Trojan help

[mla34]

Hi.
It appears that I have a Virus/Trojan issue on my computer. In trying to solve these issues on my own (and under the direction of a friend) I ran the Malwarebytes Anti-Malware program, which successfully removed 47 infected items from my system. After running it a second time, it removed 3 infected items. A third scan showed no infected items. However, I continue to have issues and am turning to you, the experts.

As I am in uncharted territory dealing with this, I have read the information in the “Before You Post” section but I am unsure how to proceed in light of the cleaning that I have already tried. I am ready to run the ERUNT and HiJack This programs on the infected computer but am unsure whether to run them while on my user account (has admin rights and appears to be unaffected by the Trojan) or on the user account that is showing symptoms of being infected by the Trojan but without admin rights.

I will include a few more pieces of information here, although I realize I will have to explain again after running the two programs you request. It was suggested by a well meaning helper to turn off System Restore while trying to deal with the Trojan removal and after reading your information I now realize that I may have inadvertently screwed something up. It has since been turned back on.

Task Manager is grayed out only in the infected user account and, although I can get Internet access on my user account, I cannot get Internet access on that account. I cannot diagnose the connection since I removed the admin rights and don’t want to change that without knowing it is ok to do so.

Thank you in advance for whatever guidance you can give me. Your help is much appreciated! :thanks:

 

[ken545]

mla34,

Welcome to the forum. Yep, a bad restore point is better than no restore point, keep it enabled.

Please download RootRepeal from one of these locations and save it to your desktop
Here
Here
Here

• Open
  
  on your desktop.
• Click the
  
  tab.
• Click the
  
  button.
• Check just these boxes:
• 
• Push Ok
• Check the box for your main system drive (Usually C:, and press Ok.
• Allow RootRepeal to run a scan of your system. This may take some time.
• Once the scan completes, push the
  
  button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
  
  
  
  
  

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

 

[mla34]

No luck

Ken,
Thank you for helping me out here. I downloaded both programs onto my desktop using my user account with admin rights. When I tried to run RootRepeal I got a small information window stating "Initializing, please wait..." and absolutely nothing happened; no windows opened. I checked in the task manager and although is was on the processes list there was no activity.

When I tried to run the RSIT program I got a window saying
"C:\Documents and Settings\Maureen\Desktop\RSIT.exe not a valid Win32 application."

I am unsure about how to get around this so I will wait for your next route of attack. Thank you again for your assistance.

 

[ken545]

Try running this program and then try RootRepeal again


Please download and run the following tool to help allow other programs to run. (Thanks to Grinler of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

Rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
Rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
Rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
Rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif

 

[mla34]

Still no luck

Hi, Ken.

I downloaded each link with the same results. Running the program opens a "DOS" looking window giving me the message "Terminating known malware processes. Please be patient." The cursor flashes and after about 30 seconds the screen disappears, along with all my desktop icons. In another few seconds the icons reappear and I have no confirmation that the program actually ran. I tried running both the RootRepeal and RSIT programs after each of the Rkill downloads hoping that maybe it had actually run but with no luck. I get the same results/messages with both of those. When I try to run RootRepeal my computer seems to be suspended with the message "initializing, please wait..." so I end up having to reboot.
Just FYI, I am using Windows XP Home edition.

 

[ken545]

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

 

[mla34]

Here's the log entry....

exeHelper by Raktor
Build 20091220
Run at 14:20:48 on 01/23/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

My antivirus program is giving me a "registry change detected" window with the options of "allow" or "block" change. I don't want to assume anything so which should I choose?

 

[ken545]

Allow , then do this

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• See this Link for programs that need to be disabled and instruction on how to disable them.
• Remember to re-enable them when we're done.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

 

[mla34]

ok....here are both logs you asked for...

ComboFix 10-01-23.02 - Maureen 01/23/2010 16:14:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.621 [GMT -5:00]
Running from: c:\documents and settings\Maureen\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\MSN6
c:\documents and settings\All Users\Application Data\MSN6\au.ini
c:\documents and settings\Gregory Arnold\Application Data\MSN6
c:\documents and settings\Gregory Arnold\Application Data\MSN6\msndata.dat
c:\documents and settings\Gregory Arnold\Application Data\MSN6\msndata001.dat
c:\documents and settings\Gregory Arnold\Application Data\MSN6\msndata002.dat
c:\documents and settings\Gregory Arnold\Application Data\MSN6\msndata003.dat
c:\documents and settings\Maureen\Application Data\MSN6
c:\documents and settings\Maureen\Application Data\MSN6\msndata.dat
c:\documents and settings\Maureen\Application Data\MSN6\msndata001.dat
c:\documents and settings\Maureen\My Documents\ZbThumbnail.info
C:\s
c:\windows\EventSystem.log
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\29358.exe
c:\windows\system32\6334.exe
c:\windows\system32\Data
c:\windows\system32\logs
c:\windows\system32\logs\Events.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LSASS
-------\Service_lsass


((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-20 17:08 . 2010-01-20 17:08 -------- d-sh--w- c:\documents and settings\Carolyn\PrivacIE
2010-01-20 17:04 . 2010-01-20 17:04 -------- d-sh--w- c:\documents and settings\Carolyn\IETldCache
2010-01-18 02:19 . 2010-01-18 13:30 -------- d-----w- c:\documents and settings\Gregory Arnold\Local Settings\Application Data\dkjyqo
2010-01-17 21:22 . 2010-01-17 21:29 -------- d-----w- c:\program files\Garmin
2010-01-17 21:22 . 2010-01-17 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2010-01-17 21:22 . 2010-01-17 21:22 -------- d-----w- C:\Garmin
2010-01-17 19:49 . 2010-01-17 20:25 -------- d-----w- c:\documents and settings\Maureen\Application Data\Download Manager
2010-01-17 19:39 . 2010-01-17 20:53 -------- d-----w- c:\documents and settings\Maureen\Application Data\GARMIN
2010-01-17 01:54 . 2010-01-17 01:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-17 01:47 . 2010-01-17 01:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-16 19:55 . 2010-01-16 19:55 -------- d-----w- c:\documents and settings\Maureen\Application Data\Malwarebytes
2010-01-16 19:55 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-16 19:55 . 2010-01-16 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-16 19:55 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 19:55 . 2010-01-17 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 03:16 . 2009-12-30 03:16 -------- d-sh--w- c:\documents and settings\Bob\PrivacIE
2009-12-30 03:14 . 2009-12-30 03:14 -------- d-sh--w- c:\documents and settings\Bob\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 21:31 . 2009-08-23 20:04 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-23 21:31 . 2009-08-23 20:02 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-01-23 02:54 . 2008-10-24 23:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 15:49 . 2004-04-20 23:23 41224 ----a-w- c:\documents and settings\Maureen\Application Data\wklnhst.dat
2010-01-10 12:39 . 2004-11-08 01:35 12086 -c--a-w- c:\documents and settings\Gregory Arnold\Application Data\wklnhst.dat
2009-12-21 19:14 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 09:31 . 2005-09-10 18:28 -------- d-----w- c:\program files\Google
2009-12-05 18:50 . 2009-08-23 20:10 -------- d-----w- c:\documents and settings\Maureen\Application Data\Skype
2009-12-05 13:05 . 2009-08-23 20:14 -------- d-----w- c:\documents and settings\Maureen\Application Data\skypePM
2009-12-02 03:14 . 2009-12-02 02:51 -------- d-----w- c:\documents and settings\Gregory Arnold\Application Data\Skype
2009-11-25 08:01 . 2009-11-25 08:01 -------- d-----w- c:\program files\MSXML 4.0
2009-11-21 15:51 . 2002-08-29 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-07-31 11:32 . 2008-07-31 11:32 27024112 -c--a-w- c:\program files\PowerPointViewer.exe
2008-03-10 18:35 . 2008-03-10 18:35 0 -c--a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 13:26 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-10-15 06:04 . 2008-10-15 06:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2004-04-13 06:33 . 2004-08-25 17:52 339968 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2007-08-26 22:21 . 2007-08-26 22:21 185632 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2007-05-03 00:52 . 2006-11-23 02:10 151552 c:\program files\CyberLink\PCM4Everio\bak\EverioService.exe

2007-03-15 16:09 . 2007-03-15 16:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2007-05-14 15:23 . 2007-01-11 19:08 387152 c:\program files\Entriq\MediaSphere\Bin\bak\EntriqMediaTray.exe

2007-06-28 14:14 . 2007-06-28 14:14 270648 c:\program files\iTunes\bak\iTunesHelper.exe
2009-09-09 02:09 . 2009-09-09 02:09 305440 c:\program files\iTunes\iTunesHelper.exe

2007-07-09 16:52 . 2007-03-14 08:43 83608 c:\program files\Java\jre1.6.0_01\bin\bak\jusched.exe

2007-04-27 14:41 . 2007-04-27 14:41 282624 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 06:54 . 2009-09-05 06:54 417792 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" [N/A]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-13 8466432]
"nwiz"="nwiz.exe" [2007-08-13 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-13 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [N/A]

c:\documents and settings\Bob\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-7-8 225280]

c:\documents and settings\Carolyn\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-12-5 24651]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-6-26 610304]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
CTASIO.DLL [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2004-08-25 15:27 65536 -c--a-w- c:\windows\SYSTEM32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 -c--a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 -c--a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-06-02 18:25 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 06:04 114741 -c--a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 -c--a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-10-06 15:05 53248 -c--a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
2004-08-13 21:41 86016 -c--a-w- c:\program files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 -c----w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Java\j2re1.4.2_05\bin\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2007-01-04 21:38 112336 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/28/2008 10:10 AM 24652]
R3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\SYSTEM32\DRIVERS\ZD1211BU.sys [4/11/2008 8:52 PM 722432]
S2 gupdate1c9aff7d14c6f00;Google Update Service (gupdate1c9aff7d14c6f00);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2009 5:52 PM 133104]
S2 MtxVideo;Matrox WDM capture/crossbar driver;c:\windows\SYSTEM32\DRIVERS\mtxvideo.sys [5/4/2008 11:22 AM 103296]
S3 SysInfo;SysInfo;c:\program files\PlayOnline\SquareEnix\PlayOnlineViewer\polcfg\sysinfo.sys [8/29/2003 2:40 PM 6912]
.
Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-01-18 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2002-08-29 00:12]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 22:51]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 22:51]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-16 17:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-16 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uInternet Settings,ProxyOverride = *.local
Trusted Zone: dslreports.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://webgames.d.tmsrv.com/c=fdb86f236d4106103ae39aef993e7860/aff=t_03cm_wg/p/release/playfirst/wg_dreamchronicles/dreamchronicles/dreamweb.1.0.0.9.cab
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-23 16:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4352)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-01-23 16:48:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-23 21:48

Pre-Run: 28,153,606,144 bytes free
Post-Run: 30,618,271,744 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 9A1077F98D7484AF066C2F5BC6094D37


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:13 PM, on 1/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/gamelanding/dailymahjong.jsp"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMCWUSB-G 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.dslreports.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/cabs/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://chill.comcast.net/Gameshell/online/en/abc_island/abcisland.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188277990390
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://webgames.d.tmsrv.com/c=fdb86...ronicles/dreamchronicles/dreamweb.1.0.0.9.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://chill.comcast.net/GameShell/online/en/luxor/mjolauncher.cab
O16 - DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} (AtlAsianataCtlAttrib Class) - http://chill.comcast.net/GameShell/online/en/Asianata/asianata.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_5_2_2_Silent.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} (NBCUniversal Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_7.cab
O16 - DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} (CPlayFirstDreamChronControl Object) - http://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup163.cab
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1c9aff7d14c6f00) (gupdate1c9aff7d14c6f00) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 14265 bytes

 

[ken545]

Hi,

Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent, is considered Adware, uses system resources and is not needed for anything.


You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE

c:\documents and settings\Gregory Arnold\Local Settings\Application Data\dkjyqo <--Delete this folder


c:\program files\temp01 <--Can you tell me what this is ??




Please download FindAWF and save it to your desktop

• * Double-click FindAWF.exe to start the tool.
  * Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
  * When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**

 

[mla34]

Here is the log file from AWF scan...

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 01/23/2010
The current time is: 22:57:25.25


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06/28/2007 09:14 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\MYSI\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 09:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/25/2004 12:52 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\CYBERL~1\PCM4EV~1\BAK

11/22/2006 09:10 PM 151,552 EverioService.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/26/2007 05:21 PM 185,632 realsched.exe
1 File(s) 185,632 bytes

Directory of C:\PROGRA~1\ENTRIQ\MEDIAS~1\BIN\BAK

01/11/2007 02:08 PM 387,152 EntriqMediaTray.exe
1 File(s) 387,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 03:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
270648 Jun 28 2007 "C:\Program Files\iTunes\iTunesHelper.exe2766896034"
270648 Jun 28 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 19 2009 "C:\WINDOWS\Installer\{EC2A8F27-4FBF-4E41-B27B-FE822511B761}\iTunesIco.exe"
417792 Sep 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
151552 Nov 22 2006 "C:\Program Files\CyberLink\PCM4Everio\bak\EverioService.exe"
39792 Oct 15 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
185632 Aug 26 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
387152 Jan 11 2007 "C:\Program Files\Entriq\MediaSphere\Bin\bak\EntriqMediaTray.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"


end of report


Also, the file you are asking about is a lone file among the folders in my program files directory. The size is 0 bytes - nothing in there?
Do you want me to delete it?

One more point I'm worried about is that while I was away from my computer, my antivirus has been disabled. It was fine after completing the last task so I am not sure what happened.

Thanks again for your help.

 

[mla34]

my bad

Ken..

oops...disregard the antivirus notice concern....I had forgotten to go back and enable the firewall, etc....so sorry.....

 

[ken545]

Good Morning,

Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent, is considered Adware, uses system resources and is not needed for anything.


Then update your Java, its important that you uninstall previous versions

Download the latest version Here save it, do not install it yet.

Java SE Runtime Environment (JRE)JRE 6 Update 18 <--The wording is confusing but this is what you need

• Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
• Reboot your computer
• Install the latest version

You can verify the installation Here






Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Folder::

Folder::
c:\program files\Viewpoint


AWF::
c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\CyberLink\PCM4Everio\bak\EverioService.exe
c:\program files\DellSupport\bak\DSAgnt.exe
c:\program files\Entriq\MediaSphere\Bin\bak\EntriqMediaTray.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

 

[mla34]

Hi, Ken.

Uninstalled the Viewpoint stuff last night and forgot to tell you...sorry.

Went to the website to download, but not install, the latest version of Java SE Runtime Environment. Downloaded to my desktop after choosing Windows as the platform. However, got a box at the top of the webpage that the website wants to run an add-on "Java Web Start ActiveX Control from SunMicrosystems, Inc. If you trust the website and add-on and want to allow it to run, click here." I did not. (Maybe I should have?)

Uninstalled the Java stuff in Add/Remove Programs. Rebooted computer.

Tried to install the new Java and got the following msg box.

C:\Documents and Settings\Maureen\Desktop\jre-6u18-windows-i586.exe is not a valid Win32 application.

Did I choose the wrong file to download? Should I have accepted the add on msg?

I will be offline most of the day - should be back this evening...just wanted to let you know why you don't get a response from me till later. Thank you!

 

[ken545]

The add on would have been ok, just delete that one and try redownloading it again

 

[mla34]

Hey, Ken.

I deleted the file, redownloaded it with no problems. Verified that it is working fine.

Copied text into Notepad and saved it to my desktop. When I went to drag it to the ComboFix icon....well, i can't find an icon for the ComboFix program. Somehow either I never saved it to my desktop or it disappeared?

I went back to your post (#8) with the download instructions to redownload it. Link 1 doesn't work and Link 2 is entirely in spanish...I don't speak spanish and I didn't see anything that remotely looked like ComboFix. Could you resend me a link? I'm sorry.....thank you!:red:

 

[ken545]

Hi,

Combofix is temporarily down for maintenance so you cant re download it .

Those AWF files may not be anything to worry about, they may just be leftover entries but running to tool to make sure can't hurt.

Double-click FindAWF.exe to start the tool.

• 
  * Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
  * A text file will open up. Please copy/paste the following bolded text into the text file:

c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\CyberLink\PCM4Everio\bak\EverioService.exe
c:\program files\DellSupport\bak\DSAgnt.exe
c:\program files\Entriq\MediaSphere\Bin\bak\EntriqMediaTray.exe


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

 

[mla34]

hi Ken...here is the AWF txt file

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 01/25/2010
The current time is: 8:05:24.43


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06/28/2007 09:14 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\MYSI\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 09:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/25/2004 12:52 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\CYBERL~1\PCM4EV~1\BAK

11/22/2006 09:10 PM 151,552 EverioService.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/26/2007 05:21 PM 185,632 realsched.exe
1 File(s) 185,632 bytes

Directory of C:\PROGRA~1\ENTRIQ\MEDIAS~1\BIN\BAK

01/11/2007 02:08 PM 387,152 EntriqMediaTray.exe
1 File(s) 387,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 03:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
270648 Jun 28 2007 "C:\Program Files\iTunes\iTunesHelper.exe2766896034"
270648 Jun 28 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 19 2009 "C:\WINDOWS\Installer\{EC2A8F27-4FBF-4E41-B27B-FE822511B761}\iTunesIco.exe"
417792 Sep 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
151552 Nov 22 2006 "C:\Program Files\CyberLink\PCM4Everio\bak\EverioService.exe"
39792 Oct 15 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
185632 Aug 26 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
387152 Jan 11 2007 "C:\Program Files\Entriq\MediaSphere\Bin\bak\EntriqMediaTray.exe"
246504 Jan 11 2010 "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"


end of report

just fyi....when I clicked on the awf program, McAfee popped up a potentially unwanted program msg...name is PrcViewer...is that the AWF?
options are to remove or trust...I've left it on my desktop until I know what to do with it...thanks

 

[ken545]

PrcViewer. <--Can be good or bad, if McAfee wants to remove it , let it



Double-click FindAWF.exe to start the tool.

• Select option #3 - Remove bak folders by typing 3 and press 'Enter'
• A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\DellSupport\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Entriq\MediaSphere\Bin\bak
C:\Program Files\Java\jre1.6.0_01\bin\bak

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

 

[mla34]

Here you go, Ken....

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 01/25/2010
The current time is: 10:36:52.84


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MYSI\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CYBERL~1\PCM4EV~1\BAK

11/22/2006 09:10 PM 151,552 EverioService.exe
1 File(s) 151,552 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

151552 Nov 22 2006 "C:\Program Files\CyberLink\PCM4Everio\bak\EverioService.exe"


end of report

McAfee couldn't remove the PrcViewer and told me to do it manually. I found the file and deleted it. It was identified as "Command Line Process Utility"
and also listed a website - beyondlogic.org?

Thanks.