
Malware Removal Instructions

WinAntiVirus Virus


Post by Robbo » July 31st, 2006, 8:06 am

Hi Navigator,

Here is the data you requested:


Incident Status Location

Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll._
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/maxifiles Not disinfected c:\program files\common files\Download
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/block-checker Not disinfected Windows Registry
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\LocalService\Cookies\system@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\LocalService\Cookies\system@888[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\LocalService\Cookies\system@cassava[1].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banners.searchingbooth[1].txt
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\DivX\Google\Firefox\ffinstaller.exe[²ÜÇ\System.dll]

Logfile of HijackThis v1.99.1
Scan saved at 13:03:26, on 31/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SONYER~1\COMMUN~1\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\AnalyseThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/3,0,1,0/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Active Camera 2004
Active Camera 2004 update
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
Application Suite
Application Suite
AsusUpdate
AudibleManager
Creative DVD Audio Plugin for Audigy Series
Creative Mass Storage Drivers
Creative MediaSource
Creative System Information
Creative WebCam NX Pro Driver (1.03.03.0326)
Creative Zen Nano
DYMO Label Software
ewido anti-spyware 4.0
Google Toolbar for Firefox
Guitar Pro 5.0
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Hydro Thunder
InterVideo WinDVD 5
J2SE Runtime Environment 5.0 Update 3
Just Flight British Airports Volume 3- SouthWest v1.01 FS2004
Just Flight British Airports Volume 4- Central v1.01 FS2004
Just Flight World Airports 2 FS2004 v1.00
LEGO Star Wars
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee Personal Firewall Plus
McAfee SecurityCenter
McAfee VirusScan
Microsoft ActiveSync 4.0
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Midtown Madness
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Mozilla Firefox (1.5.0.4)
NVIDIA Drivers
Panda ActiveScan
PDF-XChange 2.5 Driver Install
Ready for Pushback Second Generation_V2_06_CD
Realtek High Definition Audio Driver
Registry Mechanic 5.1
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SolidConverterPDF
Sony Ericsson Communications Suite
Sony Ericsson MMS Home Studio
Tennis Titans
TTS_Technology
Ultimate Traffic
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Virtual Cable Tester
Windows Defender
Windows Defender Signatures
Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XTNDConnect PC


All is quiet on my machine at present though it's too early to say if the beast has been slayed! I'll post back later with an update. Thanks for your continued help, it's really appreciated.

Robbo
Robbo
Regular Member
Posts: 16
Joined: July 30th, 2006, 5:26 am

Post by Robbo » July 31st, 2006, 9:02 am

Sadly, it's still there. Greatly reduced activity but it is still there. Any ideas?
Robbo
Regular Member
Posts: 16
Joined: July 30th, 2006, 5:26 am

Post by Navigator » July 31st, 2006, 9:19 pm

Robbo wrote:Sadly, it's still there. Greatly reduced activity but it is still there. Any ideas?


Ideas? Yeah, I got a few.... :D

Is the problem persistent WinAntiVirus pop-ups?

We'll kill off the files found by Panda, update your Java (out of date Java versions are a security risk), run another online scan and if the problem still persists we'll start digging deeper (get a WinPFind log to look deeper into your system).

For now, please do this:

1. Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\atmtd.dll._
    c:\windows\keyboard1.dat

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

2. Go here and download and install JRE 5.0 Update 7. Click the link that says Download JRE 5.0 Update 7. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-1_5_0_07-windows-i586-p.exe to start the install.

Once you have it installed, click Start>>Run, type in appwiz.cpl and hit Enter. From the list, uninstall Java - J2SE Runtime Environment 5.0 Update 3 .

3. Trend Micro™ HouseCall ActiveX Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall>> button.
  • You may receive a prompt to install the ActiveX, click install.
  • If you are taken back to the main page, click Launching HouseCall>> button again.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

4. Post back with:
  • a new HJT log
  • and let me know if the problem is still there
Navigator
MRU Honors Grad Emeritus
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by Robbo » August 1st, 2006, 4:18 pm

Hi Navigator,

No problems were found with the scan. The WinAntiVirus pop-ups are still occurring. If it helps, I can hear internet activity but without any pop-ups. They seem to activate when an explorer window is opened or re-launched when minimised.

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:13:39, on 01/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\SONYER~1\COMMUN~1\MOBILE~1\EPMWOR~1.EXE
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\AnalyseThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/3,0,1,0/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Thanks again,

Robbo
Robbo
Regular Member
Posts: 16
Joined: July 30th, 2006, 5:26 am
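The two HijackThis logs in this thread differ in only a handful of entries (the Java update swapped jre1.5.0_03 for jre1.5.0_07 and added an SSVHelper BHO; the HouseCall scan and a visit to autotrader.co.uk added O16 ActiveX entries), and spotting exactly that kind of change between scans is what a helper does by eye. The script below is an added example, not part of this thread and not a MalwareRemoval.com or HijackThis tool: it parses two HJT logs, diffs them section by section (case-insensitively, since Windows paths are), and flags the entry types a reviewer checks first. The embedded sample logs are constructed excerpts of the two logs Robbo posted.

```python
"""Diff two HijackThis v1.99.1 logs and flag entries worth a second look.

Added example for this thread (not a MalwareRemoval.com or HijackThis tool).
OLD_LOG / NEW_LOG are constructed excerpts of the 31/07/2006 and 01/08/2006
logs posted above; the heuristics in flag_entries() are review hints, not
verdicts: a flagged line still has to be checked by hand.
"""
import re
from dataclasses import dataclass

# Every HJT entry starts with a section tag (R0, F1, N2, O2, O4, O16, O23 ...).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
# A body that names a file without a drive letter (e.g. "[nwiz] nwiz.exe /install")
# relies on PATH / system32 lookup, so a reviewer wants to confirm which file runs.
DRIVE_RE = re.compile(r"[a-z]:\\", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


def parse_log(text):
    """Return (running_processes, entries) from the text of one HJT log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(Entry(m.group("section"), m.group("body")))
        elif in_processes:
            processes.append(line.lower())  # NTFS paths are case-insensitive
    return processes, entries


def _key(entry):
    """Comparison key: same section and same body ignoring case."""
    return entry.section, entry.body.lower()


def diff_logs(old_text, new_text):
    """What appeared and what disappeared between two scans of the same machine."""
    old_p, old_e = parse_log(old_text)
    new_p, new_e = parse_log(new_text)
    old_keys = {_key(e) for e in old_e}
    new_keys = {_key(e) for e in new_e}
    return {
        "processes_added": sorted(set(new_p) - set(old_p)),
        "processes_removed": sorted(set(old_p) - set(new_p)),
        "entries_added": [e for e in new_e if _key(e) not in old_keys],
        "entries_removed": [e for e in old_e if _key(e) not in new_keys],
    }


def flag_entries(entries):
    """Heuristic review flags; returns a list of (kind, entry) pairs."""
    flags = []
    for e in entries:
        if e.section == "O23" and "(file missing)" in e.body:
            flags.append(("service-file-missing", e))  # orphaned service registration
        elif e.section == "O16":
            flags.append(("activex-download", e))  # DPF = downloaded ActiveX control
        elif e.section == "O4" and not DRIVE_RE.search(e.body):
            flags.append(("autostart-no-path", e))  # autostart without a full path
    return flags


OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 13:03:26, on 31/07/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:13:39, on 01/08/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
"""

if __name__ == "__main__":
    result = diff_logs(OLD_LOG, NEW_LOG)
    for label in ("processes_added", "processes_removed", "entries_added", "entries_removed"):
        print(f"== {label} ==")
        for item in result[label]:
            print("  ", item if isinstance(item, str) else f"{item.section} - {item.body}")
    print("== review flags (new log) ==")
    for kind, e in flag_entries(parse_log(NEW_LOG)[1]):
        print(f"   [{kind}] {e.section} - {e.body}")
```

The MCUpdateExe line is spelled with different capitalisation in the two logs; the case-insensitive key keeps it out of the diff, which is the main trap when comparing Windows logs mechanically.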

Post by Navigator » August 1st, 2006, 4:25 pm

OK...let's look a bit deeper:

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
Navigator
MRU Honors Grad Emeritus
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by Robbo » August 1st, 2006, 5:58 pm

Hi Navigator,

Here's the WinPFind Log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
Umonitor 29/07/2006 19:51:06 81552 C:\WINDOWS\pxinstall_log.txt

Checking %System% folder...
PEC2 18/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 15/07/2003 00:57:20 31744 C:\WINDOWS\SYSTEM32\flt1chk2.dll
PTech 19/06/2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 07/07/2006 02:21:46 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/08/2004 01:56:38 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 29/11/2002 18:09:04 3050298 C:\WINDOWS\SYSTEM32\PDFREPORT_XP.dll
Umonitor 04/08/2004 01:56:46 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 18/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 19/06/2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
PTech 03/08/2004 23:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
01/08/2006 22:44:56 S 2048 C:\WINDOWS\bootstat.dat
16/06/2006 20:29:34 HS 61 C:\WINDOWS\cnerolf.dat
25/06/2006 13:55:00 H 54156 C:\WINDOWS\QTFont.qfn
28/07/2006 14:18:48 RH 749 C:\WINDOWS\WindowsShell.Manifest
28/07/2006 14:18:46 H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
09/06/2006 15:40:08 HS 67 C:\WINDOWS\Fonts\desktop.ini
28/07/2006 14:19:04 H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
09/06/2006 15:39:54 RHS 242478 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
09/06/2006 15:39:54 RHS 19959 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
09/06/2006 15:39:54 RHS 727 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
09/06/2006 15:40:58 H 233472 C:\WINDOWS\repair\ntuser.dat
28/07/2006 14:18:46 RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
09/06/2006 15:39:42 RH 488 C:\WINDOWS\system32\logonui.exe.manifest
28/07/2006 14:18:46 RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
28/07/2006 14:18:46 RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
28/07/2006 14:18:46 RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
09/06/2006 15:39:42 RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
28/07/2006 14:18:46 RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
22/06/2006 12:18:30 S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
18/06/2006 18:09:30 S 7977 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem13.CAT
19/06/2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
01/08/2006 22:45:02 H 12288 C:\WINDOWS\system32\config\default.LOG
07/07/2006 16:45:12 H 0 C:\WINDOWS\system32\config\DEFAULT.rrr.LOG
01/08/2006 22:45:12 H 1024 C:\WINDOWS\system32\config\SAM.LOG
01/08/2006 22:44:58 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
01/08/2006 22:45:26 H 118784 C:\WINDOWS\system32\config\software.LOG
07/07/2006 16:45:12 H 0 C:\WINDOWS\system32\config\SOFTWARE.rrr.LOG
01/08/2006 22:45:04 H 1204224 C:\WINDOWS\system32\config\system.LOG
09/06/2006 16:19:54 H 1024 C:\WINDOWS\system32\config\TempKey.LOG
09/06/2006 16:19:56 H 1024 C:\WINDOWS\system32\config\userdiff.LOG
17/07/2006 08:46:06 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
09/06/2006 16:31:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
19/07/2006 12:10:56 S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
21/06/2006 16:45:42 S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
19/07/2006 12:10:56 S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
21/06/2006 16:45:42 S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
09/06/2006 16:31:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
09/06/2006 15:39:54 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
09/06/2006 15:39:54 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
09/06/2006 15:39:54 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
09/06/2006 15:39:54 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
09/06/2006 15:39:54 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\216PA1O3\desktop.ini
09/06/2006 15:39:54 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2P4R47CR\desktop.ini
09/06/2006 15:39:54 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GRWV8N21\desktop.ini
09/06/2006 15:39:54 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IFG1OL61\desktop.ini
09/06/2006 15:39:42 HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
09/06/2006 16:31:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
09/06/2006 15:40:26 HS 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
09/06/2006 15:40:26 HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
09/06/2006 15:40:26 HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
09/06/2006 15:40:26 HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
09/06/2006 15:40:26 HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
13/06/2006 13:42:26 H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf
16/06/2006 19:35:20 H 0 C:\WINDOWS\system32\drivers\umdf\Msft_User_WpdMtpDr_01_00_00.Wdf
11/06/2006 15:49:26 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\64ff9dc2-c566-45d6-ad4a-6f22217df68f
11/06/2006 15:49:26 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
11/06/2006 03:05:48 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c92a74be-b13a-44c2-ba64-c7ec8e24fcb6
11/06/2006 03:05:48 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
01/08/2006 22:48:12 H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
01/08/2006 22:43:46 H 6 C:\WINDOWS\Tasks\SA.DAT
31/07/2006 14:02:58 HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
31/07/2006 14:02:58 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
31/07/2006 14:02:58 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4P27GDEV\desktop.ini
31/07/2006 14:02:58 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\AH0H0BA5\desktop.ini
31/07/2006 14:02:58 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTEXE9SJ\desktop.ini
31/07/2006 14:02:58 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\X7SMXUE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 04/08/2004 01:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 03/05/2005 19:44:12 294912 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 04/08/2004 01:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 00:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 01:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Teleca Software Solutions AB 14/05/2003 15:39:20 339968 C:\WINDOWS\SYSTEM32\ecsepm.cpl
Microsoft Corporation 04/08/2004 01:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 01:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 01:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 01:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 01:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 01:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03/05/2006 02:56:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 01:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 01:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 01:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
09/03/2006 15:29:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 04/08/2004 01:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Tracker Software Products 18/12/2002 10:26:24 15360 C:\WINDOWS\SYSTEM32\pdfSaver.cpl
Microsoft Corporation 04/08/2004 01:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Realtek Semiconductor Corp. 17/03/2005 12:43:34 262144 C:\WINDOWS\SYSTEM32\RTSndMgr.CPL
Silicon Image 11/01/2005 19:56:46 R 78336 C:\WINDOWS\SYSTEM32\SilSupp.cpl
01/02/2005 12:49:24 131072 C:\WINDOWS\SYSTEM32\skvctcp.cpl
Microsoft Corporation 04/08/2004 01:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 01:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 01:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 05:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04/08/2004 00:56:58 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 26/05/2005 05:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/06/2006 11:52:02 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
09/06/2006 15:40:26 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
20/07/2006 19:57:02 1777 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
12/06/2006 08:43:06 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
12/06/2006 11:53:34 1634 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PDF-Capture.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
09/06/2006 16:31:20 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
22/06/2006 16:47:22 1369 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
09/06/2006 15:40:26 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
09/06/2006 16:31:20 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SolidConverterDWG
{36EB2FB7-593D-45aa-9669-582196FB1B2A} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SolidConverterDWG
{36EB2FB7-593D-45aa-9669-582196FB1B2A} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}
Windows Live Sign-in Helper = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
MenuText = Create Mobile Favorite... : C:\PROGRA~1\MICROS~4\INetRepl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
XTNDConnect PC - ErPhn2 C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
Windows Defender "C:\Program Files\Windows Defender\MSASCui.exe" -hide
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe
RTHDCPL RTHDCPL.EXE
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
nwiz nwiz.exe /install
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
BluetoothAuthenticationAgent rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
Adobe Photo Downloader "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
!ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
WPDShServiceObj {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 01/08/2006 22:53:35


regards,

Robbo
Robbo
Regular Member
 
Posts: 16
Joined: July 30th, 2006, 5:26 am

Unread postby Navigator » August 1st, 2006, 8:28 pm

Hey Robbo....

I don't see anything in that WinPFind log...but I'm going to try and get some others to peek in on us and get their opinion. I've researched the WinAntiVirus and DriveCleaner infections and looked for those files/reg entries, but I just ain't seeing them or much of anything else.

Are those pop-ups a constant issue or do they just happen when you visit certain web pages?

While I get another opinion, can you do this:

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Double-click sspsetup1.exe to install it.
  • Before installation it may ask you to check for program updates. Click YES.
    Then finish installation leaving all the default options.
  • Once the program is installed, it will ask if you wish to reboot now; choose YES.
  • After reboot, open SpySweeper, by double-clicking the icon on your desktop.
  • Click Options on the left side.
  • Click the Sweep tab.
  • Under Items to Sweep make sure the following are checked:
    • Windows registry
    • Memory objects
    • Cookies
    • Compressed Files
    • System Restore Folder
  • Under Other Options make sure the following are checked:
    • Sweep all user accounts
    • Enable Direct Disk Sweeping
    • Sweep for rootkits
  • Click the Sweep button on the left side.
  • Click the Start Sweep button.
  • When it's done scanning, make sure everything has a check next to it, then click the Quarantine Selected button.
  • It will quarantine all of the items found.
  • Click View Session Log in the right corner above the box where the items are listed.
  • Click Save to File and save it on your desktop.
  • Exit SpySweeper.
  • Paste the contents of the session log you saved into your next reply (Spy Sweeper Session Log.txt).
  • NOTE: you can get to the log by clicking Options on the left. Then, View Session Log will be listed under Other Options.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Robbo » August 2nd, 2006, 6:36 am

Hi Nav,

Some progress I think. The Spy Sweeper program found some infected files. As I quarantined the items, McAfee (rather late in the game!) sprang into life with the message "Trojan found - C:\windows\temp\SSTB9.tmp has been infected with the Exploit-ObscuredHtml Trojan and cannot be cleaned". At the same time Spy Sweeper popped a message up by the taskbar saying it had blocked an attempt to contact Z-Quest.com.

Despite the files being quarantined, though, I can still hear activity being blocked by the firewall. Haven't had any pop-ups, though. As to your question about when the pop-ups appear, they are not related to any particular website; I've even had them pop up when no explorer window was open.

Here is the Spy Sweeper log:

11:22: Removal process completed. Elapsed time 00:00:06
11:22: Quarantining All Traces: cassava cookie
11:22: Quarantining All Traces: 888 cookie
11:22: Quarantining All Traces: adbureau cookie
11:22: Quarantining All Traces: tradedoubler cookie
11:22: Quarantining All Traces: reliablestats cookie
11:22: Quarantining All Traces: revenue.net cookie
11:22: Quarantining All Traces: realmedia cookie
11:22: Quarantining All Traces: mediaplex cookie
11:22: Quarantining All Traces: fastclick cookie
11:22: Quarantining All Traces: casalemedia cookie
11:22: Quarantining All Traces: searchingbooth cookie
11:22: Quarantining All Traces: atlas dmt cookie
11:22: Quarantining All Traces: adviva cookie
11:22: Quarantining All Traces: adtech cookie
11:22: Quarantining All Traces: adrevolver cookie
11:22: Quarantining All Traces: yieldmanager cookie
11:22: Quarantining All Traces: targetsaver
11:22: Quarantining All Traces: command
11:22: Quarantining All Traces: findthewebsiteyouneed hijack
11:22: Removal process initiated
11:19: Traces Found: 23
11:19: Full Sweep has completed. Elapsed time 00:15:04
11:19: File Sweep Complete, Elapsed Time: 00:13:41
11:18: Warning: Failed to access drive E:
11:18: Warning: Failed to access drive D:
11:17: Warning: Failed to open file "c:\documents and settings\owner\local settings\temp\~df45a3.tmp". The operation completed successfully
11:17: Warning: Failed to open file "c:\documents and settings\owner\cookies\owner@www.fun-photo[2].txt". The operation completed successfully
11:17: Warning: Failed to open file "c:\documents and settings\owner\local settings\temp\~df25df.tmp". The operation completed successfully
11:17: Warning: Failed to open file "c:\documents and settings\owner\local settings\temporary internet files\content.ie5\1c5l399b\campaign[5].htm". The operation completed successfully
11:17: Warning: Failed to open file "c:\documents and settings\owner\local settings\temporary internet files\content.ie5\1c5l399b\queryxx[6].htm". The operation completed successfully
11:17: Warning: Failed to open file "c:\documents and settings\owner\cookies\owner@mytopfriends[1].txt". The operation completed successfully
11:17: Warning: Failed to open file "c:\documents and settings\owner\cookies\owner@servedby.headlinesandnews[1].txt". The operation completed successfully
11:15: The Spy Communication shield has blocked access to: http://WWW.Z-QUEST.COM
11:15: The Spy Communication shield has blocked access to: http://WWW.Z-QUEST.COM
11:15: C:\Program Files\Common Files\fqww\fqwwd\class-barrel (ID = 78229)
11:15: C:\Program Files\Common Files\fqww\fqwwd\vocabulary (ID = 78283)
11:15: Found Adware: targetsaver
11:14: C:\!KillBox\atmtd.dll._ (ID = 166754)
11:14: Found Adware: command
11:05: Starting File Sweep
11:05: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:05: c:\documents and settings\localservice\cookies\system@www.888[1].txt (ID = 2020)
11:05: c:\documents and settings\localservice\cookies\system@cassava[1].txt (ID = 2362)
11:05: Found Spy Cookie: cassava cookie
11:05: c:\documents and settings\localservice\cookies\system@888[2].txt (ID = 2019)
11:05: c:\documents and settings\localservice\cookies\system@888[1].txt (ID = 2019)
11:05: Found Spy Cookie: 888 cookie
11:05: c:\documents and settings\owner\cookies\owner@videoegg.adbureau[1].txt (ID = 2060)
11:05: Found Spy Cookie: adbureau cookie
11:05: c:\documents and settings\owner\cookies\owner@tradedoubler[2].txt (ID = 3575)
11:05: Found Spy Cookie: tradedoubler cookie
11:05: c:\documents and settings\owner\cookies\owner@stats1.reliablestats[1].txt (ID = 3254)
11:05: Found Spy Cookie: reliablestats cookie
11:05: c:\documents and settings\owner\cookies\owner@revenue[2].txt (ID = 3257)
11:05: Found Spy Cookie: revenue.net cookie
11:05: c:\documents and settings\owner\cookies\owner@realmedia[1].txt (ID = 3235)
11:05: Found Spy Cookie: realmedia cookie
11:05: c:\documents and settings\owner\cookies\owner@mediaplex[1].txt (ID = 6442)
11:05: Found Spy Cookie: mediaplex cookie
11:05: c:\documents and settings\owner\cookies\owner@fastclick[2].txt (ID = 2651)
11:05: Found Spy Cookie: fastclick cookie
11:05: c:\documents and settings\owner\cookies\owner@casalemedia[1].txt (ID = 2354)
11:05: Found Spy Cookie: casalemedia cookie
11:05: c:\documents and settings\owner\cookies\owner@banners.searchingbooth[1].txt (ID = 3322)
11:05: Found Spy Cookie: searchingbooth cookie
11:05: c:\documents and settings\owner\cookies\owner@atdmt[2].txt (ID = 2253)
11:05: Found Spy Cookie: atlas dmt cookie
11:05: c:\documents and settings\owner\cookies\owner@adviva[1].txt (ID = 2177)
11:05: Found Spy Cookie: adviva cookie
11:05: c:\documents and settings\owner\cookies\owner@adtech[2].txt (ID = 2155)
11:05: Found Spy Cookie: adtech cookie
11:05: c:\documents and settings\owner\cookies\owner@adrevolver[3].txt (ID = 2088)
11:05: c:\documents and settings\owner\cookies\owner@adrevolver[2].txt (ID = 2088)
11:05: Found Spy Cookie: adrevolver cookie
11:05: c:\documents and settings\owner\cookies\owner@ad.yieldmanager[1].txt (ID = 3751)
11:05: Found Spy Cookie: yieldmanager cookie
11:05: Starting Cookie Sweep
11:05: Registry Sweep Complete, Elapsed Time:00:00:13
11:05: HKU\S-1-5-21-329068152-1202660629-839522115-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
11:05: Found Adware: findthewebsiteyouneed hijack
11:05: Starting Registry Sweep
11:05: Memory Sweep Complete, Elapsed Time: 00:01:05
11:04: Starting Memory Sweep
11:04: Sweep initiated using definitions version 691
11:04: Spy Sweeper 5.0.5.1286 started
11:04: | Start of Session, 02 August 2006 |
********
11:04: | End of Session, 02 August 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:02: Shield States
11:02: Spyware Definitions: 691
11:01: Spy Sweeper 5.0.5.1286 started
11:01: Spy Sweeper 5.0.5.1286 started
11:01: | Start of Session, 02 August 2006 |
********


Thanks for your persistence, I think we are getting somewhere!

Robbo
Robbo
Regular Member
 
Posts: 16
Joined: July 30th, 2006, 5:26 am
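The Spy Sweeper session log above is written newest-first, which is easy to misread when several threats turn up in the same minute: each "Found ..." line names the threat for the trace lines printed above it, not below it. The parser below is an added example (not code from the thread or from Webroot) that reads the log oldest-first so traces are grouped under the right threat, lists anything found but not quarantined, pulls out the URLs the Spy Communication shield blocked, and checks the parsed trace count against the "Traces Found" line. It runs on an excerpt of the posted log; the trace count in the excerpt and the omitted quarantine line for the search hijack are adjustments made for the example.

```python
import re

# Excerpt of the Spy Sweeper 5.x session log posted above. Spy Sweeper writes
# the session NEWEST-FIRST, so the "Found ..." line that names a threat sits
# below the trace lines (files, cookies, registry values) that belong to it.
# The "Traces Found" count is adjusted to match this excerpt, and the
# "Quarantining" line for the search hijack is deliberately left out so the
# not-quarantined case is exercised.
SAMPLE_LOG = r"""
11:22: Quarantining All Traces: 888 cookie
11:22: Quarantining All Traces: targetsaver
11:22: Removal process initiated
11:19: Traces Found: 5
11:15: The Spy Communication shield has blocked access to: http://WWW.Z-QUEST.COM
11:15: C:\Program Files\Common Files\fqww\fqwwd\class-barrel (ID = 78229)
11:15: C:\Program Files\Common Files\fqww\fqwwd\vocabulary (ID = 78283)
11:15: Found Adware: targetsaver
11:05: c:\documents and settings\localservice\cookies\system@888[2].txt (ID = 2019)
11:05: c:\documents and settings\localservice\cookies\system@888[1].txt (ID = 2019)
11:05: Found Spy Cookie: 888 cookie
11:05: HKU\S-1-5-21-329068152-1202660629-839522115-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
11:05: Found Adware: findthewebsiteyouneed hijack
11:05: Starting Registry Sweep
11:04: Spy Sweeper 5.0.5.1286 started
********
"""

TIME_RE = re.compile(r"^(\d{2}:\d{2}): (.*)$")
FOUND_RE = re.compile(r"^Found ([^:]+): (.+)$")
TRACE_RE = re.compile(r"^(.+) \(ID = (\d+)\)$")
QUARANTINE_RE = re.compile(r"^Quarantining All Traces: (.+)$")
BLOCKED_RE = re.compile(r"blocked access to: (\S+)$")
COUNT_RE = re.compile(r"^Traces Found: (\d+)$")


def parse_session_log(text):
    """Group trace lines under the threat they belong to, record what was
    quarantined and which outbound connections the Spy Communication shield
    blocked, and check the parsed trace count against the reported one."""
    findings = {}      # threat name -> {"category", "traces", "quarantined"}
    blocked = []
    reported = None
    current = None
    # Walk the log oldest-first so every "Found" line precedes its own traces.
    for raw in reversed(text.splitlines()):
        m = TIME_RE.match(raw.strip())
        if not m:
            continue                      # banners and "********" separators
        msg = m.group(2)
        if (f := FOUND_RE.match(msg)):
            current = f.group(2)
            findings.setdefault(current, {"category": f.group(1), "traces": [], "quarantined": False})
        elif (q := QUARANTINE_RE.match(msg)):
            entry = findings.setdefault(q.group(1), {"category": None, "traces": [], "quarantined": False})
            entry["quarantined"] = True
        elif (b := BLOCKED_RE.search(msg)):
            blocked.append(b.group(1))
        elif (c := COUNT_RE.match(msg)):
            reported = int(c.group(1))
        elif msg.startswith("Warning:"):
            continue                      # files the sweep could not open
        elif current and (t := TRACE_RE.match(msg)):
            findings[current]["traces"].append((t.group(1), int(t.group(2))))
    parsed = sum(len(f["traces"]) for f in findings.values())
    return {
        "findings": findings,
        "blocked_urls": blocked,
        "not_quarantined": [n for n, f in findings.items() if not f["quarantined"]],
        "reported_traces": reported,
        "parsed_traces": parsed,
        "count_matches": reported == parsed,
    }


def report(result):
    """Render the parsed session as the short summary a helper would review."""
    lines = []
    for name, f in result["findings"].items():
        state = "quarantined" if f["quarantined"] else "NOT quarantined"
        lines.append(f"{f['category'] or '?'}: {name} ({len(f['traces'])} trace(s), {state})")
        for path, tid in f["traces"]:
            lines.append(f"    {path}  [ID {tid}]")
    for url in result["blocked_urls"]:
        lines.append(f"blocked outbound connection: {url}")
    lines.append(f"traces parsed: {result['parsed_traces']}, "
                 f"reported: {result['reported_traces']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_session_log(SAMPLE_LOG)))
```

Run it against a full saved session log (the file the helper asks for in the next reply) to get, in one screen, what was found, what was actually quarantined, and which hosts the machine tried to reach during the sweep; a trace-count mismatch means some lines did not parse and the log deserves a manual read.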

Unread postby Navigator » August 2nd, 2006, 4:18 pm

Robbo wrote:Hi Nav,

Some progress I think. The Spy Sweeper program found some infected files. As I quarantined the items, McAfee (rather late in the game!) sprang into life with the message "Trojan found - C:\windows\temp\SSTB9.tmp has been infected with the Exploit-ObscuredHtml Trojan and cannot be cleaned". At the same time Spy Sweeper popped a message up by the taskbar saying it had blocked an attempt to contact Z-Quest.com.

Despite the files being quarantined, though, I can still hear activity being blocked by the firewall. Haven't had any pop-ups, though. As to your question about when the pop-ups appear, they are not related to any particular website; I've even had them pop up when no explorer window was open.


Hello Robbo....I'm glad we're making progress! Spy Sweeper looked like it did some good. Since most of the stuff is popping up out of temp files, although we cleaned them earlier with an automated tool, let's manually clean them and the cookies. See if you can find out from your FW's log what it is blocking, if anything.

I've received a suggestion as to where to go from here, let's see if it helps. After we are done I'm going to have to make a list of things (tools) I had you download so that you can remove them from your computer. Sorry to make you use so many, but this is taking more than the usual to clean!

1. Clear IE's Cookies and Cache
  • Close all instances of Outlook Express and Internet Explorer.
  • Go to Control Panel » Internet Options » General tab.
  • Click Delete Cookies.
  • Next to it, Click the Delete Files button.
  • When prompted, place a check in: Delete all offline content, click OK.

Clear Firefox's Cookies

  • Open Firefox.
  • Click Tools » Options.
  • Click the Privacy tab, then the Cookies tab.
  • Click the Clear Cookies Now button.
  • Then click OK to exit.

Clean Temporary Files

  • Go to Start » Run » type: cleanmgr » OK.
  • Choose (C: ) and then click OK.
  • Make sure these are the only ones that are checked:
    • Temporary Internet Files
    • Temporary Files
    • Recycle Bin
  • Click OK to remove them.
  • Click Yes to confirm the deletion.

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "scriptline to execute" field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

5. Reboot into normal Windows.

6. Download this file from either location:

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

7. Post the contents of the ComboFix log and a new HijackThis log...and let me know how things are going with your computer.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Robbo » August 2nd, 2006, 6:29 pm

Hi Navigator,

All had been going great today, with all pop-ups having stopped (just the firewall intercepts), but having done all you requested and rebooted, I just got another WinAntiVirus pop-up box. How annoying!

Here is the log you asked for:

Start Time= 02/08/2006 23:23:37.96
Running from: C:\Documents and Settings\Owner\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-02 20:30:04 ( .D... ) "C:\Program Files\EPSON"
2006-08-02 10:58:40 ( .D... ) "C:\Program Files\Webroot"
2006-08-02 10:58:40 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Webroot"
2006-08-01 20:23:20 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Sun"
2006-07-30 10:21:52 ( .D... ) "C:\Program Files\HijackThis"
2006-07-29 20:19:04 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-28 17:43:08 2508 ( A.... ) "C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc"
2006-07-20 19:57:16 ( .D... ) "C:\Documents and Settings\Owner\Application Data\InterVideo"
2006-07-20 19:57:08 ( .D... ) "C:\Program Files\Common Files\InterVideo"
2006-07-20 19:56:34 ( .D... ) "C:\Program Files\InterVideo"
2006-07-20 19:36:06 ( .D... ) "C:\Program Files\Google"
2006-07-20 19:35:54 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Mozilla"
2006-07-20 19:35:52 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-20 19:34:32 ( .D... ) "C:\Program Files\DivX"
2006-07-15 10:39:54 ( .D... ) "C:\Documents and Settings\Owner\Application Data\VideoEgg"
2006-07-13 19:52:26 ( .D... ) "C:\Program Files\VideoEgg"
2006-07-09 22:45:58 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-07-09 22:45:52 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-07-09 22:45:44 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-07-09 22:45:44 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-07-09 22:45:44 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-07-09 22:45:40 ( .D... ) "C:\Program Files\Common Files\Real"
2006-07-09 22:45:34 ( .D... ) "C:\Program Files\Real"
2006-07-09 22:45:20 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Real"
2006-07-07 16:54:10 252928 ( A.... ) "C:\WINDOWS\WRUninstall.dll"
2006-07-07 16:53:54 208896 ( A.... ) "C:\WINDOWS\system32\WRLogonNtf.dll"
2006-07-07 16:53:52 8704 ( A.... ) "C:\WINDOWS\system32\ssiefr.EXE"
2006-07-07 16:53:50 20992 ( A.... ) "C:\WINDOWS\system32\wrlzma.dll"
2006-07-07 16:38:30 14848 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-07-07 16:36:14 ( .D... ) "C:\Program Files\Registry Mechanic"
2006-07-06 16:13:38 ( .D... ) "C:\Program Files\Hydro Thunder"
2006-07-04 15:35:48 68600 ( A.... ) "C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT"
2006-06-29 17:11:34 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Creative"
2006-06-29 17:03:42 ( .D... ) "C:\Program Files\Audible"
2006-06-29 16:52:56 ( .D... ) "C:\Program Files\Creative"
2006-06-27 11:58:42 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Leadertech"
2006-06-26 10:39:18 ( .D... ) "C:\Program Files\Company Manuals"
2006-06-25 15:16:08 ( .D... ) "C:\Documents and Settings\Owner\Application Data\McAfee.com Personal Firewall"
2006-06-25 15:12:30 ( .D... ) "C:\Program Files\McAfee.com"
2006-06-25 13:25:30 2 ( A.... ) "C:\WINDOWS\system32\wtssu.exe"
2006-06-25 13:25:30 ( .D... ) "C:\Documents and Settings\Owner\Application Data\W?nSxS"
2006-06-25 13:25:18 ( .D... ) "C:\Program Files\Common Files\Download"
2006-06-24 13:30:20 737280 ( A.... ) "C:\WINDOWS\iun6002.exe"
2006-06-24 10:30:54 248 ( A.... ) "C:\WINDOWS\system32\n.bat"
2006-06-24 10:18:26 ( .D... ) "C:\Program Files\Windows Defender"
2006-06-23 20:14:42 ( .D... ) "C:\Documents and Settings\Owner\Application Data\AdobeAUM"
2006-06-21 20:29:22 ( .D... ) "C:\Program Files\Incomplete"
2006-06-21 18:50:36 ( .D... ) "C:\Program Files\Miniclip Games"
2006-06-21 16:14:08 ( .D... ) "C:\Program Files\Common Files\fqww"
2006-06-21 16:13:02 ( .D... ) "C:\Program Files\Windows"
2006-06-21 16:12:52 0 ( A.... ) "C:\WINDOWS\system32\taskkill.exe"
2006-06-20 22:30:34 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Folder Guard"
2006-06-20 22:14:52 ( .D... ) "C:\Program Files\Folder Password Expert"
2006-06-20 19:57:02 ( .D... ) "C:\Program Files\WinRAR"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-18 18:30:06 ( .D... ) "C:\Program Files\Common Files\Teleca Shared"
2006-06-18 18:25:32 ( .D... ) "C:\Program Files\XTNDConnect PC"
2006-06-18 18:25:30 ( .D... ) "C:\Program Files\Common Files\XCPCSync"
2006-06-18 18:22:30 ( .D... ) "C:\Program Files\Sony Ericsson"
2006-06-17 20:58:22 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Help"
2006-06-17 20:52:26 756736 ( ..... ) "C:\WINDOWS\system32\ir41_32.dll"
2006-06-17 20:52:26 143872 ( ..... ) "C:\WINDOWS\system32\iacenc.dll"
2006-06-17 20:52:26 56832 ( ..... ) "C:\WINDOWS\system32\iyvu9_32.dll"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-14 12:20:46 ( .D... ) "C:\Program Files\Guitar Pro 5"
2006-06-14 09:48:12 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Azureus"
2006-06-14 09:48:02 ( .D... ) "C:\Program Files\Azureus"
2006-06-13 15:14:14 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Apple Computer"
2006-06-13 15:09:14 ( .D... ) "C:\Program Files\QuickTime"
2006-06-13 09:51:12 ( .D... ) "C:\Program Files\Java"
2006-06-13 09:50:22 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-12 23:21:54 ( .D... ) "C:\Program Files\DYMO Label"
2006-06-12 12:28:24 ( .D... ) "C:\Documents and Settings\Owner\Application Data\AdobeUM"
2006-06-12 11:53:32 ( .D... ) "C:\Program Files\PDF-XChangeSDKEU"
2006-06-12 11:53:08 ( .D... ) "C:\Program Files\SolidDocuments"
2006-06-12 11:53:08 ( .D... ) "C:\Documents and Settings\Owner\Application Data\SolidDocuments"
2006-06-12 11:51:16 1557 ( A.... ) "C:\Documents and Settings\Owner\Application Data\AdobeDLM.log"
2006-06-12 11:51:16 0 ( A.... ) "C:\Documents and Settings\Owner\Application Data\dm.ini"
2006-06-12 11:50:58 ( .D... ) "C:\Program Files\Adobe"
2006-06-12 11:50:40 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-12 11:48:30 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Adobe"
2006-06-12 11:48:28 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-06-12 08:40:06 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-06-12 08:39:56 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-06-12 08:39:24 ( .D... ) "C:\Program Files\Microsoft Office"
2006-06-11 20:26:54 122880 ( A.... ) "C:\WINDOWS\system32\UAService7.exe"
2006-06-11 20:26:54 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-06-11 19:52:32 ( .D... ) "C:\Program Files\Giant"
2006-06-11 18:45:44 ( .D... ) "C:\Program Files\Microsoft Games"
2006-06-09 16:31:46 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-06-09 16:31:44 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-06-09 16:31:44 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-06-09 16:31:42 ( .D... ) "C:\Program Files\Common Files"
2006-06-09 16:31:20 62 ( A.SH. ) "C:\Documents and Settings\Owner\Application Data\desktop.ini"
2006-06-09 15:41:00 ( .D... ) "C:\Program Files\xerox"
2006-06-09 15:41:00 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-06-09 15:40:24 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-09 15:39:00 ( .D... ) "C:\Program Files\Movie Maker"
2006-06-09 15:38:28 ( .D... ) "C:\Program Files\Windows Media Player"
2006-06-09 15:38:24 ( .D... ) "C:\Program Files\NetMeeting"
2006-06-09 15:38:22 ( .D... ) "C:\Program Files\Common Files\Services"
2006-06-09 15:38:16 ( .D... ) "C:\Program Files\Outlook Express"
2006-06-09 15:38:12 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-06-09 15:38:08 ( .D... ) "C:\Program Files\Common Files\System"
2006-06-09 15:38:06 ( .D... ) "C:\Program Files\Internet Explorer"
2006-06-09 15:37:58 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-06-09 15:37:36 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-06-09 15:37:36 ( .D... ) "C:\Program Files\Online Services"
2006-06-09 15:37:30 ( .D... ) "C:\Program Files\Messenger"
2006-06-09 15:37:24 ( .D... ) "C:\Program Files\MSN"
2006-06-09 15:37:20 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-06-09 15:37:06 ( .D... ) "C:\Program Files\Windows NT"
2006-05-19 13:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 13:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 13:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-17 07:20:56 17 ( A.... ) "C:\Program Files\d.bat"
2006-05-09 22:36:46 6656 ( ..... ) "C:\WINDOWS\system32\WdfMgr.exe"
2006-05-09 22:36:46 6656 ( ..... ) "C:\WINDOWS\system32\uWDF.exe"
2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"
2006-05-09 22:26:34 1641472 ( ..... ) "C:\WINDOWS\system32\wmpencen.dll"
2006-05-09 22:26:34 1280000 ( ..... ) "C:\WINDOWS\system32\WMSPDMOE.dll"
2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"
2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"
2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\wmadmod.dll"
2006-05-09 22:26:34 564736 ( ..... ) "C:\WINDOWS\system32\WMSPDMOD.dll"
2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"
2006-05-09 22:26:34 417280 ( ..... ) "C:\WINDOWS\system32\wmdrmdev.dll"
2006-05-09 22:26:34 337408 ( ..... ) "C:\WINDOWS\system32\wmdrmnet.dll"
2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"
2006-05-09 22:26:34 301056 ( ..... ) "C:\WINDOWS\system32\wmpdxm.dll"
2006-05-09 22:26:34 267776 ( ..... ) "C:\WINDOWS\system32\Audiodev.dll"
2006-05-09 22:26:34 237056 ( ..... ) "C:\WINDOWS\system32\wmpasf.dll"
2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\wmasf.dll"
2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"
2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"
2006-05-09 22:26:34 203776 ( ..... ) "C:\WINDOWS\system32\wmpsrcwp.dll"
2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"
2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"
2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"
2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"
2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"
2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"
2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"
2006-05-09 22:26:34 26112 ( ..... ) "C:\WINDOWS\system32\MsPMSNSv.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\wmvdmoe2.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\WMVADVE.DLL"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\WMVADVD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\wmsdmoe2.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\wdfApi.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP4SDMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\MP43DMOD.dll"
2006-05-09 22:26:32 218112 ( ..... ) "C:\WINDOWS\system32\wmerror.dll"
2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"
2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"
2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"
2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"
2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"
2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"
2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"
2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"
2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"
2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"
2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"
2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"
2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"
2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"
2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"
2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"
2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"
2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"
2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"
2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"
2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"
2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"
2006-05-09 20:58:50 670208 ( ..... ) "C:\WINDOWS\system32\wpd_ci.dll"
2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"
2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"
2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"
2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"
2006-05-09 20:58:46 343552 ( ..... ) "C:\WINDOWS\system32\WPDSp.dll"
2006-05-09 20:58:40 144896 ( ..... ) "C:\WINDOWS\system32\wpdmtp.dll"
2006-05-09 20:58:40 55808 ( ..... ) "C:\WINDOWS\system32\wpdmtpus.dll"
2006-05-09 20:58:40 35840 ( ..... ) "C:\WINDOWS\system32\wpdconns.dll"
2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"
2006-05-09 20:58:38 13312 ( ..... ) "C:\WINDOWS\system32\wpdtrace.dll"
2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"
2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"
2006-05-09 20:00:48 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-02 20:33 79,679 C:\WINDOWS\system32\E_FLMAHE.DLL
2006-08-02 20:33 64,000 C:\WINDOWS\system32\E_FBCBAHE.DLL
2006-08-02 20:33 49,152 C:\WINDOWS\system32\E_DCINST.DLL
2006-08-02 20:33 34,304 C:\WINDOWS\system32\E_FBCHAHE.DLL
2006-08-02 10:58 8,704 C:\WINDOWS\system32\ssiefr.EXE
2006-08-02 10:58 684,032 C:\WINDOWS\libeay32.dll
2006-08-02 10:58 252,928 C:\WINDOWS\WRUninstall.dll
2006-08-02 10:58 208,896 C:\WINDOWS\system32\WRLogonNtf.dll
2006-08-02 10:58 20,992 C:\WINDOWS\system32\wrlzma.dll
2006-08-02 10:58 155,648 C:\WINDOWS\ssleay32.dll
2006-08-01 20:20 53,346 C:\WINDOWS\system32\javaw.exe
2006-08-01 20:20 49,248 C:\WINDOWS\system32\java.exe
2006-08-01 20:20 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-31 12:25 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-31 12:25 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-31 11:30 25,088 C:\WINDOWS\system32\CTSVCCTL.EXE
2006-07-20 19:56 77,824 C:\WINDOWS\system32\ctdvda32.dll
2006-07-20 19:56 122,880 C:\WINDOWS\system32\cddvdint.dll
2006-07-09 22:45 6,656 C:\WINDOWS\system32\pndx5016.dll
2006-07-09 22:45 5,632 C:\WINDOWS\system32\pndx5032.dll
2006-07-09 22:45 278,528 C:\WINDOWS\system32\pncrt.dll
2006-07-09 22:45 176,167 C:\WINDOWS\system32\rmoc3260.dll
2006-07-07 16:36 24,576 C:\WINDOWS\system32\STKIT432.DLL
2006-07-07 16:36 14,848 C:\WINDOWS\system32\BASSMOD.dll
2006-06-29 17:05 41,984 C:\WINDOWS\Ctregrun.exe
2006-06-29 17:04 974,848 C:\WINDOWS\system32\mfc70.dll
2006-06-29 17:04 54,784 C:\WINDOWS\system32\msvci70.dll
2006-06-29 17:04 487,424 C:\WINDOWS\system32\msvcp70.dll
2006-06-29 17:04 344,064 C:\WINDOWS\system32\msvcr70.dll
2006-06-29 17:04 24,576 C:\WINDOWS\system32\msxml3a.dll
2006-06-26 18:24 180,224 C:\WINDOWS\system32\NVUNINST.EXE
2006-06-25 15:14 24,576 C:\WINDOWS\system32\MpfApi.dll
2006-06-24 13:50 737,280 C:\WINDOWS\iun6002.exe
2006-06-21 16:13 248 C:\WINDOWS\system32\n.bat
2006-06-21 16:13 2 C:\WINDOWS\system32\wtssu.exe
2006-06-21 16:12 0 C:\WINDOWS\system32\taskkill.exe
2006-06-18 18:30 82,432 C:\WINDOWS\system32\msxml4r.dll
2006-06-18 18:30 44,544 C:\WINDOWS\system32\msxml4a.dll
2006-06-18 18:30 1,230,336 C:\WINDOWS\system32\msxml4.dll
2006-06-18 18:25 89,360 C:\WINDOWS\system32\VB5DB.DLL
2006-06-18 18:25 78,096 C:\WINDOWS\system32\GAPI32.dll
2006-06-18 18:25 77,824 C:\WINDOWS\system32\XSerObex.dll
2006-06-18 18:25 77,824 C:\WINDOWS\system32\XCOLExt.dll
2006-06-18 18:25 703,760 C:\WINDOWS\system32\cdo.dll
2006-06-18 18:25 48,640 C:\WINDOWS\system32\inetwh32.dll
2006-06-18 18:25 317,952 C:\WINDOWS\system32\roboex32.dll
2006-06-18 18:10 8,192 C:\WINDOWS\system32\wshirda.dll
2006-06-18 18:10 27,136 C:\WINDOWS\system32\irmon.dll
2006-06-18 18:10 152,576 C:\WINDOWS\system32\irftp.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"XTNDConnect PC - ErPhn2"="C:\\PROGRA~1\\COMMON~1\\XCPCSync\\TRANSL~1\\ErPhn2\\ErTray.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"OASClnt"="\"C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe\""
"nwiz"="\"nwiz.exe\" /install"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"EPSON Stylus Photo R240 Series"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAHE.EXE\" /P30 \"EPSON Stylus Photo R240 Series\" /O6 \"USB002\" /M \"Stylus Photo R240\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"H/PC Connection Agent"="\"C:\\PROGRA~1\\MICROS~4\\wcescomm.exe\""
"Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\DIFX\\kyzese.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,df,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 02/08/2006 23:23:55.79
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-02.232337.txt


I am away on business until after the weekend so sadly I'm unable to do any more work on this until I get back. I can catch you up again on Monday if that's ok? Thanks for your efforts this week, much appreciated.

Robbo
Robbo
Regular Member
 
Posts: 16
Joined: July 30th, 2006, 5:26 am

Unread postby Navigator » August 2nd, 2006, 9:27 pm

Robbo wrote:Hi Navigator,


I am away on business until after the weekend so sadly I'm unable to do any more work on this until I get back. I can catch you up again on Monday if that's ok? Thanks for your efforts this week, much appreciated.

Robbo


No problem Robbo...that will give me time to go through that ComboFix log with a fine tooth comb... :D

I'll have a reply before you return...or at least I will try. :lol:

Unread postby Robbo » August 3rd, 2006, 3:10 am

Just to let you know, Spy Sweeper is blocking attempts by my computer to access the Z-Quest website. Hope that's of help.

Robbo

Unread postby Navigator » August 5th, 2006, 2:49 pm

Hello Robbo....OK, I came up with a few things after reviewing the ComboFix log (with some other helpers/experts). We're also going to run Ad-Aware to try and take care of Z-Quest:



1. If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

2. Download and run this uninstaller:
Purity Scan Uninstaller

Tutorial for the uninstaller if needed

3. Go to Start >> Control Panel >> Display Properties >> Desktop >> Customize Desktop... >> Web tab
Uncheck and delete everything you find in there EXCEPT for "My current home page". Let me know if there are no other entries here other than "My Current Home Page".

4. Reveal Hidden Files

  • Click Start.
  • Open My Computer.
  • Select the Tools menu
  • Click Folder Options.
  • Select the View Tab.
  • Check Show hidden files and folders in the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.

5. Next, please reboot your computer in SafeMode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode. Log into your usual account

6. Please delete these files and folders using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders or files, then right-click to select them and click delete:


C:\Program Files\Common Files\fqww
C:\Documents and Settings\Owner\Application Data\W?nSxS  <== the ? mark can be any character, probably an "i". DO NOT delete the C:\Windows\WinSxS folder, which is legitimate!
C:\WINDOWS\system32\wtssu.exe
C:\WINDOWS\system32\n.bat
C:\Program Files\d.bat
C:\Program Files\DIFX\kyzese.html


7. Open Ad-aware and do a full scan. Remove all it finds, then reboot into Windows normally.

8. Please repeat a ComboFix scan using the directions from before.

9. Please post back with:
  • the Adaware log (if any)
  • a new Combofix log
  • let me know if your problems still persist!
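The items Navigator singles out above (the W?nSxS lookalike folder, the .bat files in system32 and Program Files, the 2-byte wtssu.exe, and the Active Desktop component in HKCU\...\desktop\components that points at C:\Program Files\DIFX\kyzese.html and shows up on the Web tab in step 3) can all be picked out of a ComboFix log mechanically. The script below is an added example written for this thread; it is not part of ComboFix, HijackThis or anything the helpers posted. The sample log lines inside it are constructed to mirror the three section shapes in Robbo's log ("Files Created", "Find3M" and "Reg Loading Points"), and the heuristics are deliberately narrow triage rules that mark entries for a human to look at, not verdicts: a 0-byte or 2-byte file with an .exe name cannot be a valid executable, '?' cannot occur in a real Windows name (so ComboFix printed it for a character it could not render), and a desktop component whose Source is a local file rather than an about: or http URL is exactly the kind of entry step 3 has you remove. The `run_sample` function and all heuristic thresholds are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed samples (not the thread's full log) in the three shapes ComboFix
# printed in Robbo's post: "Files Created", "Find3M" and "Reg Loading Points".
SAMPLE_FILES_CREATED = r"""
2006-08-02 10:58 8,704 C:\WINDOWS\system32\ssiefr.EXE
2006-06-21 16:13 248 C:\WINDOWS\system32\n.bat
2006-06-21 16:13 2 C:\WINDOWS\system32\wtssu.exe
2006-06-21 16:12 0 C:\WINDOWS\system32\taskkill.exe
2006-06-18 18:30 1,230,336 C:\WINDOWS\system32\msxml4.dll
"""
SAMPLE_FIND3M = r"""
2006-06-25 13:25:30 ( .D... ) "C:\Documents and Settings\Owner\Application Data\W?nSxS"
2006-06-21 16:14:08 ( .D... ) "C:\Program Files\Common Files\fqww"
2006-05-17 07:20:56 17 ( A.... ) "C:\Program Files\d.bat"
2006-06-09 15:40:24 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-25 13:25:30 2 ( A.... ) "C:\WINDOWS\system32\wtssu.exe"
"""
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\DIFX\\kyzese.html"
"SubscribedURL"=""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"""

# Line shapes: "date time size path" and 'date time [size] ( attrs ) "path"'.
FILES_CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (.+)$")
FIND3M_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (?:(\d+) )?\( ([A-Z.]{5}) \) "(.+)"$')
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
BINARY_EXT = {".exe", ".dll", ".com", ".scr"}
SCRIPT_EXT = {".bat", ".cmd"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def parse_files_created(text):
    """'Files Created' lines -> [(path, size_bytes)]; sizes carry thousands separators."""
    out = []
    for line in text.splitlines():
        m = FILES_CREATED_RE.match(line.strip())
        if m:
            out.append((m.group(4), int(m.group(3).replace(",", ""))))
    return out


def parse_find3m(text):
    """Find3M lines -> [(path, size_or_None)]; directory entries have no size field."""
    out = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m:
            out.append((m.group(5), int(m.group(3)) if m.group(3) else None))
    return out


def parse_reg_components(text):
    """Group "name"="value" lines under their [key]; undo the .reg backslash doubling."""
    comps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            current = km.group(1)
            comps.setdefault(current, {})
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and current is not None:
            comps[current][vm.group(1)] = vm.group(2).replace("\\\\", "\\")
    return comps


def triage_files(entries):
    """Heuristics that mark entries for a human to review; they are not verdicts."""
    findings = []
    for path, size in entries:
        parent, _, leaf = path.rpartition("\\")
        parent = parent.lower()
        ext = leaf[leaf.rfind("."):].lower() if "." in leaf else ""
        in_system32 = parent.endswith("\\system32")
        if in_system32 and ext in BINARY_EXT and size is not None and size <= 16:
            findings.append(Finding(path, f"{size}-byte {ext} in system32: too small to be a valid PE, review it"))
        if ext in SCRIPT_EXT and (in_system32 or parent.endswith(":\\program files")):
            findings.append(Finding(path, "batch file sitting in a system or Program Files folder"))
        if "?" in leaf or any(ord(c) > 127 for c in leaf):
            findings.append(Finding(path, "name has a character ComboFix could not print ('?' is illegal in Windows names): possible lookalike of a system folder"))
    return findings


def triage_components(comps):
    """Flag Active Desktop components whose Source is a local file rather than a URL."""
    findings = []
    for key, values in comps.items():
        if "\\desktop\\components\\" not in key.lower():
            continue
        src = values.get("Source", "")
        if src and not src.lower().startswith(("about:", "http://", "https://")):
            comp_id = key.rpartition("\\")[2]
            findings.append(Finding(src, f"Active Desktop component {comp_id} renders a local file; this is the extra entry seen on the Web tab"))
    return findings


def run_sample():
    """Run the triage over the constructed samples; duplicates across sections are collapsed."""
    entries = parse_files_created(SAMPLE_FILES_CREATED) + parse_find3m(SAMPLE_FIND3M)
    findings = triage_files(entries) + triage_components(parse_reg_components(SAMPLE_REG))
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.path}\n    -> {f.reason}")
```

On the sample input the script flags n.bat, wtssu.exe, taskkill.exe, the W?nSxS folder, d.bat and kyzese.html, and leaves AUTOEXEC.BAT, msxml4.dll, ssiefr.EXE and About:Home alone; a folder like Common Files\fqww has nothing structurally wrong with its name, which is why a human reading the log is still the final step and why the thread's helpers ask for a fresh log after each round.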

Unread postby Robbo » August 9th, 2006, 6:23 am

Hi Navigator,

I can't get the outerinfo website to open, been trying for 2 days now. It might be being blocked by spy-sweeper as it pops up in the corner when I try to load the site.

The great news though is that I have not had a pop-up for days now. I checked with my family and they've had none whilst I was away. Have we killed the beast?

Robbo

Unread postby Navigator » August 9th, 2006, 7:34 am

Robbo wrote:Hi Navigator,

I can't get the outerinfo website to open, been trying for 2 days now. It might be being blocked by spy-sweeper as it pops up in the corner when I try to load the site.

The great news though is that I have not had a pop-up for days now. I checked with my family and they've had none whilst I was away. Have we killed the beast?

Robbo


I hope so! You are probably correct about SpySweeper blocking the Outerinfo site...but since you're not having pop-ups now just wait on it for now. Did you delete the rest of the files/folders I listed and run adaware? Maybe just deleting the W?nSxS folder was enough.

Can you repeat the combofix scan now and post the results? Then we'll keep this thread open another few days to see if they return...