GeekPolice
antivirus pro

Post by rmacint on Thu Nov 26, 2009 8:35 pm

Antivirus Pro infection.
I can't run Malwarebytes or Combo-Fix or DDS.

(I also don't get a 'New Topic' button in Firefox for this forum - IE is hijacked.)

Please help.


Re: antivirus pro

Post by Belahzur on Thu Nov 26, 2009 8:56 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: antivirus pro

Post by rmacint on Thu Nov 26, 2009 8:59 pm

When I try to install HijackThis, I get a security warning and it won't let me run the installer.
I have an older version of HijackThis already installed, and it won't let me run that, either.


Re: antivirus pro

Post by Belahzur on Thu Nov 26, 2009 9:17 pm

Hello.

Try this renamed version.
[You must be registered and logged in to see this link.]


Re: antivirus pro

Post by rmacint on Thu Nov 26, 2009 9:32 pm

I get the same 'application cannot be executed' warning and it won't run.

(I believe I do have the Recovery Console installed, but I am reluctant to restart in the middle of this mess.)


Re: antivirus pro

Post by Belahzur on Fri Nov 27, 2009 12:30 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Re: antivirus pro

Post by rmacint on Fri Nov 27, 2009 5:11 am

I get a message that rundll32.exe is infected and Combo-Fix won't run.


Re: antivirus pro

Post by Belahzur on Fri Nov 27, 2009 10:16 am

Hmm, let's try this.

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Re: antivirus pro

Post by rmacint on Fri Nov 27, 2009 4:38 pm

exeHelper by Raktor
Build 20091122
Run at 08:25:54


[I think I was able to run HijackThis - I logged off and logged on and ran HijackThis, but it may have been before the virus loaded]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:01 AM, on 11/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\rmac\Desktop\winlogon.scr
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dfilausg] C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [dfilausg] C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7595 bytes


Re: antivirus pro

Post by rmacint on Fri Nov 27, 2009 11:27 pm

It looks like the problem may be:

Rundll32 P17.dll,P17Helper
khgaul\bsgasysguard.exe

How can I get rid of these?


Re: antivirus pro

Post by Belahzur on Fri Nov 27, 2009 11:34 pm

Hello.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the Apply button and restart the computer in normal mode.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O4 - HKLM\..\Run: [dfilausg] C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe
    O4 - HKCU\..\Run: [dfilausg] C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

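The fix list above and the HijackThis log it was built from line up with four indicators a reader can check mechanically: an executable under Local Settings\Application Data, the same Run value planted in both HKLM and HKCU, an IE ProxyServer pointing at 127.0.0.1, and a process named after a Windows system binary running from the Desktop. The following is an added example, not code from the thread, from HijackThis or from the helper; it applies those checks to a log in HijackThis's text format, with a sample log constructed from the lines quoted above, and the system-binary-name check is an assumption generalising the winlogon.scr entry rather than something the helper listed for removal.

```python
"""Triage a HijackThis log for the fake-AV indicators discussed in this thread.

Added example, not code from the thread, from HijackThis or from the helper.
SAMPLE_LOG is constructed from lines quoted in the thread; the "system binary
name outside %SystemRoot%" check is an assumption generalising the
Desktop\\winlogon.scr process that appears in the log."""
import re
from dataclasses import dataclass

# Profile directories an auto-start entry almost never legitimately lives in on
# Windows XP; the rogue binary here sat under Local Settings\Application Data.
USER_WRITABLE = ("\\local settings\\application data\\", "\\local settings\\temp\\",
                 "\\application data\\", "\\desktop\\")
# Windows binaries whose names only belong under %SystemRoot% (assumed list).
SYSTEM_NAMES = {"winlogon", "svchost", "lsass", "services", "smss", "csrss", "explorer"}

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROXY_RE = re.compile(r"^R1 - .*\\Internet Settings,ProxyServer = (?P<proxy>\S+)$")
# First drive-rooted executable in a Run value, quoted or not, ignoring arguments.
PATH_RE = re.compile(r'^"?(?P<path>[a-z]:\\.+?\.(?:exe|scr|com|bat|pif))\b', re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info"
    line: str      # the log line (or Run value name) the finding refers to
    reason: str


def executable_path(cmd):
    """Return the executable path in a Run value, or None for values such as
    'Rundll32 P17.dll,P17Helper' that name no drive-rooted file."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else None


def path_findings(path, line):
    """Checks shared by running-process lines and O4 Run values."""
    low = path.lower()
    out = []
    if any(marker in low for marker in USER_WRITABLE):
        out.append(Finding("high", line, "executable lives under a user-writable profile directory"))
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem in SYSTEM_NAMES and "\\windows\\" not in low:
        out.append(Finding("high", line, f"'{stem}' is a Windows system binary name but runs outside %SystemRoot%"))
    return out


def triage(log_text):
    findings = []
    run_hives = {}  # Run value name -> set of hives it is registered in
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            findings.extend(path_findings(line, line))
            continue
        m = RUN_RE.match(line)
        if m:
            run_hives.setdefault(m["name"].lower(), set()).add(m["hive"])
            path = executable_path(m["cmd"])
            if path is None:
                findings.append(Finding("info", line, "Run value has no full path; locate the binary on disk before judging it"))
            else:
                findings.extend(path_findings(path, line))
            continue
        m = PROXY_RE.match(line)
        if m and m["proxy"].split("=")[-1].startswith(("127.", "localhost")):
            findings.append(Finding("high", line, "IE proxy points at loopback: a local process is intercepting browser traffic"))
    for name, hives in run_hives.items():
        if len(hives) > 1:  # planted in both HKLM and HKCU, so fixing one hive alone is not enough
            findings.append(Finding("high", f"[{name}]", "same Run value registered in both HKLM and HKCU"))
    return findings


def summarize(findings):
    """Count findings per severity; {'high': 7, 'info': 1} for SAMPLE_LOG."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed from lines quoted in the thread's HijackThis log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe
C:\Documents and Settings\rmac\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [dfilausg] C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dfilausg] C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The P17Helper entry deliberately comes out as informational only: a Run value with no full path cannot be judged from the log alone, which is consistent with the helper leaving it off the fix list.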

Re: antivirus pro

Post by rmacint on Sat Nov 28, 2009 3:16 am

Malwarebytes' Anti-Malware 1.41
Database version: 3245
Windows 5.1.2600 Service Pack 3

11/27/2009 6:18:58 PM
mbam-log-2009-11-27 (18-18-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 271775
Time elapsed: 1 hour(s), 56 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\rmac\Local Settings\Application Data\khgaul\bsgasysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc20\sp3gdr\iexplore.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc20\sp3qfe\iexplore.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc32\SP2GDR\services.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc32\SP2GDR\wmiprvse.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc32\SP2QFE\services.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc32\SP2QFE\wmiprvse.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc32\SP3GDR\services.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc32\SP3GDR\wmiprvse.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc32\SP3QFE\services.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1271509828-3427056199-959002699-1007\Dc32\SP3QFE\wmiprvse.exe (Worm.Autorun.One Cool Dude -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96C62E59-4E3E-4D02-AC57-3ED3FCA8137F}\RP63\A0012321.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Re: antivirus pro

Post by Belahzur on Sat Nov 28, 2009 7:06 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


Re: antivirus pro

Post by rmacint on Sat Nov 28, 2009 8:29 pm

DDS (Ver_09-11-24.02) - NTFSx86
Run by rmac at 12:20:34.04 on Sat 11/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.98 [GMT -8:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\rmac\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\hold\malwarebytes' anti-malware2\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rmac\applic~1\mozilla\firefox\profiles\h8u0shrj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.14); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.00.14);user_pref(general.useragent.extra.zencast, c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2006-4-27 10880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-2 19160]
R3 vmmemctl;VMware server memory controller;c:\windows\system32\drivers\vmmemctl.sys [2006-3-28 5500]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-2 195856]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-1-30 18864]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2006-4-27 4608]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2006-4-27 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2006-4-27 22528]

=============== Created Last 30 ================

2009-11-22 15:57:41 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-22 15:57:41 1409 ----a-w- c:\windows\QTFont.for
2009-11-20 23:36:34 0 d-----w- c:\program files\SPSSIncOEM
2009-11-20 23:26:09 0 ----a-w- c:\windows\system32\nsprs.dll
2009-11-20 23:25:25 0 d-----w- c:\program files\common files\Data Dynamics
2009-11-20 23:23:24 0 ----a-w- C:\law.sp
2009-11-20 21:49:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SPSS
2009-11-20 21:49:24 0 d-----w- c:\program files\common files\SPSS
2009-11-20 21:27:56 0 d-----w- c:\documents and settings\rmac\.spss
2009-11-20 19:42:43 114 ----a-w- c:\windows\system32\prsgrc.tgz
2009-11-20 19:42:43 1024 ----a-w- c:\windows\system32\grcauth2.dll
2009-11-20 19:42:43 1024 ----a-w- c:\windows\system32\grcauth1.dll
2009-11-20 19:42:43 100 ----a-w- c:\windows\system32\prsgrc.dll
2009-11-20 19:42:10 0 d-----w- c:\docume~1\alluse~1\applic~1\SafeNet Sentinel
2009-11-20 19:36:55 0 d-----w- c:\program files\SPSSInc
2009-10-30 16:08:00 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-11-22 02:04:38 152363 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2001-05-24 20:59:30 162304 ----a-w- c:\program files\UNWISE.EXE
2008-04-01 03:31:09 80 --sh--r- c:\windows\system32\64B6FEA206.dll
2005-07-14 19:31:20 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2009-07-05 03:56:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009070420090705\index.dat

============= FINISH: 12:23:25.96 ===============


Re: antivirus pro

Post by rmacint on Sat Nov 28, 2009 8:29 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-24.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/30/2006 10:52:39 AM
System Uptime: 11/28/2009 12:05:44 PM (0 hours ago)

Motherboard: Dell Computer Corp. | |
Processor: Intel(R) Pentium(R) 4 CPU 2.26GHz | Microprocessor | 2266/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 67 GiB total, 8.041 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 9.732 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/1000 MT Network Connection
Device ID: PCI\VEN_8086&DEV_100E&SUBSYS_002E1028&REV_02\4&3B1CAF2B&0&60F0
Manufacturer: Intel
Name: Intel(R) PRO/1000 MT Network Connection
PNP Device ID: PCI\VEN_8086&DEV_100E&SUBSYS_002E1028&REV_02\4&3B1CAF2B&0&60F0
Service: E1000

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: SoundMAX Integrated Digital Audio
Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01261028&REV_01\3&172E68DD&0&FD
Manufacturer: Analog Devices, Inc.
Name: SoundMAX Integrated Digital Audio
PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01261028&REV_01\3&172E68DD&0&FD
Service: smwdm

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP38: 10/27/2009 6:55:07 PM - System Checkpoint
RP39: 10/27/2009 8:39:24 PM - Software Distribution Service 3.0
RP40: 10/28/2009 8:41:52 PM - Software Distribution Service 3.0
RP41: 10/29/2009 8:56:41 AM - Printer Driver Microsoft XPS Document Writer Installed
RP42: 10/30/2009 9:23:46 AM - System Checkpoint
RP43: 10/30/2009 10:47:42 AM - Software Distribution Service 3.0
RP44: 10/31/2009 11:04:01 AM - System Checkpoint
RP45: 10/31/2009 8:21:34 PM - Software Distribution Service 3.0
RP46: 11/19/2009 5:07:48 PM - System Checkpoint
RP47: 11/19/2009 8:07:07 PM - Software Distribution Service 3.0
RP48: 11/20/2009 11:25:17 AM - Removed SPSS 14.0 for Windows (14.0.2 patch)
RP49: 11/20/2009 11:27:46 AM - Removed SPSS 15.0 for Windows
RP50: 11/20/2009 11:36:41 AM - Installed SPSS Statistics 17.0.
RP51: 11/20/2009 1:41:03 PM - Removed SPSS Statistics 17.0.
RP52: 11/20/2009 1:46:53 PM - Installed PASW Statistics 17.0.
RP53: 11/20/2009 3:24:26 PM - Installed Amos 17.0.
RP54: 11/20/2009 3:36:29 PM - Installed SPSS Inc. Data Access Pack 5.3 for Windows
RP55: 11/20/2009 3:55:12 PM - Installed Microsoft Office Enterprise 2007
RP56: 11/20/2009 3:58:33 PM - Installed Microsoft Office Enterprise 2007
RP57: 11/20/2009 10:24:50 PM - Software Distribution Service 3.0
RP58: 11/22/2009 7:58:48 AM - Software Distribution Service 3.0
RP59: 11/22/2009 9:19:27 PM - Software Distribution Service 3.0
RP60: 11/23/2009 9:43:04 PM - System Checkpoint
RP61: 11/24/2009 10:03:57 PM - Software Distribution Service 3.0
RP62: 11/25/2009 10:07:59 PM - Software Distribution Service 3.0
RP63: 11/26/2009 10:48:56 PM - System Checkpoint
RP64: 11/28/2009 11:55:37 AM - System Checkpoint

==== Installed Programs ======================


7-Zip 4.65
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop Elements 2.0
Adobe Reader 7.0.7
Adobe Setup
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Allway Sync version 5.0.10
ALPS Touch Pad Driver
Amos 17.0
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AudibleManager
AudioShell 1.3.5
BurnPlugin for Audible
CmdHere Powertoy For Windows XP
Color Matching System
Compatibility Pack for the 2007 Office system
Cool MP3 Splitter 3.0
Creative Mass Storage Drivers
Creative Removable Disk Manager
Creative Software AutoUpdate
Creative System Information
Creative ZEN V Series (R2)
Critical Update for Windows Media Player 11 (KB959772)
Crystal Ball Training CD Demo 2.0
CSPro 3.2
DAEMON Tools
DFTransfer
DVD-CLONER V4.50 Build 922
Easy CD Creator 5 Basic
Epi Info
Eudora
Express Burn Uninstall
Express Rip Uninstall
ExtractNow
EZ-Pix
Fine WoodWorking
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Photosmart Essential
hp photosmart printer series (Remove only)
Hummingbird Connectivity Secure Shell V9.0
Hummingbird HostExplorer V9.0
Image Resizer Powertoy for Windows XP
Imagicon
iTunes
J2SE Development Kit 5.0 Update 6
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_01
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.5
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.5)
Mozilla Thunderbird (2.0.0.23)
Mp3tag v2.43
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser
Napster
Napster Burn Engine
Napster Label Creator
Nimiq
oggcodecs 0.71.0946
OverDrive Media Console
PASW Statistics 17.0
PC Wizard 2008.1.82
PDF Settings
PENTAX USB DISK Device
PowerDVD
Preclick PhotoMovieMaker
Print Server Driver
QuickTime
QVT/Term
R for Windows 2.4.1
RealPlayer
RealProducer Basic 8.5
Replay AV 8
Replay Music 2.51
Rhapsody
Rhapsody Player Engine
RokuRadioSnooper v2.10.06
Rylee Bass Fretboard Addict
SAS 9.1
SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.1)
SAS/Secure Client-Side Components
ScanWizard Pro
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sound Blaster Audigy
SoundTaxi 2.5.7
SPSS Dimensions Component Pack 3.5
SPSS Inc. Data Access Pack 5.3 for Windows
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Tag&Rename 3.4.6
TextPad 4.7
Tweak UI
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb975960)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6c
ViewSonic Monitor Drivers
VPN Client
WavePad Uninstall
WebFldrs XP
WesVarPC 2.12 for Windows95
Winamp (remove only)
WinAVI Video Converter
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Vista Upgrade Advisor
Windows XP Service Pack 3
WinPcap 3.1
WXTide32
Yahoo! Music Jukebox

==== Event Viewer Messages From Past Week ========

11/28/2009 8:53:46 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/28/2009 8:53:46 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
11/26/2009 8:47:08 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/26/2009 8:47:06 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
11/26/2009 11:52:51 AM, error: Service Control Manager [7034] - The Pml Driver service terminated unexpectedly. It has done this 1 time(s).
11/23/2009 7:39:43 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/23/2009 7:39:42 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
11/22/2009 7:55:38 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd
11/22/2009 7:55:24 AM, error: Print [19] - Sharing printer failed + 1722, Printer hp photosmart 1215 series share name hpphotos.
11/22/2009 3:56:08 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
11/21/2009 7:55:26 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
11/21/2009 7:55:26 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/21/2009 7:55:13 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
11/21/2009 5:16:22 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


Re: antivirus pro

Post by rmacint on Sat Nov 28, 2009 8:30 pm

Still infected.


Re: antivirus pro

Post by Belahzur on Sun Nov 29, 2009 1:48 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Development Kit 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_01

Now post a Hijack This log, Hijack This instructions are in the second post down.



Re: antivirus pro

Post by rmacint on Sun Nov 29, 2009 3:53 am

Here is the HijackThis log.
Also, I pasted after the HJT log a portion of the ComboFix log that indicates I may have a rootkit infection.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:37 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Hold\Malwarebytes' Anti-Malware2\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7165 bytes

combo-fix log portion:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x832894C0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf87d8f28
\Driver\ACPI -> ACPI.sys @ 0xf86a5cb8
\Driver\atapi -> 0x832894c0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Linksys Wireless-G PCI Network Adapter with SpeedBooster -> SendCompleteHandler -> NDIS.sys @ 0xf84d3bb0
PacketIndicateHandler -> NDIS.sys @ 0xf84e0a21
SendHandler -> NDIS.sys @ 0xf84be87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

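Two checks a helper would run over the excerpts in the post above, as an added Python example (it is not part of the original thread and not code from HijackThis, ComboFix or GMER). The mbr.exe section prints a `>>UNKNOWN [addr]<<` entry for a module in the disk request chain that it cannot map to any loaded driver image, and then lists which driver object's dispatch points where; the script pairs those two pieces of information, so that on the posted excerpt it surfaces `\Driver\atapi -> 0x832894c0`, the same address flagged as UNKNOWN, while also recording that the MBR sectors themselves read identically from user and kernel mode. The second function parses the O4 autostart lines of the HijackThis log and reports entries whose target is not a fully qualified path under a trusted root. The sample input is copied from the logs in the post; the trusted-root list, the treatment of an unqualified command such as `Rundll32 P17.dll,P17Helper`, and all function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Sample input: lines copied from the mbr.exe section of the ComboFix log
# in the post above (addresses exactly as printed there).
MBR_LOG = """\
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x832894C0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf87d8f28
\\Driver\\ACPI -> ACPI.sys @ 0xf86a5cb8
\\Driver\\atapi -> 0x832894c0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\\Device\\Harddisk0\\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# Sample input: O4 autostart lines copied from the HijackThis log above.
HJT_LINES = """\
O4 - HKLM\\..\\Run: [AdaptecDirectCD] C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe
O4 - HKLM\\..\\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\\..\\Run: [Malwarebytes Anti-Malware (reboot)] "C:\\Hold\\Malwarebytes' Anti-Malware2\\mbam.exe" /runcleanupscript
O4 - HKLM\\..\\Run: [Malwarebytes' Anti-Malware] "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe" /starttray
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "\Driver\X -> [module @ ]addr", optionally with an intermediate "-> Procedure ->".
HOOK_RE = re.compile(r"^(\\\S+) -> (?:.* -> )?(?:(\S+) @ )?(0x[0-9A-Fa-f]+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$")
# Assumption of this example: autostart targets under these roots are expected.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


def unknown_module_addresses(text: str) -> List[int]:
    """Addresses in the 'called modules' chain that mbr.exe could not map
    to any loaded driver image."""
    return [int(a, 16) for a in UNKNOWN_RE.findall(text)]


def driver_hooks(text: str) -> Dict[str, Tuple[str, int]]:
    """Map each \\Driver\\... or \\Device\\... line after the
    'detected MBR rootkit hooks:' header to (owning module or '', address)."""
    hooks: Dict[str, Tuple[str, int]] = {}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("detected MBR rootkit hooks"):
            in_hooks = True
            continue
        m = HOOK_RE.match(line) if in_hooks else None
        if m:
            name, module, addr = m.groups()
            hooks[name] = (module or "", int(addr, 16))
    return hooks


def hooks_into_unknown_memory(text: str) -> List[str]:
    """Driver objects whose dispatch address is one of the UNKNOWN addresses
    or has no owning module at all: control leaves every loaded driver image."""
    unknown = set(unknown_module_addresses(text))
    return sorted(name for name, (module, addr) in driver_hooks(text).items()
                  if addr in unknown or module == "")


def mbr_report(text: str) -> dict:
    """Condensed verdict a helper would read first."""
    return {
        "warning": "possible MBR rootkit infection" in text,
        "mbr_sectors_consistent": "user & kernel MBR OK" in text,
        "unknown_addresses": [hex(a) for a in unknown_module_addresses(text)],
        "hooks_into_unknown": hooks_into_unknown_memory(text),
    }


def o4_target(command: str) -> str:
    """Executable an O4 entry runs: the quoted path, else the text up to the
    first '.exe', else the whole command (which is then not a qualified path)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def unusual_autostarts(text: str) -> List[Tuple[str, str]]:
    """O4 entries whose target does not live under a trusted root."""
    found = []
    for raw in text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        _hive, name, command = m.groups()
        target = o4_target(command)
        if not target.lower().startswith(TRUSTED_PREFIXES):
            found.append((name, target))
    return found


if __name__ == "__main__":
    print(mbr_report(MBR_LOG))
    for name, target in unusual_autostarts(HJT_LINES):
        print(f"O4 [{name}] -> {target}")
```

Run stand-alone it prints the mbr.exe verdict (warning raised, MBR sectors consistent, one unknown address, `\Driver\atapi` pointing at it) and the two O4 entries that fall outside the trusted roots: the `P17Helper` entry, which names a DLL with no path, and the `mbam.exe` copy started from `C:\Hold\`. The script only reports; whether a flagged entry is hostile is still the helper's call.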

Re: antivirus pro

Post by Belahzur on Sun Nov 29, 2009 7:10 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: antivirus pro

Post by rmacint on Tue Dec 01, 2009 2:38 am

I have the randomly named version of GMER. It starts, but aborts and doesn't finish the scan (this was in safe mode, as well).

What next?


Re: antivirus pro

Post by Belahzur on Tue Dec 01, 2009 9:59 pm

Can you post the full ComboFix log, please?



Re: antivirus pro

Post by rmacint on Tue Dec 01, 2009 10:27 pm

ComboFix 09-11-30.02 - rmac 11/30/2009 18:46.5.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.246 [GMT -8:00]
Running from: c:\documents and settings\rmac\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2010-04-28 21:44 . 2006-05-24 00:01 -------- d-----w- c:\documents and settings\itc\Application Data\Apple Computer
2010-04-28 21:43 . 2006-05-24 00:01 -------- d-----w- c:\documents and settings\itc\Local Settings\Application Data\Apple Computer
2009-11-29 02:16 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-29 02:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-29 01:57 . 2006-03-28 23:28 10880 ----a-r- c:\windows\system32\drivers\vmscsi_2.sys
2009-11-28 16:35 . 2009-11-28 16:50 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\jxrtsg
2009-11-26 19:15 . 2009-11-28 00:31 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\khgaul
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\Microsoft Help
2009-11-21 00:01 . 2009-11-25 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-20 23:39 . 2009-11-21 18:44 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\Amos 17.0
2009-11-20 23:36 . 2009-11-20 23:36 -------- d-----w- c:\program files\SPSSIncOEM
2009-11-20 23:25 . 2009-11-20 23:25 -------- d-----w- c:\program files\Common Files\Data Dynamics
2009-11-20 21:49 . 2009-11-20 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2009-11-20 21:49 . 2009-11-20 21:49 -------- d-----w- c:\program files\Common Files\SPSS
2009-11-20 21:27 . 2009-11-20 21:27 -------- d-----w- c:\documents and settings\rmac\.spss
2009-11-20 19:36 . 2009-11-20 23:24 -------- d-----w- c:\program files\SPSSInc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 15:57 . 2009-07-02 02:33 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-29 03:41 . 2006-04-27 23:55 -------- d-----w- c:\program files\Java
2009-11-29 02:19 . 2008-06-30 22:19 -------- d-----w- c:\program files\Replay Music
2009-11-26 19:22 . 2007-01-01 05:46 80768 ----a-w- c:\documents and settings\rmac\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-25 06:09 . 2006-04-27 22:19 -------- d-----w- c:\program files\Microsoft Works
2009-11-22 22:15 . 2007-01-11 17:49 -------- d-----w- c:\documents and settings\rmac\Application Data\Image Zone Express
2009-11-20 19:29 . 2006-09-12 15:18 -------- d-----w- c:\program files\SPSS
2009-10-29 03:50 . 2009-10-29 03:50 -------- d-----w- c:\program files\MSBuild
2009-10-29 03:50 . 2009-10-29 03:50 -------- d-----w- c:\program files\Reference Assemblies
2009-10-28 15:06 . 2008-04-02 19:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2004-08-04 00:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-07-02 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-07-02 21:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 00:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2001-05-24 20:59 . 2007-01-16 16:45 162304 ----a-w- c:\program files\UNWISE.EXE
2008-04-01 03:31 . 2008-04-01 03:30 80 --sha-r- c:\windows\system32\64B6FEA206.dll
2005-07-14 19:31 . 2006-05-24 17:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-11-29_02.39.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-06-19 10:35 . 2009-11-29 02:40 72480 c:\windows\system32\perfc009.dat
+ 2003-06-19 10:35 . 2009-12-01 02:36 72480 c:\windows\system32\perfc009.dat
+ 2003-06-19 10:35 . 2009-12-01 02:36 445942 c:\windows\system32\perfh009.dat
- 2003-06-19 10:35 . 2009-11-29 02:40 445942 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-05-18 684032]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2003-01-31 311296]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Malwarebytes Anti-Malware (reboot)"="c:\hold\Malwarebytes' Anti-Malware2\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-06-17 414992]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-10-6 1524776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2001-04-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microtek\\ScanWizard Pro\\LANServer.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\paswstat.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\paswstat.com"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8/30/2006 3:56 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8/30/2006 3:56 PM 5248]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/27/2006 9:53 AM 10880]
R3 vmmemctl;VMware server memory controller;c:\windows\system32\drivers\vmmemctl.sys [3/28/2006 3:28 PM 5500]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/2/2009 1:27 PM 195856]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 5:55 PM 18864]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/2/2009 1:27 PM 19160]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 1:10 PM 32512]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [4/27/2006 9:52 AM 4608]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [4/27/2006 9:52 AM 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [4/27/2006 9:53 AM 22528]

--- Other Services/Drivers In Memory ---

*Deregistered* - kfncqpow
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\Malwarebytes' Scheduled Update for rmac.job
- c:\hold\Malwarebytes' Anti-Malware2\mbam.exe [2009-11-26 22:53]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\rmac\Application Data\Mozilla\Firefox\Profiles\h8u0shrj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.14); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.00.14);user_pref(general.useragent.extra.zencast, c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-30 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83209B38]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf87bcf28
\Driver\ACPI -> ACPI.sys @ 0xf8689cb8
\Driver\atapi -> 0x83209b38
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Linksys Wireless-G PCI Network Adapter with SpeedBooster -> SendCompleteHandler -> NDIS.sys @ 0xf84b7bb0
PacketIndicateHandler -> NDIS.sys @ 0xf84c4a21
SendHandler -> NDIS.sys @ 0xf84a287b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(584)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-30 19:00
ComboFix-quarantined-files.txt 2009-12-01 03:00
ComboFix2.txt 2009-11-29 03:21
ComboFix3.txt 2009-11-29 02:52
ComboFix4.txt 2009-07-03 20:59
ComboFix5.txt 2009-12-01 02:45

Pre-Run: 9,514,438,656 bytes free
Post-Run: 9,463,459,840 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 6A2CF295925BD54A5FB80367ECF1C7D7


Re: antivirus pro

Post by Belahzur on Tue Dec 01, 2009 11:23 pm

Looks okay. The MBR rootkit part isn't right: it says possible infection, but says it's OK.
Still having problems?


Re: antivirus pro

Post by rmacint on Wed Dec 02, 2009 12:40 am

gmer starts, but aborts and malware bytes aborts when it loads on start-up. does that mean they are encountering some malware?

Re: antivirus pro

Post by Belahzur on Wed Dec 02, 2009 1:47 am

Please download [You must be registered and logged in to see this link.] to your desktop.
Double click on the MBR.exe to run it. A log will be produced, named MBR.log.
Please open this log in Notepad and post its contents in your next reply.

Re: antivirus pro

Post by rmacint on Wed Dec 02, 2009 2:11 am

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Re: antivirus pro

Post by Belahzur on Wed Dec 02, 2009 8:53 pm

Aside from tools not working, are you still having problems regarding malware? The logs look good, so the machine should be okay from what I can tell, but you may know more than I do.

Re: antivirus pro

Post by rmacint on Wed Dec 02, 2009 9:18 pm

i still have some doubts about whether my machine is clean, but i know your resources are limited, so i will sign off for now. thanks for your help. it's greatly appreciated.
