cherubicwindigo, posted April 8, 2008

When I scan with Lavasoft's Ad-Aware Free Edition, it makes it into about 6 to 10 different problems, still scanning, and then a blue screen pops up. I followed steps to override my computer's automatic shutdown so I could read the screen, but I couldn't copy it and definitely couldn't memorize it. It said something about errors and gave me some codes. This happens every time I try to scan with the program.

I used AVG for virus control at first, but it said I had no more infections and my computer was still having problems. So I uninstalled it and tried McAfee, which found a few more problems, but still fell short. I tried a direct approach with VundoFix, hoping it would stop the blue screen, but to no avail! I was using COMODO Firewall, but if I turn it off I get pop-ups non-stop and they freeze my computer. Now I had to uninstall it because I couldn't get the program to allow me to check my email, so that I could register for this forum.

Moral: Life is hell.

I also get Windows error popups when I start my PC:

(1st) Error loading C:\WINDOWS\system32\fwpruidb.dll
The specified module could not be found.

(2nd) Error Code:
BCCode : 1000008e  BCP1 : C000001D  BCP2 : 00690064  BCP3 : F7B4CCEC  BCP4 : 00000000
OSVer : 5_1_2600  SP : 2_0  Product : 256_1
Documents Sent:
C:\DOCUME~1\juastin\LOCALS~1\Temp\WERc933.dir00\Mini040808-03.dmp
C:\DOCUME~1\juastin\LOCALS~1\Temp\WERc933.dir00\sysdata.xml

(3rd) Microsoft Visual C++ Runtime Library
Buffer overrun detected!
Program: C:\WINDOWS\Explorer.EXE
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
* MY HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:39 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [68cbd350] rundll32.exe "C:\WINDOWS\system32\fwpruidb.dll",b
O4 - HKLM\..\Run: [bM6bf8e0cc] Rundll32.exe "C:\WINDOWS\system32\usqahwwa.dll",s
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (msk80service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service (siteadvisor service) - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5331 bytes

* MY AD-AWARE LOG:

20080407 17-44-26 : Full scan started.
20080407 17-56-07 : Full scan started.
20080407 18-06-36 : Smart scan started.
20080407 18-08-08 : Scheduled init.
20080407 18-08-08 : Full scan started.
20080407 18-08-47 : Scan aborted by user.
20080407 18-08-47 : Scan aborted by user.
20080407 18-08-47 : Full scan ended.
20080407 18-12-17 : Scheduled init.
20080407 18-12-17 : Full scan started.
20080407 18-15-30 : Scheduled init.
20080407 18-15-30 : Full scan started.
20080407 18-28-26 : Scheduled init.
20080407 18-28-26 : Full scan started.
20080407 18-42-48 : Scan aborted by user.
20080407 18-42-48 : Scan aborted by user.
20080407 18-42-48 : Full scan ended.
20080407 21-46-43 : Smart scan started.
20080407 21-49-38 : Smart scan started.
20080407 21-49-45 : Scan aborted by user.
20080407 21-49-45 : Scan aborted by user.
20080407 21-49-45 : Scan aborted by user.
20080407 21-49-45 : Smart scan ended.
20080407 21-50-09 : Smart scan started.
20080407 21-50-12 : Scan aborted by user.
20080407 21-50-12 : Scan aborted by user.
20080407 21-50-12 : Scan aborted by user.
20080407 21-50-12 : Smart scan ended.
20080408 08-36-06 : Smart scan started.
20080408 11-37-49 : Smart scan started.
20080408 15-39-20 : Smart scan started.
20080408 16-33-26 : Smart scan started.
20080408 16-54-44 : Checking for updates.
20080408 16-55-02 : Checking for updates succeeded.
20080408 16-55-07 : Started downloading updates.
20080408 16-55-33 : Installing updates.
20080408 17-09-52 : Full scan started.
Rawe, posted April 9, 2008

Hello and welcome to LS Support Forums.

First of all, please follow the instructions for running ComboFix here and post back with its log once done. We'll go from there.

Do you recognize this as a setting done by yourself or by your ISP?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
cherubicwindigo, posted April 9, 2008

> Hello and welcome to LS Support Forums. First of all, please follow the instructions for running ComboFix here and post back with its log once done. We'll go from there.

Um, everything didn't go exactly like the tutorial said it would. The program popped out this log and said to post it:

Name: CF-RC.txt
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptOut
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Should I try it again?

> Do you recognize this as a setting done by yourself or by your ISP?
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Also, I don't recognize this setting as anything I have set up. Maybe without realizing it, if that's possible?
Rawe, posted April 10, 2008

Please do try again. ComboFix should run fine this time. The Recovery Console should now be installed.

Edit: actually, you installed the wrong version. You have XP Pro? The recovery console installation file you should use for that part of the ComboFix tutorial is this. Please redo that step, then just carry on with the ComboFix tutorial for running and getting a log.
cherubicwindigo, posted April 10, 2008

> Please do try again. ComboFix should run fine this time. The Recovery Console should now be installed.
>
> Edit: actually, you installed the wrong version. You have XP Pro? The recovery console installation file you should use for that part of the ComboFix tutorial is this. Please redo that step, then just carry on with the ComboFix tutorial for running and getting a log.

Oops, by the way, the tut described how to look up what version to download; I thought I had the right one *_* I'll try it with the other.
cherubicwindigo, posted April 10, 2008

> Hello and welcome to LS Support Forums. First of all, please follow the instructions for running ComboFix here and post back with its log once done. We'll go from there.

HERE IT IS! (the ComboFix log, that is)

ComboFix 08-04-09.1 - juastin 2008-04-10 13:13:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256 [GMT -4:00]
Running from: C:\Documents and Settings\juastin\Desktop\ComboFix.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\juastin\Application Data\DriveCleaner Freeware
C:\Documents and Settings\juastin\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\juastin\Application Data\WinTouch
C:\Documents and Settings\juastin\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\juastin\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\juastin\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\Helper
C:\Program Files\winpop
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\BM6bf8e0cc.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\msettings.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\system32\aoompjgp.dll
C:\WINDOWS\system32\bbadNqru.ini
C:\WINDOWS\system32\bbadNqru.ini2
C:\WINDOWS\system32\dnrmlysw.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\ffdjtjnt.dll
C:\WINDOWS\system32\gxayveur.dll
C:\WINDOWS\system32\hpvxbtyk.dll
C:\WINDOWS\system32\ltyhlpcq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJCUMcY.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\qcplhytl.dll
C:\WINDOWS\system32\urqNdabb.dll
C:\WINDOWS\system32\usqahwwa.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\wnsxs~1
C:\WINDOWS\zalpqbj.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Legacy_CMDSERVICE
-------\Legacy_DOMAINSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_DomainService
-------\zalpqbj

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))

2008-04-10 06:51 . 2008-04-10 06:51 3,648 --a--c--- C:\WINDOWS\system32\kgppvbba.dll
2008-04-09 19:43 . 2008-04-09 19:43 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-04-09 19:43 . 2008-04-09 19:43 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-04-09 06:47 . 2008-04-09 06:47 3,648 --a--c--- C:\WINDOWS\system32\mexuotnm.dll
2008-04-08 19:53 . 2008-04-08 19:53 <DIR> d----c--- C:\Program Files\Trend Micro
2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Program Files\COMODO
2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Comodo
2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\comodo
2008-04-07 22:30 . 2008-04-09 15:46 <DIR> d----c--- C:\VundoFix Backups
2008-04-07 20:41 . 2008-04-10 14:25 8,367 --a--c--- C:\WINDOWS\system32\Config.MPF
2008-04-07 20:40 . 2008-04-09 15:12 <DIR> d----c--- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-04-07 20:40 . 2008-04-09 06:46 <DIR> d----c--- C:\Program Files\SiteAdvisor
2008-04-07 20:40 . 2008-04-08 19:44 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\SiteAdvisor
2008-04-07 20:40 . 2008-04-09 20:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-07 20:38 . 2006-03-03 08:07 143,360 --a--c--- C:\WINDOWS\system32\dunzip32.dll
2008-04-07 20:34 . 2007-11-22 06:44 201,320 --a--c--- C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-07 20:34 . 2007-07-13 06:20 113,952 --a--c--- C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-07 20:34 . 2007-11-22 06:44 79,304 --a--c--- C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-07 20:34 . 2007-12-02 12:51 40,488 --a--c--- C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-07 20:34 . 2007-11-22 06:44 35,240 --a--c--- C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-07 20:34 . 2007-11-22 06:44 33,832 --a--c--- C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-07 20:31 . 2008-04-08 10:45 <DIR> d----c--- C:\Program Files\McAfee
2008-04-07 20:31 . 2008-04-08 10:45 <DIR> d----c--- C:\Program Files\Common Files\McAfee
2008-04-07 18:59 . 2008-04-08 10:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-07 17:37 . 2008-04-07 17:37 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-07 17:33 . 2008-04-07 17:33 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 00:03 . 2008-04-07 00:03 57,624 -----c--- C:\vwhfxvxv.exe
2008-04-07 00:03 . 2008-04-07 00:03 29,090 --a--c--- C:\kbvxxo.exe
2008-04-07 00:03 . 2008-04-07 00:04 2 --a--c--- C:\1758188543
2008-03-26 20:16 . 2008-03-26 20:16 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Nero
2008-03-22 15:55 . 2008-03-29 12:18 <DIR> d----c--- C:\Program Files\AviSynth 2.5
2008-03-15 19:28 . 2008-03-15 19:28 <DIR> d----c--- C:\Program Files\Xvid
2008-03-14 13:30 . 2008-03-14 13:30 <DIR> d----c--- C:\Program Files\DivXLand
2008-03-14 13:30 . 1999-12-17 10:13 86,016 --a--c--- C:\WINDOWS\unvise32.exe
2008-03-12 23:10 . 2008-03-12 23:11 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Jubler
2008-03-12 23:10 . 2008-02-22 02:33 69,632 --a--c--- C:\WINDOWS\system32\javacpl.cpl

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-04-10 16:04 --------- dc----w C:\Documents and Settings\juastin\Application Data\uTorrent
2008-04-07 21:15 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 04:58 --------- dc----w C:\Program Files\Common Files\Adobe
2008-03-29 18:25 --------- dc----w C:\Documents and Settings\juastin\Application Data\Sony
2008-03-29 16:17 --------- dc----w C:\Program Files\Gabest
2008-03-24 14:39 --------- dc----w C:\Documents and Settings\juastin\Application Data\Apple Computer
2008-03-18 13:07 --------- dc----w C:\Program Files\Java
2008-03-07 14:03 --------- dc----w C:\Program Files\Common Files\Ahead
2008-03-02 09:01 --------- dc----w C:\Program Files\Common Files\Java
2008-02-25 21:59 --------- dc----w C:\Program Files\iTunes
2008-02-25 21:59 --------- dc----w C:\Program Files\iPod
2008-02-25 21:57 --------- dc----w C:\Program Files\QuickTime
2008-02-24 02:44 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-02-20 17:47 --------- dc----w C:\Program Files\Red Kawa
2008-02-18 15:23 --------- dc----w C:\Program Files\DivX
2008-02-06 21:15 19,000 -c--a-w C:\Documents and Settings\juastin\Application Data\GDIPFONTCACHEV1.DAT
2007-11-15 20:34 753,152 -csha-w C:\Program Files\Common Files\ehthumbs.db
2007-11-15 20:34 2,005,504 -csha-w C:\Program Files\ehthumbs.db
2007-10-02 21:15 1,541,924 -csha-w C:\WINDOWS\system32\bcbeg.bak1
2007-10-05 19:26 1,510,449 -csha-w C:\WINDOWS\system32\bcbeg.bak2
2007-10-05 23:03 1,494,212 -csha-w C:\WINDOWS\system32\bcbeg.ini2

------- Sigcheck -------

2004-10-15 19:18 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 19:10 1392640]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-06 17:10 118784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-05 19:11 761856]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 17:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCUMcY]
mlJCUMcY.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxvtt]
xxyxvtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2007-10-05 19:11 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-05-24 08:41 1628720 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
C:\WINDOWS\system32\qodypbrl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-05-24 08:41 1628720 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-05-02 05:15 75520 C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\juastin\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3665bc86-970b-11dc-9043-000b7d23ff8c}]
\Shell\AutoRun\command - setupSNK.exe

Contents of the 'Scheduled Tasks' folder
"2008-04-07 14:12:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 18:59:47 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-10 07:01:20 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 15:00:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll

------------------------ Other Running Processes ------------------------

C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WgaTray.exe

**************************************************************************

Completion time: 2008-04-10 15:02:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 19:01:59
Pre-Run: 25,655,234,560 bytes free
Post-Run: 25,692,508,160 bytes free

2008-02-15 12:55:57 --- E O F ---
Rawe, posted April 11, 2008

Good!

Have you disabled Windows Security Centre's monitoring over your antivirus and firewall software (so they won't announce when either has expired or otherwise have old versions)?

Please open notepad and copy/paste the text in the quotebox into it:

File::
C:\vwhfxvxv.exe
C:\kbvxxo.exe
C:\1758188543
C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\kgppvbba.dll
C:\WINDOWS\system32\mexuotnm.dll

Folder::
C:\VundoFix Backups
C:\Documents and Settings\juastin\Application Data\WinTouch

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCUMcY]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxvtt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]

Save it as CFScript.txt on your desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
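Rawe's question about Security Center monitoring, and the Winlogon notify and firewall entries he targets in the CFScript, are settings a small checker can pull out of the REGEDIT4-style "Reg Loading Points" section of a ComboFix log automatically. The script below is an added example written for this thread; it is not from the forum, from Lavasoft or from ComboFix. SAMPLE is a constructed subset of the log posted above, and the rule list, severity labels and the assumption that anything ComboFix shows under winlogon\notify deserves review are the example's own choices.

```python
"""Audit a ComboFix "Reg Loading Points" fragment (REGEDIT4 syntax) for settings
that weaken host defences: Security Center overrides, disabled monitoring, the
firewall switched off, port exceptions, and non-default Winlogon notify packages."""
import re

# Constructed sample: a shortened copy of the Reg Loading Points section in the thread's log.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCUMcY]
mlJCUMcY.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
C:\WINDOWS\system32\qodypbrl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_regedit4(text):
    """Map each [key] to a list of (name, value); bare lines get name ''."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, [])  # keep keys that list no values
            continue
        if current is None:
            continue
        val = VALUE_RE.match(line)
        entries[current].append((val.group(1), val.group(2).strip()) if val else ('', line))
    return entries


def reg_int(value):
    """Decode 'dword:00000001' or '0 (0x0)' style values; None when not numeric."""
    v = value.strip().lower()
    if v.startswith('dword:'):
        return int(v[6:], 16)
    try:
        return int(v.split()[0], 0)
    except (ValueError, IndexError):
        return None


# (key test on the lower-cased path, value name, flagged value, severity, message)
RULES = [
    (lambda k: k.endswith('\\security center'), 'AntiVirusOverride', 1, 'high', 'Security Center antivirus alerts suppressed'),
    (lambda k: k.endswith('\\security center'), 'FirewallOverride', 1, 'high', 'Security Center firewall alerts suppressed'),
    (lambda k: '\\security center\\monitoring' in k, 'DisableMonitoring', 1, 'high', 'Security Center monitoring disabled'),
    (lambda k: k.endswith('\\firewallpolicy\\standardprofile'), 'EnableFirewall', 0, 'high', 'Windows Firewall is off'),
]


def audit(entries):
    """Return (severity, key, detail) findings for defence-weakening settings."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        for name, val in values:
            for match, rule_name, bad, sev, msg in RULES:
                if match(k) and name == rule_name and reg_int(val) == bad:
                    findings.append((sev, key, f'{name}={val}: {msg}'))
            if k.endswith('\\globallyopenports\\list'):
                # Exception value layout is port:proto:scope:Enabled|Disabled:name
                parts = val.split(':')
                state = parts[3] if len(parts) > 3 else 'unknown'
                sev = 'medium' if state.lower() == 'enabled' else 'info'
                findings.append((sev, key, f'firewall port exception {name} ({state})'))
            if '\\msconfig\\startupreg\\' in k and name == '' and val.lower().endswith('.dll'):
                findings.append(('review', key, f'startup entry points at a bare DLL: {val}'))
        if '\\winlogon\\notify\\' in k:
            # ComboFix hides default entries, so anything listed here needs checking.
            dll = next((v for n, v in values if n == ''), '(no DLL listed)')
            findings.append(('review', key, f'Winlogon notify package {dll}: verify publisher'))
    return findings


def audit_text(text):
    """Convenience entry point: parse a REGEDIT4 fragment and audit it in one call."""
    return audit(parse_regedit4(text))
```

Run against SAMPLE, the four Security Center and firewall settings come out as high, the two notify keys and the bare-DLL startup entry as review, and the 3389:TCP exception as info because its state field reads Disabled.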
cherubicwindigo, posted April 11, 2008

> Good! Have you disabled Windows Security Centre's monitoring over your antivirus and firewall software (so they won't announce when either has expired or otherwise have old versions)?

At this time I have no antivirus or firewall software on my computer. I was using AVG Antivirus and COMODO Firewall, but when I installed McAfee, which I thought might be able to get rid of my current problems, it made me uninstall them. Anyways, both of those programs were self-updating. I was planning to re-install them once my Ad-Aware was working again, because neither of these programs were helping me anyways.

> Please open notepad and copy/paste the text in the quotebox into it. Save it as CFScript.txt on your desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Will do.
Rawe, posted April 11, 2008

Do you have McAfee firewall & antivirus both? It's critical to have both antivirus and firewall on the system. AVG AntiVirus & Comodo are much better than McAfee though... and both are free. There are better free antivirus apps than AVG though, but Comodo is one of the best firewalls out there.
cherubicwindigo, posted April 12, 2008

> Do you have McAfee firewall & antivirus both?

No, McAfee failed me as well, so I bombed it. I never liked McAfee, but I was desperate to clean up my computer; I need it for practically everything I do.

> It's critical to have both antivirus and firewall on the system. AVG AntiVirus & Comodo are much better than McAfee though... and both are free. There are better free antivirus apps than AVG though, but Comodo is one of the best firewalls out there.

What "better free antivirus apps than AVG" are there? I have been tearing my hair out over this computer. If you think it would be helpful to re-download COMODO & AVG (or any other anti-virus you recommend) I could, I just didn't see either program helping to fix my computer, and I still got all of this malware and trojans in spite of them.
cherubicwindigo, posted April 12, 2008

> Please open notepad and copy/paste the text in the quotebox into it. Save it as CFScript.txt on your desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Here is the log:

ComboFix 08-04-09.1 - juastin 2008-04-11 17:25:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.235 [GMT -4:00]
Running from: C:\Documents and Settings\juastin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\juastin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\1758188543
C:\kbvxxo.exe
C:\vwhfxvxv.exe
C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\kgppvbba.dll
C:\WINDOWS\system32\mexuotnm.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\1758188543
C:\kbvxxo.exe
C:\VundoFix Backups
C:\VundoFix Backups\bdiurpwf.ini.bad
C:\VundoFix Backups\ffdjtjnt.dll.bad
C:\VundoFix Backups\fwpruidb.dll.bad
C:\VundoFix Backups\opnkjHyW.dll.bad
C:\VundoFix Backups\WyHjknpo.ini.bad
C:\VundoFix Backups\WyHjknpo.ini2.bad
C:\vwhfxvxv.exe
C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\kgppvbba.dll
C:\WINDOWS\system32\mexuotnm.dll
C:\WINDOWS\system32\wapisvsu32.exe

((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))

2008-04-09 19:43 . 2008-04-10 17:21 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-04-09 19:43 . 2008-04-09 19:43 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-04-08 19:53 . 2008-04-08 19:53 <DIR> d----c--- C:\Program Files\Trend Micro
2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Program Files\COMODO
2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Comodo
2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\comodo
2008-04-07 20:41 . 2008-04-11 02:02 8,367 --a--c--- C:\WINDOWS\system32\Config.MPF
2008-04-07 20:40 . 2008-04-09 15:12 <DIR> d----c--- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-04-07 20:40 . 2008-04-09 06:46 <DIR> d----c--- C:\Program Files\SiteAdvisor
2008-04-07 20:40 . 2008-04-08 19:44 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\SiteAdvisor
2008-04-07 20:40 . 2008-04-10 20:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-07 20:38 . 2006-03-03 08:07 143,360 --a--c--- C:\WINDOWS\system32\dunzip32.dll
2008-04-07 20:34 . 2007-11-22 06:44 201,320 --a--c--- C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-07 20:34 . 2007-07-13 06:20 113,952 --a--c--- C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-07 20:34 . 2007-11-22 06:44 79,304 --a--c--- C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-07 20:34 . 2007-12-02 12:51 40,488 --a--c--- C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-07 20:34 . 2007-11-22 06:44 35,240 --a--c--- C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-07 20:34 . 2007-11-22 06:44 33,832 --a--c--- C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-07 20:31 . 2008-04-08 10:45 <DIR> d----c--- C:\Program Files\McAfee
2008-04-07 20:31 . 2008-04-08 10:45 <DIR> d----c--- C:\Program Files\Common Files\McAfee
2008-04-07 18:59 . 2008-04-08 10:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-07 17:37 . 2008-04-07 17:37 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-07 17:33 . 2008-04-07 17:33 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 20:16 . 2008-03-26 20:16 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Nero
2008-03-22 15:55 . 2008-03-29 12:18 <DIR> d----c--- C:\Program Files\AviSynth 2.5
2008-03-15 19:28 . 2008-03-15 19:28 <DIR> d----c--- C:\Program Files\Xvid
2008-03-14 13:30 . 2008-03-14 13:30 <DIR> d----c--- C:\Program Files\DivXLand
2008-03-14 13:30 . 1999-12-17 10:13 86,016 --a--c--- C:\WINDOWS\unvise32.exe
2008-03-12 23:10 . 2008-03-12 23:11 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Jubler
2008-03-12 23:10 . 2008-02-22 02:33 69,632 --a--c--- C:\WINDOWS\system32\javacpl.cpl

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-04-10 16:04 --------- dc----w C:\Documents and Settings\juastin\Application Data\uTorrent
2008-04-07 21:15 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 04:58 --------- dc----w C:\Program Files\Common Files\Adobe
2008-03-29 18:25 --------- dc----w C:\Documents and Settings\juastin\Application Data\Sony
2008-03-29 16:17 --------- dc----w C:\Program Files\Gabest
2008-03-24 14:39 --------- dc----w C:\Documents and Settings\juastin\Application Data\Apple Computer
2008-03-18 13:07 --------- dc----w C:\Program Files\Java
2008-03-07 14:03 --------- dc----w C:\Program Files\Common Files\Ahead
2008-03-02 09:01 --------- dc----w C:\Program Files\Common Files\Java
2008-02-25 21:59 --------- dc----w C:\Program Files\iTunes
2008-02-25 21:59 --------- dc----w C:\Program Files\iPod
2008-02-25 21:57 --------- dc----w C:\Program Files\QuickTime
2008-02-24 02:44 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-02-20 17:47 --------- dc----w C:\Program Files\Red Kawa
2008-02-18 15:23 --------- dc----w C:\Program Files\DivX
2008-02-06 21:15 19,000 -c--a-w C:\Documents and Settings\juastin\Application Data\GDIPFONTCACHEV1.DAT
2007-11-15 20:34 753,152 -csha-w C:\Program Files\Common Files\ehthumbs.db
2007-11-15 20:34 2,005,504 -csha-w C:\Program Files\ehthumbs.db

------- Sigcheck -------

2004-10-15 19:18 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe

((((((((((((((((((((((((((((( [email protected]_15.01.42.89 )))))))))))))))))))))))))))))))))))))))))

- 2008-04-10 17:10:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-10 21:14:28 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-10 17:10:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-10 21:14:28 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-10 17:10:08 49,152 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-10 21:16:07 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 19:10 1392640] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-06 17:10 118784] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09 94208] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-05 19:11 761856] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 17:57 36640] "McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"= [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\AVG7_CC] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] --a--c--- 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] --a------ 2007-10-05 19:11 59392 C:\WINDOWS\ehome\ehtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] --a------ 2007-05-24 08:41 1628720 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a--c--- 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a--c--- 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc] --a------ 2007-05-24 08:41 1628720 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a--c--- 2007-05-02 05:15 75520 C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009 R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3665bc86-970b-11dc-9043-000b7d23ff8c}] \Shell\AutoRun\command - setupSNK.exe . Contents of the 'Scheduled Tasks' folder "2008-04-07 14:12:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-04-11 21:00:00 C:\WINDOWS\Tasks\RegCure Program Check.job" - C:\Program Files\RegCure\RegCure.exe "2008-04-10 07:01:20 C:\WINDOWS\Tasks\RegCure.job" - C:\Program Files\RegCure\RegCure.exe . ************************************************************************** catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-11 17:27:29 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\Program Files\SiteAdvisor\6253\saHook.dll . Completion time: 2008-04-11 17:28:18 ComboFix-quarantined-files.txt 2008-04-11 21:27:56 ComboFix2.txt 2008-04-10 19:02:12 Pre-Run: 25,620,348,928 bytes free Post-Run: 25,599,213,568 bytes free . 2008-02-15 12:55:57 --- E O F --- Share this post Link to post Share on other sites
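The "Reg Loading Points" section of the ComboFix log above contains several settings a responder checks after a cleanup: the Security Center AntiVirusOverride/FirewallOverride and DisableMonitoring values are set to 1 (alerts about missing AV/firewall are suppressed), the Windows Firewall standard profile has EnableFirewall = 0, a port 3389 exception exists (currently Disabled), and a removable-media mountpoints2 entry carries an AutoRun command. Third-party security suites set some of these legitimately, so they are review items, not verdicts. The following is an added example (not code from the thread, ComboFix or any helper here) that parses that section and lists those items; the sample input is a constructed excerpt with the same key names and value formats as the log above.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log above (same key names and value formats); it is sample input
# for this example, not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3665bc86-970b-11dc-9043-000b7d23ff8c}]
\Shell\AutoRun\command - setupSNK.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$')


def parse_loading_points(text):
    """Return (key, name, value) triples from a 'Reg Loading Points' section.
    AutoRun handlers under mountpoints2 are reported with the name
    'Shell\\AutoRun\\command' and the command as the value."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group('name'), m.group('value').strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append((key, r'Shell\AutoRun\command', m.group('cmd').strip()))
    return entries


def dword(value):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    m = re.match(r'^(?:dword:([0-9a-fA-F]{8})|(\d+)\b)', value)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def audit(entries):
    """Map each entry to a (kind, what, key) review item; benign Run entries
    produce nothing."""
    findings = []
    for key, name, value in entries:
        k = key.lower()
        if (k.endswith(r'\security center')
                and name in ('AntiVirusOverride', 'FirewallOverride')
                and dword(value) == 1):
            findings.append(('security-center-override', name, key))
        elif name == 'DisableMonitoring' and dword(value) == 1:
            findings.append(('security-center-monitoring-off', name, key))
        elif (k.endswith(r'\firewallpolicy\standardprofile')
                and name == 'EnableFirewall' and dword(value) == 0):
            findings.append(('windows-firewall-off', name, key))
        elif k.endswith(r'\globallyopenports\list'):
            # value format: port:proto:scope:Enabled|Disabled:description
            fields = value.split(':')
            status = fields[3] if len(fields) > 3 else 'unknown'
            findings.append(('open-port-%s' % status.lower(), name, key))
        elif name == r'Shell\AutoRun\command':
            findings.append(('autorun-handler', value, key))
    return findings


def audit_text(text):
    return audit(parse_loading_points(text))


if __name__ == '__main__':
    for kind, what, key in audit_text(SAMPLE_LOG):
        print('%-32s %-20s %s' % (kind, what, key))
```

Run against the sample it reports seven items (two overrides, two monitoring switches, the disabled firewall profile, the disabled 3389 exception and the AutoRun handler) and nothing for the ordinary Run entries; the same functions work on the real section copied out of C:\ComboFix.txt.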
Rawe Posted April 12, 2008

Let's see about that. Please post a new HijackThis log and let me know how the system is running at this point.
cherubicwindigo Posted April 15, 2008

Let's see about that. Please post a new HijackThis log and let me know how the system is running at this point.

Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:59 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {089fd14d-132b-48fc-8861-0048ae113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (msk80service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service (siteadvisor service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6640 bytes
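The HijackThis log above is what the helper reads to spot leftovers of a half-removed product: O23 services whose binary is "(file missing)" or whose owner is "Unknown owner", an O20 AppInit_DLLs entry (a DLL loaded into every process that links user32.dll, so always worth identifying), and any remaining BHO, Run or service entries pointing into one vendor's Program Files folder. The following is an added example, not code from the thread or from HijackThis, that parses a constructed handful of lines in the same format as the log above, groups entries by vendor folder and lists those review items.

```python
import re

# Constructed sample in HijackThis 2.0.2 line format, modelled on the log
# above; it is input for this example only.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service (siteadvisor service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
"""

LINE_RE = re.compile(r'^(?P<type>[OR]\d+)\s+-\s+(?P<rest>.*)$')
MISSING = ' (file missing)'


def parse_hjt(text):
    """Return a dict per handled entry (O2/O3/O9 COM objects, O4 Run entries,
    O20 AppInit_DLLs, O23 services) with type, path, owner and file_missing.
    Lines of other types are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group('type'), m.group('rest')
        missing = rest.endswith(MISSING)
        if missing:
            rest = rest[:-len(MISSING)]
        owner = None
        if kind in ('O2', 'O3', 'O9', 'O23'):
            parts = rest.split(' - ')      # "... - owner - path" for O23
            path = parts[-1]
            if kind == 'O23' and len(parts) >= 3:
                owner = parts[-2]
        elif kind == 'O4':                 # 'HKLM\..\Run: [name] path args'
            path = rest.split('] ', 1)[1] if '] ' in rest else rest
        elif kind == 'O20':                # 'AppInit_DLLs: path'
            path = rest.split(': ', 1)[1] if ': ' in rest else rest
        else:
            continue
        entries.append({'type': kind, 'line': raw.strip(), 'path': path,
                        'owner': owner, 'file_missing': missing})
    return entries


def vendor_of(path):
    """Lower-cased folder name directly under Program Files (or PROGRA~1),
    skipping 'Common Files'; None for paths elsewhere, e.g. C:\WINDOWS."""
    parts = path.lstrip('"').split('\\')
    if len(parts) < 3 or parts[1].lower() not in ('program files', 'progra~1'):
        return None
    idx = 2
    if parts[2].lower() in ('common files', 'common~1') and len(parts) > 3:
        idx = 3
    return parts[idx].lower()


def remnants(entries, vendor):
    """Entries still pointing into the given vendor's Program Files folder."""
    return [e for e in entries if vendor_of(e['path']) == vendor.lower()]


def findings(entries):
    """(kind, type, path) review items: dangling files, ownerless services
    and AppInit_DLLs loads."""
    out = []
    for e in entries:
        if e['file_missing']:
            out.append(('file-missing', e['type'], e['path']))
        if e['owner'] == 'Unknown owner':
            out.append(('unknown-owner', e['type'], e['path']))
        if e['type'] == 'O20':
            out.append(('appinit-dll', e['type'], e['path']))
    return out


if __name__ == '__main__':
    es = parse_hjt(SAMPLE_HJT)
    for kind, typ, path in findings(es):
        print('%-14s %-4s %s' % (kind, typ, path))
    print('McAfee entries still present:', len(remnants(es, 'McAfee')))
```

On the sample this lists the two "(file missing)" entries, the two "Unknown owner" services and the AppInit_DLLs entry, and counts five entries still pointing into McAfee's folders (SiteAdvisor lives in its own folder and is not counted), which is the list a helper would hand back for manual removal after the uninstaller has run.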
Rawe Posted April 15, 2008

I can see you still have McAfee running there. So is Comodo, though. It is critical to have a firewall & an anti-virus running on the computer at all times; but having more than one firewall at the same time WILL cause conflicts. It will cause more harm than good. I recommend getting rid of McAfee now (uninstalling it completely) - then posting another HijackThis log so we can remove the remnants manually, as it probably leaves entries behind it.

As for antivirus: if you have McAfee's antivirus (which is really quite a bad antivirus; there are so many better ones), or if not, I recommend installing the latest Avira Anti-Vir PREMIUM for free (6 months promotion licence) AND after those 6 months, install their free product for home use, which is also awesome - it just doesn't have all the features the premium one has. I'm actually using this promotion licence myself as well. I like it. Click here. The free version can be found here.
cherubicwindigo Posted April 15, 2008

I can see you still have McAfee running there. So is Comodo, though. It is critical to have a firewall & an anti-virus running on the computer at all times; but having more than one firewall at the same time WILL cause conflicts. It will cause more harm than good. I recommend getting rid of McAfee now (uninstalling it completely) - then posting another HijackThis log so we can remove the remnants manually, as it probably leaves entries behind it. As for antivirus: if you have McAfee's antivirus (which is really quite a bad antivirus; there are so many better ones), or if not, I recommend installing the latest Avira Anti-Vir PREMIUM for free (6 months promotion licence) AND after those 6 months, install their free product for home use, which is also awesome - it just doesn't have all the features the premium one has. I'm actually using this promotion licence myself as well. I like it. Click here. The free version can be found here.

I know I have McAfee SiteAdvisor, but from what I can tell I already uninstalled all of McAfee except the SiteAdvisor. BUT when I pull up Add/Remove Programs I don't even see the McAfee SiteAdvisor. Is it possible that McAfee was removed from the programs list but not from my computer?!
Rawe Posted April 16, 2008

Open HijackThis
Click on the tab "Misc Tools"
Click on the Box that says "Uninstall Manager"
Click on the button "Save list"
Copy and paste the list from the Notepad window onto your post

Also check for the following folder and see if there's an uninstaller there somewhere...... C:\Program Files\McAfee

If not, we'll just stop & delete all the services and then nuke the folders; it should go with that. Maybe nuke all of McAfee and then you can just install SiteAdvisor back if you want it. You should install that Avira though, right after we get rid of McAfee.
cherubicwindigo Posted April 17, 2008

Open HijackThis. Click on the tab "Misc Tools". Click on the Box that says "Uninstall Manager". Click on the button "Save list". Copy and paste the list from the Notepad window onto your post. Also check for the following folder and see if there's an uninstaller there somewhere...... C:\Program Files\McAfee. If not, we'll just stop & delete all the services and then nuke the folders; it should go with that. Maybe nuke all of McAfee and then you can just install SiteAdvisor back if you want it. You should install that Avira though, right after we get rid of McAfee.

CRIPES! What a total P.I.T.A! I have said it before and I say it now - never again, not McAfee, not ever. I found an extremely useful link: http://www.pchell.com/virus/uninstallmcafee.shtml - anyone who can't get McAfee off their PC should check it out; it took the thorn out of my side. So, now that THAT is taken care of, I'll reboot and get myself some nice, laid-back Avira, a welcome change from ######-Retentive McAfee. Now I know I am spending too much time with my PC when I start personifying my anti-virus programs.
Rawe Posted April 17, 2008

Sounds like a plan. Also... a version update of Sun Java was released yesterday. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. They should have this icon next to them:
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Now to clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Settings button.
Then click Delete Files...
There are two options in the window to clear the cache - Leave BOTH checked:
Applications and Applets
Trace and Log Files
Click OK on the Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

Post back with a fresh HijackThis log once you have installed Avira and updated Java.