Free Malware Removal Forum

[Unfortunatesoul]

Here's my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 1:10:40 AM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8759F98A-6CD9-4FA3-993E-8A59327EE9E0} - (no file)
O2 - BHO: {8b347371-7e7f-2cc9-8d24-6feb876e7e8b} - {b8e7e678-bef6-42d8-9cc2-f7e7173743b8} - (no file)
O2 - BHO: (no name) - {CA4D30C9-2B8C-44F2-925F-8DF8D771F0Fc} - (no file)
O2 - BHO: (no name) - {DDDD878F-152A-4D2C-BBF8-453303F11C70} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe




If this helps, I used to run scans to try to remove it every day for the past week, but I have NOT ran a scan since I started up my computer today for this log. Thank you to whoever decides to help me clean my diseased and dying system up!

And also, if this helps any, I looked at different forum threads about Virtumonde removal and I saw on one that the helper was telling the infected to select an O20 thing on his HJT and fix it through HJT. So, I looked at my log and found two O20's listed, one is the one that is still on my log, the other was strange and had a bunch of random letters and numbers in its name. Thinking this would fix my problem I "fixed it" with HJT, and now it doesn't show up on HJT anymore, but I still have the malware.

[DFW]

My name is DFW, and I will be helping you to remove any infection(s) that you may have.

Please note! that all instructions given are customised for this computer only, the tools used may cause damage if used on a different computer or infection.

Please observe these rules while we work:
Perform all actions in the order given.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with it till you're given the all clear.
REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

[Unfortunatesoul]

Hello DFW!

First of all, thank you so much for replying to my thread. You don't know how much stress you just saved me from!

Ok, well, I am ready to get started whenever you are, and I agree to all of the rules.

[DFW]

Hi Unfortunatesoul



Thank you for closing your other thread at TSG,




You are operating your computer with multiple Anti Virus programs running in memory at once:
McAfee and AVG 8

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
Having two anti-virus programs running at the same time will cause your computer to run very slow, become unstable and crash.

Please Go to add/remove programs and remove one, you decide which one,
do you have a current subscription for McAfee virus definition updates, if not remove that one.


You say that you have run scans, can you please tell me which ones.




Please restore the line you deleted with HJT

Open HJT

Click on the Open the Misc Tools section button.

Click on the Back Ups Button

Place a tick on any lines yoy have deleted

Now click restore.

Exit HJT



Restart your System.

Make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.


Click on the Save list... button and specify where you would like to save this file.

When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.


Now run HJT again and post a New HJT Log


Please post back

The new HJT log
Uninstall list
Information on scans

[Unfortunatesoul]

Ok, since your last post, I have done the following:

-Uninstalled McAfee
-Restored the HJT line
-Restarted
-Made an Uninstall List
-Recorded a new HJT log


The scans I have used are:

-AVG 8
-Windows Defender
-Spybot S+D
-Ad-Aware SE Pro
-(if this makes a difference) I use CCleaner to clean my PC with its 3-pass scan. I also use its registry cleaner.


Here is my Uninstall List:

ACE Mega CoDecS Pack
Ad-Aware SE Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Common File Installer
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe Stock Photos 1.0
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AVG Free 8.0
AVIVO Codecs
Belarc Advisor 7.0
Bonjour
CCleaner (remove only)
Diablo II
DivX Content Uploader
DivX Web Player
Dungeon Siege 2
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Fraps (remove only)
Guild Wars
Hellgate: London
HijackThis 1.99.1
Hotfix for Windows XP (KB952287)
InFlac 1.1.1
iPod for Windows 2005-10-12
iTunes
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
LC5
Magic DVD Copier V4.4.3
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
NVIDIA Drivers
Oblivion
QuickTime
RealPlayer
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB934062)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Sony Media Manager 2.2
Sony Sound Forge 7.0
Sony Vegas Movie Studio 6.0
Spybot - Search & Destroy 1.4
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb955433)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Ventrilo Client
Video Converter 3
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
WD Diagnostics
Winamp
Windows Defender
Windows Installer 3.1 (KB893803)
WinRAR archiver
World of Warcraft


Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:26:58 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8759F98A-6CD9-4FA3-993E-8A59327EE9E0} - (no file)
O2 - BHO: {8b347371-7e7f-2cc9-8d24-6feb876e7e8b} - {b8e7e678-bef6-42d8-9cc2-f7e7173743b8} - (no file)
O2 - BHO: (no name) - {CA4D30C9-2B8C-44F2-925F-8DF8D771F0Fc} - (no file)
O2 - BHO: (no name) - {DDDD878F-152A-4D2C-BBF8-453303F11C70} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: mlJBRKDS - mlJBRKDS.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe



Can hardly wait for your next reply! Thanks.

[DFW]

Hi Unfortunatesoul


Please do not run any more scans on you own untill we have cleaned you up, it can sometimes make it harder to remove
infections, if we cannot see the full picture.


VIEWPOINT-OPTIONAL FIX

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval, is generally not necessary, and is therefore recommended for removal

More Info http://www.pchell.com/support/viewpoint.shtml

If you decide to remove it follow directions below

• Click Start, point to Settings, and then click Control Panel.
• In Control Panel, double-click Add or Remove Programs.
• In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
• Do the same for each Viewpoint component.

Next



1.Download and Run combofix

For information regarding Combofix, please visit this webpage:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode if needed
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed

Very Important!, before running Combofix Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".




Do not mouseclick combofix's window whilst it's running. That may cause it to stall


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

Please post back

C:\ComboFix.txt
New HijackThis log.

Note: Combofix should not be used without supervision

[Unfortunatesoul]

Here is my ComboFix Log:

ComboFix 08-08-27.01 - Alex 2008-08-27 15:48:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3044 [GMT -4:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM4f7439f4.txt
C:\WINDOWS\BM4f7439f4.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bgonpybd.ini
C:\WINDOWS\system32\hfiqpohw.ini
C:\WINDOWS\system32\jRuFffii.ini
C:\WINDOWS\system32\jRuFffii.ini2
C:\WINDOWS\system32\mcrh.tmp
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-20 00:27 . 2008-08-23 19:18 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-20 00:26 . 2008-08-27 15:07 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-20 00:26 . 2008-08-20 00:26 <DIR> d-------- C:\Program Files\AVG
2008-08-20 00:26 . 2008-08-20 00:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-20 00:26 . 2008-08-20 00:26 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-20 00:26 . 2008-08-20 00:26 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-15 00:59 . 2008-08-15 01:52 24 --a------ C:\Documents and Settings\Alex\jagex_runescape_preferences.dat
2008-08-12 08:30 . 2001-08-17 12:12 16,074 --a------ C:\WINDOWS\system32\drivers\FA312nd5.sys
2008-08-12 08:30 . 2001-08-17 12:12 16,074 --a--c--- C:\WINDOWS\system32\dllcache\fa312nd5.sys
2008-08-02 01:55 . 2008-08-02 01:55 <DIR> d-------- C:\Program Files\iTunes
2008-08-02 01:54 . 2008-08-02 01:54 <DIR> d-------- C:\Program Files\Bonjour
2008-07-28 03:41 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-28 03:41 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-28 03:41 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-28 03:41 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 19:10 --------- d-----w C:\Program Files\Viewpoint
2008-08-26 23:10 --------- d-----w C:\Program Files\McAfee
2008-08-26 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-24 02:59 --------- d-----w C:\Documents and Settings\Alex\Application Data\uTorrent
2008-08-15 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-02 05:55 --------- d-----w C:\Program Files\iPod
2008-07-24 02:56 --------- d-----w C:\Program Files\Diablo II
2008-07-23 00:32 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-20 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 00:39 --------- d-----w C:\Program Files\RivaTuner v2.09
2008-07-20 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-07-20 00:26 --------- d-----w C:\Program Files\ATI Technologies
2008-07-20 00:02 --------- d-----w C:\Documents and Settings\Alex\Application Data\U3
2008-07-16 03:15 --------- d-----w C:\Program Files\World of Warcraft
2008-07-13 20:30 --------- d-----w C:\Program Files\Apple Software Update
2008-07-13 05:13 --------- d-----w C:\Program Files\QuickTime
2007-09-27 02:16 87,608 ----a-w C:\Documents and Settings\Alex\Application Data\ezpinst.exe
2007-09-27 02:16 47,360 ----a-w C:\Documents and Settings\Alex\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 09:34 868352]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-20 00:26 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Alex\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Alex\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=C:\WINDOWS\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 13:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Documents and Settings\\Alex\\My Documents\\Downloads\\Downthemall Destination\\WoW-enGB-Installer-downloader.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Dungeon Siege II\\DungeonSiege2.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Documents and Settings\\Alex\\My Documents\\Downloads\\Downloaded Programs\\utorrent.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\Alex\\OctoshapeClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-20 00:26]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-20 00:26]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc640c72-2912-11dc-b257-001bfc01650d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-07-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-27 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8759F98A-6CD9-4FA3-993E-8A59327EE9E0} - (no file)
BHO-{b8e7e678-bef6-42d8-9cc2-f7e7173743b8} - (no file)
BHO-{CA4D30C9-2B8C-44F2-925F-8DF8D771F0Fc} - (no file)
Notify-mlJBRKDS - mlJBRKDS.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\l3seox4p.default\
FF -: plugin - C:\Documents and Settings\Alex\Application Data\Mozilla\plugins\npoctoshape.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Octoshape Streaming Services\Alex\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 15:52:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-27 15:54:12 - machine was rebooted [Alex]
ComboFix-quarantined-files.txt 2008-08-27 19:54:10

Pre-Run: 181,494,452,224 bytes free
Post-Run: 181,381,550,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

189 --- E O F --- 2008-08-26 20:31:18


Here is my new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:57:46 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


Further question(s)/concern(s):

-Before running ComboFix, I disabled resident shield on AVG as instructed, but I have the free version and could not find how to disable its other components like anti-spyware and anti-virus. Resident shield was the only one that had the option to disable it. (I followed the directions on the post about disabling running "anti" programs. So, I'm not sure if other components hindered my ComboFix results.

-Also, I couldn't help but notice McAfee stuff in the ComboFix log. Nothing with the name of McAfee exists on my control panel add/remove programs because I removed it (or I thought I removed it) in your previous instruction. Does this mean that McAfee is still on my computer? If so, is there a way to completely remove it from my system?



Thanks.
-Unfortunatesoul

[DFW]

Hi Unfortunatesoul


The Combofix log was fine, we can get the leftovers from McAfee soon, but I have a few questions

Did you decide to keep or remove veiwpoint?

Also in the combofix log there is signs that a P2P program "uTorrent"

Did you once have this installed and removed it, as I did not see it on the uninstall list.

[Unfortunatesoul]

DFW,

I did decide to remove Viewpoint, and I only found one called "Viewpoint Media Player" to uninstall. Here's an updated uninstall list (just check to see if there are any other hiding in there please):


ACE Mega CoDecS Pack
Ad-Aware SE Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Common File Installer
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe Stock Photos 1.0
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AVG Free 8.0
AVIVO Codecs
Belarc Advisor 7.0
Bonjour
CCleaner (remove only)
Diablo II
DivX Content Uploader
DivX Web Player
Dungeon Siege 2
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Fraps (remove only)
Guild Wars
Hellgate: London
HijackThis 1.99.1
Hotfix for Windows XP (KB952287)
InFlac 1.1.1
iPod for Windows 2005-10-12
iTunes
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
LC5
Magic DVD Copier V4.4.3
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
NVIDIA Drivers
Oblivion
QuickTime
RealPlayer
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB934062)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Sony Media Manager 2.2
Sony Sound Forge 7.0
Sony Vegas Movie Studio 6.0
Spybot - Search & Destroy 1.4
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb955433)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Ventrilo Client
Video Converter 3
VideoLAN VLC media player 0.8.6c
WD Diagnostics
Winamp
Windows Defender
Windows Installer 3.1 (KB893803)
WinRAR archiver
World of Warcraft



And about uTorrent, I do have this program installed on my computer. I am not sure why it is not showing up in the uninstall list because it is functional. I however do not keep it running at all times like some people do. When a torrent is finished downloading, I remove the torrent from uTorrent and exit the program after. Maybe that helps any?

[DFW]

WE NEED TO REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

We see no purpose in cleaning your machine if you use P2P programmes, as it is pretty much certain that if you continue to use them then you will get infected again.


Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) Now.
If there is no add/remove entry for this, go to start, programs, uTorrent, and look for a uninstall link there.


Post back that you have removed it and we can carry on

[Unfortunatesoul]

Deleted

Sorry about that. Anyways, I'm ready to resume.

-Unfortunatesoul

[DFW]

Well done, let's start again



Very Important!, before running Combofix Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

• Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  Code: Select all

  
  Folder::
  C:\Program Files\McAfee
  C:\Documents and Settings\All Users\Application Data\McAfee
  C:\Documents and Settings\Alex\Application Data\uTorrent
  
  Registry:: 
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "McAfeeUpdaterUI"=-
   
  
  

  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Next


Update Programs, Older versions have vulnerabilities that malware can use to infect your system,
and not work as good as the new updated vertions.

Please go to Add/Remove Programs and uninstall these programs

Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
Spybot Search & Destroy 1.4
Ad-aware

Reboot your system

Now go to your C Drive, Then program Files and delete the folders below if present


Ad-aware
Viewpoint



Next


Download and install the up to date Java

Download the latest version of Java Runtime Environment (JRE) .
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment JRE 6 Update 6 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version, you just downloaded


Spybot Search and Destroy

Click HERE to download Spybot Search and Destroy, and saved it to your desktop, once the Spybot icon is on your desktop, double click on it to install the program.
You will be prompted through to create a Back up of your Registry, go ahead,
Next, it will prompt you to update the program. Click “Download All Available Updates”, make sure you Immunize once all updtaes are downloaded
Finally, you’ll be prompted to start using the program.


Now we can download and install a new Ad-aware but there's a new, I think much better program, around now, which we
are going to use to scan your system anyway. (Malwarebytes' Anti-Malware)

1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
2. Double click on mbam-setup.exe to install it.
3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
   Update Malwarebytes' Anti-Malware
   Launch Malwarebytes' Anti-Malware
4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
6. Leave the default options as it is and click on Start Scan.
7. When done, you will be prompted. Click OK, then click on Show Results.
8. Checked (ticked) all items and click on Remove Selected.
9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

Please post back
Combofix log
Malwarebytes' Anti-Malware
A new HJT Log

[Unfortunatesoul]

DFW,

I will try to reply with logs and answers to questions and such in the order that I did them.

ComboFix Log:

ComboFix 08-08-29.01 - Alex 2008-08-29 16:32:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2965 [GMT -4:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\McAfee
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Agent.ini
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\catalog.z
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Compiled.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\AUENGINEMETA\AUEngineContentDetection.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\ENCPTCNT6000\EceptCntDet.mcs
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\MPEMSBCK1000\MPEMSBCKDet.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\MPEPRDCK1000\MPEPRDCKDet.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\MPESVRUP1000\MPESVRUPDet.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\MPEVIRCK1000\MPEVIRCKDet.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\PATCHTMP1000\PatchTmpDet.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\PATCHTMP2000\PatchTmpDet.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\PUPDAT__1000\PUPDet.mcs
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\SPAMSAFE1000\SK_det.mcs
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8600\VSE850Det.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANDAT1000\SiteStat.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANDAT1000\V2datdet.mcs
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANENG1000\V2EngDet.mcs
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_A-L-E-X.log
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_A-L-E-X.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_A-L-E-X_backup.log
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\FrameworkLog.xsl
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_A-L-E-X.log
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\FrameworkManifest.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\InstallMain.McS
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\McScript.bak
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\McScript.log
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Precompiled.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Server.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\serverDefault.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\SiteList.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\SiteMapList.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\SiteStat.xml
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\SrPubKey.bin
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Task\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}.ini
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Task\TaskInternalData\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}.ini
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\UpdateHistory.ini
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\UpdateMain.McS
C:\Program Files\McAfee
C:\Program Files\McAfee\Common Framework\0409\AgentRes.dll
C:\Program Files\McAfee\Common Framework\0409\AgentRes64.dll
C:\Program Files\McAfee\Common Framework\0409\CmaUIRes.dll
C:\Program Files\McAfee\Common Framework\0409\ScrptRes.dll
C:\Program Files\McAfee\Common Framework\0409\UpdRes.dll
C:\Program Files\McAfee\Common Framework\Agent.dll
C:\Program Files\McAfee\Common Framework\Agent64.dll
C:\Program Files\McAfee\Common Framework\AgentPlugin.dll
C:\Program Files\McAfee\Common Framework\applib.dll
C:\Program Files\McAfee\Common Framework\applib64.dll
C:\Program Files\McAfee\Common Framework\Cleanup.exe
C:\Program Files\McAfee\Common Framework\ClientUI.dll
C:\Program Files\McAfee\Common Framework\cmalib.dll
C:\Program Files\McAfee\Common Framework\cmalib64.dll
C:\Program Files\McAfee\Common Framework\CmdAgent.exe
C:\Program Files\McAfee\Common Framework\ComponentFrameworkCallback64.dll
C:\Program Files\McAfee\Common Framework\ComponentPolicyEnforcement64.dll
C:\Program Files\McAfee\Common Framework\ComponentSubSystem.dll
C:\Program Files\McAfee\Common Framework\ComponentSubSystem64.dll
C:\Program Files\McAfee\Common Framework\ComponentUserInterface.dll
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Common Framework\FrmInst.exe
C:\Program Files\McAfee\Common Framework\FrmPlugin.dll
C:\Program Files\McAfee\Common Framework\GenEvtInf.dll
C:\Program Files\McAfee\Common Framework\GenEvtInf64.dll
C:\Program Files\McAfee\Common Framework\InternetManager.dll
C:\Program Files\McAfee\Common Framework\InternetManager64.dll
C:\Program Files\McAfee\Common Framework\JrMac.dll
C:\Program Files\McAfee\Common Framework\ListenServer.dll
C:\Program Files\McAfee\Common Framework\Logging.dll
C:\Program Files\McAfee\Common Framework\Logging64.dll
C:\Program Files\McAfee\Common Framework\Management.dll
C:\Program Files\McAfee\Common Framework\Management64.dll
C:\Program Files\McAfee\Common Framework\McScanCheck.exe
C:\Program Files\McAfee\Common Framework\McScript.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\McAfee\Common Framework\mcurial.dll
C:\Program Files\McAfee\Common Framework\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\McAfee\Common Framework\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\McAfee\Common Framework\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\McAfee\Common Framework\Microsoft.VC80.CRT\msvcr80.dll
C:\Program Files\McAfee\Common Framework\msvcp71.dll
C:\Program Files\McAfee\Common Framework\msvcr71.dll
C:\Program Files\McAfee\Common Framework\naCmnLib64.dll
C:\Program Files\McAfee\Common Framework\naCmnLib71.dll
C:\Program Files\McAfee\Common Framework\nagshr32.dll
C:\Program Files\McAfee\Common Framework\naicrt32.dll
C:\Program Files\McAfee\Common Framework\nailog.dll
C:\Program Files\McAfee\Common Framework\nailog64.dll
C:\Program Files\McAfee\Common Framework\naInet.dll
C:\Program Files\McAfee\Common Framework\naInet64.dll
C:\Program Files\McAfee\Common Framework\naisign.dll
C:\Program Files\McAfee\Common Framework\naitcpp.dll
C:\Program Files\McAfee\Common Framework\naPolicyManager.dll
C:\Program Files\McAfee\Common Framework\naPolicyManager64.dll
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr64.exe
C:\Program Files\McAfee\Common Framework\naSPIPE.dll
C:\Program Files\McAfee\Common Framework\naSPIPE64.dll
C:\Program Files\McAfee\Common Framework\naXML64.dll
C:\Program Files\McAfee\Common Framework\naXML71.dll
C:\Program Files\McAfee\Common Framework\nmcomn32.dll
C:\Program Files\McAfee\Common Framework\patchw32.dll
C:\Program Files\McAfee\Common Framework\PcrPlug.dll
C:\Program Files\McAfee\Common Framework\PoEvtInf.dll
C:\Program Files\McAfee\Common Framework\Scheduler.dll
C:\Program Files\McAfee\Common Framework\Scheduler64.dll
C:\Program Files\McAfee\Common Framework\ScriptSubSys.dll
C:\Program Files\McAfee\Common Framework\SecureFrameworkFactory.dll
C:\Program Files\McAfee\Common Framework\SecureFrameworkFactory64.dll
C:\Program Files\McAfee\Common Framework\TCHelper.dll
C:\Program Files\McAfee\Common Framework\TCSubSys.dll
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\unicows.dll
C:\Program Files\McAfee\Common Framework\UpdateSubSys.dll
C:\Program Files\McAfee\Common Framework\UpdPlug.dll
C:\Program Files\McAfee\Common Framework\UserSpace.dll
C:\Program Files\McAfee\Common Framework\XMLWrap.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-20 00:27 . 2008-08-23 19:18 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-20 00:26 . 2008-08-29 15:17 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-20 00:26 . 2008-08-20 00:26 <DIR> d-------- C:\Program Files\AVG
2008-08-20 00:26 . 2008-08-20 00:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-20 00:26 . 2008-08-29 15:18 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-20 00:26 . 2008-08-20 00:26 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-15 00:59 . 2008-08-15 01:52 24 --a------ C:\Documents and Settings\Alex\jagex_runescape_preferences.dat
2008-08-12 08:30 . 2001-08-17 12:12 16,074 --a------ C:\WINDOWS\system32\drivers\FA312nd5.sys
2008-08-12 08:30 . 2001-08-17 12:12 16,074 --a--c--- C:\WINDOWS\system32\dllcache\fa312nd5.sys
2008-08-02 01:55 . 2008-08-02 01:55 <DIR> d-------- C:\Program Files\iTunes
2008-08-02 01:54 . 2008-08-02 01:54 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 19:34 --------- d-----w C:\Program Files\World of Warcraft
2008-08-27 19:10 --------- d-----w C:\Program Files\Viewpoint
2008-08-15 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-02 05:55 --------- d-----w C:\Program Files\iPod
2008-07-24 02:56 --------- d-----w C:\Program Files\Diablo II
2008-07-23 00:32 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-20 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 00:39 --------- d-----w C:\Program Files\RivaTuner v2.09
2008-07-20 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-07-20 00:26 --------- d-----w C:\Program Files\ATI Technologies
2008-07-20 00:02 --------- d-----w C:\Documents and Settings\Alex\Application Data\U3
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-13 20:30 --------- d-----w C:\Program Files\Apple Software Update
2008-07-13 05:13 --------- d-----w C:\Program Files\QuickTime
2008-07-10 02:31 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-07 20:06 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:28 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-03 03:46 10,276,864 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-06-03 03:22 413,696 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:04 245,760 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:33 48,128 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 23,040 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-06-03 01:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-09-27 02:16 87,608 ----a-w C:\Documents and Settings\Alex\Application Data\ezpinst.exe
2007-09-27 02:16 47,360 ----a-w C:\Documents and Settings\Alex\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-27_15.53.58.04 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 09:34 868352]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-29 15:18 1235736]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Alex\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Alex\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=C:\WINDOWS\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 13:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Documents and Settings\\Alex\\My Documents\\Downloads\\Downthemall Destination\\WoW-enGB-Installer-downloader.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Dungeon Siege II\\DungeonSiege2.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\Alex\\OctoshapeClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 15:18]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 15:18]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc640c72-2912-11dc-b257-001bfc01650d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-07-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 16:32:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Alex\LOCALS~1\Temp\RGI12.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-08-29 16:33:18
ComboFix-quarantined-files.txt 2008-08-29 20:33:16
ComboFix2.txt 2008-08-27 19:54:13

Pre-Run: 181,240,926,208 bytes free
Post-Run: 181,216,194,560 bytes free

288 --- E O F --- 2008-08-29 19:15:03


Updates:

-Removed all five programs listed.
-Rebooted
-Deleted the following folders from my program files: Viewpoint and Spybot S+D, there was no Ad-Aware folder.
-Downloaded and installed the following programs: Java, Spybot S+D (which I updated, backed my registry, immunized, and scanned after installing, the scan came up clean), and Malwarebytes' Anti-Malware.
-Went with your advice and did not get Ad-Aware again.
-Updated and scanned with Malwarebytes'

Scan Log:

Malwarebytes' Anti-Malware 1.25
Database version: 1096
Windows 5.1.2600 Service Pack 2

6:32:55 PM 8/29/2008
mbam-log-08-29-2008 (18-32-55).txt

Scan type: Full Scan (C:\|I:\|)
Objects scanned: 93291
Time elapsed: 32 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\PIF (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Alex\My Documents\Downloads\Downloaded Programs\Macromedia Studio MX 2004\Director MX\Keygen\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5539369C-C3CE-46CD-BDBA-E390C3E41224}\RP313\A0035432.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
I:\Torrents\Sony Vegas 7 + DVD Architect 4\Vegas 7.0a\Sony Vegas v7.0a Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
I:\Torrents\Sony Vegas 7 + DVD Architect 4\DVD Architect 4.0.125\Sony DVD Architect v4.0 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:47 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe




And that's about it. Can't wait for your next reply!

-Unfortunatesoul

[DFW]

Hi Again


Open up Hijackthis
Click on do a system scan only.
Place a checkmark next to these lines(if still present)

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)


Then close all windows except Hijackthis and click Fix Checked



Start CCleaner

• Click the "Run Cleaner" button.
• A pop up box will appear advising this process will permanently delete files from your system.
• Click "OK"
• CCleaner will scan and clean your system.
• When cleaning is complete:
• Click "Exit".
• Repeat for all usernames.

Please ensure you run CCleaner on all user accounts, just before the online Scan, this cuts down on
scan time and log size




Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

Please post back

A new HJT Log
kaspersky scan log
and a description on how your system is now.

[Unfortunatesoul]

DFW,

I went into HJT and tried to "fix" the McAfee entry 3 times, but it did not work, as you can see it is still in the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:50:09 AM, on 8/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


So, how can I remove it then?


Here is my Kapersky Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 30, 2008 05:00:44
Records in database: 1166293
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 47308
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:41:08

No malware has been detected. The scan area is clean.

The selected area was scanned.



And finally, you want me to describe how my computer is doing. Well, it seems to be running pretty smoothely, but there are still those times when a web page will take a little longer to load and such. But even if virtumonde is completely off my system now, do you detect any other malware or spyware on here that you can help me with?

Can't wait for your next.

-Unfortunatesoul