cherubicwindigo

Scan, Blue Screen, Shut Down - Tried EVERYTHING


When I scan with Lavasoft's Ad-Aware Free Edition, it makes it into about 6 to 10 different problems, still scanning, and then a blue screen pops up - I followed steps to override my computer's automatic shutdown, so I could read the screen, but I couldn't copy it and definitely couldn't memorize it. It said something about errors and gave me some codes. This happens every time I try to scan with the program. I used AVG for virus control, at first, but it said I had no more infections and my computer was still having problems. So I uninstalled it and tried McAfee, which found a few more problems, but still fell short. I tried a direct approach with VundoFix, hoping it would stop the blue screen, but to no avail! I was using COMODO Firewall, but if I turn it off I get pop-ups non-stop and they freeze my computer. Now I had to uninstall it because I couldn't get the program to allow me to check my email, so that I could register for this forum. Moral: Life is hell.

 

I also get Windows Error popups when I start my PC:

 

(1st) - Error loading C:\WINDOWS\system32\fwpruidb.dll

The Specified module could not be found.

 

(2nd) - Error Code:

BCCode : 1000008e BCP1 : C000001D BCP2 : 00690064 BCP3 : F7B4CCEC BCP4 : 00000000 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

 

Documents Sent:

C:\DOCUME~1\juastin\LOCALS~1\Temp\WERc933.dir00\Mini040808-03.dmp

C:\DOCUME~1\juastin\LOCALS~1\Temp\WERc933.dir00\sysdata.xml

 

(3rd) - Microsoft Visual C++ Runtime Library

Buffer overrun detected!

Program: C:\WINDOWS\Explorer.EXE

A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.

 

* MY HIJACKTHIS LOG:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:54:39 PM, on 4/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\SiteAdvisor\6172\SAService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [68cbd350] rundll32.exe "C:\WINDOWS\system32\fwpruidb.dll",b

O4 - HKLM\..\Run: [BM6bf8e0cc] Rundll32.exe "C:\WINDOWS\system32\usqahwwa.dll",s

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O20 - AppInit_DLLs:

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (msk80service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: SiteAdvisor Service (siteadvisor service) - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 5331 bytes

 

* MY AD-AWARE LOG:

 

20080407 17-44-26 : Full scan started.

20080407 17-56-07 : Full scan started.

20080407 18-06-36 : Smart scan started.

20080407 18-08-08 : Scheduled init.

20080407 18-08-08 : Full scan started.

20080407 18-08-47 : Scan aborted by user.

20080407 18-08-47 : Scan aborted by user.

20080407 18-08-47 : Full scan ended.

20080407 18-12-17 : Scheduled init.

20080407 18-12-17 : Full scan started.

20080407 18-15-30 : Scheduled init.

20080407 18-15-30 : Full scan started.

20080407 18-28-26 : Scheduled init.

20080407 18-28-26 : Full scan started.

20080407 18-42-48 : Scan aborted by user.

20080407 18-42-48 : Scan aborted by user.

20080407 18-42-48 : Full scan ended.

20080407 21-46-43 : Smart scan started.

20080407 21-49-38 : Smart scan started.

20080407 21-49-45 : Scan aborted by user.

20080407 21-49-45 : Scan aborted by user.

20080407 21-49-45 : Scan aborted by user.

20080407 21-49-45 : Smart scan ended.

20080407 21-50-09 : Smart scan started.

20080407 21-50-12 : Scan aborted by user.

20080407 21-50-12 : Scan aborted by user.

20080407 21-50-12 : Scan aborted by user.

20080407 21-50-12 : Smart scan ended.

20080408 08-36-06 : Smart scan started.

20080408 11-37-49 : Smart scan started.

20080408 15-39-20 : Smart scan started.

20080408 16-33-26 : Smart scan started.

20080408 16-54-44 : Checking for updates.

20080408 16-55-02 : Checking for updates succeeded.

20080408 16-55-07 : Started downloading updates.

20080408 16-55-33 : Installing updates.

20080408 17-09-52 : Full scan started.
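The WER line quoted in the post above (BCCode with BCP1 to BCP4) can be decoded without the minidump. The Python below is added here as an example; it is not from the thread or from any of the tools discussed. Its code tables cover only a handful of common values, it assumes the default 2 GB user/kernel split of 32-bit XP without /3GB, and the sample is the line exactly as posted.

```python
import re

# Bug-check codes. WinDbg reports 0x1000008E as KERNEL_MODE_EXCEPTION_NOT_HANDLED_M;
# the low byte (0x8E) is the bug-check code proper, and its parameters are
# (exception code, faulting address, trap frame, reserved).
BUGCHECKS = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x1000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M",
    0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# NTSTATUS exception codes that commonly appear as BCP1 for bug check 0x8E.
NTSTATUS = {
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}

USER_SPACE_LIMIT = 0x80000000  # assumption: default 2 GB split, 32-bit XP without /3GB

FIELD = re.compile(r"(\w+)\s*:\s*([0-9A-Fa-f_]+)")

# The WER line as posted in the thread.
SAMPLE = ("BCCode : 1000008e BCP1 : C000001D BCP2 : 00690064 BCP3 : F7B4CCEC "
          "BCP4 : 00000000 OSVer : 5_1_2600 SP : 2_0 Product : 256_1")


def parse_wer_line(line):
    """Split a WER 'Name : value' line into a dict (values kept as text)."""
    return dict(FIELD.findall(line))


def decode_bugcheck(line):
    """Decode the bug-check code and, for the 0x8E family, its parameters."""
    f = parse_wer_line(line)
    code = int(f["BCCode"], 16)
    params = [int(f[f"BCP{i}"], 16) for i in range(1, 5)]
    out = {
        "bugcheck": BUGCHECKS.get(code, f"UNKNOWN_0x{code:08X}"),
        "code": code,
        "params": [f"{p:#010x}" for p in params],
        "os": f.get("OSVer", "?").replace("_", ".") + " SP" + f.get("SP", "?").split("_")[0],
    }
    if (code & 0xFFFF) == 0x8E:
        exc, addr, trap = params[0], params[1], params[2]
        out["exception"] = NTSTATUS.get(exc, f"NTSTATUS_0x{exc:08X}")
        out["fault_address"] = addr
        out["trap_frame"] = trap
        # The kernel was executing at this address when the exception fired.
        # A user-space address here means control reached a bogus location
        # (corrupted return address or function pointer), not a fault inside
        # a real driver image; drivers are mapped above the 2 GB line.
        out["user_space_address"] = addr < USER_SPACE_LIMIT
        # Overwritten pointers are often fragments of a string; show the
        # address bytes as little-endian UTF-16 to make that visible.
        out["address_as_utf16"] = addr.to_bytes(4, "little").decode("utf-16-le", "replace")
    return out


if __name__ == "__main__":
    for name, value in decode_bugcheck(SAMPLE).items():
        if isinstance(value, bool) or not isinstance(value, int):
            print(f"{name:>18}: {value}")
        else:
            print(f"{name:>18}: {value:#010x}")
```

Run against the posted line it reports KERNEL_MODE_EXCEPTION_NOT_HANDLED_M with STATUS_ILLEGAL_INSTRUCTION at 0x00690064 on XP SP2: kernel-mode code was executing at a user-space address whose bytes read as the UTF-16 text "di", the signature of a clobbered return address or function pointer rather than a crash inside a legitimate driver. With a scan blue-screening at the same point every time, the kernel drivers that ComboFix later lists under its deletions (winpfz32.sys, zalpqbj.sys) are the first place to look.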


Hello and welcome to LS Support Forums :)

 

First of all, please follow the instructions for running ComboFix here and post back with its log once done. We'll go from there.

 

Do you recognize this as a setting done by yourself or by your ISP?

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
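The startup symptoms in the first post (the "Error loading fwpruidb.dll" pop-up, the two rundll32 Run entries loading random eight-letter DLL names, the Symantec service whose binary is gone, and the R1 ProxyOverride line asked about here) can all be pulled out of a HijackThis log mechanically. The Python below is an added example, not part of the thread or of HijackThis. The random-name and hex-value-name heuristics are assumptions chosen to match this log, and the ProxyOverride line is only marked for review, as the helper did, not judged. The sample lines are copied from the log above.

```python
import re

# Lines taken from the HijackThis log in the first post (the full log can be
# pasted in unchanged; these are the ones that exercise each rule).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [68cbd350] rundll32.exe "C:\WINDOWS\system32\fwpruidb.dll",b
O4 - HKLM\..\Run: [BM6bf8e0cc] Rundll32.exe "C:\WINDOWS\system32\usqahwwa.dll",s
O20 - AppInit_DLLs:
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.I)
# Heuristics chosen to fit this log (assumptions, not HijackThis rules):
RANDOM8 = re.compile(r"^[A-Za-z]{8}$")                # Vundo-style eight-letter DLL names
HEXNAME = re.compile(r"^(?:BM)?[0-9a-f]{8,}$", re.I)  # Run value names like 68cbd350, BM6bf8e0cc
ERROR_LOADING = re.compile(r"Error loading (?P<path>\S+)", re.I)


def triage(log_text):
    """Return [(verdict, line)] for the HijackThis lines that deserve a look."""
    out = []
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        m = O4.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            r = RUNDLL.match(cmd)
            if r:
                base = r.group("dll").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                # rundll32 loading a random-named system32 DLL from a Run value
                # that itself has a random-looking name is the Vundo pattern.
                verdict = "suspicious" if RANDOM8.match(base) or HEXNAME.match(name) else "review"
                out.append((verdict, line))
            elif HEXNAME.match(name):
                out.append(("suspicious", line))
        elif line.startswith("R1 - ") and "ProxyOverride" in line:
            out.append(("review", line))      # worth a question, as the helper asked
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            out.append(("suspicious", line))  # AppInit_DLLs loads into every user32 process
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            out.append(("orphaned", line))    # service still registered, binary gone
    return out


def popup_source(popup_text, log_text):
    """Find the autostart line that names the DLL in an 'Error loading ...' pop-up."""
    m = ERROR_LOADING.search(popup_text)
    if not m:
        return None
    path = m.group("path").lower()
    return next((l for l in log_text.splitlines() if path in l.lower()), None)


if __name__ == "__main__":
    for verdict, line in triage(HJT_LOG):
        print(f"{verdict:<10} {line}")
    print()
    print("pop-up caused by:", popup_source("Error loading C:\\WINDOWS\\system32\\fwpruidb.dll", HJT_LOG))
```

The rundll32 entry that popup_source ties to the "Error loading" message is the DLL VundoFix had already quarantined (the second ComboFix log later in the thread lists C:\VundoFix Backups\fwpruidb.dll.bad), which is why Windows reports the module missing at every logon: the file went, the Run value stayed. The twin entry for usqahwwa.dll was still live when this log was taken.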


 

Um, everything didn't go exactly like the tutorial said it would; the program popped out this log and said to post it:

 

Name: CF-RC.txt

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptOut

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

Should I try it again?

 

Do you recognize this as a setting done by yourself or by your ISP?

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

 

Also, I don't recognize this setting as anything I have set up. Maybe without realizing it, if that's possible?


Please do try again. :) ComboFix should run fine this time.

 

The Recovery Console should now be installed.

 

Edit: actually, you installed the wrong version. You have XP Pro? The recovery console installation file you should use for that part of the ComboFix tutorial is this. Please redo that step, then just carry on with the ComboFix tutorial for running and getting a log. :)


 

Oops. By the way, the tut described how to look up what version to download; I thought I had the right one *_* I'll try it with the other.


 

HERE IT IS! (the ComboFix Log, that is)

 

ComboFix 08-04-09.1 - juastin 2008-04-10 13:13:34.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256 [GMT -4:00]

Running from: C:\Documents and Settings\juastin\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\juastin\Application Data\DriveCleaner Freeware

C:\Documents and Settings\juastin\Application Data\DriveCleaner Freeware\Logs\update.log

C:\Documents and Settings\juastin\Application Data\WinTouch

C:\Documents and Settings\juastin\Application Data\WinTouch\wintouch.cfg

C:\Documents and Settings\juastin\Application Data\WinTouch\WinTouch.exe

C:\Documents and Settings\juastin\Application Data\WinTouch\WTUninstaller.exe

C:\Documents and Settings\NetworkService\Application Data\NetMon

C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt

C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt

C:\Program Files\Helper

C:\Program Files\winpop

C:\Temp\1cb

C:\Temp\1cb\syscheck.log

C:\Temp\fse

C:\Temp\fse\tmpZTF.log

C:\WINDOWS\BM6bf8e0cc.xml

C:\WINDOWS\cookies.ini

C:\WINDOWS\msettings.ini

C:\WINDOWS\pskt.ini

C:\WINDOWS\racle~1

C:\WINDOWS\system32\aoompjgp.dll

C:\WINDOWS\system32\bbadNqru.ini

C:\WINDOWS\system32\bbadNqru.ini2

C:\WINDOWS\system32\dnrmlysw.dll

C:\WINDOWS\system32\f02WtR

C:\WINDOWS\system32\ffdjtjnt.dll

C:\WINDOWS\system32\gxayveur.dll

C:\WINDOWS\system32\hpvxbtyk.dll

C:\WINDOWS\system32\ltyhlpcq.ini

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\mlJCUMcY.dll

C:\WINDOWS\system32\msnav32.ax

C:\WINDOWS\system32\qcplhytl.dll

C:\WINDOWS\system32\urqNdabb.dll

C:\WINDOWS\system32\usqahwwa.dll

C:\WINDOWS\system32\winpfz32.sys

C:\WINDOWS\system32\zxdnt3d.cfg

C:\WINDOWS\wnsxs~1

C:\WINDOWS\zalpqbj.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_CMDSERVICE

-------\Legacy_DOMAINSERVICE

-------\Legacy_NETWORK_MONITOR

-------\Service_DomainService

-------\zalpqbj

 

 

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))

.

 

2008-04-10 06:51 . 2008-04-10 06:51 3,648 --a--c--- C:\WINDOWS\system32\kgppvbba.dll

2008-04-09 19:43 . 2008-04-09 19:43 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn

2008-04-09 19:43 . 2008-04-09 19:43 1,409 --a--c--- C:\WINDOWS\QTFont.for

2008-04-09 06:47 . 2008-04-09 06:47 3,648 --a--c--- C:\WINDOWS\system32\mexuotnm.dll

2008-04-08 19:53 . 2008-04-08 19:53 <DIR> d----c--- C:\Program Files\Trend Micro

2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Program Files\COMODO

2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Comodo

2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\comodo

2008-04-07 22:30 . 2008-04-09 15:46 <DIR> d----c--- C:\VundoFix Backups

2008-04-07 20:41 . 2008-04-10 14:25 8,367 --a--c--- C:\WINDOWS\system32\Config.MPF

2008-04-07 20:40 . 2008-04-09 15:12 <DIR> d----c--- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor

2008-04-07 20:40 . 2008-04-09 06:46 <DIR> d----c--- C:\Program Files\SiteAdvisor

2008-04-07 20:40 . 2008-04-08 19:44 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\SiteAdvisor

2008-04-07 20:40 . 2008-04-09 20:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

2008-04-07 20:38 . 2006-03-03 08:07 143,360 --a--c--- C:\WINDOWS\system32\dunzip32.dll

2008-04-07 20:34 . 2007-11-22 06:44 201,320 --a--c--- C:\WINDOWS\system32\drivers\mfehidk.sys

2008-04-07 20:34 . 2007-07-13 06:20 113,952 --a--c--- C:\WINDOWS\system32\drivers\Mpfp.sys

2008-04-07 20:34 . 2007-11-22 06:44 79,304 --a--c--- C:\WINDOWS\system32\drivers\mfeavfk.sys

2008-04-07 20:34 . 2007-12-02 12:51 40,488 --a--c--- C:\WINDOWS\system32\drivers\mfesmfk.sys

2008-04-07 20:34 . 2007-11-22 06:44 35,240 --a--c--- C:\WINDOWS\system32\drivers\mfebopk.sys

2008-04-07 20:34 . 2007-11-22 06:44 33,832 --a--c--- C:\WINDOWS\system32\drivers\mferkdk.sys

2008-04-07 20:31 . 2008-04-08 10:45 <DIR> d----c--- C:\Program Files\McAfee

2008-04-07 20:31 . 2008-04-08 10:45 <DIR> d----c--- C:\Program Files\Common Files\McAfee

2008-04-07 18:59 . 2008-04-08 10:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\McAfee

2008-04-07 17:37 . 2008-04-07 17:37 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-07 17:33 . 2008-04-07 17:33 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-07 00:03 . 2008-04-07 00:03 57,624 -----c--- C:\vwhfxvxv.exe

2008-04-07 00:03 . 2008-04-07 00:03 29,090 --a--c--- C:\kbvxxo.exe

2008-04-07 00:03 . 2008-04-07 00:04 2 --a--c--- C:\1758188543

2008-03-26 20:16 . 2008-03-26 20:16 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Nero

2008-03-22 15:55 . 2008-03-29 12:18 <DIR> d----c--- C:\Program Files\AviSynth 2.5

2008-03-15 19:28 . 2008-03-15 19:28 <DIR> d----c--- C:\Program Files\Xvid

2008-03-14 13:30 . 2008-03-14 13:30 <DIR> d----c--- C:\Program Files\DivXLand

2008-03-14 13:30 . 1999-12-17 10:13 86,016 --a--c--- C:\WINDOWS\unvise32.exe

2008-03-12 23:10 . 2008-03-12 23:11 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Jubler

2008-03-12 23:10 . 2008-02-22 02:33 69,632 --a--c--- C:\WINDOWS\system32\javacpl.cpl

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-10 16:04 --------- dc----w C:\Documents and Settings\juastin\Application Data\uTorrent

2008-04-07 21:15 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-04-07 04:58 --------- dc----w C:\Program Files\Common Files\Adobe

2008-03-29 18:25 --------- dc----w C:\Documents and Settings\juastin\Application Data\Sony

2008-03-29 16:17 --------- dc----w C:\Program Files\Gabest

2008-03-24 14:39 --------- dc----w C:\Documents and Settings\juastin\Application Data\Apple Computer

2008-03-18 13:07 --------- dc----w C:\Program Files\Java

2008-03-07 14:03 --------- dc----w C:\Program Files\Common Files\Ahead

2008-03-02 09:01 --------- dc----w C:\Program Files\Common Files\Java

2008-02-25 21:59 --------- dc----w C:\Program Files\iTunes

2008-02-25 21:59 --------- dc----w C:\Program Files\iPod

2008-02-25 21:57 --------- dc----w C:\Program Files\QuickTime

2008-02-24 02:44 --------- dc-h--w C:\Program Files\InstallShield Installation Information

2008-02-20 17:47 --------- dc----w C:\Program Files\Red Kawa

2008-02-18 15:23 --------- dc----w C:\Program Files\DivX

2008-02-06 21:15 19,000 -c--a-w C:\Documents and Settings\juastin\Application Data\GDIPFONTCACHEV1.DAT

2007-11-15 20:34 753,152 -csha-w C:\Program Files\Common Files\ehthumbs.db

2007-11-15 20:34 2,005,504 -csha-w C:\Program Files\ehthumbs.db

2007-10-02 21:15 1,541,924 -csha-w C:\WINDOWS\system32\bcbeg.bak1

2007-10-05 19:26 1,510,449 -csha-w C:\WINDOWS\system32\bcbeg.bak2

2007-10-05 23:03 1,494,212 -csha-w C:\WINDOWS\system32\bcbeg.ini2

.

 

------- Sigcheck -------

 

2004-10-15 19:18 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 19:10 1392640]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-06 17:10 118784]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09 94208]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-05 19:11 761856]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 17:57 36640]

"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcb]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCUMcY]

mlJCUMcY.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxvtt]

xxyxvtt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a--c--- 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2007-10-05 19:11 59392 C:\WINDOWS\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--a------ 2007-05-24 08:41 1628720 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a--c--- 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]

C:\WINDOWS\system32\qodypbrl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

--a------ 2007-05-24 08:41 1628720 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2007-05-02 05:15 75520 C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]

C:\Documents and Settings\juastin\Application Data\WinTouch\WinTouch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

 

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3665bc86-970b-11dc-9043-000b7d23ff8c}]

\Shell\AutoRun\command - setupSNK.exe

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-07 14:12:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-04-10 18:59:47 C:\WINDOWS\Tasks\RegCure Program Check.job"

- C:\Program Files\RegCure\RegCure.exe

"2008-04-10 07:01:20 C:\WINDOWS\Tasks\RegCure.job"

- C:\Program Files\RegCure\RegCure.exe

.

**************************************************************************

 

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-10 15:00:18

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe

-> C:\Program Files\SiteAdvisor\6253\saHook.dll

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\SiteAdvisor\6253\SAService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\WgaTray.exe

.

**************************************************************************

.

Completion time: 2008-04-10 15:02:11 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-10 19:01:59

Pre-Run: 25,655,234,560 bytes free

Post-Run: 25,692,508,160 bytes free

.

2008-02-15 12:55:57 --- E O F ---


Good! :)

 

Have you disabled Windows Security Centre's monitoring over your antivirus and firewall software (so they won't announce when either has expired or otherwise have old versions)?

 

Please open Notepad and copy/paste the text in the quote box into it.

 

File::

C:\vwhfxvxv.exe

C:\kbvxxo.exe

C:\1758188543

C:\WINDOWS\system32\bcbeg.bak1

C:\WINDOWS\system32\bcbeg.bak2

C:\WINDOWS\system32\bcbeg.ini2

C:\WINDOWS\system32\kgppvbba.dll

C:\WINDOWS\system32\mexuotnm.dll

 

Folder::

C:\VundoFix Backups

C:\Documents and Settings\juastin\Application Data\WinTouch

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcb]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCUMcY]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxvtt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]

 

Save it as CFScript.txt on your desktop.

 

CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
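The CFScript above removes exactly the keys in the ComboFix "Reg Loading Points" section that ComboFix did not recognise as defaults, and the question about Security Centre monitoring comes from the same section. The Python below is added here as an example (it is not ComboFix's or the helper's code): it parses that REGEDIT4-style dump, applies those rules, and writes the Registry:: part of a CFScript in the format shown above. It assumes ComboFix prints the attribute/date/size prefix only for startup targets it found on disk, which is how the log above reads, and the embedded dump is an excerpt of that log.

```python
import re

# Excerpt of the "Reg Loading Points" section of the first ComboFix log above
# (REGEDIT4 format as ComboFix prints it; blank lines separate keys).
REG_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcb]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCUMcY]
mlJCUMcY.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxvtt]
xxyxvtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
C:\WINDOWS\system32\qodypbrl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\juastin\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3665bc86-970b-11dc-9043-000b7d23ff8c}]
\Shell\AutoRun\command - setupSNK.exe
"""

KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prefixes targets it found on disk with attribute flags, date and size,
# e.g. "--a--c--- 2008-02-01 00:13 385024 C:\...". Assumption: a bare path means
# the target was not found, or is a DLL rather than a program.
ATTRS = re.compile(r"^[-d][-a-z]{8}\s+\d{4}-\d\d-\d\d\s")


def parse_reg_dump(text):
    """Return [(key, [value lines])] in the order ComboFix listed them."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY.match(line)
        if m:
            current = (m.group("key"), [])
            entries.append(current)
        elif current is not None:
            current[1].append(line)
    return entries


def dword(values, name):
    """Integer value of "name"=dword:XXXXXXXX or "name"= N (0xN), else None."""
    for v in values:
        if v.startswith(f'"{name}"='):
            rhs = v.split("=", 1)[1].strip()
            return int(rhs[6:], 16) if rhs.startswith("dword:") else int(rhs.split()[0])
    return None


def assess(entries):
    """Return (findings, keys_to_remove); findings are (severity, key, reason)."""
    findings, remove = [], []
    for key, values in entries:
        k = key.lower()
        if "\\winlogon\\notify\\" in k:
            # ComboFix omits legitimate default entries ("*Note* empty entries &
            # legit default entries are not shown"), so any Notify package it
            # lists is a non-default DLL winlogon loads at every logon.
            findings.append(("suspicious", key, "non-default Winlogon Notify package"))
            remove.append(key)
        elif "\\msconfig\\startupreg\\" in k and values and not ATTRS.match(values[0]):
            findings.append(("suspicious", key, "disabled startup entry, target missing or not a program: " + values[0]))
            remove.append(key)
        elif k.endswith("\\security center") and 1 in (dword(values, "AntiVirusOverride"), dword(values, "FirewallOverride")):
            findings.append(("weakened", key, "Security Center antivirus/firewall alerts overridden"))
        elif "\\security center\\monitoring" in k and dword(values, "DisableMonitoring") == 1:
            findings.append(("weakened", key, "Security Center monitoring disabled"))
        elif k.endswith("\\firewallpolicy\\standardprofile") and dword(values, "EnableFirewall") == 0:
            findings.append(("weakened", key, "Windows Firewall off for the standard profile"))
        elif "\\mountpoints2\\" in k and any("autorun" in v.lower() for v in values):
            findings.append(("review", key, "AutoRun command recorded for a removable drive: " + values[0]))
    return findings, remove


def cfscript_registry(keys):
    """Registry:: section of a CFScript.txt; [-key] tells ComboFix to delete the key."""
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


if __name__ == "__main__":
    found, to_remove = assess(parse_reg_dump(REG_DUMP))
    for severity, key, reason in found:
        print(f"{severity:<10} {reason}\n           {key}")
    print()
    print(cfscript_registry(to_remove))
```

Against the excerpt it marks the three Winlogon\Notify packages and the two attribute-less startupreg entries for removal (the same five keys as the script above), reports the Security Center overrides and EnableFirewall=0 as weakened protections, which is the state the helper is asking about, and lists the mountpoints2 AutoRun command for review. Only the Registry:: section is generated; the File:: and Folder:: entries still need the judgement shown in the post.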

Good! :)

 

Have you disabled Windows Security Centre's monitoring over your antivirus and firewall software (so they won't announce when either has expired or otherwise have old versions)?

 

At this time I have no antivirus or firewall software on my computer. I was using AVG Antivirus and COMODO Firewall, but when I installed McAfee, which I thought might be able to get rid of my current problems, it made me uninstall them. Anyway, both of those programs were self-updating; I was planning to re-install them once my Ad-Aware was working again, because neither of these programs was helping me anyway.

 


 

Will do.


Do you have McAfee firewall & antivirus both?

 

It's critical to have both antivirus and firewall on the system. AVG AntiVirus & Comodo are much better than McAfee though... And both are free. There are better free antivirus apps than AVG though, but Comodo is one of the best firewalls out there. :)

Do you have McAfee firewall & antivirus both?

 

No, McAfee failed me as well, so I bombed it. I never liked McAfee, but I was desperate to clean up my computer; I need it for practically everything I do.

 

It's critical to have both antivirus and firewall on the system. AVG AntiVirus & Comodo are much better than McAfee though... And both are free.

There are better free antivirus apps than AVG though, but Comodo is one of the best firewalls out there. :)

 

What "better free antivirus apps than AVG" are there? ;) I have been tearing my hair out over this computer. If you think it would be helpful to re-download COMODO & AVG (or any other antivirus you recommend) I could; I just didn't see either program helping to fix my computer, and I still got all of this malware and Trojans in spite of them.


 

Here is the Log:

 

 

ComboFix 08-04-09.1 - juastin 2008-04-11 17:25:08.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.235 [GMT -4:00]

Running from: C:\Documents and Settings\juastin\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\juastin\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

C:\1758188543

C:\kbvxxo.exe

C:\vwhfxvxv.exe

C:\WINDOWS\system32\bcbeg.bak1

C:\WINDOWS\system32\bcbeg.bak2

C:\WINDOWS\system32\bcbeg.ini2

C:\WINDOWS\system32\kgppvbba.dll

C:\WINDOWS\system32\mexuotnm.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\1758188543

C:\kbvxxo.exe

C:\VundoFix Backups

C:\VundoFix Backups\bdiurpwf.ini.bad

C:\VundoFix Backups\ffdjtjnt.dll.bad

C:\VundoFix Backups\fwpruidb.dll.bad

C:\VundoFix Backups\opnkjHyW.dll.bad

C:\VundoFix Backups\WyHjknpo.ini.bad

C:\VundoFix Backups\WyHjknpo.ini2.bad

C:\vwhfxvxv.exe

C:\WINDOWS\system32\bcbeg.bak1

C:\WINDOWS\system32\bcbeg.bak2

C:\WINDOWS\system32\bcbeg.ini2

C:\WINDOWS\system32\kgppvbba.dll

C:\WINDOWS\system32\mexuotnm.dll

C:\WINDOWS\system32\wapisvsu32.exe

 

.

((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))

.

 

2008-04-09 19:43 . 2008-04-10 17:21 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn

2008-04-09 19:43 . 2008-04-09 19:43 1,409 --a--c--- C:\WINDOWS\QTFont.for

2008-04-08 19:53 . 2008-04-08 19:53 <DIR> d----c--- C:\Program Files\Trend Micro

2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Program Files\COMODO

2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Comodo

2008-04-08 10:49 . 2008-04-08 17:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\comodo

2008-04-07 20:41 . 2008-04-11 02:02 8,367 --a--c--- C:\WINDOWS\system32\Config.MPF

2008-04-07 20:40 . 2008-04-09 15:12 <DIR> d----c--- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor

2008-04-07 20:40 . 2008-04-09 06:46 <DIR> d----c--- C:\Program Files\SiteAdvisor

2008-04-07 20:40 . 2008-04-08 19:44 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\SiteAdvisor

2008-04-07 20:40 . 2008-04-10 20:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

2008-04-07 20:38 . 2006-03-03 08:07 143,360 --a--c--- C:\WINDOWS\system32\dunzip32.dll

2008-04-07 20:34 . 2007-11-22 06:44 201,320 --a--c--- C:\WINDOWS\system32\drivers\mfehidk.sys

2008-04-07 20:34 . 2007-07-13 06:20 113,952 --a--c--- C:\WINDOWS\system32\drivers\Mpfp.sys

2008-04-07 20:34 . 2007-11-22 06:44 79,304 --a--c--- C:\WINDOWS\system32\drivers\mfeavfk.sys

2008-04-07 20:34 . 2007-12-02 12:51 40,488 --a--c--- C:\WINDOWS\system32\drivers\mfesmfk.sys

2008-04-07 20:34 . 2007-11-22 06:44 35,240 --a--c--- C:\WINDOWS\system32\drivers\mfebopk.sys

2008-04-07 20:34 . 2007-11-22 06:44 33,832 --a--c--- C:\WINDOWS\system32\drivers\mferkdk.sys

2008-04-07 20:31 . 2008-04-08 10:45 <DIR> d----c--- C:\Program Files\McAfee

2008-04-07 20:31 . 2008-04-08 10:45 <DIR> d----c--- C:\Program Files\Common Files\McAfee

2008-04-07 18:59 . 2008-04-08 10:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\McAfee

2008-04-07 17:37 . 2008-04-07 17:37 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-07 17:33 . 2008-04-07 17:33 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard

2008-03-26 20:16 . 2008-03-26 20:16 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Nero

2008-03-22 15:55 . 2008-03-29 12:18 <DIR> d----c--- C:\Program Files\AviSynth 2.5

2008-03-15 19:28 . 2008-03-15 19:28 <DIR> d----c--- C:\Program Files\Xvid

2008-03-14 13:30 . 2008-03-14 13:30 <DIR> d----c--- C:\Program Files\DivXLand

2008-03-14 13:30 . 1999-12-17 10:13 86,016 --a--c--- C:\WINDOWS\unvise32.exe

2008-03-12 23:10 . 2008-03-12 23:11 <DIR> d----c--- C:\Documents and Settings\juastin\Application Data\Jubler

2008-03-12 23:10 . 2008-02-22 02:33 69,632 --a--c--- C:\WINDOWS\system32\javacpl.cpl

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-10 16:04 --------- dc----w C:\Documents and Settings\juastin\Application Data\uTorrent

2008-04-07 21:15 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-04-07 04:58 --------- dc----w C:\Program Files\Common Files\Adobe

2008-03-29 18:25 --------- dc----w C:\Documents and Settings\juastin\Application Data\Sony

2008-03-29 16:17 --------- dc----w C:\Program Files\Gabest

2008-03-24 14:39 --------- dc----w C:\Documents and Settings\juastin\Application Data\Apple Computer

2008-03-18 13:07 --------- dc----w C:\Program Files\Java

2008-03-07 14:03 --------- dc----w C:\Program Files\Common Files\Ahead

2008-03-02 09:01 --------- dc----w C:\Program Files\Common Files\Java

2008-02-25 21:59 --------- dc----w C:\Program Files\iTunes

2008-02-25 21:59 --------- dc----w C:\Program Files\iPod

2008-02-25 21:57 --------- dc----w C:\Program Files\QuickTime

2008-02-24 02:44 --------- dc-h--w C:\Program Files\InstallShield Installation Information

2008-02-20 17:47 --------- dc----w C:\Program Files\Red Kawa

2008-02-18 15:23 --------- dc----w C:\Program Files\DivX

2008-02-06 21:15 19,000 -c--a-w C:\Documents and Settings\juastin\Application Data\GDIPFONTCACHEV1.DAT

2007-11-15 20:34 753,152 -csha-w C:\Program Files\Common Files\ehthumbs.db

2007-11-15 20:34 2,005,504 -csha-w C:\Program Files\ehthumbs.db

.

 

------- Sigcheck -------

 

2004-10-15 19:18 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe

.

((((((((((((((((((((((((((((( snapshot@2008-04-10_15.01.42.89 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-10 17:10:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-04-10 21:14:28 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2008-04-10 17:10:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-04-10 21:14:28 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-04-10 17:10:08 49,152 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-04-10 21:16:07 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 19:10 1392640]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-06 17:10 118784]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09 94208]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-05 19:11 761856]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 17:57 36640]

"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a--c--- 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2007-10-05 19:11 59392 C:\WINDOWS\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--a------ 2007-05-24 08:41 1628720 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a--c--- 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

--a------ 2007-05-24 08:41 1628720 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2007-05-02 05:15 75520 C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

 

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3665bc86-970b-11dc-9043-000b7d23ff8c}]

\Shell\AutoRun\command - setupSNK.exe

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-07 14:12:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-04-11 21:00:00 C:\WINDOWS\Tasks\RegCure Program Check.job"

- C:\Program Files\RegCure\RegCure.exe

"2008-04-10 07:01:20 C:\WINDOWS\Tasks\RegCure.job"

- C:\Program Files\RegCure\RegCure.exe

.

**************************************************************************

 

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-11 17:27:29

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe

-> C:\Program Files\SiteAdvisor\6253\saHook.dll

.

Completion time: 2008-04-11 17:28:18

ComboFix-quarantined-files.txt 2008-04-11 21:27:56

ComboFix2.txt 2008-04-10 19:02:12

Pre-Run: 25,620,348,928 bytes free

Post-Run: 25,599,213,568 bytes free

.

2008-02-15 12:55:57 --- E O F ---

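A few lines in the ComboFix log above matter more than the deleted files: under the Security Center key, AntiVirusOverride, FirewallOverride and DisableMonitoring are all set to 1 (Windows will no longer warn that protection is off), EnableFirewall is 0 in the standard firewall profile, a 3389/TCP exception exists (shown as Disabled), and a mountpoints2 entry carries an AutoRun command (setupSNK.exe), which is worth verifying on any removable volume. The Python script below is an added example, not part of ComboFix or of this thread: it parses the REGEDIT4-style "Reg Loading Points" section and reports exactly those conditions. The sample text is constructed from the lines above.

```python
import re

# Constructed sample: registry loading points in the shape ComboFix prints them.
# The values mirror the log posted above; the text itself is assembled for this example.
SAMPLE_LOADING_POINTS = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3665bc86-970b-11dc-9043-000b7d23ff8c}]
\Shell\AutoRun\command - setupSNK.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')        # "Name"=value
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$")
# Values that silence Security Center warnings when set to 1.
SUPPRESSION_VALUES = ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring")


def parse_loading_points(text):
    """Return ({key_path: {value_name: raw_value}}, [(key_path, autorun_command)])."""
    sections, autoruns, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group(1)
            sections.setdefault(current, {})
        elif current is not None and (m := AUTORUN_RE.match(line)):
            autoruns.append((current, m.group(1).strip()))
        elif current is not None and (m := VALUE_RE.match(line)):
            sections[current][m.group(1)] = m.group(2).strip()
    return sections, autoruns


def dword_value(raw):
    """Decode the two ways ComboFix prints a REG_DWORD: 'dword:00000001' or '0 (0x0)'."""
    if (m := re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)):
        return int(m.group(1), 16)
    if (m := re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)):
        return int(m.group(1))
    return None


def audit_loading_points(text):
    """Return human-readable findings for the settings that weaken host defences."""
    sections, autoruns = parse_loading_points(text)
    findings = []
    for key, values in sections.items():
        low = key.lower()
        if "security center" in low:
            for name, raw in values.items():
                if name in SUPPRESSION_VALUES and dword_value(raw) == 1:
                    findings.append(f"Security Center alerting suppressed: {name} under {key}")
        elif low.endswith("firewallpolicy\\standardprofile"):
            if dword_value(values.get("EnableFirewall", "")) == 0:
                findings.append("Windows Firewall is off in the standard profile (EnableFirewall=0)")
        elif low.endswith("globallyopenports\\list"):
            # Value format: port:proto:scope:Enabled|Disabled:description
            for name, raw in values.items():
                fields = raw.split(":")
                state = fields[3] if len(fields) > 3 else "unknown"
                findings.append(f"Firewall port exception {name}, state {state}")
    for key, command in autoruns:
        volume = key.rsplit("\\", 1)[-1]
        findings.append(f"AutoRun command on volume {volume}: {command}")
    return findings


if __name__ == "__main__":
    for finding in audit_loading_points(SAMPLE_LOADING_POINTS):
        print(finding)
```

The audit returns a plain list so it can be run over a saved C:\ComboFix.txt (pass the file contents in place of the sample) or checked from a test; the Security Center overrides are the first thing to reset once the infection is gone, otherwise Windows stays silent about missing protection.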

Let's see about that. Please post a new HijackThis log and let me know how's the system running at this point? ;)


 

Log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:10:59 AM, on 4/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Comodo\CBOClean\BOCORE.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\SiteAdvisor\6253\SAService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

C:\PROGRA~1\Comodo\CBOClean\BOC425.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: (no name) - {089fd14d-132b-48fc-8861-0048ae113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: McAntiPhishingBHO - {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (msk80service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: SiteAdvisor Service (siteadvisor service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 6640 bytes

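HijackThis lines all follow one shape: a section code (R0, O2, O4, O23 and so on), a dash, then fields separated by " - ". Entries ending in "(file missing)" are leftovers of a product that is no longer installed (in the log above, the Adobe BHO and the Symantec licensing service), and O23 services with "Unknown owner" carry no publisher name. The Python parser below is an added example, not part of HijackThis or of this thread: it splits the O2, O4, O20 and O23 entries into fields and lists what a responder asks about first. The sample lines are constructed from the log above. The AppInit_DLLs entry it flags (guard32.dll) belongs to the COMODO firewall that is also present in the log, so the flag is a prompt to verify the DLL, not a verdict on it.

```python
import re

# Constructed sample: HijackThis entries in the shape of the log posted above
# (assembled here for the example, not a file written by HijackThis).
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: SiteAdvisor Service (siteadvisor service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")                     # "O23 - rest"
O2_RE = re.compile(r"^BHO:\s*(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")  # name - {CLSID} - path
O4_RE = re.compile(r"^(HK\w+\\\.\.\\\w+):\s*\[([^\]]*)\]\s*(.*)$")   # HKLM\..\Run: [name] command
O20_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$")
O23_RE = re.compile(r"^Service:\s*(.*?)\s+-\s+(.*?)\s+-\s+(.*)$")    # display (short) - owner - path
MISSING = "(file missing)"


def _split_missing(path):
    """Separate the '(file missing)' marker HijackThis appends from the path itself."""
    if path.endswith(MISSING):
        return path[: -len(MISSING)].strip(), True
    return path, False


def parse_hjt(text):
    """Parse HijackThis lines into dicts; unknown section codes keep only the raw text."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.groups()
        entry = {"code": code, "raw": rest, "missing": False}
        if code == "O2" and (m2 := O2_RE.match(rest)):
            path, missing = _split_missing(m2.group(3))
            entry.update(name=m2.group(1), clsid=m2.group(2), path=path, missing=missing)
        elif code == "O4" and (m2 := O4_RE.match(rest)):
            entry.update(hive=m2.group(1), name=m2.group(2), command=m2.group(3))
        elif code == "O20" and (m2 := O20_RE.match(rest)):
            entry.update(path=m2.group(1))
        elif code == "O23" and (m2 := O23_RE.match(rest)):
            path, missing = _split_missing(m2.group(3))
            entry.update(name=m2.group(1), owner=m2.group(2), path=path, missing=missing)
        entries.append(entry)
    return entries


def triage(entries):
    """List what a responder asks about first: orphaned entries, services without a
    publisher name, and anything in AppInit_DLLs (loaded into every process that maps user32.dll)."""
    notes = []
    for e in entries:
        if e["missing"]:
            notes.append(f"{e['code']} orphan (target missing): {e['name']}")
        if e["code"] == "O23" and e.get("owner") == "Unknown owner":
            notes.append(f"O23 no publisher name: {e['name']}")
        if e["code"] == "O20":
            notes.append(f"O20 AppInit_DLLs entry to verify: {e['path']}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_hjt(SAMPLE_HJT)):
        print(note)
```

Orphaned entries are what the helper means by "remnants" that get removed manually after an uninstall; "Unknown owner" only says the service binary carries no version-resource company name, which is common for small vendors and is a reason to look at the file, not a sign of infection on its own.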

I can see you still have McAfee running there. So is Comodo though :D

 

It is critical to have a firewall & an anti-virus running on the computer at all times; but having more than one firewall at the same time WILL cause conflicts. It will cause more harm than good.

 

I recommend getting rid of McAfee now (uninstalling it completely) - then posting another HijackThis log so we can remove the remnants manually, as it probably leaves entries behind it :D

 

As for antivirus, if you have McAfee's antivirus (which is really quite a bad antivirus, there are so many better ones), if not, I recommend installing the latest Avira Anti-Vir PREMIUM for free (6 months promotion licence) AND after that 6 months, install their free product for home use which is also awesome - just doesn't have all the features the premium one has.

 

I'm actually using this promotion licence myself as well. I like it. Click here.

 

The free version can be found here.


I know I have McAfee SiteAdvisor, but from what I can tell I already uninstalled all of McAfee except the SiteAdvisor. BUT when I pull up the Add/Remove Programs I don't even see the McAfee SiteAdvisor, is it possible that McAfee was removed from the programs list but not from my computer?!


  • Open HijackThis
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the notebook onto your post

Also check for the following folder and see if there's an uninstaller there somewhere......

 

C:\Program Files\McAfee

 

If not, we'll just stop & delete all the services and then nuke the folders, it should go with that :unsure:

 

Maybe nuke all of McAfee and then you can just install SiteAdvisor back if you want it. You should install that Avira though, right after we get rid of McAfee.

 

CRIPES! What a total P.I.T.A! I have said it before and I say it now - never again, not McAfee, not ever. I found an extremely useful link: http://www.pchell.com/virus/uninstallmcafee.shtml - anyone who can't get McAfee off their PC should check it out, it took the thorn out of my side. So, now that THAT is taken care of, I'll reboot and get myself some nice, laid-back Avira, a welcome change from ######-Retentive McAfee. Now I know I am spending too much time with my PC when I start personifying my Anti-virus programs ^_^


Sounds like a plan. ^_^

 

Also...a version update of Sun Java was released yesterday.

 

Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. They should have the Java icon next to them.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Now to clean out the Java cache:

 

Go into the Control Panel and double-click the Java Icon.

  • Under Temporary Internet Files, click the Settings button.
  • Then click Delete Files...
  • There are two options in the window to clear the cache - Leave BOTH checked

    Applications and Applets
    Trace and Log Files

  • Click OK on Delete Temporary Files window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

Post back with a fresh HijackThis log once you have installed Avira and updated Java. :)
