Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

mgmrwmrv.exe

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

mgmrwmrv.exe

Unread postby dpia22 » March 5th, 2008, 11:32 am

I have been attached by something called mgmrwmrv.exe along with many other bad things that are removed by "Spyware Doctor", but reappear when I restart my computer. I removed the line containing mgmrwmrv.exe, using "Hijackthis", but the problems perstisted. The symptoms sudenly disappeared last night, but I know its stiil here because I still don't have access to" task manager" I'm told it was disabled by the administrator, which it wasn't. I don't understand Hijackthis logs and I'm terrified of wrecking my computer. My next step is to just reload my operating system(XP), so please help.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:58 AM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\afmrcncr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html?cookieattempt=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2bf9a12c-1dd2-11b2-b308-a016da5ddc27} - C:\WINDOWS\olixgjgt.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [sfqdknqb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sfqdknqb.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Policies\Explorer\Run: [vSFvBvUEj5] C:\WINDOWS\afmrcncr.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/dow ... ysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O20 - Winlogon Notify: gebcc - gebcc.dll (file missing)
O20 - Winlogon Notify: khfcaxx - khfcaxx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Microsoft P2S Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Microsoft PS Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10372 bytes
dpia22
Active Member
 
Posts: 9
Joined: March 5th, 2008, 11:02 am
Advertisement
Register to Remove

Re: mgmrwmrv.exe

Unread postby dan12 » March 5th, 2008, 1:21 pm

Hi, and welcome to malwareremoval forums

I'm dan12, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: mgmrwmrv.exe

Unread postby dan12 » March 5th, 2008, 1:46 pm

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: mgmrwmrv.exe

Unread postby dpia22 » March 6th, 2008, 10:32 am

Here are the things you asked for. Thanks for your help.

ComboFix 08-03-05.3 - HP_Owner 2008-03-06 9:08:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.573 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.log
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\olixgjgt.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\bbadd.ini2
C:\WINDOWS\system32\boaqjfly.ini
C:\WINDOWS\system32\clwsvqkj.ini
C:\WINDOWS\system32\dndjkoeo.dll
C:\WINDOWS\system32\dodoihjj.ini
C:\WINDOWS\system32\edmhjrkd.dll
C:\WINDOWS\system32\emuxdqne.ini
C:\WINDOWS\system32\famfgsec.ini
C:\WINDOWS\system32\feyskwac.dll
C:\WINDOWS\system32\fkxdxjwj.ini
C:\WINDOWS\system32\hhpoigay.dll
C:\WINDOWS\system32\hnburkvt.dll
C:\WINDOWS\system32\iopsuptp.ini
C:\WINDOWS\system32\jirksfoh.dll
C:\WINDOWS\system32\kldkadyc.ini
C:\WINDOWS\system32\klkmhlmq.dll
C:\WINDOWS\system32\kutgtgrh.ini
C:\WINDOWS\system32\ldwbyaeu.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mekijoqr.dll
C:\WINDOWS\system32\nohovdtp.ini
C:\WINDOWS\system32\olbgjskt.dll
C:\WINDOWS\system32\qcbaohlo.ini
C:\WINDOWS\system32\qcxwrtwx.dll
C:\WINDOWS\system32\sreuxfnx.dll
C:\WINDOWS\system32\tvkrubnh.ini
C:\WINDOWS\system32\ufgyppax.ini
C:\WINDOWS\system32\uhrqhick.dll
C:\WINDOWS\system32\vooucvcn.dll
C:\WINDOWS\system32\vuqfghtu.dll
C:\WINDOWS\system32\yagiophh.ini
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NDISWON
-------\LEGACY_SYMAVC32


((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-03 08:06 . 2008-03-03 08:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 08:11 . 2008-03-02 08:11 89,107 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-02 08:11 . 2008-03-02 08:11 89,107 --a------ C:\WINDOWS\ktcdctgv.exe
2008-03-02 08:11 . 2008-03-02 08:11 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-02-26 07:44 . 2008-02-26 07:44 57,344 --a------ C:\WINDOWS\afmrcncr.exe
2008-02-19 15:03 . 2008-03-06 08:00 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-19 15:03 . 2008-02-19 15:03 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\PC Tools
2008-02-19 15:03 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 15:03 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-19 15:03 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-19 15:03 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 20:00 . 2008-02-18 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 19:59 . 2008-02-18 19:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 09:51 . 2008-02-09 09:21 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-09 09:51 . 2008-02-09 09:51 3,444 --a------ C:\WINDOWS\unins000.dat
2008-02-08 10:38 . 2008-02-28 21:34 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-08 08:16 . 2008-02-08 08:18 28 --a------ C:\WINDOWS\system32\svchost.t__
2008-02-08 08:14 . 2008-02-11 09:38 406 --a------ C:\WINDOWS\system32\svchost.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 14:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-15 11:21 --------- d-----w C:\Program Files\McAfee
2008-02-12 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 00:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-12 00:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-05 00:48 --------- d-----w C:\Program Files\NEC DISPLAY SOLUTIONS
2008-02-02 15:27 3,645 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-02 14:51 --------- d-----w C:\Program Files\HP
2007-11-19 22:19 388 ----a-w C:\Documents and Settings\Sarah\Application Data\wklnhst.dat
2007-07-22 14:52 1,688 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-05-09 01:46 9,583,328 ----a-w C:\Documents and Settings\Penny\DesktopDoctor1.5.4.exe
2006-03-31 11:30 9,583,368 ----a-w C:\Documents and Settings\Sarah\DesktopDoctor1.5.1.exe
2006-02-19 08:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2005-07-02 02:25 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"vSFvBvUEj5"= C:\WINDOWS\afmrcncr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcc]
gebcc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcaxx]
khfcaxx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 08:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 03:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 10:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 06:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 06:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 04:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook]
--a------ 2007-01-08 11:22 20480 C:\Program Files\McAfee\MBK\LogOnHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
--a------ 2007-01-16 13:59 4838952 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 01:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 08:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-15 22:23 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2002-04-24 20:37 1544192 C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Blubster\\Blubster.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 Microsoft P2S Service;Microsoft P2S Service;C:\WINDOWS\system32\_svchost.exe []
S2 Microsoft PS Service;Microsoft PS Service;C:\WINDOWS\system32\_svchost.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:04:30 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-03-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 09:17:37
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-06 9:23:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 14:23:48
.
2008-02-09 05:46:26 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:08 AM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\afmrcncr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html?cookieattempt=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Policies\Explorer\Run: [vSFvBvUEj5] C:\WINDOWS\afmrcncr.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/dow ... ysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O20 - Winlogon Notify: gebcc - gebcc.dll (file missing)
O20 - Winlogon Notify: khfcaxx - khfcaxx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Microsoft P2S Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Microsoft PS Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9821 bytes
dpia22
Active Member
 
Posts: 9
Joined: March 5th, 2008, 11:02 am

Re: mgmrwmrv.exe

Unread postby dan12 » March 6th, 2008, 8:48 pm

Hi,dpia22

Optional - VIEWPOINT MANAGER
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
Additional info:Here
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Your call.



To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint.
Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information.
CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'
_____________


P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Blubster

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall Blubster, however that choice is up to you.
If you wish to keep it, please do not use it until your computer is cleaned.

_______________



Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath,browse and find the file click open which will place it in the field.

C:\WINDOWS\afmrcncr.exe
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\ktcdctgv.exe


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html
_____________


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O20 - Winlogon Notify: gebcc - gebcc.dll (file missing)
O20 - Winlogon Notify: khfcaxx - khfcaxx.dll (file missing)
O23 - Service: Microsoft P2S Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Microsoft PS Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
 C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svchost.tmp
C:\WINDOWS\viassary-hp.reg
C:\WINDOWS\Fonts\RandFont.dll
C:\WINDOWS\system32\_svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\ALCXMNTR.EXE
gebcc.dll
khfcaxx.dll

    Folder::
C:\Program Files\Google\GoogleToolbarNotifier

    Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"=-
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcc]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcaxx]

    Driver::
Microsoft P2S Service
Microsoft PS Service
    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


----------------------------------

Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt


please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (If available otherwise Standard)
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Please include in your next post:
  • Combofix log txt
  • Malwarebytes log
  • Kaspersky scan log
  • New highjackthis log
  • The jotti's reports for those files

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: mgmrwmrv.exe

Unread postby dpia22 » March 11th, 2008, 8:03 am

Hi
I followed the steps in order, once I finished with the Kaspersky scan all the symtoms that had diappeared before I posted the original problem have returned. Here is the information you asked for.

ComboFix 08-03-05.3 - HP_Owner 2008-03-10 22:23:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.483 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\Fonts\RandFont.dll
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svchost.tmp
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\viassary-hp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Google\GoogleToolbarNotifier
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GooE.tmp
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\resF.tmp
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\swgD.tmp
C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\gtn.dll
C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\Readme.txt
C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\res_en.dll
C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\gtn186.tmp
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\Rea185.tmp
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\res183.tmp
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg184.tmp
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\Fonts\RandFont.dll
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svchost.tmp
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\viassary-hp.reg
P:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MICROSOFT_P2S_SERVICE
-------\LEGACY_MICROSOFT_PS_SERVICE
-------\Microsoft P2S Service
-------\Microsoft PS Service


((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-10 21:28 . 2008-03-10 21:28 <DIR> d-------- C:\Program Files\Philips
2008-03-03 08:06 . 2008-03-03 08:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 08:11 . 2008-03-02 08:11 89,107 --a------ C:\WINDOWS\ktcdctgv.exe
2008-02-26 07:44 . 2008-02-26 07:44 57,344 --a------ C:\WINDOWS\afmrcncr.exe
2008-02-19 15:03 . 2008-03-10 07:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-19 15:03 . 2008-02-19 15:03 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\PC Tools
2008-02-19 15:03 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 15:03 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-19 15:03 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-19 15:03 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 20:00 . 2008-02-18 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 19:59 . 2008-02-18 19:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 03:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 03:24 --------- d-----w C:\Program Files\Google
2008-03-11 02:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-15 11:21 --------- d-----w C:\Program Files\McAfee
2008-02-12 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 00:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-12 00:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-09 14:21 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-05 00:48 --------- d-----w C:\Program Files\NEC DISPLAY SOLUTIONS
2008-02-02 14:51 --------- d-----w C:\Program Files\HP
2007-11-19 22:19 388 ----a-w C:\Documents and Settings\Sarah\Application Data\wklnhst.dat
2007-07-22 14:52 1,688 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-05-09 01:46 9,583,328 ----a-w C:\Documents and Settings\Penny\DesktopDoctor1.5.4.exe
2006-03-31 11:30 9,583,368 ----a-w C:\Documents and Settings\Sarah\DesktopDoctor1.5.1.exe
2005-07-02 02:25 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"vSFvBvUEj5"= C:\WINDOWS\afmrcncr.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 03:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 10:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 06:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 06:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 04:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook]
--a------ 2007-01-08 11:22 20480 C:\Program Files\McAfee\MBK\LogOnHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
--a------ 2007-01-16 13:59 4838952 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 01:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 08:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2002-04-24 20:37 1544192 C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:04:30 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-03-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 22:31:45
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-10 22:37:50 - machine was rebooted [HP_Owner]
ComboFix-quarantined-files.txt 2008-03-11 03:37:42
ComboFix2.txt 2008-03-06 14:23:58
.
2008-03-10 02:22:12 --- E O F ---


Malwarebytes' Anti-Malware 1.08
Database version: 476

Scan type: Full Scan (C:\|D:\|L:\|M:\|N:\|O:\|P:\|Q:\|)
Objects scanned: 207566
Time elapsed: 1 hour(s), 43 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\swid (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\mgmrwmrv.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP24\A0002590.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP58\A0007678.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\ktcdctgv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 11, 2008 6:20:02 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/03/2008
Kaspersky Anti-Virus database records: 622698


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
L:\
M:\
N:\
O:\
P:\
Q:\

Scan Statistics
Total number of scanned objects 166599
Number of viruses found 3
Number of infected objects 60
Number of suspicious objects 4
Duration of the scan process 02:31:40

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{745B5B72-8A1C-498D-938C-68F0081E29FB}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{990477EA-78BC-4F5D-AF3D-7E06783B82D7}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR4.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak10.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak10.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip/wbeCheck.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Documents\Config\desktop2.idf Object is locked skipped

C:\Documents and Settings\All Users\Documents\Fonts\SwUniNew.tff Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\ahhhhhhhhh.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\coche.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\eeek.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\grace and jesse.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\hah.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\hahaahaha.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\me and ryan.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\meeeeeeeep.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7020001.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7020001a.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7020051.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7020052.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7020053.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7020054.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7020055.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7130002.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7160005.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7180006.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7190007.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7190008.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7190009.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P7190010.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030050.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030053.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030055.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030056.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030057.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030058.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030059.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030060.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030061.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030063.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030064.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\P8030069.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\pizza.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\small.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\smallish.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\smallllllllllllllllll.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\smallllllllllllllllller.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\Thumbs.db Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\whoa.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\yay.bmp Object is locked skipped

C:\Documents and Settings\Becca\My Documents\BU copy B\My Pictures\pictures!\kylespartyy\picturessss\yeahhh.jpg Object is locked skipped

C:\Documents and Settings\HP_Owner\Application Data\McAfee\MBK\ARBUSFILE.GDB Object is locked skipped

C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\HP_Owner\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\olixgjgt.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dndjkoeo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\edmhjrkd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\feyskwac.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\hhpoigay.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\hnburkvt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\jirksfoh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\klkmhlmq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ldwbyaeu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\mekijoqr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\olbgjskt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\qcxwrtwx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\sreuxfnx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\uhrqhick.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vooucvcn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vuqfghtu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP34\A0006085.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP34\A0006086.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP34\A0006103.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP35\A0006115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP35\A0006116.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP35\A0006133.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP35\A0006134.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006179.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006180.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006181.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006182.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006202.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006203.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006204.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006205.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006214.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006287.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006358.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006359.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006360.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006376.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006377.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006378.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP36\A0006381.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP44\A0006685.dll Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007290.dll Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007292.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007294.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007295.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007296.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007297.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007298.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007299.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007300.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007301.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007302.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007303.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007304.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007305.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0007306.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP58\change.log Object is locked skipped

C:\WINDOWS\afmrcncr.exe Infected: Trojan.Win32.Obfuscated.gx skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\fb_1436.lck Object is locked skipped

C:\WINDOWS\Temp\mcafee_s2CVbms1hT5cGhR Object is locked skipped

C:\WINDOWS\Temp\mcmsc_fQ8Vah3aFMaf0et Object is locked skipped

C:\WINDOWS\Temp\mcmsc_gfETRxHgirqb8io Object is locked skipped

C:\WINDOWS\Temp\mcmsc_mcbkmaC3r81Kj3Q Object is locked skipped

C:\WINDOWS\Temp\mcmsc_QWt6BbM7IvteyLT Object is locked skipped

C:\WINDOWS\Temp\mcmsc_vjW7JDvrcYI0mgo Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP58\change.log Object is locked skipped

P:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP58\change.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:21 AM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\afmrcncr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html?cookieattempt=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {6d321fde-1dd2-11b2-badf-9645bc2e5d6b} - C:\WINDOWS\zodexuby.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [bknybcfo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bknybcfo.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKLM\..\Policies\Explorer\Run: [13Ai9vUEj5] rundll32.exe "C:\WINDOWS\tizopsxw.dll",DllCleanServer
O4 - HKCU\..\Policies\Explorer\Run: [vSFvBvUEj5] C:\WINDOWS\afmrcncr.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/dow ... ysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9298 bytes


File d3d9caps.dat received on 03.08.2008 15:49:48 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 49 and 70 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.07 -
AVG 7.5.0.516 2008.03.08 -
BitDefender 7.2 2008.03.08 -
CAT-QuickHeal 9.50 2008.03.08 -
ClamAV 0.92.1 2008.03.08 -
DrWeb 4.44.0.09170 2008.03.08 -
eSafe 7.0.15.0 2008.03.06 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.08 -
FileAdvisor 1 2008.03.08 -
Fortinet 3.14.0.0 2008.03.08 -
F-Prot 4.4.2.54 2008.03.08 -
F-Secure 6.70.13260.0 2008.03.08 -
Ikarus T3.1.1.20 2008.03.08 -
Kaspersky 7.0.0.125 2008.03.08 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2931 2008.03.08 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.08 -
Prevx1 V2 2008.03.08 -
Rising 20.34.52.00 2008.03.08 -
Sophos 4.27.0 2008.03.08 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.08 -
TheHacker 6.2.92.237 2008.03.08 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.07 -
Webwasher-Gateway 6.6.2 2008.03.07 -
Additional information
File size: 664 bytes
MD5: bbaa403d3588113b941c1c2a69b02b51
SHA1: 8cb6e30f9272e2d4085d509a23ab9e3fbbd1a9db
PEiD: -


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


File afmrcncr.exe received on 02.28.2008 06:28:27 (CET)
Current status: finished

Result: 3/32 (9.38%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: f65c6e342af108247bab4bca8a0e2f1b
SHA1: 185b5a7c9a6b40f40adcb3cf09c0db81fc6a9721
SHA256: f87819949149e5210d47945fbec0e2c7ae1a318e26b9417aff2cb8e0ec6084fa
SHA512: 9909cdf8e0cc0b061ef182f02feb6d3295c1b0f74410f68e5b2ae6c6893b3b0f f8852b2f87e317b31f4cde32edad278999a065815d6dba53eec8c943a83624bf


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


File ktcdctgv.exe received on 03.08.2008 15:59:52 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 20/30 (66.67%)
Loading server information...
Your file is queued in position: 6.
Estimated start time is between 56 and 80 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 Win-Trojan/Fakealert.89099
AntiVir 7.6.0.73 2008.03.07 TR/Crypt.FKM.Gen
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.07 -
AVG 7.5.0.516 2008.03.08 SHeur.AWFM
BitDefender 7.2 2008.03.08 Trojan.Renos.NBN
CAT-QuickHeal 9.50 2008.03.08 Hoax.Renos.ayn (Not a Virus)
ClamAV 0.92.1 2008.03.08 Trojan.Agent-14310
DrWeb 4.44.0.09170 2008.03.08 Trojan.Fakealert.444
eSafe 7.0.15.0 2008.03.06 suspicious Trojan/Worm
eTrust-Vet 31.3.5597 2008.03.07 Win32/VMalum.BYRL
Ewido 4.0 2008.03.08 -
FileAdvisor 1 2008.03.08 -
Fortinet 3.14.0.0 2008.03.08 Misc/Renos
F-Prot 4.4.2.54 2008.03.08 -
F-Secure 6.70.13260.0 2008.03.08 W32/Smalltroj.CZVK
Ikarus T3.1.1.20 2008.03.08 not-a-virus:Hoax.Win32.Renos.ayn
Kaspersky 7.0.0.125 2008.03.08 not-virus:Hoax.Win32.Renos.ayn
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 TrojanDownloader:Win32/Renos.CR
NOD32v2 2931 2008.03.08 -
Panda 9.0.0.4 2008.03.08 Adware/SpyAway
Prevx1 V2 2008.03.08 Generic.Malware
Rising 20.34.52.00 2008.03.08 Trojan.DL.Win32.Renos.bah
Sophos 4.27.0 2008.03.08 Troj/FakeAle-AR
Sunbelt 3.0.930.0 2008.03.05 -
TheHacker 6.2.92.237 2008.03.08 Aplicacion/Renos.ayn
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.07 -
Webwasher-Gateway 6.6.2 2008.03.07 Trojan.Crypt.FKM.Gen
Additional information
File size: 89107 bytes
MD5: 6328b700006e9f3d3c6fcbeb44d48555
SHA1: 6d6a6e3fc4f857f5b3609f97a0b11750c080317e
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext. ... 00216B9E56

Thanks dpia22
dpia22
Active Member
 
Posts: 9
Joined: March 5th, 2008, 11:02 am

Re: mgmrwmrv.exe

Unread postby dan12 » March 12th, 2008, 5:44 am

When we start a fix together you have to post back to me on a regular basis to get on top of an infection otherwise it just mutates. :(

As it's been a good few days since you ran combo fix for me I'd like you to delete the old version as it's updated on a regular basis.

UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Image
You can also delete any logs we have produced, and empty your Recycle bin.



Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: mgmrwmrv.exe

Unread postby dpia22 » March 12th, 2008, 10:48 am

Sorry I didn't understand the time sensitivity of the process. Here are the lastest logs.

ComboFix 08-03-10.1 - HP_Owner 2008-03-12 10:31:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.572 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\bipgvyha.dll
C:\Documents and Settings\All Users\Application Data.\bknybcfo.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.log
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\jonejwlm.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\zodexuby.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-12 10:25 . 2008-03-12 10:25 <DIR> d-------- C:\ComboFix[1]
2008-03-11 15:51 . 2008-03-11 15:51 192,512 --a------ C:\WINDOWS\dijobudk.dll
2008-03-11 15:51 . 2008-03-11 15:51 89,107 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-11 15:51 . 2008-03-11 15:51 89,107 --a------ C:\WINDOWS\jonejwlm.exe
2008-03-11 15:51 . 2008-03-11 15:51 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-11 14:55 . 2008-03-11 14:55 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\OverDrive
2008-03-11 14:54 . 2008-03-11 14:54 <DIR> d-------- C:\Program Files\OverDrive Media Console
2008-03-11 06:57 . 2008-03-11 06:57 <DIR> d-------- C:\WINDOWS\dqdgumap
2008-03-11 06:57 . 2008-03-11 06:57 192,512 --a------ C:\WINDOWS\tizopsxw.dll
2008-03-11 00:45 . 2008-03-11 00:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-11 00:45 . 2008-03-11 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-10 21:28 . 2008-03-10 21:28 <DIR> d-------- C:\Program Files\Philips
2008-03-03 08:06 . 2008-03-03 08:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-26 07:44 . 2008-02-26 07:44 57,344 --a------ C:\WINDOWS\afmrcncr.exe
2008-02-19 15:03 . 2008-03-12 08:39 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-19 15:03 . 2008-02-19 15:03 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\PC Tools
2008-02-19 15:03 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 15:03 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-19 15:03 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-19 15:03 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 20:00 . 2008-02-18 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 19:59 . 2008-02-18 19:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 15:30 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 03:24 --------- d-----w C:\Program Files\Google
2008-03-11 02:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-15 11:21 --------- d-----w C:\Program Files\McAfee
2008-02-12 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 00:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-12 00:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-09 14:21 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-05 00:48 --------- d-----w C:\Program Files\NEC DISPLAY SOLUTIONS
2008-02-02 14:51 --------- d-----w C:\Program Files\HP
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-19 22:19 388 ----a-w C:\Documents and Settings\Sarah\Application Data\wklnhst.dat
2007-07-22 14:52 1,688 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-05-09 01:46 9,583,328 ----a-w C:\Documents and Settings\Penny\DesktopDoctor1.5.4.exe
2006-03-31 11:30 9,583,368 ----a-w C:\Documents and Settings\Sarah\DesktopDoctor1.5.1.exe
2005-07-02 02:25 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"13Ai9vUEj5"= rundll32.exe "C:\WINDOWS\tizopsxw.dll",DllCleanServer

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"vSFvBvUEj5"= C:\WINDOWS\afmrcncr.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 03:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 10:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 06:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 06:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 04:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook]
--a------ 2007-01-08 11:22 20480 C:\Program Files\McAfee\MBK\LogOnHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
--a------ 2007-01-16 13:59 4838952 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 01:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 08:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2002-04-24 20:37 1544192 C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:04:30 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-03-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 10:37:27
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-12 10:39:10
ComboFix-quarantined-files.txt 2008-03-12 15:39:05
ComboFix2.txt 2008-03-11 03:37:51
.
2008-03-12 05:01:01 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:18 AM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\afmrcncr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html?cookieattempt=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKLM\..\Policies\Explorer\Run: [13Ai9vUEj5] rundll32.exe "C:\WINDOWS\tizopsxw.dll",DllCleanServer
O4 - HKCU\..\Policies\Explorer\Run: [vSFvBvUEj5] C:\WINDOWS\afmrcncr.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/dow ... ysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8533 bytes


I'll try to be quicker. :oops:
dpia22
Active Member
 
Posts: 9
Joined: March 5th, 2008, 11:02 am

Re: mgmrwmrv.exe

Unread postby dan12 » March 12th, 2008, 1:38 pm

Hi, Only trying to get on top of your problem :)

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
C:\WINDOWS\afmrcncr.exe
C:\WINDOWS\tizopsxw.dll
C:\WINDOWS\dijobudk.dll
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\jonejwlm.exe
C:\WINDOWS\dqdgumap


     Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"13Ai9vUEj5"=-
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"vSFvBvUEj5"=-

   


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Your Java is out of date Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of [URL=http://java.sun.com/javase/downloads/index.jsp] Java Runtime Environment (JRE) 6 Update 5/URL].
  • Scroll down to where it says " Java Runtime Environment (JRE) 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

-------------------------------

Run malwarebytes as before for me, Instruction as before but you don't this time have to down load it.


Please do an online scan with Kaspersky WebScanner. (You will need to use Internet Explorer to run this scan)

On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: mgmrwmrv.exe

Unread postby dpia22 » March 13th, 2008, 7:30 am

Hi Dan,
The symtoms I had earlier are gone again. Last night I had some problems with my Network/internet connection. My IP address would disappear and then be reaquired after a few minutes. A few times I lost internet connection completely. It made setting up for the online scan tricky. It seems to be ok now. Is this related to what we are doing or is it more likely my internet providers problem?
Here are the latest logs.

ComboFix 08-03-10.1 - HP_Owner 2008-03-12 22:12:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.580 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\afmrcncr.exe
C:\WINDOWS\dijobudk.dll
C:\WINDOWS\dqdgumap
C:\WINDOWS\jonejwlm.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\tizopsxw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\afmrcncr.exe
C:\WINDOWS\dijobudk.dll
C:\WINDOWS\jonejwlm.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\13Ai9vUEj5wp.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\tizopsxw.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 10:25 . 2008-03-12 10:25 <DIR> d-------- C:\ComboFix[1]
2008-03-11 15:51 . 2008-03-11 15:51 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-11 14:55 . 2008-03-11 14:55 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\OverDrive
2008-03-11 14:54 . 2008-03-11 14:54 <DIR> d-------- C:\Program Files\OverDrive Media Console
2008-03-11 06:57 . 2008-03-11 06:57 <DIR> d-------- C:\WINDOWS\dqdgumap
2008-03-11 00:45 . 2008-03-11 00:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-11 00:45 . 2008-03-11 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-10 21:28 . 2008-03-10 21:28 <DIR> d-------- C:\Program Files\Philips
2008-03-03 08:06 . 2008-03-03 08:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-19 15:03 . 2008-03-12 08:39 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-19 15:03 . 2008-02-19 15:03 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\PC Tools
2008-02-19 15:03 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 15:03 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-19 15:03 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-19 15:03 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 20:00 . 2008-02-18 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 19:59 . 2008-02-18 19:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 03:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 03:24 --------- d-----w C:\Program Files\Google
2008-03-11 02:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-15 11:21 --------- d-----w C:\Program Files\McAfee
2008-02-12 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 00:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-12 00:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-09 14:21 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-05 00:48 --------- d-----w C:\Program Files\NEC DISPLAY SOLUTIONS
2008-02-02 14:51 --------- d-----w C:\Program Files\HP
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-19 22:19 388 ----a-w C:\Documents and Settings\Sarah\Application Data\wklnhst.dat
2007-07-22 14:52 1,688 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-05-09 01:46 9,583,328 ----a-w C:\Documents and Settings\Penny\DesktopDoctor1.5.4.exe
2006-03-31 11:30 9,583,368 ----a-w C:\Documents and Settings\Sarah\DesktopDoctor1.5.1.exe
2005-07-02 02:25 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_10.38.16.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-13 03:05:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-13 03:05:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-13 03:05:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 03:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 10:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 06:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 06:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 04:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook]
--a------ 2007-01-08 11:22 20480 C:\Program Files\McAfee\MBK\LogOnHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
--a------ 2007-01-16 13:59 4838952 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 01:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 08:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2002-04-24 20:37 1544192 C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:04:30 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-03-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 22:17:48
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-12 22:20:35
ComboFix-quarantined-files.txt 2008-03-13 03:20:29
ComboFix2.txt 2008-03-12 15:39:12
ComboFix3.txt 2008-03-11 03:37:51
.
2008-03-12 05:01:01 --- E O F ---


Malwarebytes' Anti-Malware 1.08
Database version: 483

Scan type: Full Scan (C:\|D:\|L:\|M:\|N:\|O:\|P:\|Q:\|)
Objects scanned: 201198
Time elapsed: 1 hour(s), 36 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\swid (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\jonejwlm.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mgmrwmrv.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP63\A0007979.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP63\A0007980.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.


KASPERSKY ONLINE SCANNER REPORT
Thursday, March 13, 2008 7:04:37 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/03/2008
Kaspersky Anti-Virus database records: 626915


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
L:\
M:\
N:\
O:\
P:\
Q:\

Scan Statistics
Total number of scanned objects 160134
Number of viruses found 2
Number of infected objects 10
Number of suspicious objects 4
Duration of the scan process 03:16:23

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{745B5B72-8A1C-498D-938C-68F0081E29FB}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{990477EA-78BC-4F5D-AF3D-7E06783B82D7}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1E.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak10.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak10.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip/wbeCheck.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Documents\Config\desktop2.idf Object is locked skipped

C:\Documents and Settings\All Users\Documents\Fonts\SwUniNew.tff Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\ahhhhhhhhh.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\coche.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\eeek.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\grace and jesse.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\hah.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\hahaahaha.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\me and ryan.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\meeeeeeeep.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7020001.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7020001a.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7020051.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7020052.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7020053.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7020054.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7020055.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7130002.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7160005.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7180006.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7190007.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7190008.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7190009.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P7190010.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030050.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030053.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030055.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030056.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030057.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030058.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030059.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030060.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030061.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030063.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030064.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\P8030069.JPG Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\pizza.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\small.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\smallish.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\smallllllllllllllllll.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\smallllllllllllllllller.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\Thumbs.db Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\whoa.jpg Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\yay.bmp Object is locked skipped

C:\Documents and Settings\Becca\My Documents\My Pictures\pictures!\kylespartyy\picturessss\yeahhh.jpg Object is locked skipped

C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\HP_Owner\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\bipgvyha.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\bknybcfo.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped

C:\QooBox\Quarantine\C\WINDOWS\afmrcncr.exe.vir Infected: Trojan.Win32.Obfuscated.gx skipped

C:\QooBox\Quarantine\C\WINDOWS\jonejwlm.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped

C:\QooBox\Quarantine\C\WINDOWS\zodexuby.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP62\A0007903.dll Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP62\A0007904.dll Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP62\A0007905.dll Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP62\A0007906.dll Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP63\A0007977.exe Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP73\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{919B2C35-E11B-4BAB-9C43-DAD24A2649EE}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcafee_7bNgnpslSBnlkPc Object is locked skipped

C:\WINDOWS\Temp\mcmsc_gnL8gg32opNrjCq Object is locked skipped

C:\WINDOWS\Temp\mcmsc_htvgwlkSMOMNG4A Object is locked skipped

C:\WINDOWS\Temp\mcmsc_oAFjXkyYZbmdVE3 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_XJlwfQcmlSzJz5I Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:17 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html?cookieattempt=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/dow ... ysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8527 bytes


Thanks
dpia22
Active Member
 
Posts: 9
Joined: March 5th, 2008, 11:02 am

Re: mgmrwmrv.exe

Unread postby dan12 » March 13th, 2008, 8:35 am

Let's see how it settles down!

Open up spybot and go to the recovery and delete the following files
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak10.zip << This file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip << This file

--------------------------------


Make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

---------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
C:\WINDOWS\dqdgumap
    Folder::

    Registry::

    Driver::

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




:uninstall some programs:

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add remove programs
click on the following programs


adobe reader

and click on remove

Reboot the computer

: Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnarable for infections.
Please download the newest version here:
http://www.adobe.com/uk/products/reader/

Please include in your next post:
  • Combofix log txt
  • New highjackthis log
  • uninstall list

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: mgmrwmrv.exe

Unread postby dpia22 » March 13th, 2008, 10:32 am

Hi Dan,
I had a hard time finding the files you told me to delete in Spybot S&D, but I did finally find them. I deleted them, but it was after I ran combofix. I hope order doesn't matter in this case.
Here are the latest logs.

ComboFix 08-03-10.1 - HP_Owner 2008-03-13 9:54:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.587 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\dqdgumap
.

((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 22:44 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-12 22:43 . 2008-03-12 22:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-12 10:25 . 2008-03-12 10:25 <DIR> d-------- C:\ComboFix[1]
2008-03-11 14:55 . 2008-03-11 14:55 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\OverDrive
2008-03-11 14:54 . 2008-03-11 14:54 <DIR> d-------- C:\Program Files\OverDrive Media Console
2008-03-11 06:57 . 2008-03-11 06:57 <DIR> d-------- C:\WINDOWS\dqdgumap
2008-03-11 00:45 . 2008-03-11 00:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-11 00:45 . 2008-03-11 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-10 21:28 . 2008-03-10 21:28 <DIR> d-------- C:\Program Files\Philips
2008-03-03 08:06 . 2008-03-03 08:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-19 15:03 . 2008-03-12 08:39 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-19 15:03 . 2008-02-19 15:03 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\PC Tools
2008-02-19 15:03 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 15:03 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-19 15:03 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-19 15:03 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 20:00 . 2008-02-18 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 19:59 . 2008-02-18 19:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 14:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-13 03:44 --------- d-----w C:\Program Files\Java
2008-03-11 03:24 --------- d-----w C:\Program Files\Google
2008-03-11 02:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-15 11:21 --------- d-----w C:\Program Files\McAfee
2008-02-12 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 00:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-12 00:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-09 14:21 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-05 00:48 --------- d-----w C:\Program Files\NEC DISPLAY SOLUTIONS
2008-02-02 14:51 --------- d-----w C:\Program Files\HP
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-19 22:19 388 ----a-w C:\Documents and Settings\Sarah\Application Data\wklnhst.dat
2007-07-22 14:52 1,688 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-05-09 01:46 9,583,328 ----a-w C:\Documents and Settings\Penny\DesktopDoctor1.5.4.exe
2006-03-31 11:30 9,583,368 ----a-w C:\Documents and Settings\Sarah\DesktopDoctor1.5.1.exe
2005-07-02 02:25 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_10.38.16.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-13 12:01:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-13 12:01:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-13 12:01:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 03:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 10:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 06:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 06:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 04:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook]
--a------ 2007-01-08 11:22 20480 C:\Program Files\McAfee\MBK\LogOnHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
--a------ 2007-01-16 13:59 4838952 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 01:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 08:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2002-04-24 20:37 1544192 C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:04:30 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-03-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 09:59:21
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 10:01:04
ComboFix-quarantined-files.txt 2008-03-13 15:00:59
ComboFix2.txt 2008-03-13 03:20:37
ComboFix3.txt 2008-03-12 15:39:12
ComboFix4.txt 2008-03-11 03:37:51
.
2008-03-12 05:01:01 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:36 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html?cookieattempt=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/dow ... ysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9098 bytes



Sansa Media Converter
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Agere Systems PCI Soft Modem
AIM 6
AIM Toolbar
AIM+ (remove only)
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
Best Buy Rhapsody
Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
Bounce Symphony from Hewlett-Packard Desktops (remove only)
Corel Uninstaller
Crystal Maze from Hewlett-Packard Desktops (remove only)
Disney's Lilo & Stitch Trouble in Paradise
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
Google Earth
Google Toolbar for Internet Explorer
grandMA onPC 5.810
Harry Potter
Harry Potter and the Goblet of Fire™
Harry Potter II
Help and Support Additions
Hexic Deluxe
HijackThis 2.0.2
Hotfix for Windows XP (KB909394)
HP Customer Participation Program 7.0
HP Deskjet 3840
HP Deskjet Preloaded Printer Drivers
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Organize
HP Photosmart Cameras 4.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Detection
HP PSC & OfficeJet 4.0
HP Software Update
HP Software Update
HP Solution Center 7.0
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iPod for Windows 2005-09-06
iTunes
Java(TM) 6 Update 5
Kaspersky Online Scanner
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McDougal Littell EasyPlanner
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Digital Image Suite 10 Trial Edition
Microsoft Money 2005
Microsoft Office 97, Professional Edition
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 3.5 magicMoments - HPD
NEC DISPLAY SOLUTIONS: Monitor Installer
NewzToolz-EZ v1.3.0
OCR Software by I.R.I.S 7.0
OLYMPUS CAMEDIA Master 4.2
Orbital from Hewlett-Packard Desktops (remove only)
Overball from Hewlett-Packard Desktops (remove only)
OverDrive Media Console
PC-Doctor for Windows
PCI Audio Driver
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
Polar Golfer from Hewlett-Packard Desktops (remove only)
Project64 1.6
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quake
QuickTime
Rhapsody
Rhapsody Player Engine
Road Ready Streetwise from Hewlett-Packard Desktops (remove only)
SA21xx Device Manager
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Shrek 2 Ogre Bowler from Hewlett-Packard Desktops (remove only)
Sonic Express Labeler
Sonic RecordNow!
Sony Picture Utility
Sony USB Driver
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Doctor 5.5
Super Granny from Hewlett-Packard Desktops (remove only)
Terayon DOCSIS Modem
The Sims Complete Collection
Tradewinds from Hewlett-Packard Desktops (remove only)
TurboTax Deluxe 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Updates from HP
WD Diagnostics
Webshots Desktop
WexTech AnswerWorks
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476

Thanks,
dpia22
dpia22
Active Member
 
Posts: 9
Joined: March 5th, 2008, 11:02 am

Re: mgmrwmrv.exe

Unread postby dan12 » March 13th, 2008, 2:55 pm

That's fine how you did it, they were items kaspersky flagged. I will deal with other items it flagged shortly.
Things are looking better! :)

This file is being stuburn, believe it to be a folder.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
      Folder::
    C:\WINDOWS\dqdgumap
    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Please include in your next post:
  • Combofix log txt
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: mgmrwmrv.exe

Unread postby dpia22 » March 13th, 2008, 3:25 pm

Dan,
My machine had a hard time with that last round of combofix. I had to log off and log back on to get my desktop back, but it seems fine now. :)
Here are the next logs.

ComboFix 08-03-10.1 - HP_Owner 2008-03-13 15:05:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.557 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dqdgumap
C:\WINDOWS\dqdgumap\1.png
C:\WINDOWS\dqdgumap\2.png
C:\WINDOWS\dqdgumap\3.png
C:\WINDOWS\dqdgumap\4.png
C:\WINDOWS\dqdgumap\5.png
C:\WINDOWS\dqdgumap\6.png
C:\WINDOWS\dqdgumap\7.png
C:\WINDOWS\dqdgumap\8.png
C:\WINDOWS\dqdgumap\9.png
C:\WINDOWS\dqdgumap\bottom-rc.gif
C:\WINDOWS\dqdgumap\config.png
C:\WINDOWS\dqdgumap\content.png
C:\WINDOWS\dqdgumap\download.gif
C:\WINDOWS\dqdgumap\frame-bg.gif
C:\WINDOWS\dqdgumap\frame-bottom-left.gif
C:\WINDOWS\dqdgumap\frame-h1bg.gif
C:\WINDOWS\dqdgumap\head.png
C:\WINDOWS\dqdgumap\icon.png
C:\WINDOWS\dqdgumap\indexwp.html
C:\WINDOWS\dqdgumap\main.css
C:\WINDOWS\dqdgumap\memory-prots.png
C:\WINDOWS\dqdgumap\net.png
C:\WINDOWS\dqdgumap\pc-mag.gif
C:\WINDOWS\dqdgumap\pc.gif
C:\WINDOWS\dqdgumap\poloska1.png
C:\WINDOWS\dqdgumap\poloska2.png
C:\WINDOWS\dqdgumap\poloska3.png
C:\WINDOWS\dqdgumap\promowp1.html
C:\WINDOWS\dqdgumap\promowp2.html
C:\WINDOWS\dqdgumap\promowp3.html
C:\WINDOWS\dqdgumap\promowp4.html
C:\WINDOWS\dqdgumap\promowp5.html
C:\WINDOWS\dqdgumap\reg.png
C:\WINDOWS\dqdgumap\repair.png
C:\WINDOWS\dqdgumap\scr-1.png
C:\WINDOWS\dqdgumap\scr-2.png
C:\WINDOWS\dqdgumap\start.png
C:\WINDOWS\dqdgumap\styles.css
C:\WINDOWS\dqdgumap\top-rc.gif
C:\WINDOWS\dqdgumap\vline.gif
C:\WINDOWS\dqdgumap\wp.png

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 22:44 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-12 22:43 . 2008-03-12 22:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-12 10:25 . 2008-03-12 10:25 <DIR> d-------- C:\ComboFix[1]
2008-03-11 14:55 . 2008-03-11 14:55 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\OverDrive
2008-03-11 14:54 . 2008-03-11 14:54 <DIR> d-------- C:\Program Files\OverDrive Media Console
2008-03-11 00:45 . 2008-03-11 00:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-11 00:45 . 2008-03-11 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-03-10 22:52 . 2008-03-10 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-10 21:28 . 2008-03-10 21:28 <DIR> d-------- C:\Program Files\Philips
2008-03-03 08:06 . 2008-03-03 08:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-19 15:03 . 2008-03-12 08:39 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-19 15:03 . 2008-02-19 15:03 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\PC Tools
2008-02-19 15:03 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 15:03 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-19 15:03 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-19 15:03 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 20:00 . 2008-02-18 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 19:59 . 2008-02-18 19:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 20:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-13 15:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-13 03:44 --------- d-----w C:\Program Files\Java
2008-03-11 03:24 --------- d-----w C:\Program Files\Google
2008-03-11 02:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-15 11:21 --------- d-----w C:\Program Files\McAfee
2008-02-12 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 00:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-12 00:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-09 14:21 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-05 00:48 --------- d-----w C:\Program Files\NEC DISPLAY SOLUTIONS
2008-02-02 14:51 --------- d-----w C:\Program Files\HP
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-19 22:19 388 ----a-w C:\Documents and Settings\Sarah\Application Data\wklnhst.dat
2007-07-22 14:52 1,688 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-05-09 01:46 9,583,328 ----a-w C:\Documents and Settings\Penny\DesktopDoctor1.5.4.exe
2006-03-31 11:30 9,583,368 ----a-w C:\Documents and Settings\Sarah\DesktopDoctor1.5.1.exe
2005-07-02 02:25 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_10.38.16.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-13 15:14:20 65,536 ----a-r C:\WINDOWS\Installer\{A654A805-41D9-40C7-AA46-4AF04F044D61}\ARPPRODUCTICON.exe
+ 2008-03-13 15:14:20 65,536 ----a-r C:\WINDOWS\Installer\{A654A805-41D9-40C7-AA46-4AF04F044D61}\NewShortcut2_4BDFD2CE632942E498019B3D1F10D79B.exe
+ 2008-03-13 15:14:20 65,536 ----a-r C:\WINDOWS\Installer\{A654A805-41D9-40C7-AA46-4AF04F044D61}\NewShortcut3_4BDFD2CE632942E498019B3D1F10D79B.exe
+ 2008-03-13 15:15:44 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-13 17:00:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-13 17:00:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-12 13:11:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-13 17:00:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2006-06-05 19:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 19:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 19:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 03:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 10:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 06:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 06:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 04:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook]
--a------ 2007-01-08 11:22 20480 C:\Program Files\McAfee\MBK\LogOnHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
--a------ 2007-01-16 13:59 4838952 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 01:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 08:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2002-04-24 20:37 1544192 C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:04:30 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-03-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 15:10:39
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 15:12:22
ComboFix-quarantined-files.txt 2008-03-13 20:12:17
ComboFix2.txt 2008-03-13 15:01:06
ComboFix3.txt 2008-03-13 03:20:37
ComboFix4.txt 2008-03-12 15:39:12
ComboFix5.txt 2008-03-11 03:37:51
.
2008-03-12 05:01:01 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:46 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html?cookieattempt=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/dow ... ysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9015 bytes


Thanks again,
dpia22
dpia22
Active Member
 
Posts: 9
Joined: March 5th, 2008, 11:02 am

Re: mgmrwmrv.exe

Unread postby dan12 » March 13th, 2008, 3:45 pm

Ok, well done! that got it. Were going to cleanup some of the tools we used.
I would keep malwarebytes but update it on a regular basis.


UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Image
You can also delete any logs we have produced, and empty your Recycle bin.



Close all windows and try typing this command directly in and see if ComboFix runs.

Remember to use the " marks and there is a space between exe" and /killall

Start > Run > type "%userprofile%\desktop\combofix.exe" /killall

If ComboFix runs, please post the log.

Let me know when you have carried out this post and if there was any problems, how are things now with the machine.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 327 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware