CmdService Removal

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
 
Malwarebytes' Anti-Malware 1.09
Database version: 560

Scan type: Quick Scan
Objects scanned: 28626
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{22342b44-5b98-4b30-9d53-c182ad8df217} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\1NZ3PLWE\!update-4495[1].0000 (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\1OKF11WX\snapsnet[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\KL67O9YF\17PHolmes[1].cmt (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\QDDUFETS\yazzsnet[1].exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\VAKFVXCX\wavvsnet[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\urqom.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk (Malware.Trace) -> Quarantined and deleted successfully.
 
Hello Skat13,

Let's grab a new DSS log and see how things are looking.

  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open one Notepad main.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.
 
Deckard's System Scanner v20071014.68
Run by Daniel Johnson on 2008-03-31 09:10:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 4.85 GiB (less than 15%) free.


-- HijackThis (run as Daniel Johnson.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:39 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Documents and Settings\Daniel Johnson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DANIEL~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5614 bytes

-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-28 13:41:36 0 d-------- C:\Logs
2008-03-28 08:39:22 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\Malwarebytes
2008-03-28 08:39:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 08:39:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 08:56:52 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-16 12:02:18 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-16 12:02:18 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-16 12:02:18 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-16 12:02:18 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-16 12:02:12 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-03-14 20:26:29 0 d-------- C:\WINDOWS\system32\LogFiles
2008-03-14 10:34:16 0 d-------- C:\Program Files\Trend Micro
2008-03-07 12:22:37 644 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-07 11:58:36 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-07 11:58:36 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-07 11:58:36 86016 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-07 11:58:36 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-07 11:58:36 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-07 11:58:36 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-07 11:58:36 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-07 11:53:08 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla
2008-02-29 11:31:54 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\WinRAR


-- Find3M Report ---------------------------------------------------------------

2008-03-31 08:25:25 14495 --a------ C:\WINDOWS\system32\tablet.dat
2008-03-28 13:41:14 0 d-------- C:\Program Files\World of Warcraft
2008-03-26 10:25:40 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\AdobeUM
2008-03-18 06:15:08 0 d-------- C:\Program Files\Norton SystemWorks
2008-03-18 06:15:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-18 02:12:03 0 d-------- C:\Program Files\Canon
2008-03-18 02:11:07 0 d-------- C:\Program Files\Symantec
2008-03-18 02:06:39 0 d-------- C:\Program Files\Common Files
2008-03-17 08:56:57 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\Adobe
2008-02-13 10:05:39 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\U3
2008-02-12 10:55:24 3495 --a------ C:\Documents and Settings\Daniel Johnson\Application Data\evpro32.prf
2008-02-10 09:48:17 0 d-------- C:\Program Files\Dl_cats


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 04:32 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [07/11/2006 07:23 AM]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [07/11/2006 07:24 AM]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [07/11/2006 07:26 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/20/2007 10:07 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 AM]

C:\Documents and Settings\Daniel Johnson\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 11:04:12 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
DESKTOP.INI [8/10/2004 11:04:12 AM]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [1/11/2005 1:15:51 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 02:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqono.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McafWelcome]
c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
"C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
"C:\PROGRA~1\FNTS~1\javaw.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrustyHound-TS]
C:\Program Files\TrustyHound-TS\TrustyHound-TS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1585e890-865c-11db-856d-000e3589901d}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4038beb3-fa10-11dc-88e1-000e3589901d}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{437d4a30-101d-11dc-86c5-000e3589901d}]
AutoRun\command- F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e905306-c601-11dc-887e-000e3589901d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{937d47d0-d271-11db-863f-000e3589901d}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b538ee31-ae58-11dc-884b-000e3589901d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5dad423-d0c1-11db-863b-000e3589901d}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-03-31 09:10:55 ------------
 
Hello Skat13,

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Open notepad and copy (Ctrl C) and paste (Ctrl V) the following text in the quote:

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1585e890-865c-11db-856d-000e3589901d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4038beb3-fa10-11dc-88e1-000e3589901d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{437d4a30-101d-11dc-86c5-000e3589901d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e905306-c601-11dc-887e-000e3589901d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{937d47d0-d271-11db-863f-000e3589901d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b538ee31-ae58-11dc-884b-000e3589901d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5dad423-d0c1-11db-863b-000e3589901d}]

Save it to your drive C:\ as fix131.reg and as Type "All files".

Double click on fix131.reg and allow when prompted to let it merge with the registry.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\rqono.dll
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\VACFix.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\IEDFix.exe
    C:\WINDOWS\system32\dumphive.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\rqono.dll
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\VACFix.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\IEDFix.exe
    C:\WINDOWS\system32\dumphive.exe
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Vundo didn't find anything.

I tried to merge the text file into the registry (and I know that I have done this before), but this time it just keeps prompting me to "Open With". I guess there is a file association that I don't want or something.

Anyways, moveit went well. Logfile:

File/Folder C:\WINDOWS\system32\rqono.dll not found.
C:\WINDOWS\system32\tmp.reg moved successfully.
C:\WINDOWS\system32\WS2Fix.exe moved successfully.
C:\WINDOWS\system32\VCCLSID.exe moved successfully.
C:\WINDOWS\system32\VACFix.exe moved successfully.
C:\WINDOWS\system32\SrchSTS.exe moved successfully.
C:\WINDOWS\system32\Process.exe moved successfully.
C:\WINDOWS\system32\IEDFix.exe moved successfully.
C:\WINDOWS\system32\dumphive.exe moved successfully.
[Custom Input]
< C:\WINDOWS\system32\rqono.dll >
File/Folder C:\WINDOWS\system32\rqono.dll not found.
< C:\WINDOWS\system32\tmp.reg >
File/Folder C:\WINDOWS\system32\tmp.reg not found.
< C:\WINDOWS\system32\WS2Fix.exe >
File/Folder C:\WINDOWS\system32\WS2Fix.exe not found.
< C:\WINDOWS\system32\VCCLSID.exe >
File/Folder C:\WINDOWS\system32\VCCLSID.exe not found.
< C:\WINDOWS\system32\VACFix.exe >
File/Folder C:\WINDOWS\system32\VACFix.exe not found.
< C:\WINDOWS\system32\SrchSTS.exe >
File/Folder C:\WINDOWS\system32\SrchSTS.exe not found.
< C:\WINDOWS\system32\Process.exe >
File/Folder C:\WINDOWS\system32\Process.exe not found.
< C:\WINDOWS\system32\IEDFix.exe >
File/Folder C:\WINDOWS\system32\IEDFix.exe not found.
< C:\WINDOWS\system32\dumphive.exe >
File/Folder C:\WINDOWS\system32\dumphive.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04012008_102815
 
Hello Skat13,

Ok, please post back with a new Hijackthis log, and an update on how your computer is currently running :)
 
HJT log, thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:44 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5707 bytes
 
Hello Skat13,

Let's run DSS again.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
 
DSS

Deckard's System Scanner v20071014.68
Run by Daniel Johnson on 2008-04-08 08:47:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 4.56 GiB (less than 15%) free.


-- HijackThis (run as Daniel Johnson.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:26 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Documents and Settings\Daniel Johnson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DANIEL~1.EXE
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5741 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-06 18:12:03 0 d-------- C:\Program Files\Panda Security
2008-04-01 10:50:50 0 d-------- C:\VundoFix Backups
2008-03-28 14:41:36 0 d-------- C:\Logs
2008-03-28 09:39:22 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\Malwarebytes
2008-03-28 09:39:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 09:39:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 09:56:52 2566 --a------ C:\WINDOWS\mozver.dat
2008-03-16 13:02:18 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-16 13:02:18 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-16 13:02:18 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-16 13:02:18 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-16 13:02:12 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-03-14 21:26:29 0 d-------- C:\WINDOWS\system32\LogFiles
2008-03-14 11:34:16 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-04-08 08:46:34 14495 --a------ C:\WINDOWS\system32\tablet.dat
2008-04-02 14:31:57 0 d-------- C:\Program Files\World of Warcraft
2008-04-01 15:09:10 0 d-------- C:\Program Files\Google
2008-03-26 11:25:40 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\AdobeUM
2008-03-18 07:15:08 0 d-------- C:\Program Files\Norton SystemWorks
2008-03-18 07:15:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-18 03:12:03 0 d-------- C:\Program Files\Canon
2008-03-18 03:11:07 0 d-------- C:\Program Files\Symantec
2008-03-18 03:06:39 0 d-------- C:\Program Files\Common Files
2008-03-17 09:56:57 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\Adobe
2008-03-07 12:53:08 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla
2008-02-29 12:31:54 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\WinRAR
2008-02-13 11:05:39 0 d-------- C:\Documents and Settings\Daniel Johnson\Application Data\U3
2008-02-12 11:55:24 3495 --a------ C:\Documents and Settings\Daniel Johnson\Application Data\evpro32.prf
2008-02-10 10:48:17 0 d-------- C:\Program Files\Dl_cats


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 05:32 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 02:22 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [07/11/2006 08:23 AM]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [07/11/2006 08:24 AM]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [07/11/2006 08:26 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/20/2007 11:07 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]

C:\Documents and Settings\Daniel Johnson\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 12:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 2:19:50 AM]
DESKTOP.INI [8/10/2004 12:04:12 PM]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [1/11/2005 2:15:51 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 03:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqono.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McafWelcome]
c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
"C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrustyHound-TS]
C:\Program Files\TrustyHound-TS\TrustyHound-TS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask




-- End of Deckard's System Scanner: finished at 2008-04-08 08:47:41 ------------
 
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-06 18:55:52
PROTECTIONS: 0
MALWARE: 52
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\_OTMoveIt\MovedFiles\04012008_102815\WINDOWS\system32\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.247realmedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Cookies\daniel johnson@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.tribalfusion.com/]
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.anm.co.uk/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.com.com/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.perf.overture.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.bs.serving-sys.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[www.burstbeacon.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[server.iad.liveperson.net/hc/68193277]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[stat.onestat.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.questionmarket.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.go.com/]
00202347 application/winfixer2005 HackTools No 0 Yes No c:\windows\system32\df_kme.exe
00261117 Adware/BHO Adware No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95711
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.atwola.com/]
00271268 application/sysprotect HackTools No 0 Yes No hkey_local_machine\software\classes\appid\mmfxctrl.dll
00271268 application/sysprotect HackTools No 0 Yes No hkey_local_machine\software\classes\appid\fxcore.dll
00271268 application/sysprotect HackTools No 0 Yes No hkey_local_machine\software\classes\appid\checkproduct2_1.dll
00271268 application/sysprotect HackTools No 0 Yes No c:\program files\common files\sysprotect
00271268 application/sysprotect HackTools No 0 Yes No c:\documents and settings\all users\start menu\programs\sysprotect
00271268 application/sysprotect HackTools No 0 Yes No c:\windows\system32\drivers\sscan.sys
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Johnson\Application Data\Mozilla\Firefox\Profiles\nffb0xkc.default\cookies.txt[.ads.addynamix.com/]
00517584 Application/SuperFast HackTools No 0 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe
00958505 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
01716697 Application/Winantivirus2006 HackTools No 0 Yes No C:\Program Files\Common Files\SysProtect\PCheck.dll
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe
02673854 Application/ErrorSafe HackTools No 0 Yes No C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N69M1703NetInstaller.exe
02673854 Application/ErrorSafe HackTools No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\USYP_0001_N69M1703NetInstaller.exe.vir
02673854 Application/ErrorSafe HackTools No 0 Yes No C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N69M1703NetInstaller.exe
02684897 Application/AVSystemCare HackTools No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe.vir
02887738 Trj/Downloader.PLF Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iDlo01\iDlo011065.exe.vir
02893214 Adware/VirusAlarma Adware No 0 Yes No C:\QooBox\Quarantine\C\Documents and Settings\Daniel Johnson\Application Data\printer.exe.vir
02895017 Adware/PurityScan Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\FNTS~1\javaw.exe.vir
02902696 Adware/ActiveXCodec2008 Adware No 0 Yes No C:\_OTMoveIt\MovedFiles\03242008_181135\cduaz0.exe
02905686 Trj/Agent.IGW Virus/Trojan No 0 Yes No C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\KN536A3D\ctxad-576[1].0000
02906137 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\1OKF11WX\hctp[1]
02906340 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\QDDUFETS\ptch[1]
02906397 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\X18XAX3Q\iddqd[1]
02906397 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sconqawf.dll.vir
02906397 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tynlujww.dll.vir
02906420 Trj/Downloader.SYS Virus/Trojan No 0 Yes No C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\VAKFVXCX\mrofinu[1].zip[mrofinu.exe]
02907258 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\KN536A3D\hctp[1]
02907258 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wrscuoni.dll.vir
02907634 Adware/PurityScan Adware No 0 Yes No C:\QooBox\Quarantine\C\Documents and Settings\Daniel Johnson\My Documents\ICROSO~1\аti2evxx.exe.vir
02907725 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uatlwccq.dll.vir
02907726 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bblmahow.dll.vir
02908064 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nohqjfdw.dll.vir
02908065 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\udomfpup.dll.vir
02908211 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\irpygddq.dll.vir
02909339 Adware/Maxifiles Adware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\s7\gbsu011.exe.vir
02910323 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tjeqghvn.dll.vir
02910537 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jvspbwby.dll.vir
02910558 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\28A7N0A5\ptch[1]
02910558 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\akahpstx.dll.vir
02910558 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uuwgqhul.dll.vir
02910561 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Daniel Johnson\Local Settings\Temporary Internet Files\Content.IE5\C7RJQWDT\iddqd[1]
02910561 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ogmjchnd.dll.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location m
;===================================================================================================================================================================================
 
Hello Skat13 :)

Open Notepad, then copy (Ctrl+C) and paste (Ctrl+V) the following text into it:

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-hkey_local_machine\software\classes\appid\mmfxctrl.dll]

[-hkey_local_machine\software\classes\appid\fxcore.dll]

[-hkey_local_machine\software\classes\appid\checkproduct2_1.dll]

Save it to your C:\ drive as fix13.reg, with "Save as type" set to "All files".


Double click on fix13.reg and allow when prompted to let it merge with the registry.

----------------------------------------------- Step 2

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    c:\program files\common files\sysprotect
    c:\documents and settings\all users\start menu\programs\sysprotect
    C:\Program Files\Common Files\SysProtect
    c:\windows\system32\drivers\sscan.sys
    c:\windows\system32\df_kme.exe
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N69M1703NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N69M1703NetInstaller.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

----------------------------------------------- Step 3

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----------------------------------------------- Step 4

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

In summary, please include the following logs in your next reply:
  • The OTMoveIt2 log.
  • The Panda ActiveScan log.
  • A new HijackThis log.
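Added example, not part of the helper's post or of any tool named in this thread: the fix13.reg above resets the LSA "Authentication Packages" value to the single string msv1_0, which matters because LSASS loads every DLL named in that REG_MULTI_SZ at boot. Before merging such a fix, a practitioner would want to decode the hex(7) payload from a registry export and see what is actually listed. The Python below parses a REGEDIT4 file (joining backslash-continued hex lines and skipping the [-key] deletion directives), decodes the ANSI REG_MULTI_SZ, and reports any package other than msv1_0. The clean sample is the post's own value; the tampered sample and the package name "badpkg" are constructed for illustration only. It assumes the REGEDIT4 export format (single-byte text); "Windows Registry Editor Version 5.00" exports encode hex(7) as UTF-16LE instead.

```python
"""Decode a REGEDIT4 hex(7) REG_MULTI_SZ and check the LSA Authentication Packages list."""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
VALUE_NAME = "Authentication Packages"
EXPECTED_AUTH_PACKAGES = ["msv1_0"]  # stock value the fix13.reg restores

# Constructed sample: the fix posted above (clean value plus deletion directives).
FIX_REG = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00\n\n'
    "[-hkey_local_machine\\software\\classes\\appid\\mmfxctrl.dll]\n"
)

# Constructed sample of a tampered export: a second, hypothetical package
# ("badpkg") appended, with the hex payload wrapped onto a continuation line.
TAMPERED_REG = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
    '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,\\\n'
    "  62,61,64,70,6b,67,00,00\n"
)


def _join_continuations(text):
    """REGEDIT4 wraps long hex values with a trailing backslash; undo that."""
    return re.sub(r"\\\r?\n\s*", "", text)


def parse_reg_values(text):
    """Return {(key_lowercase, value_name): raw_value} for every "name"=value line."""
    values = {}
    current_key = None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.startswith("-"):
                current_key = None  # [-key] deletes a key; no values follow it
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current_key is not None:
            values[(current_key.lower(), m.group(1))] = m.group(2)
    return values


def decode_hex7(raw):
    """Decode 'hex(7):6d,73,...' (ANSI REG_MULTI_SZ) into a list of strings."""
    if not raw.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value: %r" % raw)
    data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b.strip())
    strings = data.decode("latin-1").split("\x00")
    while strings and strings[-1] == "":  # drop the list terminator
        strings.pop()
    return strings


def encode_hex7(strings):
    """Inverse of decode_hex7: build the hex(7) payload for a .reg fix."""
    data = "\x00".join(strings).encode("latin-1") + b"\x00\x00"
    return "hex(7):" + ",".join("%02x" % b for b in data)


def check_auth_packages(reg_text, expected=EXPECTED_AUTH_PACKAGES):
    """Report the packages listed under the LSA key and any not in the baseline."""
    values = parse_reg_values(reg_text)
    raw = values.get((LSA_KEY.lower(), VALUE_NAME))
    if raw is None:
        return {"found": False, "packages": [], "unexpected": []}
    packages = decode_hex7(raw)
    baseline = {e.lower() for e in expected}
    unexpected = [p for p in packages if p.lower() not in baseline]
    return {"found": True, "packages": packages, "unexpected": unexpected}


if __name__ == "__main__":
    for label, sample in (("fix13.reg", FIX_REG), ("tampered export", TAMPERED_REG)):
        result = check_auth_packages(sample)
        print(label, "->", result["packages"], "unexpected:", result["unexpected"])
    print("fix payload:", encode_hex7(EXPECTED_AUTH_PACKAGES))
```

Run it against a real export by reading the file with `open(path, encoding="mbcs")` on Windows and passing the text to `check_auth_packages`; anything in `unexpected` is a DLL LSASS will load at the next boot and deserves a look before the fix is merged.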
 
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me a private message (pm). A valid, working link to the closed topic is required.
 