Banker Fox.A Virus


Banker Fox.A Virus

Post by charleyono on Mon Jan 18, 2010 7:27 am

I'm on my laptop because I can't get anywhere with my e-machines desktop. I am running XP home and I can't get to the CMD prompt, regedit, can't unregister a dll file or block websites. Cannot run any programs either. I'm stuck.
Can you help me - P--L--E--A--S--E???

charleyono
Novice

Posts : 33
Joined : 2010-01-18
OS : XP Home
Points : 25591
Likes : 0

Re: Banker Fox.A Virus

Post by charleyono on Mon Jan 18, 2010 7:29 am

Don't know what I'm supposed to do now?


Re: Banker Fox.A Virus

Post by Belahzur on Mon Jan 18, 2010 10:18 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
Likes : 1

Re: Banker Fox.A Virus

Post by charleyono on Tue Jan 19, 2010 5:37 am

Using my laptop, which is not infected, I downloaded the Hijack program on to a jump drive to run it on the infected desktop. Since the desktop virus blocks every attempt to select, I have to try to install it in Safe Mode.
When I select the file to install on the desktop, from the jump drive, I receive a message, "The system Administrator has set policies to prevent this installation." It seems the virus is blocking my attempt in Safe Mode.
Any ideas?


Re: Banker Fox.A Virus

Post by Belahzur on Tue Jan 19, 2010 6:49 pm

Try this instead.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.



Re: Banker Fox.A Virus

Post by charleyono on Tue Jan 19, 2010 9:04 pm

I ran a McAfee scan in safe mode and restored to an earlier date, which enabled me to use the Hijack software after all. Here's the file. By the way, I do not use Pitstop or Apple software. Also use McAfee (not Norton) because it is provided by the ISP. I'd like your advice with regard to better Anti-Virus and Spyware to prevent issues like this in the future. I'm disappointed in the free McAfee.

(Do you see anything wrong with Roxio Creator 10? It's been giving me trouble of late) Thanks!!

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:47:15 PM, on 1/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\Imgtask.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Media Key\Versato.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dial"); (C:\Documents and Settings\CHARLEY\Application Data\Mozilla\Profiles\default\vhdagj6a.slt\prefs.js)
O1 - Hosts: 127.0.0.` [You must be registered and logged in to see this link.]
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ImgTask] C:\WINDOWS\Imgtask.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [Versato] C:\Program Files\Media Key\Versato.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Charley\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: eBay Search - [You must be registered and logged in to see this link.] Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: absoƖute NET - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra 'Tools' menuitem: absoƖute NET - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - [You must be registered and logged in to see this link.]
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - [You must be registered and logged in to see this link.]
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - [You must be registered and logged in to see this link.]
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 17612 bytes


Re: Banker Fox.A Virus

Post by Belahzur on Tue Jan 19, 2010 10:23 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Banker Fox.A Virus

Post by charleyono on Wed Jan 20, 2010 12:57 am

Here's an image of it: [You must be registered and logged in to see this link.]


Malwarebytes' Anti-Malware 1.44
Database version: 3600
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/19/2010 6:37:38 PM
mbam-log-2010-01-19 (18-37-38).txt

Scan type: Quick Scan
Objects scanned: 131108
Time elapsed: 8 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\admdll.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\raddrv.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.


Re: Banker Fox.A Virus

Post by charleyono on Wed Jan 20, 2010 7:57 am

All appears to be well! Do you agree, Belahzur?


Re: Banker Fox.A Virus

Post by Belahzur on Wed Jan 20, 2010 4:14 pm

Looks okay, how is the machine running?



Re: Banker Fox.A Virus

Post by charleyono on Wed Jan 20, 2010 4:55 pm

The machine is running beautifully! Thank you so much for your help!
Your time and expertise are very much appreciated. Thanks for being there at a time of crisis and working through it with me.


Re: Banker Fox.A Virus

Post by charleyono on Thu Jan 21, 2010 7:21 am

This evening, I was reading a compact flash card (downloading photos). I successfully retrieved photos from one card (4GB), then I put another CF card (8GB) into the card reader. Nothing happened, so I went to My Computer to select Auto Play and the Card Reader Drive Icons were gone!
I restarted the computer (stupid move) and when it came back on, all of my desktop icons were gone. I restarted in safe mode and cannot get a desktop to appear. I can access Task Mgr though. Here are the files listed there:
alg.exe LOCAL SERVICE
btwdins.exe SYSTEM
CALMAIN.exe "
csrss.exe "
ctfmon Charley
Isass.exe SYSTEM
mainserv.exe "
mcagent.exe Charley
McciCMService.exe SYSTEM
mcmscsvc.exe "
McNASvc.exe "
McProxy.exe "
McSACore.exe "
McShield.exe "
mcsymon.exe "
mDNSResponder.exe "
MpfSrv.exe "
MsPMSPSv.exe "
nvsvc32.exe "
PIFSvc.exe "
RoxWatch10.exe "
scardsvr.exe LOCAL SERVICE
services.exe SYSTEM
slserv.exe "
smss.exe SYSTEM
spoolsv.exe "
svhost.exe "
schost.exe NETWORK SERVICE
schost.exe SYSTEM
schost.exe "
svhost.exe LOCAL SERVICE
svhost.exe "
svhost.exe "
svhost.exe "
svhost.exe "
svhost.exe SYSTEM
System "
System Idle Process "
taskmgr.exe Charley
ULCDRSvr.exe SYSTEM
winlogon.exe "
WLanCfgG.exe "
WLService.exe "


Re: Banker Fox.A Virus

Post by Belahzur on Thu Jan 21, 2010 5:21 pm

Hello.
Sounds like explorer isn't loading, open the Task Manager via ctrl/alt/del. Go to the "Applications" tab, and press "New Task..."

In the open field, type in explorer and hit the OK button.

Does your Desktop load now?



Re: Banker Fox.A Virus

Post by charleyono on Thu Jan 21, 2010 6:01 pm

That did it! I also ran Malwarebytes again, but this time I ran the full scan.
It detected several more infected files. Here's the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3600
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/21/2010 10:06:42 AM
mbam-log-2010-01-21 (10-06-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 265760
Time elapsed: 1 hour(s), 51 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Charley\Desktop\Commenco Files\ie6setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP1740\A0226699.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP1740\A0226700.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
C:\Program Files\Radmin\AdmDll.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
C:\Program Files\Radmin\raddrv.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\Documents and Settings\Charley\Local Settings\Temp\e.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Re: Banker Fox.A Virus

Post by Belahzur on Thu Jan 21, 2010 11:35 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Banker Fox.A Virus

Post by charleyono on Fri Jan 22, 2010 1:43 am

ComboFix 10-01-21.01 - Charley 01/21/2010 19:15:54.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1535 [GMT -6:00]
Running from: c:\documents and settings\Charley\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\recycler\S-1-5-21-1477866784-3567247576-2136645716-1003
c:\recycler\S-1-5-21-2237592691-3377558703-110070704-1003
c:\recycler\S-1-5-21-2392485839-2649148296-2204470028-1003
c:\recycler\S-1-5-21-406060443-2983749964-1457716007-1003
c:\recycler\S-1-5-21-507921405-1580436667-839522115-1003
c:\recycler\S-1-5-21-692769158-1352353359-185335893-1003
c:\windows\Imgtask.exe
c:\windows\MailSwitch.ocx
c:\windows\patch.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\muzapp.exe
c:\windows\system32\Thumbs.db
d:\documents and settings\Charley\My Documents\ZbThumbnail.info

.
((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-21 21:24 . 2010-01-21 21:25 -------- d-----w- c:\program files\InterActual
2010-01-20 03:49 . 2009-07-16 18:32 120136 ------w- c:\windows\system32\drivers\Mpfp.sys
2010-01-20 03:48 . 2010-01-20 03:49 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-20 03:48 . 2010-01-20 03:48 -------- d-----w- c:\program files\McAfee.com
2010-01-20 03:48 . 2010-01-21 05:44 -------- d-----w- c:\program files\McAfee
2010-01-20 00:27 . 2010-01-20 00:27 -------- d-----w- c:\documents and settings\Charley\Application Data\Malwarebytes
2010-01-20 00:26 . 2010-01-07 22:07 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-20 00:26 . 2010-01-20 00:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-20 00:26 . 2010-01-20 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-20 00:26 . 2010-01-07 22:07 19160 ------w- c:\windows\system32\drivers\mbam.sys
2010-01-19 20:46 . 2010-01-19 20:46 388096 ----a-r- c:\documents and settings\Charley\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-19 20:46 . 2010-01-19 20:46 -------- d-----w- c:\program files\TrendMicro
2010-01-19 20:40 . 2010-01-19 20:40 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-19 20:35 . 2010-01-19 20:35 -------- d-----w- c:\program files\Documents To Go
2010-01-19 20:35 . 2010-01-19 20:35 -------- d-----w- c:\program files\Common Files\DataViz
2010-01-19 20:35 . 2010-01-19 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DataViz
2010-01-19 04:59 . 2010-01-19 04:59 -------- d-----w- c:\documents and settings\Administrator.XPCOMPUTER\PrivacIE
2010-01-18 10:06 . 2010-01-19 20:22 -------- d-----w- c:\program files\Common Files\McAfee(2)
2010-01-18 10:06 . 2010-01-19 20:22 -------- d-----w- c:\program files\McAfee(2).com
2010-01-18 10:05 . 2010-01-19 20:22 -------- d-----w- c:\program files\McAfee(2)
2010-01-15 20:26 . 2010-01-19 20:36 -------- d-----w- c:\program files\PCPitstop
2010-01-07 00:01 . 2009-12-24 16:58 6515976 ---ha-w- c:\documents and settings\Charley\Application Data\mjusbsp\in00000\setup.exe
2010-01-07 00:01 . 2009-12-24 16:58 6515976 ---ha-w- c:\documents and settings\Charley\Application Data\mjusbsp\Upgrade\setup1.exe
2010-01-07 00:01 . 2009-12-24 16:54 730032 ---ha-w- c:\documents and settings\Charley\Application Data\mjusbsp\Upgrade\install1.exe
2010-01-06 23:59 . 2009-08-01 16:12 728600 ---ha-w- c:\documents and settings\Charley\Application Data\mjusbsp\ar00000\install.exe
2010-01-01 22:32 . 2001-08-17 19:47 12928 ------w- c:\windows\system32\drivers\Dot4Prt.sys
2009-12-31 05:22 . 2008-12-20 00:08 27784 ------w- c:\windows\system32\drivers\point32.sys
2009-12-31 05:20 . 2009-12-31 05:21 -------- d-----w- c:\program files\Microsoft IntelliPoint
2009-12-31 03:02 . 2009-12-31 03:02 -------- d-----w- c:\program files\Media Key
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\documents and settings\Charley\Application Data\mjusbsp\cdloader2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 21:18 . 2003-08-16 16:00 -------- d-----w- c:\program files\Roxio
2010-01-21 21:17 . 2006-12-21 02:37 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-21 21:15 . 2003-08-16 16:00 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-21 21:11 . 2007-11-06 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-21 20:57 . 2005-05-26 01:53 56152 -c--a-w- c:\documents and settings\Charley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-20 22:50 . 2009-04-10 23:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-01-20 03:53 . 2009-03-25 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-20 00:21 . 2008-06-06 00:21 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 20:35 . 2007-01-01 19:52 -------- d-----w- c:\program files\palmOne
2010-01-19 20:33 . 2009-05-23 01:17 -------- d-----w- c:\documents and settings\Charley\Application Data\mjusbsp
2010-01-18 20:47 . 2006-07-09 02:22 -------- d-----w- c:\program files\Google
2010-01-15 20:27 . 2009-02-28 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-01-13 19:42 . 2010-01-15 20:30 142780 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-01-01 22:30 . 2006-12-21 02:33 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-15 07:58 . 2009-05-07 22:30 -------- d-----w- c:\documents and settings\Charley\Application Data\Download Manager
2009-12-15 05:52 . 2008-06-10 22:01 -------- d-----w- c:\documents and settings\Charley\Application Data\GARMIN
2009-12-15 05:52 . 2009-12-15 05:52 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-12-10 09:05 . 2008-04-11 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-21 15:51 . 2003-08-13 12:27 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-04 22:54 . 2009-03-25 02:34 79816 ------w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 22:54 . 2009-03-25 02:34 40552 ------w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 22:54 . 2009-03-25 02:34 35272 ------w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 22:54 . 2009-03-25 02:34 214664 ------w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:45 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 01:14 . 2009-10-28 01:14 10134 -c--a-r- c:\documents and settings\Charley\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2002-07-26 22:02 . 2007-11-06 03:32 153088 -c--a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-28 39408]
"cdloader"="c:\documents and settings\Charley\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_15\bin\jusched.exe" [2007-05-22 32881]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-10-16 202312]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"Versato"="c:\program files\Media Key\Versato.exe" [2002-12-25 733184]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-11-27 221247]
HP OfficeJet T Series Startup.lnk - c:\program files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe [2010-1-1 1175552]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-28 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Charley^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=c:\documents and settings\Charley\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=c:\windows\pss\TrueAssistant.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ------w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2003-06-03 18:01 496640 -c--a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
2009-01-19 23:01 632048 -c--a-w- c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 08:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
2003-07-14 19:30 98304 -c--a-w- c:\program files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
2007-04-05 20:29 684118 -c--a-w- c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-05-02 22:19 4640768 ------w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-05-02 22:19 323584 -c----w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PNAgent]
2006-01-13 18:05 40960 -c--a-w- c:\program files\PhatNoise Media Manager\PNAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 15:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBC Yahoo! Connection Manager]
2003-07-14 19:55 1028096 -c--a-w- c:\program files\SBC Yahoo!\Connection Manager\ConnectionManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-07 20:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2005-08-15 21:24 3092480 ----a-w- c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ImapiService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\palmOne\\Hotsync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Charley\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/19/2010 9:52 PM 93320]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 3:52 PM 166384]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 3:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 3:52 PM 309744]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 3:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 3:52 PM 1083888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ROXIO_UPNP_SERVER_10
*NewlyCreated* - ROXMEDIADB10
*NewlyCreated* - ROXWATCH10
*Deregistered* - IPVNMon
*Deregistered* - SessionLauncher

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2010-01-20 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 18:22]

2010-01-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 18:22]

2009-12-31 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - c:\documents and settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
MSConfigStartUp-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
MSConfigStartUp-CaAvTray - c:\program files\Yahoo!\Antivirus\CAVTray.exe
MSConfigStartUp-CAVRID - c:\program files\Yahoo!\Antivirus\CAVRID.exe
MSConfigStartUp-gStart - c:\garmin\gStart.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-PhotoShow Deluxe Media Manager - c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
MSConfigStartUp-RoxioEngineUtility - c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
MSConfigStartUp-showicon2k - c:\program files\\eM\Bay Reader\Shwicon2k.exe
MSConfigStartUp-YBrowser - c:\progra~1\Yahoo!\browser\ybrwicon.exe
MSConfigStartUp-YOP - c:\progra~1\Yahoo!\YOP\yop.exe
AddRemove-BigFix - c:\program files\BigFix\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-21 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2010-01-21 19:32:29
ComboFix-quarantined-files.txt 2010-01-22 01:32

Pre-Run: 81,127,075,840 bytes free
Post-Run: 81,307,635,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 6361BA37809EC7C3D424480D4B7FC341

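The ComboFix log above is the kind of artefact a helper reads by eye: Security Center overrides set to 1, EnableFirewall at 0, a globally open port, and (in the earlier Malwarebytes log) Winlogon\Userinit pointing at sdra64.exe instead of userinit.exe. The script below is an added example written for this thread; it is not ComboFix's or Malwarebytes' code. It parses a REGEDIT4-style dump in the layout ComboFix prints under "Reg Loading Points" and flags the posture-weakening settings seen here. The sample input is constructed from lines in the log, with a Winlogon section rebuilt from the Malwarebytes finding (sdra64.exe in place of userinit.exe); the key names and value forms are XP-era ones as they appear on this page.

```python
"""Audit a REGEDIT4-style registry dump (the format ComboFix prints under
'Reg Loading Points') for settings that weaken a host's security posture.

Added example for this thread; not ComboFix's or Malwarebytes' code.
The sample dump is constructed from lines posted in the thread, plus a
Winlogon section rebuilt from the Malwarebytes finding (sdra64.exe
listed in Userinit instead of userinit.exe)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample input: trimmed copy of the log above, Winlogon section added.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def parse_dump(text):
    """Return {key_lowercased: {value_name: raw_value_text}}."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2).strip()
    return result


def _nonzero(raw):
    """True for 'dword:00000001' or '1 (0x1)' style values, False for zero."""
    raw = raw.lower()
    if raw.startswith("dword:"):
        return int(raw[6:], 16) != 0
    m = re.match(r"\s*(\d+)", raw)
    return m is not None and int(m.group(1)) != 0


def _reg_string(raw):
    """Strip the quotes and unescape the doubled backslashes of a REG_SZ value."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\")


def userinit_is_clean(raw):
    """Userinit must list only userinit.exe; the Zbot sample here prepended sdra64.exe."""
    parts = [p.strip() for p in _reg_string(raw).split(",") if p.strip()]
    return bool(parts) and all(ntpath.basename(p).lower() == "userinit.exe" for p in parts)


def audit(dump):
    """Flag Userinit hijack, Security Center suppression, firewall off and open ports."""
    findings = []
    for key, values in dump.items():
        for name, raw in values.items():
            lname = name.lower()
            if "winlogon" in key and lname == "userinit" and not userinit_is_clean(raw):
                findings.append(Finding(key, name, raw, "Userinit hijacked: extra program runs at logon"))
            elif ("security center" in key
                  and lname in ("antivirusoverride", "firewalloverride", "disablemonitoring")
                  and _nonzero(raw)):
                findings.append(Finding(key, name, raw, "Security Center alerting suppressed"))
            elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and not _nonzero(raw):
                findings.append(Finding(key, name, raw, "Windows Firewall disabled"))
            elif key.endswith("globallyopenports\\list"):
                findings.append(Finding(key, name, raw, "inbound port exception open to any source"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{f.reason:48} {f.name}={f.value}  [{f.key}]")
```

Run it on a saved ComboFix.txt by passing the file's contents to parse_dump; every hit is a setting to restore after the infection is cleaned, which is why the helper's next step in a thread like this is usually to re-check that Security Center and the firewall report healthy.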

Duplicate entry

Post by charleyono on Fri Jan 22, 2010 2:49 am

Disregard


Last edited by charleyono on Fri Jan 22, 2010 3:37 am; edited 1 time in total (Reason for editing : Duplicate)


Re: Banker Fox.A Virus

Post by charleyono on Fri Jan 22, 2010 3:03 am

I have a built-in card reader in my CPU. I use compact Flash Card media to copy photos via Microsoft Scanner & Camera Wizard. When I insert the card, I'm no longer presented with options. When this happened in the past, I would right click on the drive and select Auto Play. Now the Auto Play option is not listed in the right click menu, so I selected the drive properties>Prompt me ea. time to choose an action. However, when the card is inserted, the hour glass just blinks and no option window appears. I discovered that I cannot Auto Play an audio CD either. Registry Issues??
Also, the machine seems to take a long time to populate all of the desktop icons on Start-Up and takes a long time to Shut Down.


Re: Banker Fox.A Virus

Post by Belahzur on Fri Jan 22, 2010 10:13 pm

Hello.
Autorun infections are very common nowadays, and are very dangerous. Combofix will switch off autorun and autoplay when run, see here for more info:
[You must be registered and logged in to see this link.]

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Banker Fox.A Virus

Post by charleyono on Sat Jan 23, 2010 3:21 am

Thanks for the Auto-Run advice! I attempted to uninstall ComboFix, but when I did, I received a window with this message:

Windows cannot find 'ComboFix'. make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search.

I searched and the results were:
ComboFix.txt
ComboFix-quarantined-files.txt


Re: Banker Fox.A Virus

Post by charleyono on Sat Jan 23, 2010 8:56 pm

Belahzur,

No matter what I try, I cannot open a CF card (jpeg files) with Microsoft Scanner & Camera Wizard. I have associated the type file and the drive with
the MS Wizard to no avail. The Auto-Play is not important, except that it is the only method I know for opening the files with the MS Wizard. Can you help me?


Re: Banker Fox.A Virus

Post by Belahzur on Sat Jan 23, 2010 11:42 pm

Hello.
See here:
[You must be registered and logged in to see this link.]

4th option down for switching autoplay back on, but beware, you do so at your own risk.



Re: Banker Fox.A Virus

Post by charleyono on Sun Jan 24, 2010 2:56 am

Is this the only option I have to enable MS Scanner & Camera Wizard for opening jpeg files on my CF card??


Re: Banker Fox.A Virus

Post by Belahzur on Sun Jan 24, 2010 5:40 pm

Well in theory, just right click on the jpg files, and select the Scanner & Camera wizard.



Re: Banker Fox.A Virus

Post by charleyono on Sun Jan 24, 2010 7:37 pm

I can do that, but it doesn't open the files in the Wizard like it did before.
I edited the registry and changed the HEX value to 91 in the 'NoDriveTypeAutoRun' folder, but it did not restore the Auto-Play feature. Any other suggestions? Do you think ComboFix is resident on the machine?

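As an added example from a defender's side (not part of this thread or of any tool named in it), here is a PowerShell snippet that reads NoDriveTypeAutoRun from both Explorer policy hives and decodes the bitmask, so you can see which drive types a value such as 0x91 actually blocks; the HKLM copy takes precedence over the HKCU one, which is one reason a user-level edit may appear to have no effect.

```powershell
# Added example: decode the NoDriveTypeAutoRun bitmask in both policy hives.
# Each set bit DISABLES AutoRun/AutoPlay for that drive type (Win32 DRIVE_* codes).
$driveTypeBits = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN   (type cannot be determined)'
    0x04 = 'DRIVE_REMOVABLE (floppy, USB stick, CF card reader)'
    0x08 = 'DRIVE_FIXED     (hard disks)'
    0x10 = 'DRIVE_REMOTE    (network shares)'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'Unspecified / reserved drive types'
}

# Standard Explorer policy keys; the HKLM value overrides the HKCU value.
$policyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Show-AutoRunPolicy {
    foreach ($path in $policyPaths) {
        $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { $null }
        if ($null -eq $value) {
            "{0}`n    NoDriveTypeAutoRun not set (Windows default applies)" -f $path
            continue
        }
        "{0}`n    NoDriveTypeAutoRun = 0x{1:X2}" -f $path, $value
        foreach ($bit in $driveTypeBits.Keys) {
            $state = if ($value -band $bit) { 'AutoRun DISABLED' } else { 'AutoRun allowed ' }
            "    0x{0:X2}  {1}  {2}" -f $bit, $state, $driveTypeBits[$bit]
        }
    }
}

# 0x91 (the value set in the post above) = 0x80 + 0x10 + 0x01: only unknown,
# network and unspecified types are blocked, so removable media is still allowed.
# A hardened machine uses 0xFF, which disables AutoRun on every drive type.
Show-AutoRunPolicy
```

Run it in an elevated PowerShell session so the HKLM key is readable; if HKLM carries a value, that is the one Explorer honours regardless of what HKCU says.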

Re: Banker Fox.A Virus

Post by charleyono on Sun Jan 24, 2010 8:55 pm

If I upgrade to Windows 7 - would it end this craziness? Would Microsoft Scanner and Camera Wizard return? Would the effects of ComboFix linger? I need to find a way to resolve this issue.


Re: Banker Fox.A Virus

Post by charleyono on Mon Jan 25, 2010 6:38 pm

Tired of this? Me too! Windows 7 may come later, for now, FDISK is on its way. Back-up, Wipe clean, Re-install and all of this foolishness will be gone.
It would have been helpful if your responses had been a bit more timely.
Good luck and hope my donation helps others more than it helped me!


Re: Banker Fox.A Virus

Post by Belahzur on Mon Jan 25, 2010 9:36 pm

Sorry, was doing some research on this, if you want to upgrade, that's your choice. Smile



Re: Banker Fox.A Virus

Post by charleyono on Mon Jan 25, 2010 9:43 pm

Not quite ready for upgrading at this point, I'll need some new hardware.
Did you uncover anything helpful with the research? If you think there's a way to undo ComboFix, that would be great. If not, I will FDISK on Thursday, because I don't have my external hard drive with me at the present time. Thanks for all you do.

