Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

BestSeller Antivirus

Post by bking » October 23rd, 2007, 11:06 pm

A balloon keeps popping up telling me I have a virus (NetWorm-i), spyware, malware threats, or a trojan, etc. I've tried Spy Sweeper and it does not remove it. McAfee does not remove it. When I click the balloon, it tells me I should download BestSeller Antivirus. Do I actually have a virus or malware?
bking | Active Member | Posts: 4 | Joined: October 23rd, 2007, 10:36 pm

Post by random/random » October 24th, 2007, 11:41 am

Click here to download the HijackThis installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
random/random | Developer | Posts: 7723 | Joined: December 18th, 2005, 3:30 pm

Post by bking » October 25th, 2007, 7:33 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:55 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\RightFax\Client\FaxCtrl.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - C:\WINDOWS\system32\vtutrrq.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fyzuvrwa.dll
O2 - BHO: (no name) - {BE2275DF-3560-4ACD-8BE2-96F26DA36259} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {EDDB2045-D9EB-4E57-8719-D30B9D615A08} - C:\WINDOWS\system32\mljge.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fyzuvrwa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PTHOSTTR] "C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [HPWWANGSAssistant] "c:\SWSetup\HPQWWAN\HPWWanGSAssistant.exe" /TrayMode
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PDDM] "C:\Program Files\PatchLink\Update Agent\pddm.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [eCopy Desktop Inbox Monitor] "C:\PROGRA~1\eCopy\Desktop\Bin\INBOXM~1.EXE" -run
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] "C:\Program Files\RightFax\Client\FaxCtrl.exe"
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\system32\rc\winvnc4.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [6d1ea1dd] "rundll32.exe" "C:\WINDOWS\system32\wdrlxfkv.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bmp: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dgn: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .doc: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dot: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dwf: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dwg: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dxf: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .gcd: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .pcx: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .plt: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .png: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .ppt: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .prj: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .prt: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .rlc: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .rtf: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .sld: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .tga: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .tif: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .vsd: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .vss: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .vst: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .vsw: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .wmf: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .wpg: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .xls: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.ezbdk.com
O15 - Trusted Zone: *.ezbdk.com (HKLM)
O16 - DPF: HOB Portal Software - http://161.36.147.247/hob/lib/JLaunchDU.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emhartna.com
O17 - HKLM\Software\..\Telephony: DomainName = emhartna.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emhartna.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emhartna.com
O20 - Winlogon Notify: fyzuvrwa - C:\WINDOWS\SYSTEM32\fyzuvrwa.dll
O20 - Winlogon Notify: vtutrrq - C:\WINDOWS\SYSTEM32\vtutrrq.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC (WinVNC) - RealVNC Ltd. - C:\WINDOWS\system32\rc\winvnc4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 13785 bytes
bking | Active Member | Posts: 4 | Joined: October 23rd, 2007, 10:36 pm
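The helper's instruction above ("Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required") is the whole point of the log: HijackThis lists every hook it knows about and leaves the judgement to a human. The script below is an added example, not part of the original thread and not a feature of HijackThis, showing how a helper's eye can be written down as a scoring pass over the log. The sample lines are copied from the log posted above (a subset); the signals and point values are the editor's own heuristics and would need tuning on other logs. The entries it ranks highest are exactly the ones a reader would circle by hand: unnamed BHOs and a Winlogon Notify hook pointing at randomly named DLLs in system32, a Run value named with random hex that loads such a DLL through rundll32, and a domain added to the IE Trusted Zone. Entries that score low (ctfmon.exe, igfxtray.exe, the McAfee scriptproxy BHO) are the "harmless or even required" ones; the output is a review list, not a fix list.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; not HijackThis code and not the helper's
tooling.  Sample lines are copied from the log posted above; the scoring
rules are the editor's own assumptions about what deserves a closer look.
"""
import re
from dataclasses import dataclass, field

# Subset of the HijackThis log posted in this thread (copied, not invented).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - C:\WINDOWS\system32\vtutrrq.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fyzuvrwa.dll
O2 - BHO: (no name) - {BE2275DF-3560-4ACD-8BE2-96F26DA36259} - C:\WINDOWS\system32\pmnno.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fyzuvrwa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [6d1ea1dd] "rundll32.exe" "C:\WINDOWS\system32\wdrlxfkv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.ezbdk.com
O16 - DPF: HOB Portal Software - http://161.36.147.247/hob/lib/JLaunchDU.cab
O20 - Winlogon Notify: fyzuvrwa - C:\WINDOWS\SYSTEM32\fyzuvrwa.dll
O20 - Winlogon Notify: vtutrrq - C:\WINDOWS\SYSTEM32\vtutrrq.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# First drive-letter path ending in .dll/.exe on the line; stops at a quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe)', re.I)
VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """5-8 lowercase letters with few vowels: the naming style of the
    droppers in this log (vtutrrq, fyzuvrwa, pmnno, wdrlxfkv).  Assumption,
    tuned to this thread; many legitimate short names also match, so it is
    only used as one signal among several."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def _add(f: Finding, points: int, why: str) -> None:
    f.score += points
    f.reasons.append(why)


def score_line(line: str) -> Finding:
    """Assign review points to one HJT line.  Points are the editor's guess
    at how often each signal is benign; nothing here proves malice."""
    f = Finding(line=line)
    m = re.match(r"(O\d+|R\d+)\s+-\s+(.*)", line)
    if not m:
        return f
    section, body = m.group(1), m.group(2)
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() if path else ""
    in_system32 = bool(path) and "\\system32\\" in path.lower()
    in_windir_root = bool(path) and re.fullmatch(r"c:\\windows\\[^\\]+", path.lower()) is not None

    if section in ("O2", "O3") and "(no name)" in body:
        _add(f, 2, "browser extension registered without a name")
    if "(file missing)" in body or "(no file)" in body:
        _add(f, 1, "orphaned entry, target file already gone")
    if in_system32 and looks_random(stem):
        _add(f, 2, f"random-looking system32 file name '{stem}'")
    if section == "O3" and in_system32:
        _add(f, 1, "toolbar DLL living in system32 instead of Program Files")
    if section == "O20":
        _add(f, 2, "Winlogon Notify hook (loaded into winlogon.exe at logon)")
    if section == "O4":
        name = re.search(r"\[([^\]]+)\]", body)
        if name and re.fullmatch(r"[0-9a-f]{8}", name.group(1)):
            _add(f, 1, "Run value named with random hex")
        if "rundll32" in body.lower() and path:
            _add(f, 2, "rundll32 loading a DLL from a Run key")
        if in_windir_root:
            _add(f, 1, "executable dropped directly in the Windows directory")
    if section == "O15":
        _add(f, 3, "domain added to the IE Trusted Zone")
    if section == "O16" and re.search(r"//\d+\.\d+\.\d+\.\d+/", body):
        _add(f, 2, "ActiveX download from a bare IP address")
    return f


def triage(log: str, threshold: int = 3) -> list[Finding]:
    """Score every non-blank line and return those at or above threshold,
    highest score first.  The result is a list for a human to review."""
    findings = [score_line(l.strip()) for l in log.splitlines() if l.strip()]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}\n      " + "; ".join(f.reasons))
```

Running it against the sample ranks the rundll32 Run value and the orphaned `pmnno.dll` BHO highest, then the two Winlogon Notify hooks and the unnamed BHOs, then the Trusted Zone entry and the "Security Toolbar"; the HOB Portal DPF from a bare IP scores 2 and stays below the default threshold, which is the right outcome for something that is probably an internal corporate portal but still worth a glance.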

Post by random/random » October 26th, 2007, 5:09 am

Download the latest version of ComboFix from here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
random/random | Developer | Posts: 7723 | Joined: December 18th, 2005, 3:30 pm

Post by q80 » October 26th, 2007, 10:33 pm

Post removed by random/random

q80, please do not post in other people's topics
q80 | Active Member | Posts: 6 | Joined: October 25th, 2007, 9:54 pm

Post by bking » October 27th, 2007, 2:59 pm

ComboFix Log

ComboFix 07-10-26.4 - BKing 2007-10-27 14:42:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.424 [GMT -4:00]
Running from: C:\Documents and Settings\bking\My Documents\H Drive\ComboFix\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\bking\Application Data.\AVSystemCare
C:\Documents and Settings\bking\Application Data.\AVSystemCare\avtasks.dat
C:\Documents and Settings\bking\Application Data.\AVSystemCare\Logs\av.log
C:\Documents and Settings\bking\Application Data.\AVSystemCare\Logs\ga6Support.log
C:\Documents and Settings\bking\Application Data.\AVSystemCare\Logs\update.log
C:\Documents and Settings\bking\Application Data\BestsellerAntivirus
C:\Documents and Settings\bking\Application Data\BestsellerAntivirus\avtasks.dat
C:\Documents and Settings\bking\Application Data\BestsellerAntivirus\Logs\av.log
C:\Documents and Settings\bking\Application Data\BestsellerAntivirus\Logs\ga6Support.log
C:\Documents and Settings\bking\Application Data\BestsellerAntivirus\Logs\update.log
C:\Documents and Settings\bking\Application Data\BestsellerAntivirus\PGE.dat
C:\Documents and Settings\bking\Desktop\Live Safety Center.lnk
C:\Documents and Settings\bking\Desktop\Online Security Guide.lnk
C:\Documents and Settings\bking\Favorites\Online Security Guide.lnk
C:\Documents and Settings\bking\ResErrors.log
C:\Documents and Settings\LocalService\Desktop\Live Safety Center.lnk
C:\Documents and Settings\LocalService\Desktop\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Temp\fCOe
C:\UGA6P
C:\WINDOWS\system32\dqviqifr.dll
C:\WINDOWS\system32\egjlm.bak1
C:\WINDOWS\system32\egjlm.bak2
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\fyzuvrwa.dllbox
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pbhtwadm.dll
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vtutrrq.dll
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 14:51 172,032 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2007-10-27 14:51 172,032 --a------ C:\WINDOWS\system32\hidapi.dll
2007-10-27 14:51 53,248 --a------ C:\WINDOWS\system32\hidapistub.dll
2007-10-27 14:51 22,422 --a------ C:\WINDOWS\system32\kevlar_api_hook_list.dat
2007-10-27 14:50 187,904 --a------ C:\WINDOWS\system32\drivers\HidSys.sys
2007-10-27 14:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 14:38 83,520 --a------ C:\WINDOWS\system32\eetdlwjp.dll
2007-10-25 19:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-24 20:58 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-10-24 20:58 486,400 --a------ C:\WINDOWS\system32\wwSecure.exe
2007-10-24 20:58 57,344 --a------ C:\WINDOWS\Unwash6.exe
2007-10-23 23:36 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Bluetooth Software
2007-10-22 22:19 <DIR> d-------- C:\WINDOWS\pss
2007-10-22 20:38 15,860 --a------ C:\WINDOWS\system32\instdump.zip
2007-10-22 18:28 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-22 18:27 164 --a------ C:\install.dat
2007-10-22 14:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-22 14:43 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-22 14:43 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-22 14:43 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-22 14:42 <DIR> d-------- C:\Program Files\Webroot
2007-10-22 14:42 <DIR> d-------- C:\Documents and Settings\bking\Application Data\Webroot
2007-10-22 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-22 14:42 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-10-22 11:54 340,032 --a------ C:\WINDOWS\system32\kruokqdv.dll
2007-10-22 11:54 340,032 --a------ C:\WINDOWS\system32\fyzuvrwa.dll
2007-10-21 23:46 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-21 23:39 <DIR> d-------- C:\QUARANTINE
2007-10-19 10:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-19 10:33 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-19 10:33 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-19 10:33 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-10-19 10:33 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-10-19 10:33 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-16 13:47 <DIR> d-------- C:\Program Files\Emhart Tucker GmbH
2007-10-13 12:34 <DIR> d-------- C:\Program Files\InterActual
2007-10-12 11:43 5,316,176 --a------ C:\TEMP\msjavx86.exe
2007-10-12 11:42 <DIR> d-------- C:\TEMP
2007-10-11 15:00 <DIR> d-------- C:\WINDOWS\system32\rc
2007-10-05 11:41 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-05 11:41 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-05 11:39 <DIR> d-------- C:\Documents and Settings\bking\Application Data\Smart Panel
2007-10-05 11:38 <DIR> d-------- C:\EPSONREG
2007-10-05 11:38 <DIR> d-------- C:\Documents and Settings\bking\Application Data\Leadertech
2007-10-05 11:37 <DIR> d-------- C:\Program Files\NewSoft
2007-10-05 11:36 <DIR> d-------- C:\Program Files\Common Files\Python
2007-10-05 11:36 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2007-10-05 11:36 708,696 --a------ C:\WINDOWS\system32\python21.dll
2007-10-05 11:36 290,919 --a------ C:\WINDOWS\system32\pythoncom21.dll
2007-10-05 11:36 57,344 --a------ C:\WINDOWS\system32\PyWinTypes21.dll
2007-10-05 11:34 96,768 --a------ C:\WINDOWS\SlantAdj.dll
2007-10-05 11:34 73,216 --a------ C:\WINDOWS\ADE.DLL
2007-10-05 11:34 3,136 --a------ C:\WINDOWS\Ade001.bin
2007-10-05 11:33 <DIR> d-------- C:\Program Files\Smart Panel
2007-10-05 11:33 <DIR> d-------- C:\Program Files\EPSON
2007-10-05 11:33 217,088 --a------ C:\WINDOWS\system32\ESDTR.dll
2007-10-05 11:33 139,264 --a------ C:\WINDOWS\system32\Esint32.dll
2007-10-05 11:33 65,793 --a------ C:\WINDOWS\system32\EsFw32.BIN
2007-10-05 11:33 47,104 --a------ C:\WINDOWS\system32\escimgn.dll
2007-10-05 11:33 32,768 --a------ C:\WINDOWS\system32\eswia32.dll
2007-10-05 11:33 23,552 --a------ C:\WINDOWS\system32\esccmn.dll
2007-10-05 11:17 <DIR> d--h----- C:\BJPrinter
2007-10-05 11:17 107,008 --a------ C:\WINDOWS\system32\CNMLM56.DLL
2007-10-05 11:17 6,656 --a------ C:\WINDOWS\system32\CNMVS56.DLL
2007-10-05 11:13 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-05 11:13 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-28 16:43 <DIR> d-------- C:\Program Files\Atari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 12:50 --------- d-----w C:\Documents and Settings\bking\Application Data\U3
2007-10-22 01:09 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-19 14:33 --------- d-----w C:\Program Files\McAfee
2007-10-19 14:33 --------- d-----w C:\Program Files\Common Files\Network Associates
2007-10-19 14:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-16 17:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 14:31 53,248 ----a-w C:\WINDOWS\java\hob_jportal\hobjni.dll
2007-09-26 18:34 --------- d-----w C:\Program Files\Convert-It Pro
2007-09-26 16:06 94,208 ----a-w C:\WINDOWS\system32\ScrUnZip.dll
2007-09-26 16:06 129,536 ----a-w C:\WINDOWS\system32\IJL15.dll
2007-09-26 15:25 --------- d-----w C:\Program Files\Common Files\Cyco Shared
2007-09-26 15:25 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-09-20 21:12 356,352 ----a-w C:\WINDOWS\system32\AegisI5Installer.exe
2007-09-20 21:12 21,393 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-20 21:12 21,393 ----a-w C:\WINDOWS\AegisP.sys
2007-09-20 21:12 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-09-20 21:12 --------- d-----w C:\Program Files\Intel
2007-09-20 21:12 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2007-09-20 21:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2007-09-20 21:12 --------- d-----w C:\Documents and Settings\EFTAdministrator\Application Data\Intel
2007-09-20 21:12 --------- d-----w C:\Documents and Settings\bking\Application Data\Intel
2007-09-20 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2007-09-20 21:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intel
2007-09-20 20:51 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-20 20:51 --------- d-----w C:\Program Files\Google
2007-09-20 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-20 20:43 --------- d-----w C:\Program Files\InterVideo
2007-09-20 20:28 --------- d-----w C:\Program Files\WIDCOMM
2007-09-20 20:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATI
2007-09-20 20:26 --------- d-----w C:\Program Files\Macrovision Corp
2007-09-20 20:26 --------- d-----w C:\Program Files\Common Files\InterVideo
2007-09-20 20:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-20 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-09-20 20:25 1,781 --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Compaq 6910p (RM234UA#ABA)_YN_0U_QCND73529CF_E450345002_46_I30C1_SHP_VKBC Version 68.30_B68MCD Ver. F.06_T070620_WXP2_L409_M1024_J120_7Intel_8Core2 Duo T7300_92_#070705_N80861049_(RM234UA#ABA).MRK
2007-09-20 20:25 --------- d-----w C:\Program Files\ATI Technologies
2007-09-20 20:15 --------- d-----w C:\Program Files\Program Shortcuts
2007-09-20 20:13 --------- d-----w C:\Program Files\HPQ
2007-09-20 16:51 --------- d-----w C:\Program Files\MSXML 6.0
2007-09-20 16:41 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-20 15:27 15,793 ----a-w C:\WINDOWS\system32\drivers\mdc80211.sys
2007-09-20 15:27 --------- d-----w C:\Program Files\iPass
2007-09-20 15:24 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2007-09-20 15:24 --------- d-----w C:\Program Files\Cisco Systems
2007-09-20 15:13 --------- d-----w C:\Program Files\RightFax
2007-09-20 15:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\RightFax
2007-09-20 15:12 --------- d-----w C:\Program Files\eCopy
2007-09-20 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2007-09-20 15:09 --------- d-----w C:\Program Files\Common Files\McAfee Inc
2007-09-20 15:09 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2007-09-20 15:05 --------- d-----w C:\Program Files\Snapshot Viewer
2007-09-20 14:57 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-09-20 14:57 --------- d-----w C:\Program Files\Common Files\L&H
2007-09-20 14:56 --------- d-----w C:\Program Files\Microsoft Works
2007-09-20 14:55 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-20 14:54 --------- d-----w C:\Program Files\IBM
2007-09-20 14:26 --------- d-----w C:\Program Files\PatchLink
2007-09-20 14:26 --------- d-----w C:\Program Files\Common Files\PatchLink
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-22 11:54 340032 --a------ C:\WINDOWS\system32\fyzuvrwa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE2275DF-3560-4ACD-8BE2-96F26DA36259}]
C:\WINDOWS\system32\pmnno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDDB2045-D9EB-4E57-8719-D30B9D615A08}]
C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fyzuvrwa.dll [2007-10-22 11:54 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-26 06:34]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-26 06:34]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-26 06:33]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 10:12]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007-01-09 18:52]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 09:36]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-05 18:54]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 19:51]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-10-09 14:23]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 10:52]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 12:36]
"HPWWANGSAssistant"="c:\SWSetup\HPQWWAN\HPWWanGSAssistant.exe" [2007-02-26 11:07]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 10:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 10:49]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2007-07-03 14:08]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2001-05-08 05:10]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2001-05-08 05:10]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2001-05-08 05:10]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2001-05-08 05:10]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-07-11 16:53]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe" [2005-02-24 13:09]
"eCopy Desktop Printer Service"="C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe" [2004-11-19 08:50]
"eCopy Desktop Inbox Monitor"="C:\PROGRA~1\eCopy\Desktop\Bin\INBOXM~1.exe" [2004-11-19 09:26]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\Client\FaxCtrl.exe" [2007-06-20 14:10]
"iPCCheck"="C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" [2004-05-11 10:05]
"WinVNC"="C:\WINDOWS\system32\rc\winvnc4.exe" [2006-05-12 15:04]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"6d1ea1dd"="rundll32.exe" [2004-08-04 04:00 C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-06-10 09:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-21 21:10:01]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 15:14:00]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-09-20 11:24:31]
iPassConnect.lnk - C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe [2007-09-20 11:27:14]
McAfee Host Intrusion Prevention Tray.lnk - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [2007-09-20 11:09:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)
"NoMSAppLogo5ChannelNotify"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fyzuvrwa]
fyzuvrwa.dll 2007-10-22 11:54 340032 C:\WINDOWS\system32\fyzuvrwa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\emhartna.com\NETLOGON\plagent.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks]
C:\Program Files\BestsellerAntivirus\rtasks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com

R0 FirePM;McAfee HIP Component FirePM;C:\WINDOWS\system32\Drivers\FirePM.sys
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R1 FireHook;McAfee HIP Component FireHook;\??\C:\WINDOWS\system32\Drivers\Firehk5x.sys
R1 FireTDI;McAfee HIP Component FireTDI;\??\C:\WINDOWS\system32\Drivers\FireTDI.sys
R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;"C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe"
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys
R2 SWIHPWMI;SWIHPWMI;C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
R3 firelm01;firelm01;\??\C:\WINDOWS\system32\drivers\firelm01.sys
R3 hidsys;hidsys;\??\C:\WINDOWS\system32\Drivers\hidsys.sys
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
R3 rismc32;RICOH Smart Card Reader;C:\WINDOWS\system32\DRIVERS\rismc32.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - HIDSYS
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 14:52:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 14:54:48 - machine was rebooted
.
--- E O F ---


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:59, on 2007-10-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\RightFax\Client\FaxCtrl.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fyzuvrwa.dll
O2 - BHO: (no name) - {BE2275DF-3560-4ACD-8BE2-96F26DA36259} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {EDDB2045-D9EB-4E57-8719-D30B9D615A08} - C:\WINDOWS\system32\mljge.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fyzuvrwa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PTHOSTTR] "C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [HPWWANGSAssistant] "c:\SWSetup\HPQWWAN\HPWWanGSAssistant.exe" /TrayMode
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PDDM] "C:\Program Files\PatchLink\Update Agent\pddm.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [eCopy Desktop Inbox Monitor] "C:\PROGRA~1\eCopy\Desktop\Bin\INBOXM~1.EXE" -run
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] "C:\Program Files\RightFax\Client\FaxCtrl.exe"
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\system32\rc\winvnc4.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [6d1ea1dd] "rundll32.exe" "C:\WINDOWS\system32\eetdlwjp.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bmp: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dgn: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .doc: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dot: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dwf: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dwg: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .dxf: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .gcd: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .pcx: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .plt: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .png: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .ppt: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .prj: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .prt: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .rlc: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .rtf: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .sld: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .tga: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .tif: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .vsd: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .vss: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .vst: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .vsw: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .wmf: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .wpg: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O12 - Plugin for .xls: C:\Program Files\Common Files\Cyco Shared\NpAMPlug.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.ezbdk.com
O15 - Trusted Zone: *.ezbdk.com (HKLM)
O16 - DPF: HOB Portal Software - http://161.36.147.247/hob/lib/JLaunchDU.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emhartna.com
O17 - HKLM\Software\..\Telephony: DomainName = emhartna.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emhartna.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emhartna.com
O20 - Winlogon Notify: fyzuvrwa - C:\WINDOWS\SYSTEM32\fyzuvrwa.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC (WinVNC) - RealVNC Ltd. - C:\WINDOWS\system32\rc\winvnc4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 13558 bytes
bking
Active Member
 
Posts: 4
Joined: October 23rd, 2007, 10:36 pm

Unread postby random/random » October 27th, 2007, 5:28 pm

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    File::
    C:\WINDOWS\system32\eetdlwjp.dll
    C:\WINDOWS\system32\kruokqdv.dll
    C:\WINDOWS\system32\fyzuvrwa.dll
    C:\WINDOWS\system32\vturr.dll
    Folder::
    C:\TEMP
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE2275DF-3560-4ACD-8BE2-96F26DA36259}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDDB2045-D9EB-4E57-8719-D30B9D615A08}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "6d1ea1dd"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fyzuvrwa]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm
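Added example, not the forum's, HijackThis's or ComboFix's own tooling: a small Python triage pass over lines in the HijackThis format bking posted above, applying the same reasoning random/random's CFscript reflects (the unnamed and file-missing BHOs, the toolbar and Winlogon Notify handler that share fyzuvrwa.dll, the rundll32 Run entry, the wildcard Trusted Zone). The heuristics, severity labels and function names are my assumptions; the sample lines are excerpted from the log in this thread.

```python
"""Triage helper for HijackThis 2.0 log lines.

Added example (not a MalwareRemoval.com, Trend Micro or ComboFix tool).
The heuristics are assumptions made for illustration; they encode the
reasoning visible in the thread, not any vendor's detection logic.
"""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Finding = namedtuple("Finding", "severity kind detail path")

# Lines excerpted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fyzuvrwa.dll
O2 - BHO: (no name) - {BE2275DF-3560-4ACD-8BE2-96F26DA36259} - C:\WINDOWS\system32\pmnno.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fyzuvrwa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [6d1ea1dd] "rundll32.exe" "C:\WINDOWS\system32\eetdlwjp.dll",b
O15 - Trusted Zone: *.ezbdk.com
O20 - Winlogon Notify: fyzuvrwa - C:\WINDOWS\SYSTEM32\fyzuvrwa.dll
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_RE = re.compile(r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>" + CLSID +
                    r") - (?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)   # the Run value "6d1ea1dd" above fits this
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SAME_DLL = "same DLL as an earlier flagged entry"


def _base(path):
    """Case-folded file name of a Windows path, used to link entries that share a DLL."""
    return PureWindowsPath(path.strip()).name.lower()


def triage(log_text):
    """Return Findings for the lines worth a second look, in log order.

    One pass is enough because HijackThis emits sections in order (O2, O3, O4,
    O15, O20): a DLL flagged in an O2 line is already in `suspect` when the
    O3/O4/O20 lines that reuse it come by.
    """
    findings, suspect = [], set()
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = BHO_RE.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("unnamed")
            if m["missing"]:
                reasons.append("file missing")
            linked = _base(m["path"]) in suspect
            if linked:
                reasons.append(SAME_DLL)
            if reasons:
                suspect.add(_base(m["path"]))
                findings.append(Finding("high" if linked else "medium", "O" + m["sec"],
                                        m["clsid"] + ": " + "; ".join(reasons), m["path"]))
            continue
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"])
            if not r:
                continue  # plain executables are left to manual review; rundll32 is the pattern here
            reasons = []
            if HEX_NAME_RE.match(m["name"]):
                reasons.append("hex-looking Run value name")
            if len(r["export"]) <= 1:
                reasons.append("one-letter or missing export")
            if _base(r["dll"]) in suspect:
                reasons.append(SAME_DLL)
            if reasons:
                suspect.add(_base(r["dll"]))
                findings.append(Finding("high", "O4", "[%s] rundll32: %s" % (m["name"], "; ".join(reasons)), r["dll"]))
            continue
        m = ZONE_RE.match(line)
        if m:
            wild = m["zone"].startswith("*.")
            findings.append(Finding("review", "O15", ("wildcard " if wild else "") + "Trusted Zone " + m["zone"], ""))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            linked = _base(m["path"]) in suspect
            findings.append(Finding("high" if linked else "review", "O20",
                                    "Winlogon Notify %s%s" % (m["name"], ": " + SAME_DLL if linked else ""), m["path"]))
    return findings


def artifacts(findings):
    """Unique file paths (case-insensitive, skipping files already gone) and CLSIDs
    behind the findings: the raw material for a removal script, to be confirmed
    entry by entry before anything is deleted."""
    files, clsids = {}, set()
    for f in findings:
        if f.path and "file missing" not in f.detail:
            files.setdefault(f.path.lower(), f.path)
        clsids.update(re.findall(CLSID, f.detail))
    return {"files": sorted(files.values()), "clsids": sorted(clsids)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-4s %s  %s" % (f.severity, f.kind, f.detail, f.path))
    print(artifacts(triage(SAMPLE_LOG)))
```

Run against the excerpt, the pass reports the two unnamed BHOs, upgrades the "Security Toolbar" and the Winlogon Notify handler to high because they reuse fyzuvrwa.dll, flags the hex-named rundll32 entry, and lists the Trusted Zone wildcard for review; `artifacts()` then yields the two DLL paths and three CLSIDs that random/random's script targets from this log (the remaining entries in that script came from the ComboFix output, which this parser does not read).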

BestSeller Antivirus

Unread postby bking » October 29th, 2007, 8:52 pm

After using combofix.exe, the symptoms seem to have gone away. Do I still need to open the new notepad and copy data?
bking
Active Member
 
Posts: 4
Joined: October 23rd, 2007, 10:36 pm

Re: BestSeller Antivirus

Unread postby random/random » October 30th, 2007, 1:24 pm

bking wrote: After using combofix.exe, the symptoms seem to have gone away. Do I still need to open the new notepad and copy data?


If you want to remove the malware files on your PC, then yes.
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: BestSeller Antivirus

Unread postby askey127 » November 13th, 2007, 7:02 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
askey127
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

