SpywareInfo Forum: Active Security virus

Active Security virus

#1 cmonamonamona (Full Member), posted 28 October 2009 - 03:26 PM

I think I have a virus called Active Security. I found a description of it here.
http://www.bleepingc...active-security

The problem is that I did have Malware on my computer but the virus seems to have disabled it. Now, I can't reload it or anything else.

First the virus was a bunch of pop ups that asked me to buy a new virus security tool. But now, the pop ups have stopped but the computer still can't reach the internet.

I tried to load a copy of Malwarebytes from a disk that I got from a clean computer. But I got an error message at the end:

Unable to execute file:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
CreateProcess failed; code 2.
The system cannot find the file specified.

I tried to rename the Malware file before loading but that did not fix anything.

Sorry I can't load any of the software suggested in the FAQ or any logs here because the computer can't do anything. I have McAfee but that didn't help.

Any help is appreciated.
Mona

Hi,

Help us help you.

Please read this article and follow the protocol.
http://spywareinfofo...showtopic=23382
Then submit a fresh HijackThis log. One of our helpers will take care of you. It's the only way we can give you sound advice.


#2 nasdaq (Global Moderator), posted 30 October 2009 - 09:40 AM

Hi,
I'm nasdaq

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr
rkill.pif

When done, run the Malwarebytes tool. Submit the log if you can.

A HijackThis log is also required.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 cmonamonamona (Full Member), posted 31 October 2009 - 02:58 PM

I tried all 4 of the rkill files as you said. All failed with the same error:

can not create some of your include files.
pev.exe
rkill.reg
ncmd.cfxxe

Then it asks if I want to continue. I say Yes and it blinks to a DOS screen but then ends itself.

I did load HijackThis and ran a log, but I don't have any way that I know of to post it here. I can't get to the internet from the infected computer. I get the error that
Internet Explorer cannot display the webpage.

I'm scared to get a disk and copy from the infected computer to a clean one.

Any more suggestions?

Thanks so much for your help.
Mona



#4 nasdaq (Global Moderator), posted 01 November 2009 - 09:08 AM

Download this Win32kDiag tool on another computer.
Copy it to a CD and place it on the desktop of the infected computer. Follow the instructions below.

You can get it from any of the following three links:
http://ad13.geekstog.../Win32kDiag.exe
http://download.blee.../Win32kDiag.exe
http://rootrepeal.ps.../Win32kDiag.exe

Place it on your desktop and run the tool.

It will create a log file on your desktop called Win32kDiag.txt.

Please post back the results.
nasdaq


#5 cmonamonamona (Full Member), posted 01 November 2009 - 11:42 AM

Thanks for that. I did run the file per your instructions and here are the results. Is this what you meant?

Running from: C:\Program Files\WINDIAG\Win32kDiag.exe
Log file at: C:\Documents and Settings\Dan Calistrat\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:WINDOWS'...
Finished!

#6 nasdaq (Global Moderator), posted 01 November 2009 - 04:19 PM

Try to run it this way.

Click on Start->Run, and copy/paste the following bolded text into the Run box and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's done, there will be a log named Win32kDiag.txt on your desktop.

Post it.
nasdaq


#7 cmonamonamona (Full Member), posted 02 November 2009 - 08:55 AM

Sorry, I don't know what I'm doing wrong. I did go to Start/Run and put in the command you said. It did run and create a text file as you said. But this is all that is in the text file:


Running from: C:\Program Files\WINDIAG\Win32kDiag.exe
Log file at: C:\Documents and Settings\Dan Calistrat\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:WINDOWS'...
Finished!

#8 nasdaq (Global Moderator), posted 02 November 2009 - 09:53 AM

Can you now run the ComboFix tool?

Submit the results if you can.
nasdaq


#9 cmonamonamona (Full Member), posted 02 November 2009 - 02:59 PM

Sorry, what is the ComboFix tool? I tried to run Malwarebytes but still get this error message at the very end:

Unable to execute file:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
CreateProcess failed; code 2.
The system cannot find the file specified.

I did run a hijack log file and moved it by disk. Does this tell you anything:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:26 PM, on 2009-11-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\MMaestro\BWheel35.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe RUNDLL32.EXE BEF0REGIIAV
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 www.osguard-pro.com
O2 - BHO: (no name) - {21e4347a-fc0d-8411-a8ac-a6096c7ba61c} - C:\WINDOWS\amozaqesuhelehi.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [system tool] C:\Program Files\ukfmsn\awfosysguard.exe
O4 - HKLM\..\Run: [Hvuyidimenipa] rundll32.exe "C:\WINDOWS\amozaqesuhelehi.dll",Startup
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Dan Calistrat"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\vneky.exe
O4 - HKCU\..\Run: [system tool] C:\Program Files\ukfmsn\awfosysguard.exe
O4 - HKCU\..\Run: [wow64main.exe] C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\wow64main.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\system.exe
O4 - HKCU\..\Run: [Active Security] "C:\Program Files\Active Security\asecurity.exe" -noscan
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: ZyXEL G-302 v3 Utility.lnk = C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...ared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1254454381125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1254454339453
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.h...tDetection2.cab
O20 - AppInit_DLLs: gomebomu.dll
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

--
End of file - 11095 bytes

#10 nasdaq (Global Moderator), posted 02 November 2009 - 08:33 PM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Sorry, my mistake, I jumped the gun. We may have to run the ComboFix tool later.

Let's take the long way out for now.

Download LSPfix
Unzip the file to a folder on your desktop.
Double-click to run
Select: (Advanced) "I know what I'm doing"
Then click the FINISH button. Restart your computer.
===

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe RUNDLL32.EXE BEF0REGIIAV
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 www.osguard-pro.com
O2 - BHO: (no name) - {21e4347a-fc0d-8411-a8ac-a6096c7ba61c} - C:\WINDOWS\amozaqesuhelehi.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [system tool] C:\Program Files\ukfmsn\awfosysguard.exe
O4 - HKLM\..\Run: [Hvuyidimenipa] rundll32.exe "C:\WINDOWS\amozaqesuhelehi.dll",Startup
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\vneky.exe
O4 - HKCU\..\Run: [system tool] C:\Program Files\ukfmsn\awfosysguard.exe
O4 - HKCU\..\Run: [wow64main.exe] C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\wow64main.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\system.exe
O4 - HKCU\..\Run: [Active Security] "C:\Program Files\Active Security\asecurity.exe" -noscan
O20 - AppInit_DLLs: gomebomu.dll
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe


Click on Fix Checked when finished and exit HijackThis.

Again restart the computer.

Can you now run Malwarebytes and submit the log?

Include a fresh HijackThis log for my review.
nasdaq

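The entries nasdaq picks out above share a handful of structural tells: a system.ini Shell= line that launches more than Explorer.exe, hosts-file entries that point a hostname at a non-loopback address, autoruns that live in a Temp folder or load a DLL through rundll32, a populated AppInit_DLLs value, and a SharedTaskScheduler CLSID with no backing file. The script below is an added example, not part of this thread or of HijackThis itself; it parses HJT v2 log lines and flags those patterns over a constructed sample taken from the log quoted in post #9.

```python
"""Triage HijackThis (HJT) v2 log lines for the persistence patterns seen in
this thread.  Added example; not a SpywareInfo or HijackThis tool."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HJT log quoted earlier in the thread,
# with a few ordinary vendor entries left in so the rules have something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
F2 - REG:system.ini: Shell=Explorer.exe RUNDLL32.EXE BEF0REGIIAV
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O2 - BHO: (no name) - {21e4347a-fc0d-8411-a8ac-a6096c7ba61c} - C:\WINDOWS\amozaqesuhelehi.dll
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\vneky.exe
O4 - HKCU\..\Run: [Active Security] "C:\Program Files\Active Security\asecurity.exe" -noscan
O20 - AppInit_DLLs: gomebomu.dll
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# "O4 - HKLM\..\Run: ..." -> section code "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
LOOPBACK = {"127.0.0.1", "::1"}
# Autorun targets under the user's Temp folder (8.3 or long form).
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# rundll32 loading a DLL; capture the DLL path up to the export-name comma.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+)", re.IGNORECASE)


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HJT line into (section code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def flag_entry(code: str, body: str) -> List[str]:
    """Return the reasons an entry deserves review; an empty list means 'ordinary'."""
    reasons: List[str] = []
    if code == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            reasons.append("system.ini Shell= starts more than Explorer.exe")
    elif code == "O1" and body.startswith("Hosts:"):
        parts = body[len("Hosts:"):].split()
        if len(parts) >= 2 and parts[0] not in LOOPBACK:
            reasons.append(f"hosts file points {parts[1]} at {parts[0]}")
    elif code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    elif code == "O4":
        if TEMP_RE.search(body):
            reasons.append("autorun target lives in a Temp folder")
        m = RUNDLL_RE.search(body)
        if m:
            reasons.append(f"autorun loads {m.group(1).strip()} via rundll32")
    elif code == "O10" and "missing" in body:
        reasons.append("broken Winsock LSP chain (explains the lost connectivity)")
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body[len("AppInit_DLLs:"):].strip()
        if dlls:
            reasons.append(f"AppInit_DLLs injects {dlls} into every GUI process")
    elif code == "O22" and body.endswith("(no file)"):
        reasons.append("SharedTaskScheduler CLSID with no backing file")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Run every parsable line through flag_entry and keep the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        code, body = parsed
        reasons = flag_entry(code, body)
        if reasons:
            findings.append((code, body, reasons))
    return findings


def flagged_codes(log_text: str) -> List[str]:
    """Section codes of the flagged entries, in log order."""
    return [code for code, _, _ in triage(log_text)]


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}  {body}")
        for reason in reasons:
            print(f"      -> {reason}")
```

The rules are deliberately structural, so the Active Security entry itself, an ordinary path under Program Files, is not flagged; recognising that one still takes knowledge of the rogue's name, which is what the helper supplies.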

#11 cmonamonamona (Full Member), posted 03 November 2009 - 10:27 AM

I'm so excited to see progress. Thanks for your patience with me. I followed your instructions. I am now able to reach the internet again! But I still can't load the Malwarebytes with the same error message popping up. Here is a new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:17 AM, on 2009-11-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\MMaestro\BWheel35.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {b72436cf-9be6-4553-a52b-c68a6f8cdef9} - zilebobi.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Hvuyidimenipa] rundll32.exe "C:\WINDOWS\amozaqesuhelehi.dll",Startup
O4 - HKLM\..\Run: [fujobafob] Rundll32.exe "c:\windows\system32\wopebulu.dll",a
O4 - HKLM\..\Run: [vazenapase] Rundll32.exe "litinika.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Dan Calistrat"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: ZyXEL G-302 v3 Utility.lnk = C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...ared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1254454381125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1254454339453
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.h...tDetection2.cab
O20 - AppInit_DLLs: c:\windows\system32\wopebulu.dll,ribodapi.dll
O21 - SSODL: tugedijoj - {aa728908-c66e-4346-bc65-7b60a1937829} - c:\windows\system32\wopebulu.dll
O22 - SharedTaskScheduler: kupuhivus - {aa728908-c66e-4346-bc65-7b60a1937829} - c:\windows\system32\wopebulu.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\DANCAL~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

--
End of file - 10172 bytes

#12 nasdaq (Global Moderator), posted 03 November 2009 - 11:37 AM

Download ComboFix from any of the links below but rename it to namona.exe before saving it to your desktop. <- Important.

Link 1
Link 2

==================================

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#13 cmonamonamona

  • Member
  • Group: Full Member
  • Posts: 31
  • Joined: 28-October 09

Posted 03 November 2009 - 08:22 PM

More progress. I ran the ComboFix per your instructions. Then I was able to load and run Malwarebytes. It took 4 hours 40 minutes to run a full scan and found 30 items. Here is the ComboFix log. Is there more to do?



ComboFix 09-11-02.05 - Dan Calistrat 2009-11-03 13:06.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.414 [GMT -5:00]
Running from: c:\documents and settings\All Users\Desktop\namona.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Desktop\nudetube.com.lnk
c:\documents and settings\All Users\Desktop\pornotube.com.lnk
c:\documents and settings\All Users\Desktop\youporn.com.lnk
c:\documents and settings\Dan Calistrat\Application Data\inst.exe
c:\documents and settings\Dan Calistrat\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\amozaqesuhelehi.dll
c:\windows\ANS2000.INI
c:\windows\didduid.ini
c:\windows\Fonts\HDCS BRIDGE.TTF
c:\windows\Install.txt
c:\windows\system32\~.exe
c:\windows\system32\calc.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\litinika.dll
c:\windows\system32\ncase.ini
c:\windows\system32\ribodapi.dll
c:\windows\system32\wopebulu.dll
c:\windows\system32\woyobizi.dll
c:\windows\TEMP\mta13187.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 16:28 . 2009-11-03 16:28 -------- d-----w- C:\rsit
2009-11-03 16:17 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 16:17 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 16:17 . 2009-11-03 16:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 20:42 . 2009-11-02 20:42 -------- d-----w- c:\program files\HighMAT CD Writing Wizard
2009-11-01 17:30 . 2009-11-01 17:32 -------- d-----w- c:\program files\WINDIAG
2009-11-01 17:12 . 2009-11-02 15:02 -------- d-----w- c:\program files\RKILL
2009-10-26 21:35 . 2009-10-26 21:35 -------- d-sh--w- c:\documents and settings\Dan Calistrat\IECompatCache
2009-10-26 17:30 . 2009-10-22 20:40 4045528 ----a-w- c:\program files\copy-setup.exe
2009-10-21 19:31 . 2009-11-03 15:21 0 ----a-w- c:\windows\Ygugine.bin
2009-10-21 19:30 . 2009-11-03 17:55 120 ----a-w- c:\windows\Dbopamagabobi.dat
2009-10-21 19:28 . 2009-10-21 19:28 -------- d-----w- c:\documents and settings\Dan Calistrat\Local Settings\Application Data\{DF9167F1-17BD-4676-82DB-5F127F475C33}
2009-10-21 19:05 . 2009-10-26 16:39 -------- d-----w- c:\program files\ukfmsn
2009-10-16 14:38 . 2009-10-16 14:38 -------- d-----w- c:\documents and settings\Dan Calistrat\Application Data\HP
2009-10-16 14:34 . 2009-10-16 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-10-16 14:33 . 2009-10-16 14:33 -------- d-----w- c:\program files\Common Files\HP
2009-10-16 14:27 . 2009-10-16 14:27 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-16 14:25 . 2009-10-16 14:25 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-10-16 14:24 . 2005-10-28 00:24 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-10-16 14:24 . 2005-10-28 00:24 49664 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-10-16 14:23 . 2005-10-15 03:42 46592 ----a-w- c:\windows\system32\hpzll43a.dll
2009-10-16 14:23 . 2005-03-22 12:48 77824 ----a-r- c:\windows\system32\hpzids01.dll
2009-10-16 14:21 . 2005-03-14 18:39 65536 ----a-w- c:\windows\system32\HPZinw12.exe
2009-10-16 14:21 . 2005-03-14 17:05 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2009-10-16 14:21 . 2005-03-08 16:55 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2009-10-16 14:21 . 2005-03-08 16:55 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2009-10-16 14:21 . 2005-03-14 17:05 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2009-10-16 14:21 . 2005-03-14 17:03 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2009-10-16 14:06 . 2009-10-16 14:37 109947 ----a-w- c:\windows\hpoins08.dat
2009-10-16 14:06 . 2006-01-24 06:15 7577 ------w- c:\windows\hpomdl08.dat
2009-10-16 13:59 . 2005-10-28 22:11 254026 ----a-r- c:\windows\system32\hpovst09.dll
2009-10-16 13:59 . 2005-10-28 22:11 614400 ----a-r- c:\windows\system32\hpotscl2.dll
2009-10-16 13:59 . 2005-10-28 22:11 602112 ----a-r- c:\windows\system32\hpowiax2.dll
2009-10-15 21:55 . 2009-10-15 21:55 -------- d-----w- c:\documents and settings\Dan Calistrat\Application Data\CyberLink
2009-10-15 21:43 . 2009-10-16 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Cyberlink
2009-10-15 21:43 . 2009-10-16 13:42 -------- d-----w- c:\documents and settings\Dan Calistrat\Local Settings\Application Data\PCM4Everio
2009-10-15 21:43 . 2006-06-04 20:48 198144 ------w- c:\windows\system32\_psisdecd.dll
2009-10-15 21:43 . 2006-06-04 20:48 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-10-15 21:36 . 2009-10-15 21:44 -------- d-----w- c:\program files\CyberLink
2009-10-15 21:36 . 2009-10-15 21:36 -------- d-----w- c:\program files\Digital Photo Navigator 1.5
2009-10-15 21:22 . 2009-10-15 21:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-05 19:54 . 2009-10-05 19:54 -------- d-----w- c:\windows\system32\Adobe
2009-10-05 14:38 . 2009-10-05 14:38 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-05 14:38 . 2009-10-18 23:12 -------- d-----w- c:\documents and settings\Dan Calistrat\Application Data\Vso
2009-10-05 14:37 . 2009-10-18 23:12 -------- d-----w- c:\program files\DVDFab 6
2009-10-05 14:35 . 2009-10-19 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-05 14:35 . 2009-10-05 14:35 -------- d-----w- c:\program files\DVD Shrink
2009-10-05 14:33 . 2009-10-05 14:33 -------- d-----w- c:\program files\DVD Decrypter
2009-10-05 14:18 . 2009-10-05 14:18 -------- d-sh--w- c:\documents and settings\Dan Calistrat\PrivacIE
2009-10-05 13:47 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-05 13:47 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-05 13:47 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-05 13:47 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-05 13:46 . 2009-10-05 13:47 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-05 13:46 . 2009-10-05 13:46 -------- d-----w- c:\program files\McAfee.com
2009-10-05 13:45 . 2009-10-21 21:57 -------- d-----w- c:\program files\McAfee
2009-10-05 13:35 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 20:49 . 2005-12-29 19:41 -------- d-----w- c:\program files\Trend Micro
2009-10-26 20:02 . 2003-04-16 20:27 -------- d-----w- c:\documents and settings\Dan Calistrat\Application Data\MSN6
2009-10-21 19:02 . 2009-10-21 19:02 4 ----a-w- c:\documents and settings\Dan Calistrat\Application Data\avdrn.dat
2009-10-16 14:33 . 2009-09-29 00:15 -------- d-----w- c:\program files\HP
2009-10-15 21:55 . 2003-04-04 17:24 142032 ----a-w- c:\documents and settings\Dan Calistrat\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 21:45 . 2003-04-01 14:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-05 14:38 . 2009-10-05 14:38 47360 ----a-w- c:\documents and settings\Dan Calistrat\Application Data\pcouffin.sys
2009-10-05 14:07 . 2006-11-29 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-05 13:27 . 2004-07-15 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-05 13:27 . 2004-07-15 19:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-03 05:50 . 2009-10-03 05:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-03 05:42 . 2009-10-03 05:42 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-03 05:39 . 2009-10-03 05:39 -------- d-----w- c:\program files\Microsoft
2009-10-03 05:29 . 2009-10-03 05:29 -------- d-----w- c:\program files\MSBuild
2009-10-03 05:29 . 2009-10-03 05:29 -------- d-----w- c:\program files\Reference Assemblies
2009-10-03 05:22 . 2009-10-03 05:22 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-03 05:07 . 2009-10-03 05:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2009-10-03 05:07 . 2009-10-03 05:07 -------- d-----w- c:\documents and settings\Dan Calistrat\Application Data\Roxio
2009-10-03 05:04 . 2009-10-03 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-10-03 00:29 . 2009-10-03 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-10-03 00:26 . 2009-10-03 00:16 -------- d-----w- c:\program files\Roxio
2009-10-03 00:26 . 2009-10-03 00:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-03 00:25 . 2009-10-03 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-10-03 00:20 . 2009-10-03 00:18 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-10-03 00:17 . 2009-10-03 00:17 -------- d-----w- c:\program files\SmartSound Software
2009-10-03 00:05 . 2003-04-16 19:31 -------- d-----w- c:\program files\IrfanView
2009-10-02 23:11 . 2009-10-02 23:11 -------- d-----w- c:\documents and settings\Dan Calistrat\Application Data\Malwarebytes
2009-10-02 23:11 . 2009-10-02 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-02 22:58 . 2009-10-03 05:01 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-02 22:57 . 2009-10-02 22:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-02 22:57 . 2009-10-02 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-02 22:57 . 2003-04-16 19:59 -------- d-----w- c:\program files\Lavasoft
2009-10-02 22:44 . 2003-04-01 13:53 -------- d-----w- c:\program files\CONEXANT
2009-10-02 22:26 . 2009-10-02 22:26 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-02 22:26 . 2009-10-02 22:26 233472 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\documents and settings\Dan Calistrat\Application Data\Creative
2009-10-02 20:55 . 2009-10-02 20:55 -------- d-----w- c:\program files\MSXML 4.0
2009-10-02 20:30 . 2009-10-02 20:30 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-02 02:16 . 2003-08-31 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-02 02:03 . 2006-04-26 21:40 -------- d-----w- c:\program files\Motive
2009-10-02 02:03 . 2006-04-26 21:40 -------- d-----w- c:\program files\Verizon Online
2009-10-02 01:22 . 2006-12-02 05:36 -------- d-----w- c:\program files\Symantec
2009-10-02 01:22 . 2003-05-04 17:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-02 01:14 . 2005-07-13 22:16 -------- d-----w- c:\program files\Iomega
2009-09-16 15:22 . 2009-07-08 18:44 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-10-14 07:01 . 2004-07-24 01:50 346124 ----a-w- c:\program files\sysclean.log
2006-10-14 03:49 . 2006-10-14 03:47 358 ----a-w- c:\program files\20061013.log
2006-10-14 03:49 . 2004-07-24 01:50 27 ----a-w- c:\program files\TSCDebug.log
2006-09-13 21:28 . 2004-04-08 16:09 150192 ----a-w- c:\program files\TweakUiPowertoySetup.exe
2006-08-30 12:43 . 2006-08-30 12:43 143103 ----a-w- c:\program files\PC-De-Crapifier-1.5.1.exe
2006-08-30 12:43 . 2006-08-30 12:43 42546 ----a-w- c:\program files\PC-De-Crapifier-1.5.1.au3
2006-08-04 18:54 . 2006-08-04 18:53 982222 ----a-w- c:\program files\setupmp3towav-c.exe
2006-07-10 14:43 . 2006-07-10 14:43 5112 -c--a-w- c:\program files\GUICheckListControl.au3
2006-03-21 01:26 . 2006-03-21 01:26 358 ----a-w- c:\program files\20060320.log
2006-03-15 17:23 . 2006-03-15 17:23 21254280 ----a-w- c:\program files\AdbeRdr707_en_US.exe
2005-12-29 02:57 . 2005-12-29 02:55 358 ----a-w- c:\program files\20051228.log
2005-10-15 01:59 . 2005-10-15 01:58 358 ----a-w- c:\program files\20051014.log
2005-08-22 21:09 . 2005-08-22 21:09 107474 ----a-w- c:\program files\StrokeIt_9_5.exe
2005-06-18 17:31 . 2005-06-18 17:30 12754672 -c--a-w- c:\program files\MP10Setup.exe
2005-06-13 20:33 . 2005-06-13 20:33 378016 -c--a-w- c:\program files\ydropper1_6us.exe
2005-05-02 03:23 . 2005-05-02 03:21 358 -c--a-w- c:\program files\20050501.log
2005-04-22 15:21 . 2005-04-22 15:21 20798256 -c--a-w- c:\program files\AdbeRdr70_enu_full.exe
2005-02-12 03:51 . 2005-02-12 03:49 358 -c--a-w- c:\program files\20050211.log
2005-01-13 18:16 . 2005-01-13 18:16 6537888 -c--a-w- c:\program files\MicrosoftAntiSpywareInstall.exe
2005-01-07 19:50 . 2005-01-07 19:50 184153 -c--a-w- c:\program files\configinspectorsetup1.0.exe
2004-12-31 19:41 . 2004-12-31 19:41 1390111 -c--a-w- c:\program files\picsort150e.exe
2004-12-18 21:48 . 2004-12-18 21:48 1644544 -c--a-w- c:\program files\MBSASetup-EN.msi
2004-11-25 00:42 . 2004-11-25 00:41 358 -c--a-w- c:\program files\20041124.log
2004-10-26 01:16 . 2004-10-26 01:15 358 -c--a-w- c:\program files\20041025.log
2004-10-10 00:54 . 2004-10-10 00:53 358 -c--a-w- c:\program files\20041009.log
2004-09-20 19:51 . 2004-09-20 19:51 1453478 ----a-w- c:\program files\wdtoys10.zip
2004-09-18 17:22 . 2004-09-18 17:22 5834867 -c--a-w- c:\program files\realalt123.exe
2004-09-17 23:51 . 2004-09-17 23:51 254468 ----a-w- c:\program files\procexpnt.zip
2004-08-21 01:48 . 2004-08-21 01:48 433679 -c--a-w- c:\program files\iemaximizer23.exe
2004-08-16 22:33 . 2004-08-16 22:33 2609631 -c--a-w- c:\program files\aawsepersonal.exe
2004-08-14 17:34 . 2004-08-14 17:34 2405824 ----a-w- c:\program files\rminstall.exe
2004-08-09 03:46 . 2004-08-09 03:45 358 -c--a-w- c:\program files\20040808.log
2004-08-08 16:44 . 2004-08-08 16:44 647278 -c--a-w- c:\program files\TreeSizeSetup.exe
2004-07-30 00:14 . 2004-07-30 00:13 358 ----a-w- c:\program files\20040729.log
2004-07-26 01:10 . 2004-07-26 01:10 30079096 -c--a-w- c:\program files\MIS600CDENU.exe
2004-07-24 20:43 . 2004-07-24 20:43 208896 ----a-w- c:\program files\Lame_enc.dll
2004-07-24 01:51 . 2004-07-24 01:50 358 -c--a-w- c:\program files\20040723.log
2004-07-24 01:33 . 2004-07-24 01:33 6047869 -c--a-w- c:\program files\AutoSysclean.exe
2004-07-23 18:26 . 2004-07-23 18:26 3468 -c--a-w- c:\program files\WHATSNEW.TXT
2004-07-23 18:18 . 2004-07-23 18:18 9112636 -c--a-w- c:\program files\lpt$vpn.944
2004-07-15 19:26 . 2004-07-15 19:26 4354084 -c--a-w- c:\program files\spybotsd13.exe
2004-05-27 18:34 . 2004-05-27 18:34 483732 ----a-w- c:\program files\magic fearsons_aces.zip
2004-04-08 16:13 . 2004-04-08 16:13 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe
2004-03-19 01:07 . 2004-03-19 01:07 30720 ----a-w- c:\program files\xpdite.exe
2004-03-19 01:05 . 2004-03-19 01:05 22016 ----a-w- c:\program files\shootthemessenger.exe
2004-01-19 19:34 . 2004-01-19 19:34 2601976 -c--a-w- c:\program files\EClea2_0.exe
2004-01-01 20:38 . 2004-01-01 20:38 282624 ----a-w- c:\program files\SLPhotoBasicDownload.exe
2003-12-18 22:37 . 2003-12-18 22:37 1897672 -c--a-w- c:\program files\winzip81.exe
2003-12-17 02:27 . 2003-12-17 02:27 646985 ----a-w- c:\program files\pawn2.zip
2003-12-11 18:06 . 2003-12-11 18:06 87203 -c--a-w- c:\program files\VitriteInstall.exe
2000-11-15 14:21 . 2000-11-15 14:21 178688 ----a-w- c:\program files\hjsplit.exe
2009-08-03 16:19 . 2009-08-03 16:19 54272 --sha-w- c:\windows\SYSTEM32\hupetetu.dll
2009-08-03 16:20 . 2009-08-03 16:20 54272 --sha-w- c:\windows\SYSTEM32\zilebobi.dll
2009-07-26 16:10 . 2009-07-26 16:10 54272 --sha-w- c:\windows\SYSTEM32\zukuzibi.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b72436cf-9be6-4553-a52b-c68a6f8cdef9}]
2009-08-03 16:20 54272 --sha-w- c:\windows\SYSTEM32\zilebobi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2005-10-07 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"LWBMOUSE"="c:\mmaestro\BWheel35.exe" [2002-09-12 606208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-26 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-07-29 98304]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-07-19 94208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-07-19 94208]
"AsioReg"="CTASIO.DLL" - c:\windows\SYSTEM32\CTASIO.DLL [2005-10-07 73728]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-10-07 16384]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-03 18085888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="c:\program files\Washer\washidx.exe" [2001-04-02 64512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-9-28 671744]
ZyXEL G-302 v3 Utility.lnk - c:\program files\ZyXEL\G-302v3\G-302v3.exe [2006-12-4 12840448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^lastchance.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\lastchance.lnk
backup=c:\windows\pss\lastchance.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan Calistrat^Start Menu^Programs^Startup^FreeSnap.lnk]
path=c:\documents and settings\Dan Calistrat\Start Menu\Programs\Startup\FreeSnap.lnk
backup=c:\windows\pss\FreeSnap.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan Calistrat^Start Menu^Programs^Startup^Iomega Product Registration.lnk]
path=c:\documents and settings\Dan Calistrat\Start Menu\Programs\Startup\Iomega Product Registration.lnk
backup=c:\windows\pss\Iomega Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan Calistrat^Start Menu^Programs^Startup^MMaestro.lnk]
path=c:\documents and settings\Dan Calistrat\Start Menu\Programs\Startup\MMaestro.lnk
backup=c:\windows\pss\MMaestro.lnkStartup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\SYSTEM32\\regsvr32.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpprop.exe"=
"c:\\Program Files\\McAfee\\MSM\\McSmtFwk.exe"=
"c:\\Program Files\\Logitech\\SetPoint\\SetPoint.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2009-10-02 5:59 PM 64160]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2002-08-29 6:00 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\SYSTEM32\FastNetSrv.exe [2002-08-29 6:00 AM 48128]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 9:49 AM 1028432]
R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [2006-09-28 3712]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 3:52 PM 166384]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 4:28 PM 1533808]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 3:52 PM 1083888]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 3:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 3:52 PM 309744]
S2 SessionLauncher;SessionLauncher;c:\docume~1\DANCAL~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\DANCAL~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 3:53 PM 72176]
S3 SjyPkt;SjyPkt;c:\windows\SYSTEM32\DRIVERS\SjyPkt.sys [2006-12-04 9:19 AM 13532]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV
*NewlyCreated* - MBR
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 22:58]

2009-10-05 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-05 17:22]

2009-10-05 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-05 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: americasbank.com\www
Trusted Zone: ebankhost.net\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKCU-Run-Iomega Automatic Backup - c:\program files\Iomega\Iomega Automatic Backup\iBackup.exe
HKLM-Run-Hvuyidimenipa - c:\windows\amozaqesuhelehi.dll
HKLM-Run-fujobafob - c:\windows\system32\wopebulu.dll
HKLM-Run-MISAggregator - (no file)
HKLM-Run-vazenapase - litinika.dll
SharedTaskScheduler-{aa728908-c66e-4346-bc65-7b60a1937829} - c:\windows\system32\wopebulu.dll
SSODL-tugedijoj-{aa728908-c66e-4346-bc65-7b60a1937829} - c:\windows\system32\wopebulu.dll
AddRemove-Microsoft Camcorder - c:\program files\microsoft office 97\ms cam\setup\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 13:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\Install.txt

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,6e,15,e4,5f,9e,64,4e,ad,b1,b3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,6e,15,e4,5f,9e,64,4e,ad,b1,b3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1396)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\mmaestro\BMOUDLL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\windows\system32\LEXBCES.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\opeia.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\progra~1\McAfee\MSM\McSmtFwk.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-11-03 13:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-03 18:45

Pre-Run: 2,012,471,296 bytes free
Post-Run: 2,092,322,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

#14 User is online   nasdaq Icon

  • Forum Deity
  • PipPipPipPipPip
  • Group: Global Moderator
  • Posts: 44,807
  • Joined: 24-May 04

Posted 05 November 2009 - 06:38 PM

We had another breakdown.

Are you still with me?

What problem remains?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#15 User is offline   cmonamonamona Icon

  • Member
  • Pip
  • Group: Full Member
  • Posts: 31
  • Joined: 28-October 09

Posted 06 November 2009 - 08:09 AM

Yes, I'm still here. It seems like my computer is working fine. I ran Malware, McAfee and AdAware. Is there anything else I should do to clean up or check for anything else?

Do you have any recommendations for regular maintenance to avoid this in the future?

I really appreciate your help through this. I was so frustrated with the virus and I was tempted to throw the computer out.
