antivirus pro

randymac · by randymac on Thu 02 Jul 2009, 10:25 pm

I have run malwarebytes several times (quick and full scan) and deleted everything it found. My searches in Yahoo and Google are still hijacked. I also get the error message "Generic Host Process for Win32 service encountered a problem."

I can't start in Safe mode.

Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:39 PM, on 7/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\windows\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]|ap.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\DOCUME~1\rmac\LOCALS~1\Temp\7285562229mxx.dll
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8311 bytes

**Origin** · by **Origin** on Thu 02 Jul 2009, 11:33 pm

Hello randymac,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
If you have any cracked/pirated software in your computer delete them or we will not help you.
Only follow advise from Geek Police Staff and not a regular member.
Do NOT run any tool without Geek Police supervision as it could hinder your system useless.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure Teatimer is disable before we do this, otherwise this fix will fail.

Open HijackThis.
Choose "Do a system scan only"
Check the boxes in front of these lines:

O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O20 - AppInit_DLLs: C:\DOCUME~1\rmac\LOCALS~1\Temp\7285562229mxx.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Press "Fix Checked"
Close Hijack This.

Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
Double click DDS.scr to run.
When complete, two logs will open. Save both of the report to your Desktop.
Copy and paste DDS.txt back here, I don't need to see attach.txt.

I see you have Viewpoint software installed.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". Read this article: [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.]

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint Manager (remove only)
Viewpoint Media Player
Viewpoint Toolbar

Next, please download ViewpointKiller by Prm753 from [You must be registered and logged in to see this link.].
Save it to a permanent folder (such as C:\ViewpointKiller) and unzip it there.
Open ViewpointKiller, and press the Start button.
A log will be produced in the same folder where you unzipped it to. Please post the contents of that log in your reply.

randymac · by randymac on Fri 03 Jul 2009, 11:10 am

Thank you for your help and response.

I was able to remove the 3 items you identified via HijackThis.

I was also able to complete the Viewpoint removal.

DDS runs, but I never get a log file.

My searches are still being highjacked.

Below is a new HighJack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:13 AM, on 7/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]|ap.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7664 bytes

**Belahzur** · by **Belahzur** on Fri 03 Jul 2009, 11:24 am

Download combofix from here
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
We need to disable your local AV (Anti-virus) before running Combofix.
See [You must be registered and logged in to see this link.] for how to disable your AV. (Mcafee)
Double click on ComboFix.exe.
Follow the prompts. NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

randymac · by randymac on Fri 03 Jul 2009, 1:05 pm

ComboFix 09-07-02.02 - rmac 07/03/2009 11:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.247 [GMT -7:00]
Running from: c:\documents and settings\rmac\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\videosoft
c:\program files\videosoft\Shared Files\ViewRep7.dll
c:\program files\videosoft\Shared Files\Vsflex7.ocx
c:\program files\videosoft\Shared Files\VSPRINT7.ocx
c:\program files\videosoft\Shared Files\VSStr7.ocx
c:\windows\010112010146118114.dat
c:\windows\Install.txt
c:\windows\Installer\6e35ed.msi
c:\windows\system32\Install.txt
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wiawow32.sys

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_DRV
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_drv

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2010-04-28 21:44 . 2006-05-24 00:01 -------- d-----w- c:\documents and settings\itc\Application Data\Apple Computer
2010-04-28 21:43 . 2006-05-24 00:01 -------- d-----w- c:\documents and settings\itc\Local Settings\Application Data\Apple Computer
2009-07-03 16:24 . 2009-07-03 16:25 -------- d-----w- C:\viewpointkiller
2009-07-03 04:15 . 2009-07-03 04:15 -------- d-----w- c:\program files\Trend Micro
2009-07-03 01:55 . 2009-07-03 01:55 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-07-03 01:55 . 2009-07-03 01:55 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-07-03 01:55 . 2009-07-03 01:55 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-03 01:55 . 2009-07-03 01:55 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-02 21:27 . 2009-07-02 21:27 -------- d-----w- c:\documents and settings\rmac\Application Data\Malwarebytes
2009-07-02 21:27 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 21:27 . 2009-07-02 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 21:27 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 21:27 . 2009-07-02 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 20:51 . 2009-07-02 20:51 166 ----a-w- c:\windows\567788.bat
2009-07-02 18:01 . 2009-07-02 18:01 2 ----a-w- c:\windows\0101120101465749.dat
2009-07-02 17:01 . 2009-07-02 17:01 -------- d-----w- c:\program files\drv
2009-07-02 16:55 . 2009-07-02 16:55 28672 ----a-w- C:\fdvjfx.exe
2009-07-02 16:55 . 2009-07-02 16:55 -------- d-sh--w- c:\windows\System Volume Information
2009-07-02 02:36 . 2009-07-02 02:36 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\Thunderbird
2009-07-02 02:36 . 2009-07-02 02:36 -------- d-----w- c:\documents and settings\rmac\Application Data\Thunderbird
2009-07-02 02:33 . 2009-07-03 04:47 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-11 17:33 . 2009-06-11 17:46 -------- d-----w- c:\documents and settings\rmac\Application Data\Mp3tag
2009-06-11 17:32 . 2009-06-11 17:33 -------- d-----w- c:\program files\Mp3tag
2009-06-11 17:00 . 2009-06-12 03:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-11 17:00 . 2009-06-11 17:14 -------- d-----w- c:\program files\Cool MP3 Splitter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 03:07 . 2006-05-04 18:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-03 02:09 . 2006-05-04 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 01:07 . 2006-09-12 15:18 -------- d-----w- c:\program files\SPSS
2009-06-14 20:34 . 2006-08-31 00:50 -------- d-----w- c:\documents and settings\rmac\Application Data\AdobeUM
2009-06-13 15:54 . 2006-12-22 01:14 -------- d-----w- c:\program files\Replay AV 8
2009-05-24 05:21 . 2009-05-24 05:21 -------- d-----w- c:\program files\Devious Codeworks
2009-05-24 00:29 . 2009-05-24 00:29 -------- d-----w- c:\program files\7-Zip
2009-05-23 21:09 . 2009-05-23 21:09 -------- d-----w- c:\documents and settings\rmac\Application Data\PKWARE
2009-05-23 21:09 . 2009-05-23 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PKWARE
2009-05-21 21:06 . 2009-05-21 20:37 -------- d-----w- c:\documents and settings\rmac\Application Data\dvdcss
2009-05-21 20:56 . 2007-08-19 18:32 -------- d-----w- c:\program files\Dvd-cloner
2001-05-24 20:59 . 2007-01-16 16:45 162304 ----a-w- c:\program files\UNWISE.EXE
2006-08-30 18:59 . 2006-04-27 23:12 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-08-30 18:59 . 2006-04-27 23:12 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-08-30 18:59 . 2006-04-27 23:12 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-04-01 03:31 . 2008-04-01 03:30 80 --sh--r- c:\windows\system32\64B6FEA206.dll
2005-07-14 19:31 . 2006-05-24 17:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-05-18 684032]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2003-01-31 311296]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-10-6 1524776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2001-04-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microtek\\ScanWizard Pro\\LANServer.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/27/2006 10:53 AM 10880]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/2/2009 10:01 AM 9344]
R2 Gizmo Plugin;Gizmo VoIP Service;c:\program files\GizmoPlugin\GizmoPlugin.exe [5/31/2007 7:55 AM 962048]
R3 vmmemctl;VMware server memory controller;c:\windows\system32\drivers\vmmemctl.sys [3/28/2006 4:28 PM 5500]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 6:55 PM 18864]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]
S3 pcmstub;pcmstub;c:\windows\system32\pcmstub.sys [8/3/2004 5:56 PM 2304]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [4/27/2006 10:52 AM 4608]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [4/27/2006 10:52 AM 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [4/27/2006 10:53 AM 22528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]|ap.html
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]{searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\rmac\Application Data\Mozilla\Firefox\Profiles\h8u0shrj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\inspector@mozilla.org\components\inspector.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.14); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.00.14);user_pref(general.useragent.extra.zencast, c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-03 11:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2276)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\9.00\Hummingbird Neighborhood\heshell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-03 11:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 18:32

Pre-Run: 21,891,276,800 bytes free
Post-Run: 21,894,311,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

207 --- E O F --- 2008-03-30 04:09

**Belahzur** · by **Belahzur** on Fri 03 Jul 2009, 1:09 pm

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
:filefind proquota.exe
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

randymac · by randymac on Fri 03 Jul 2009, 1:11 pm

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:11 on 03/07/2009 by rmac (Administrator - Elevation successful)

No Context: filefind

No Context: proquota.exe

-=End Of File=-

randymac · by randymac on Fri 03 Jul 2009, 1:15 pm

SystemLook v1.0 by jpshortstuff (22.05.09)
(sorry- missed the colon in my first try)

Log created at 12:12 on 03/07/2009 by rmac (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
No files found.

-=End Of File=-

**Belahzur** · by **Belahzur** on Fri 03 Jul 2009, 1:22 pm

Hello.
Do you have your XP disc?

randymac · by randymac on Fri 03 Jul 2009, 2:14 pm

sorry.
no. i can't find my xp disk.

**Belahzur** · by **Belahzur** on Fri 03 Jul 2009, 2:38 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\567788.bat
c:\windows\0101120101465749.dat
C:\fdvjfx.exe

Driver::
drvdrv

Folder::
c:\program files\drv

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"drv"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

randymac · by randymac on Fri 03 Jul 2009, 3:01 pm

ComboFix 09-07-02.02 - rmac 07/03/2009 13:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.288 [GMT -7:00]
Running from: c:\documents and settings\rmac\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\rmac\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"C:\fdvjfx.exe"
"c:\windows\0101120101465749.dat"
"c:\windows\567788.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fdvjfx.exe
c:\program files\drv
c:\program files\drv\drv.dll
c:\program files\drv\drv.sys
c:\windows\0101120101465749.dat
c:\windows\567788.bat

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRVDRV
-------\Service_drvdrv

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2010-04-28 21:44 . 2006-05-24 00:01 -------- d-----w- c:\documents and settings\itc\Application Data\Apple Computer
2010-04-28 21:43 . 2006-05-24 00:01 -------- d-----w- c:\documents and settings\itc\Local Settings\Application Data\Apple Computer
2009-07-03 16:24 . 2009-07-03 16:25 -------- d-----w- C:\viewpointkiller
2009-07-03 04:15 . 2009-07-03 04:15 -------- d-----w- c:\program files\Trend Micro
2009-07-03 01:55 . 2009-07-03 01:55 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-07-03 01:55 . 2009-07-03 01:55 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-07-03 01:55 . 2009-07-03 01:55 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-03 01:55 . 2009-07-03 01:55 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-02 21:27 . 2009-07-02 21:27 -------- d-----w- c:\documents and settings\rmac\Application Data\Malwarebytes
2009-07-02 21:27 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 21:27 . 2009-07-02 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 21:27 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 21:27 . 2009-07-02 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 16:55 . 2009-07-02 16:55 -------- d-sh--w- c:\windows\System Volume Information
2009-07-02 02:36 . 2009-07-02 02:36 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\Thunderbird
2009-07-02 02:36 . 2009-07-02 02:36 -------- d-----w- c:\documents and settings\rmac\Application Data\Thunderbird
2009-07-02 02:33 . 2009-07-03 04:47 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-11 17:33 . 2009-06-11 17:46 -------- d-----w- c:\documents and settings\rmac\Application Data\Mp3tag
2009-06-11 17:32 . 2009-06-11 17:33 -------- d-----w- c:\program files\Mp3tag
2009-06-11 17:00 . 2009-06-12 03:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-11 17:00 . 2009-06-11 17:14 -------- d-----w- c:\program files\Cool MP3 Splitter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 03:07 . 2006-05-04 18:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-03 02:09 . 2006-05-04 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 01:07 . 2006-09-12 15:18 -------- d-----w- c:\program files\SPSS
2009-06-14 20:34 . 2006-08-31 00:50 -------- d-----w- c:\documents and settings\rmac\Application Data\AdobeUM
2009-06-13 15:54 . 2006-12-22 01:14 -------- d-----w- c:\program files\Replay AV 8
2009-05-24 05:21 . 2009-05-24 05:21 -------- d-----w- c:\program files\Devious Codeworks
2009-05-24 00:29 . 2009-05-24 00:29 -------- d-----w- c:\program files\7-Zip
2009-05-23 21:09 . 2009-05-23 21:09 -------- d-----w- c:\documents and settings\rmac\Application Data\PKWARE
2009-05-23 21:09 . 2009-05-23 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PKWARE
2009-05-21 21:06 . 2009-05-21 20:37 -------- d-----w- c:\documents and settings\rmac\Application Data\dvdcss
2009-05-21 20:56 . 2007-08-19 18:32 -------- d-----w- c:\program files\Dvd-cloner
2001-05-24 20:59 . 2007-01-16 16:45 162304 ----a-w- c:\program files\UNWISE.EXE
2006-08-30 18:59 . 2006-04-27 23:12 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-08-30 18:59 . 2006-04-27 23:12 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-08-30 18:59 . 2006-04-27 23:12 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-04-01 03:31 . 2008-04-01 03:30 80 --sh--r- c:\windows\system32\64B6FEA206.dll
2005-07-14 19:31 . 2006-05-24 17:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2003-06-19 10:35 . 2009-07-03 17:04 63764 c:\windows\system32\perfc009.dat
+ 2003-06-19 10:35 . 2009-07-03 18:28 63764 c:\windows\system32\perfc009.dat
+ 2003-06-19 10:35 . 2009-07-03 18:28 405882 c:\windows\system32\perfh009.dat
- 2003-06-19 10:35 . 2009-07-03 17:04 405882 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-05-18 684032]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2003-01-31 311296]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-10-6 1524776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2001-04-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microtek\\ScanWizard Pro\\LANServer.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/27/2006 10:53 AM 10880]
R2 Gizmo Plugin;Gizmo VoIP Service;c:\program files\GizmoPlugin\GizmoPlugin.exe [5/31/2007 7:55 AM 962048]
R3 vmmemctl;VMware server memory controller;c:\windows\system32\drivers\vmmemctl.sys [3/28/2006 4:28 PM 5500]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 6:55 PM 18864]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]
S3 pcmstub;pcmstub;c:\windows\system32\pcmstub.sys [8/3/2004 5:56 PM 2304]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [4/27/2006 10:52 AM 4608]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [4/27/2006 10:52 AM 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [4/27/2006 10:53 AM 22528]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]|ap.html
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]{searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\rmac\Application Data\Mozilla\Firefox\Profiles\h8u0shrj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\inspector@mozilla.org\components\inspector.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.14); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.00.14);user_pref(general.useragent.extra.zencast, c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-03 13:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\9.00\Hummingbird Neighborhood\heshell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-03 13:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 20:59
ComboFix2.txt 2009-07-03 18:32

Pre-Run: 21,911,732,224 bytes free
Post-Run: 21,901,471,744 bytes free

188 --- E O F --- 2008-03-30 04:09

randymac · by randymac on Sun 05 Jul 2009, 3:09 pm

I don't know if you had a chance to look at the second combo-fix log above.
But I have one problem I believe is related to the antivirus pro infection: My IE browser hangs when I first open it. If I open it, then close it, then reopen it works.

Could that be the result of some of the malware?

**Belahzur** · by **Belahzur** on Sun 05 Jul 2009, 3:36 pm

It could, malware damages the OS sometimes.
A side from a missing OS file, how is the machine running.

As for the browser issue, I recommend you use Firefox than than Internet Explorer.

randymac · by randymac on Sun 05 Jul 2009, 4:37 pm

Systems seems ok.
Thanks for your help.

Should I re-install IE?

antivirus pro

antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro

Re: antivirus pro