

ComboFix 08-02-14.1 - Mark Gisi 2008-02-13 18:02:42.1 - NTFSx86

 

Running from: C:\Documents and Settings\Mark Gisi\My Documents\ComboFix.exe

Command switches used :: C:\Documents and Settings\Mark Gisi\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

C:\WINDOWS\SYSTEM32\modget32.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\Downloaded Program Files\Quarantine

C:\WINDOWS\SYSTEM32\modget32.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))

.

 

2008-02-13 17:42 . 2004-08-04 01:56 388,608 --a------ C:\kmd.exe

2008-02-13 14:19 . 2008-02-13 14:19 <DIR> d-------- C:\Deckard

2008-02-13 13:27 . 2008-02-13 13:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-02-13 13:27 . 2008-02-13 13:27 1,409 --a------ C:\WINDOWS\QTFont.for

2008-02-13 12:43 . 2008-02-13 12:43 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat

2008-02-13 12:40 . 2008-02-13 12:40 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat

2008-02-13 12:33 . 2008-02-13 12:33 <DIR> d-------- C:\Program Files\Trend Micro

2008-02-13 11:35 . 2008-02-13 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-02-10 20:43 . 2008-02-13 12:38 8,693,760 --a------ C:\WINDOWS\SYSTEM32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat

2008-02-10 20:43 . 2008-02-13 12:38 2,177,024 --a------ C:\WINDOWS\SYSTEM32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat

2008-02-10 20:43 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat

2008-02-08 21:32 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat

2008-01-28 11:30 . 2002-07-31 19:55 106 ---hs---- C:\WINDOWS\WSYS049.SYS

2008-01-28 11:30 . 2001-09-05 12:28 41 ---h----- C:\WINDOWS\trfntw32.cfg

2008-01-21 18:50 . 2008-01-21 18:51 <DIR> d-------- C:\Program Files\iTunes

2008-01-21 18:41 . 2008-01-21 18:41 <DIR> d-------- C:\Program Files\Bonjour

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-13 21:14 43,746 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\wklnhst.dat

2008-02-13 18:52 --------- d-----w C:\Program Files\LimeWire

2008-02-13 17:35 --------- d-----w C:\Program Files\Lavasoft

2008-02-13 17:07 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Lavasoft

2008-02-12 19:21 --------- d-----w C:\Program Files\SpywareBlaster

2008-02-09 02:54 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Move Networks

2008-01-29 00:18 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Image Zone Express

2008-01-23 17:19 --------- d-----w C:\Program Files\RegistryFix

2008-01-22 00:51 --------- d-----w C:\Program Files\iPod

2008-01-22 00:41 --------- d-----w C:\Program Files\QuickTime

2007-12-30 20:51 --------- d-----w C:\Program Files\Common Files\Apple

2007-12-30 20:51 --------- d-----w C:\Program Files\Apple Software Update

2007-12-30 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information

2004-12-12 22:50 251,040 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Fatdll]

@={2574C284-194B-43B3-A057-E188849BA5CC}

 

[HKEY_CLASSES_ROOT\CLSID\{2574C284-194B-43B3-A057-E188849BA5CC}]

2007-04-16 09:52 1290347 --a------ C:\WINDOWS\system32\micwiz.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 21:21 4662776]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk

backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk

backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Gisi^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

C:\PROGRA~1\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

C:\Program Files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Security Console]

C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover]

C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPSF]

C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\BPS Firewall.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]

C:\Program Files\ClamWin\bin\ClamTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-12-10 20:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

--a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2005-09-20 08:35 94208 C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

--a------ 2003-09-03 19:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]

--a------ 2003-07-14 13:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]

--a------ 2004-07-01 15:20 212992 C:\Updater.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

--------- 2003-03-04 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

--------- 2003-12-05 21:08 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

--a------ 2003-06-18 11:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

C:\Program Files\MySpace\IM\MySpaceIM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2003-08-26 18:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]

C:\Program Files\PCPitstop\Optimize\Reminder.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]

--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]

C:\Program Files\Norton Internet Security\UrlLstCk.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2006-10-26 21:21 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]

--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]

--a------ 2005-04-22 19:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

 

R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 14:16]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

S3 DrvFltIp;DrvFltIp;C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\DrvFltIp.sys []

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 10:29]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

.

Contents of the 'Scheduled Tasks' folder

"2004-12-06 21:50:07 C:\WINDOWS\Tasks\XoftSpy.job"

- C:\Program Files\XoftSpy\XoftSpy.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-13 18:09:54

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]

-> C:\WINDOWS\system32\micwiz.dll

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2008-02-13 18:15:31 - machine was rebooted [Mark Gisi]

ComboFix-quarantined-files.txt 2008-02-14 00:15:27

.

2008-02-13 18:53:00 --- E O F ---

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Wednesday, February 13, 2008 9:29:21 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 13/02/2008

Kaspersky Anti-Virus database records: 564373

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

F:\

 

Scan Statistics:

Total number of scanned objects: 112088

Number of viruses found: 4

Number of infected objects: 25

Number of suspicious objects: 0

Duration of the scan process: 01:37:24

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Mark Gisi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-549a9cbf.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped

C:\Documents and Settings\Mark Gisi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-549a9cbf.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Mark Gisi\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Mark Gisi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Mark Gisi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Mark Gisi\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Mark Gisi\Local Settings\History\History.IE5\MSHist012008021320080214\index.dat Object is locked skipped

C:\Documents and Settings\Mark Gisi\Local Settings\Temp\Perflib_Perfdata_e40.dat Object is locked skipped

C:\Documents and Settings\Mark Gisi\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22\RADMIN22.EXE Gentee: infected - 3 skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip ZIP: infected - 4 skipped

C:\Documents and Settings\Mark Gisi\ntuser.dat Object is locked skipped

C:\Documents and Settings\Mark Gisi\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped

C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe WiseSFX: infected - 1 skipped

C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe WiseSFXDropper: infected - 1 skipped

C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Program Files\Remote Administrator Viewer\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Program Files\Remote Administrator Viewer\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Program Files\Remote Administrator Viewer\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Program Files\Remote Administrator Viewer\RADMIN22.EXE Gentee: infected - 3 skipped

C:\Program Files\SELFHEAL\VPN-RA Combo 3.0\VPN-RA Combo 3.0.msi/Data1.cab/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Program Files\SELFHEAL\VPN-RA Combo 3.0\VPN-RA Combo 3.0.msi/Data1.cab/admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped

C:\Program Files\SELFHEAL\VPN-RA Combo 3.0\VPN-RA Combo 3.0.msi/Data1.cab Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped

C:\Program Files\SELFHEAL\VPN-RA Combo 3.0\VPN-RA Combo 3.0.msi Embedded: infected - 3 skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_Mark Gisi.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_Mark Gisi.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_Mark Gisi.log Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP872\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:22:25 PM, on 2/13/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\r_server.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

 

--

End of file - 7480 bytes

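The logs above are read by hand in this thread. As an added example (not code from the thread, from HijackThis or from Kaspersky), here is a small triage script that does the two checks a helper makes first on such logs: it flags O23 service lines whose image has no publisher ("Unknown owner") or that belong to a remote-administration tool (the "Remote Administrator Service (r_server)" entry above), and it sorts the Kaspersky report into real threats (the Exploit.Java.Gimsh.b hit in the Java cache) and "not-a-virus" tools grouped by the file or archive that contains them. The sample lines are a constructed subset copied from the logs posted above; the marker list and category names are this example's own assumptions.

```python
"""Triage helper for HijackThis O23 service lines and Kaspersky Online
Scanner report lines of the kind posted in this thread.

Added example, not code from the thread, HijackThis or Kaspersky. The
sample lines at the bottom are a constructed subset of the logs above.
"""
import re
from collections import defaultdict

# Remote-administration tools are legitimate products, but a service for one
# of them on a home PC is also exactly what an intruder leaves behind, so it
# is flagged for the analyst to confirm with the user. (Assumed marker list.)
REMOTE_ADMIN_MARKERS = ("r_server", "radmin", "remote administrator")

# "O23 - Service: <display name> - <publisher or 'Unknown owner'> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# "<path> Infected: <verdict> skipped"; "Object is locked" lines and archive
# summaries such as "ZIP: infected - 4 skipped" carry no verdict and are ignored.
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")


def triage_hjt_services(lines):
    """Return (reason, service name, image path) for O23 lines worth a question."""
    findings = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name, owner, path = m.group("name", "owner", "path")
        if owner == "Unknown owner":
            findings.append(("no-publisher", name, path))
        haystack = (name + " " + path).lower()
        if any(marker in haystack for marker in REMOTE_ADMIN_MARKERS):
            findings.append(("remote-admin-tool", name, path))
    return findings


def triage_kav_report(lines):
    """Split Kaspersky verdicts into real threats and 'not-a-virus' tools.

    Returns (threats, pua): threats is a list of (verdict, container path),
    pua maps a not-a-virus family to the sorted containers holding it.
    Archive members are reported as "outer.zip/inner.exe"; only the outer
    file can be deleted, so findings are keyed on the container.
    """
    threats, pua = [], defaultdict(set)
    for line in lines:
        m = KAV_RE.match(line.strip())
        if not m:
            continue
        path, verdict = m.group("path", "verdict")
        container = path.split("/", 1)[0]
        if verdict.startswith("not-a-virus:"):
            pua[verdict.split(":", 1)[1]].add(container)
        else:
            threats.append((verdict, container))
    return threats, {family: sorted(paths) for family, paths in pua.items()}


# Constructed sample input: a subset of the lines in the logs above.
SAMPLE_HJT = [
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe",
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
]
SAMPLE_KAV = [
    r"C:\Documents and Settings\Mark Gisi\ntuser.dat Object is locked skipped",
    r"C:\Documents and Settings\Mark Gisi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-549a9cbf.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped",
    r"C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped",
    r"C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip ZIP: infected - 4 skipped",
    r"C:\WINDOWS\SYSTEM32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped",
    r"C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped",
]

if __name__ == "__main__":
    for finding in triage_hjt_services(SAMPLE_HJT):
        print("HJT ", finding)
    threats, pua = triage_kav_report(SAMPLE_KAV)
    for threat in threats:
        print("KAV threat     ", threat)
    for family, paths in pua.items():
        print("KAV not-a-virus", family, paths)
```

The point of keying the Kaspersky output on the container is visible in the sample: three members of radmin22.zip produce one actionable item (the zip), and the installed copy in system32 is listed separately because it is the one actually running as a service.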
Juliet   

Welcome back

 

Did you find or see any of these files

Also see if any of these files are present

 

C:\Program Files\Common Files\Cheater Checker

C:\WINDOWS\system32\Cheater Checker

C:\Documents and Settings\All Users\Application Data\Cheater Checker

C:\Documents and Settings\Owner\Application Data\Cheater Checker


 

 

 

Look in Add/Remove Programs for NewDotNet and uninstall it if found.

 

If there is no entry to remove NewDotNet in the Control Panel, there is also an uninstaller called NDUninstall in the folder C:\Program Files\NewDotNet, which can be used when there is no uninstaller in Add or Remove Programs.

If nothing is found, no problem.

 

 

 

Go to My Computer->Tools->Folder Options->View tab:

[*]Under the Hidden files and folders heading:

[*]Select - Show hidden files and folders.

[*]Uncheck- Hide protected operating system files (recommended) option.

[*]Also, make sure there is no checkmark beside Hide file extensions for known file types.

[*] Click OK. (Remember to Hide files and folders once done)

 

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders:

 

 

C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip

C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe

 

 

NEXT

 

Next, launch Notepad, (Start > Run, type in: notepad)

copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

 

 

Save this as fix.reg, change the "Save as type" to "All Files" and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

 

 

Reboot your machine

 

 

While files/folders are still unhidden, do this next

 

Please go to: VirusTotal


  • Click the Browse button and search for the following file: C:\WINDOWS\system32\micwiz.dll

  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

 

 

We need to close a security issue with your older version of Java.

 

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4
  • Scroll to Java Runtime Environment (JRE) 6 Update 4 and click on the download button
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.

     

    Go to Start > Control Panel double-click on the Software icon > add/remove programs.

    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )


    Select it and click Remove.

  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
================================================================

Clearing Java Cache

Go into the Control Panel and double-click the Java icon (it looks like a coffee cup).

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are three options in the window to clear the cache - Leave all Checked
    • Applications

      Applets

      Trace and Log Files

  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

 

 

 

Is Cheater Checker still popping up at boot up?

 

Download & extract this file to its own folder - http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

 

Launch Registry Search

In the search box, enter Cheater Checker & click "Ok".

Notepad will open with some text in it (the file will also be saved in the program's folder as well).

Post this text in your next reply

 

 

In your next reply post

File requested scanned

Registry Search log

New HJT log

 

Tell me what's happening on the computer at the moment.

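Juliet's fix.reg step (a REGEDIT4 file whose `[-KEY]` line deletes a key) and her Registry Search step (find every key or value mentioning "Cheater Checker") are the same technique done by hand. As an added example, not part of the thread and not the code of Registry Search or regedit, the script below works on a text registry export (what `reg export <key> out.reg` or the Registry Search tool write), finds keys whose path, value names or value data contain a search term, and emits a REGEDIT4 file that deletes exactly those keys, so nothing here touches the live registry until the user chooses to merge the result. The sample export is constructed from the New.net entry in the ComboFix log above; the value names it uses for an msconfig startupreg entry are an assumed layout.

```python
"""Search a text registry export and build a REGEDIT4 fix file.

Added example, not part of the thread and not the code of Registry Search
or regedit. It reads the text that `reg export <key> out.reg` or the
Registry Search tool write out; the live registry is never touched.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "name"=data  or  @=data (the default value); data is kept raw, quotes included.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _logical_lines(text):
    """Join hex(...) values that regedit wraps over lines with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text):
    """Return {key path: [(value name, raw data), ...]} in file order."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";"):
            continue
        if line.lower().startswith(("regedit4", "windows registry editor")):
            continue  # file header: REGEDIT4 is an ANSI file, Version 5.00 is UTF-16
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current].append((name, m.group("data")))
    return keys


def unquote_reg_string(data):
    """Turn a quoted REG_SZ literal with escaped backslashes back into the real string."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # dword:, hex: and other types are left as written


def search_registry_export(keys, term):
    """Key paths whose name, value names or value data contain term (case-insensitive)."""
    t = term.lower()
    return [
        key for key, values in keys.items()
        if t in key.lower()
        or any(t in name.lower() or t in unquote_reg_string(data).lower() for name, data in values)
    ]


def make_removal_reg(keys_to_delete):
    """REGEDIT4 text that deletes each key: a '-' right after '[' means delete.

    The header must be the first line and the file must end with a newline,
    or regedit rejects it. Deleting a key is not undoable; export it first.
    """
    out = ["REGEDIT4", ""]
    for key in keys_to_delete:
        out += [f"[-{key}]", ""]
    return "\n".join(out) + "\n"


# Constructed sample export: the New.net entry from the ComboFix log above,
# written with the value names an msconfig startupreg entry uses (assumed
# layout), plus one benign entry so the search has something to skip.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    hits = search_registry_export(parsed, "newdot")
    print(make_removal_reg(hits), end="")
```

Run against the sample, the search for "newdot" matches only through the value data (the key name itself says New.net), and the generated file is byte-for-byte the fix.reg in the post above. A real export from XP's `reg export` is UTF-16 with the "Windows Registry Editor Version 5.00" header; decode it as utf-16 before passing the text in.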

Juliet,

I didn't find any "Cheater Checker" files anywhere. The computer is faster after working through the tests. I have upgraded Java. Cheater Checker has not shown up, but I have deleted LimeWire. Reinstalling Limewire and using it might be a good way to test the changes that have been made so far. I'll work through these tests and report back, thanks.

Juliet   

I didn't find any "Cheater Checker" files anywhere. The computer is faster after working through the tests. I have upgraded Java. Cheater Checker has not shown up, but I have deleted LimeWire. Reinstalling Limewire and using it might be a good way to test the changes that have been made so far. I'll work through these tests and report back, thanks.

Good to hear the computer runs better!

 

 

I've not heard of a program like that being installed with Limewire, but I'm sure there could always be that first....

From what little info I could find, it was stated to be a program that had to be manually installed; I didn't read anything that suggested it was installed in a bundle with others from one specific.

 

If it should show up again after reinstalling Limewire... I'd say let's stay away from Limewire.

 

Post back with the test you haven't completed.

 

 

Happy Valentines Day


Juliet, here are the scans. The computer is quicker, but we seem to get more junk email now. I'll watch the email over the next few days to see if it continues. I also have desktop.ini on the desktop. I don't know how that got there; can I delete it? After you look at these scan results, let me know if I could try the Limewire test.

Hope you had a Happy Valentines Day!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:39:20 PM, on 2/14/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\r_server.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

 

--

End of file - 7863 bytes

Windows Registry Editor Version 5.00

 

; Registry Search 2.0 by Bobbi Flekman © 2005

; Version: 2.0.5.0

 

; Results at 2/14/2008 4:36:20 PM for strings:

; 'cheater checker'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]

"000"="cheater checker"

 

; End Of The Log...

 

 

Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

 

File micwiz.dll received on 02.14.2008 21:51:02 (CET)

Current status: finished

Result: 3/32 (9.38%)


Antivirus Version Last Update Result

AhnLab-V3 2008.2.15.10 2008.02.14 -

AntiVir 7.6.0.65 2008.02.14 -

Authentium 4.93.8 2008.02.14 -

Avast 4.7.1098.0 2008.02.14 -

AVG 7.5.0.516 2008.02.14 -

BitDefender 7.2 2008.02.14 -

CAT-QuickHeal None 2008.02.14 -

ClamAV 0.92.1 2008.02.14 -

DrWeb 4.44.0.09170 2008.02.14 -

eSafe 7.0.15.0 2008.02.14 -

eTrust-Vet 31.3.5536 2008.02.14 -

Ewido 4.0 2008.02.14 -

FileAdvisor 1 2008.02.14 -

Fortinet 3.14.0.0 2008.02.14 -

F-Prot 4.4.2.54 2008.02.14 -

F-Secure 6.70.13260.0 2008.02.14 -

Ikarus T3.1.1.20 2008.02.14 -

Kaspersky 7.0.0.125 2008.02.14 -

McAfee 5230 2008.02.14 -

Microsoft 1.3204 2008.02.14 -

NOD32v2 2876 2008.02.14 -

Norman 5.80.02 2008.02.14 -

Panda 9.0.0.4 2008.02.14 -

Prevx1 V2 2008.02.14 Heuristic: Suspicious File With Mass Email Capabilities

Rising 20.31.30.00 2008.02.14 -

Sophos 4.26.0 2008.02.14 Sus/Dropper-A

Sunbelt 2.2.907.0 2008.02.14 -

Symantec 10 2008.02.14 Spyware.CheaterChecker

TheHacker 6.2.9.220 2008.02.14 -

VBA32 3.12.6.1 2008.02.14 -

VirusBuster 4.3.26:9 2008.02.14 -

Webwasher-Gateway 6.6.2 2008.02.14 -

Additional information

File size: 1290347 bytes

MD5: 33a3e77be71ddcc7dd232724f4d32a53

SHA1: 095aaccc53f4c50bccd6a5e140b4e017add8c6c7

PEiD: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp...BA58E004623CC05

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

 


Juliet   

Welcome back

 

Juliet, here are the scans. The computer is quicker, but we seem to get more junk email now. I'll watch the email over the next few days to see if it continues. I also have desktop.ini on the desktop. I don't know how that got there; can I delete it? After you look at these scan results, let me know if I could try the LimeWire test.

Hope you had a Happy Valentines Day!

 

 

Locate the desktop.ini file you have on your desktop > right-click and open with Notepad.

Check what the info inside says and let me know.

 

Happy Valentines Day to you too!!

 

 

Virustotal is a service that analyzes suspicious files

 

File micwiz.dll received on 02.14.2008 21:51:02 (CET)

Current status: finished

Result: 3/32 (9.38%)


Antivirus Version Last Update Result

AhnLab-V3 2008.2.15.10 2008.02.14 -

AntiVir 7.6.0.65 2008.02.14 -

Authentium 4.93.8 2008.02.14 -

Avast 4.7.1098.0 2008.02.14 -

AVG 7.5.0.516 2008.02.14 -

BitDefender 7.2 2008.02.14 -

CAT-QuickHeal None 2008.02.14 -

ClamAV 0.92.1 2008.02.14 -

DrWeb 4.44.0.09170 2008.02.14 -

eSafe 7.0.15.0 2008.02.14 -

eTrust-Vet 31.3.5536 2008.02.14 -

Ewido 4.0 2008.02.14 -

FileAdvisor 1 2008.02.14 -

Fortinet 3.14.0.0 2008.02.14 -

F-Prot 4.4.2.54 2008.02.14 -

F-Secure 6.70.13260.0 2008.02.14 -

Ikarus T3.1.1.20 2008.02.14 -

Kaspersky 7.0.0.125 2008.02.14 -

McAfee 5230 2008.02.14 -

Microsoft 1.3204 2008.02.14 -

NOD32v2 2876 2008.02.14 -

Norman 5.80.02 2008.02.14 -

Panda 9.0.0.4 2008.02.14 -

Prevx1 V2 2008.02.14 Heuristic: Suspicious File With Mass Email Capabilities

Rising 20.31.30.00 2008.02.14 -

Sophos 4.26.0 2008.02.14 Sus/Dropper-A

Sunbelt 2.2.907.0 2008.02.14 -

Symantec 10 2008.02.14 Spyware.CheaterChecker <--looky looky here

TheHacker 6.2.9.220 2008.02.14 -

VBA32 3.12.6.1 2008.02.14 -

VirusBuster 4.3.26:9 2008.02.14 -

Webwasher-Gateway 6.6.2 2008.02.14 -

 

 

 

 

 

Go to My Computer -> Tools -> Folder Options -> View tab:

Under the Hidden files and folders heading:

- Select "Show hidden files and folders".

- Uncheck the "Hide protected operating system files (recommended)" option.

- Also, make sure there is no checkmark beside "Hide file extensions for known file types".

- Click OK. (Remember to hide files and folders again once done.)

 

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following file:

 

C:\WINDOWS\system32\micwiz.dll

 

 

If this file resists deletion drop into safe....

 

Then reboot your computer.

 

Post back and let me know what's inside the Desktop.ini file.

 

If we disabled any security programs while running scans and tools you can re-enable those now.


Juliet,

Here is the content of Desktop.ini. There is also a copy in My Documents, ok to delete? I couldn't delete micwiz.dll; a screen popped up with... Access Denied, make sure disc not in use... etc. How do I drop this file into safe? Haven't done that before. It appears that might be where Cheater Checker is? I didn't delete the radmin file yet. Is radmin a component of the Remote Administrator to use my wife's computer at work? Ok to delete without causing any other problems? thanks,

 

[.ShellClassInfo]

LocalizedResourceName=@shell32.dll,-21786

Juliet   

Welcome back

 

Here is the content of Desktop.ini. There is also a copy in My Documents, ok to delete?

That file is OK, nothing odd. Rename it to something like "desktop.old"

and leave it for a while to see if any programs need it; if not, you can delete it. If something has a problem, go back and rename it back.

 

I didn't delete the radmin file yet. Is radmin a component of the Remote Administrator to use my wife's computer at work? Ok to delete without causing any other problems? thanks,

It's the zip that held all the executables (the .exe's) for the service; actually you can leave it.

I couldn't delete micwiz.dll; a screen popped up with... Access Denied, make sure disc not in use... etc. How do I drop this file into safe? Haven't done that before. It appears that might be where Cheater Checker is?

The VirusTotal scan revealed to us that that is where the exe for the program is held.

 

What we can try next

 

 

Reboot your computer into Safe Mode.

You can do this by restarting your computer and continually tapping the F8 key until a menu appears.

Use your up arrow key to highlight Safe Mode, then hit Enter.

http://www.bleepingcomputer.com/tutorials/tutorial61.html

How to start Windows in Safe Mode

 

 

 

 

Go to My Computer -> Tools -> Folder Options -> View tab:

Under the Hidden files and folders heading:

- Select "Show hidden files and folders".

- Uncheck the "Hide protected operating system files (recommended)" option.

- Also, make sure there is no checkmark beside "Hide file extensions for known file types".

- Click OK. (Remember to hide files and folders again once done.)

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following file:

 

 

C:\WINDOWS\system32\micwiz.dll

 

 

Then reboot

 

Post back and let me know what happens.

Juliet   

Let's see if ComboFix can take it out

 

 

Download Combofix from any of the links below, and save it to your desktop.

 

Link 1

Link 2

Link 3

 

Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.

 

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including the quotes, and change the "Save as type" to "All Files" and place it on your desktop.

 

 

KILLALL::

File::
C:\WINDOWS\system32\micwiz.dll

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

Post back with the ComboFix.txt


Juliet,

Here is the Combofix scan.

thanks,

 

ComboFix 08-02-14.1 - Mark Gisi 2008-02-15 10:09:28.2 - NTFSx86

 

Running from: C:\Documents and Settings\Mark Gisi\My Documents\ComboFix.exe

Command switches used :: C:\Documents and Settings\Mark Gisi\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

File::C:\WINDOWS\system32\micwiz.dll

.

 

((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))

.

 

2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab

2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-02-13 18:43 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl

2008-02-13 18:42 . 2008-02-13 18:42 <DIR> d-------- C:\Program Files\Common Files\Java

2008-02-13 17:42 . 2004-08-04 01:56 388,608 --a------ C:\kmd.exe

2008-02-13 14:19 . 2008-02-13 14:19 <DIR> d-------- C:\Deckard

2008-02-13 12:43 . 2008-02-13 12:43 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat

2008-02-13 12:40 . 2008-02-13 12:40 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat

2008-02-13 12:33 . 2008-02-13 12:33 <DIR> d-------- C:\Program Files\Trend Micro

2008-02-13 11:35 . 2008-02-13 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-02-10 20:43 . 2008-02-13 12:38 8,693,760 --a------ C:\WINDOWS\SYSTEM32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat

2008-02-10 20:43 . 2008-02-13 12:38 2,177,024 --a------ C:\WINDOWS\SYSTEM32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat

2008-02-10 20:43 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat

2008-02-08 21:32 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat

2008-01-28 11:30 . 2002-07-31 19:55 106 ---hs---- C:\WINDOWS\WSYS049.SYS

2008-01-28 11:30 . 2001-09-05 12:28 41 ---h----- C:\WINDOWS\trfntw32.cfg

2008-01-21 18:50 . 2008-01-21 18:51 <DIR> d-------- C:\Program Files\iTunes

2008-01-21 18:41 . 2008-01-21 18:41 <DIR> d-------- C:\Program Files\Bonjour

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-15 00:21 --------- d-----w C:\Program Files\LimeWire

2008-02-14 22:58 43,742 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\wklnhst.dat

2008-02-14 20:40 --------- d-----w C:\Program Files\filesubmit

2008-02-14 00:43 --------- d-----w C:\Program Files\Java

2008-02-13 17:35 --------- d-----w C:\Program Files\Lavasoft

2008-02-13 17:07 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Lavasoft

2008-02-12 19:21 --------- d-----w C:\Program Files\SpywareBlaster

2008-02-09 02:54 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Move Networks

2008-01-29 00:18 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Image Zone Express

2008-01-23 17:19 --------- d-----w C:\Program Files\RegistryFix

2008-01-22 00:51 --------- d-----w C:\Program Files\iPod

2008-01-22 00:41 --------- d-----w C:\Program Files\QuickTime

2007-12-30 20:51 --------- d-----w C:\Program Files\Common Files\Apple

2007-12-30 20:51 --------- d-----w C:\Program Files\Apple Software Update

2007-12-30 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys

2004-12-12 22:50 251,040 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Fatdll]

@={2574C284-194B-43B3-A057-E188849BA5CC}

 

[HKEY_CLASSES_ROOT\CLSID\{2574C284-194B-43B3-A057-E188849BA5CC}]

2007-04-16 09:52 1290347 --a------ C:\WINDOWS\system32\micwiz.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 21:21 4662776]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk

backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk

backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Gisi^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

C:\PROGRA~1\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

C:\Program Files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Security Console]

C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover]

C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPSF]

C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\BPS Firewall.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]

C:\Program Files\ClamWin\bin\ClamTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-12-10 20:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

--a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2005-09-20 08:35 94208 C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

--a------ 2003-09-03 19:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]

--a------ 2003-07-14 13:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]

--a------ 2004-07-01 15:20 212992 C:\Updater.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

--------- 2003-03-04 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

--------- 2003-12-05 21:08 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

--a------ 2003-06-18 11:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

C:\Program Files\MySpace\IM\MySpaceIM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2003-08-26 18:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]

C:\Program Files\PCPitstop\Optimize\Reminder.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]

--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]

C:\Program Files\Norton Internet Security\UrlLstCk.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2006-10-26 21:21 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]

--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]

--a------ 2005-04-22 19:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

 

R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 14:16]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

S3 DrvFltIp;DrvFltIp;C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\DrvFltIp.sys []

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 10:29]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

.

Contents of the 'Scheduled Tasks' folder

"2004-12-06 21:50:07 C:\WINDOWS\Tasks\XoftSpy.job"

- C:\Program Files\XoftSpy\XoftSpy.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-15 10:16:22

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]

-> C:\WINDOWS\system32\micwiz.dll

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2008-02-15 10:22:07 - machine was rebooted

ComboFix-quarantined-files.txt 2008-02-15 16:22:03

ComboFix2.txt 2008-02-14 00:15:31

.

2008-02-14 18:01:50 --- E O F ---

Juliet   

Right-click on your task bar.

Look for this entry and end task:

C:\WINDOWS\system32\micwiz.dll <--it may be listed as just micwiz.dll

 

Next, launch Notepad (Start > Run, type in: notepad)

and copy and paste the text present in the quote box below into it

(don't forget to copy and paste REGEDIT4):

REGEDIT4

 

[-HKEY_CLASSES_ROOT\CLSID\{2574C284-194B-43B3-A057-E188849BA5CC}]

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Fatdll]

 

 

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

 

Reboot your computer

 

 

 

Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.

 

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including the quotes, and change the "Save as type" to "All Files" and place it on your desktop.

KILLALL::

File::

C:\WINDOWS\system32\micwiz.dll

 

Drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

 

Post back with the ComboFix.txt

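The ComboFix "Reg Loading Points" and "DLLs Loaded Under Running Processes" sections in the log above show the whole chain that kept micwiz.dll on the machine: a ShellIconOverlayIdentifiers subkey (Fatdll) whose default value is a CLSID, that CLSID's entry pointing at C:\WINDOWS\system32\micwiz.dll, and the DLL mapped into explorer.exe, which is why a plain delete returned "Access Denied" and why the fix first removes the two registry keys (the fix.reg above) and then lets ComboFix delete the file after KILLALL::. The script below is an added example written for this thread; it is not ComboFix's code nor anything posted by Juliet or the user. It parses a constructed excerpt in ComboFix's log format (the excerpt reuses the lines from the log above), resolves each overlay identifier to its DLL and the processes holding it, and produces the same kind of REGEDIT4 deletion script. The regular expressions assume the line layouts seen in the posted log, and all function and variable names are my own.

```python
import re

# Constructed sample in ComboFix's "Reg Loading Points" / "DLLs Loaded" log
# format, reusing the lines posted in the thread above (not a live registry read).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Fatdll]
@={2574C284-194B-43B3-A057-E188849BA5CC}

[HKEY_CLASSES_ROOT\CLSID\{2574C284-194B-43B3-A057-E188849BA5CC}]
2007-04-16 09:52 1290347 --a------ C:\WINDOWS\system32\micwiz.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\micwiz.dll
"""

# Line layouts as they appear in the posted log (assumed to hold for other logs).
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...\subkey]
CLSID_VAL_RE = re.compile(r"^@=(\{[0-9A-Fa-f-]{36}\})$")  # @={GUID}
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")  # date time size attrs path
PROCESS_RE = re.compile(r"^PROCESS: (.+?) \[.*\]$")        # PROCESS: path [version]
LOADED_RE = re.compile(r"^-> (.+)$")                       # -> dll path


def parse_reg_loading_points(text):
    """Pull three facts out of the log: overlay identifier key -> CLSID,
    CLSID -> DLL path, and DLL path -> processes it was loaded in."""
    overlays = []    # (full key path, CLSID)
    clsid_dll = {}   # CLSID -> DLL path
    loaded = {}      # lowercased DLL path -> [process, ...]
    current_key = None
    current_proc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # a blank line ends the current key/process block
            current_key = current_proc = None
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1)
            continue
        if m := PROCESS_RE.match(line):
            current_proc = m.group(1)
            continue
        if (m := LOADED_RE.match(line)) and current_proc:
            loaded.setdefault(m.group(1).lower(), []).append(current_proc)
            continue
        if current_key is None:
            continue
        key_lower = current_key.lower()
        if "\\shelliconoverlayidentifiers\\" in key_lower:
            if m := CLSID_VAL_RE.match(line):
                overlays.append((current_key, m.group(1).upper()))
        elif key_lower.startswith("hkey_classes_root\\clsid\\"):
            if m := FILE_LINE_RE.match(line):
                clsid_dll[current_key.rsplit("\\", 1)[1].upper()] = m.group(1)
    return overlays, clsid_dll, loaded


def resolve_overlay_chain(text):
    """One record per ShellIconOverlayIdentifiers entry: the DLL its CLSID maps
    to, the processes that have it loaded, and whether Explorer holds it. A DLL
    mapped into explorer.exe is locked while Explorer runs, hence the
    "Access Denied" on a plain delete and the reboot / KILLALL:: step."""
    overlays, clsid_dll, loaded = parse_reg_loading_points(text)
    records = []
    for key_path, clsid in overlays:
        dll = clsid_dll.get(clsid)
        procs = loaded.get(dll.lower(), []) if dll else []
        records.append({
            "overlay_key": key_path,
            "overlay": key_path.rsplit("\\", 1)[1],
            "clsid": clsid,
            "dll": dll,
            "loaded_in": procs,
            "locked_by_explorer": any(p.lower().endswith("\\explorer.exe") for p in procs),
        })
    return records


def removal_reg_script(record):
    """REGEDIT4 text that deletes the overlay key and its CLSID, mirroring the
    fix.reg posted above ([-KEY] is the .reg syntax for deleting a key)."""
    return "\n".join([
        "REGEDIT4",
        "",
        "[-HKEY_CLASSES_ROOT\\CLSID\\%s]" % record["clsid"],
        "",
        "[-%s]" % record["overlay_key"],
        "",
    ])


if __name__ == "__main__":
    for rec in resolve_overlay_chain(SAMPLE_LOG):
        print("%s -> %s -> %s (loaded in: %s)" % (
            rec["overlay"], rec["clsid"], rec["dll"], ", ".join(rec["loaded_in"]) or "none"))
        if rec["locked_by_explorer"]:
            print(removal_reg_script(rec))
```

Run against a real ComboFix.txt, the same functions list every icon-overlay handler with its backing DLL, so an unfamiliar handler name or a DLL sitting in system32 with no vendor (compare the signed entries in the O23 services list above) stands out before anything is deleted; the generated .reg text is only the registry half of the cleanup, and the file itself still has to be removed once Explorer no longer holds it.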

Juliet,

Here is the latest scan. I didn't know how to look for that file in the taskbar; I've never done that before.

thanks,

 

ComboFix 08-02-14.1 - Mark Gisi 2008-02-15 13:41:52.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.282 [GMT -6:00]

Running from: C:\Documents and Settings\Mark Gisi\My Documents\ComboFix.exe

Command switches used :: C:\Documents and Settings\Mark Gisi\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\WINDOWS\system32\micwiz.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\micwiz.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))

.

 

2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab

2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-02-13 18:43 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl

2008-02-13 18:42 . 2008-02-13 18:42 <DIR> d-------- C:\Program Files\Common Files\Java

2008-02-13 17:42 . 2004-08-04 01:56 388,608 --a------ C:\kmd.exe

2008-02-13 14:19 . 2008-02-13 14:19 <DIR> d-------- C:\Deckard

2008-02-13 12:43 . 2008-02-13 12:43 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat

2008-02-13 12:40 . 2008-02-13 12:40 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat

2008-02-13 12:33 . 2008-02-13 12:33 <DIR> d-------- C:\Program Files\Trend Micro

2008-02-13 11:35 . 2008-02-13 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-02-10 20:43 . 2008-02-13 12:38 8,693,760 --a------ C:\WINDOWS\SYSTEM32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat

2008-02-10 20:43 . 2008-02-13 12:38 2,177,024 --a------ C:\WINDOWS\SYSTEM32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat

2008-02-10 20:43 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat

2008-02-08 21:32 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat

2008-01-28 11:30 . 2002-07-31 19:55 106 ---hs---- C:\WINDOWS\WSYS049.SYS

2008-01-28 11:30 . 2001-09-05 12:28 41 ---h----- C:\WINDOWS\trfntw32.cfg

2008-01-21 18:50 . 2008-01-21 18:51 <DIR> d-------- C:\Program Files\iTunes

2008-01-21 18:41 . 2008-01-21 18:41 <DIR> d-------- C:\Program Files\Bonjour

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-15 00:21 --------- d-----w C:\Program Files\LimeWire

2008-02-14 22:58 43,742 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\wklnhst.dat

2008-02-14 20:40 --------- d-----w C:\Program Files\filesubmit

2008-02-14 00:43 --------- d-----w C:\Program Files\Java

2008-02-13 17:35 --------- d-----w C:\Program Files\Lavasoft

2008-02-13 17:07 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Lavasoft

2008-02-12 19:21 --------- d-----w C:\Program Files\SpywareBlaster

2008-02-09 02:54 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Move Networks

2008-01-29 00:18 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Image Zone Express

2008-01-23 17:19 --------- d-----w C:\Program Files\RegistryFix

2008-01-22 00:51 --------- d-----w C:\Program Files\iPod

2008-01-22 00:41 --------- d-----w C:\Program Files\QuickTime

2007-12-30 20:51 --------- d-----w C:\Program Files\Common Files\Apple

2007-12-30 20:51 --------- d-----w C:\Program Files\Apple Software Update

2007-12-30 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys

2004-12-12 22:50 251,040 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 21:21 4662776]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk

backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk

backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Gisi^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

C:\PROGRA~1\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

C:\Program Files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Security Console]

C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover]

C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPSF]

C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\BPS Firewall.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]

C:\Program Files\ClamWin\bin\ClamTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-12-10 20:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

--a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2005-09-20 08:35 94208 C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

--a------ 2003-09-03 19:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]

--a------ 2003-07-14 13:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]

--a------ 2004-07-01 15:20 212992 C:\Updater.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

--------- 2003-03-04 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

--------- 2003-12-05 21:08 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

--a------ 2003-06-18 11:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

C:\Program Files\MySpace\IM\MySpaceIM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2003-08-26 18:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]

C:\Program Files\PCPitstop\Optimize\Reminder.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]

--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]

C:\Program Files\Norton Internet Security\UrlLstCk.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2006-10-26 21:21 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]

--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]

--a------ 2005-04-22 19:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

 

R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 14:16]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

S3 DrvFltIp;DrvFltIp;C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\DrvFltIp.sys []

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 10:29]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

.

Contents of the 'Scheduled Tasks' folder

"2004-12-06 21:50:07 C:\WINDOWS\Tasks\XoftSpy.job"

- C:\Program Files\XoftSpy\XoftSpy.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-15 13:48:44

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2008-02-15 13:54:24 - machine was rebooted

ComboFix-quarantined-files.txt 2008-02-15 19:54:20

ComboFix2.txt 2008-02-15 16:22:07

ComboFix3.txt 2008-02-14 00:15:31

.

2008-02-15 18:01:32 --- E O F ---

Juliet   

IT'S GONE!

 

LOL

 

All I can think of now, if you haven't done so already, is to reboot your computer if ComboFix didn't.

 

Post back and let me know what issues remain.

Juliet   

Let me make a suggestion please...

Since this program had capabilities that we are unsure of...

 

If you do any type of personal transactions on this computer, such as financial transactions or anything involving other sensitive information, please get to a known clean computer and change all passwords where applicable: PIN numbers, credit card numbers, account numbers, etc.

 

 

Do this step next

 

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u, it needs to be there.

     

    Example below


The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
