
Solved: VirtuMonde? Pop-up problems

Discussion in 'Virus & Other Malware Removal' started by sy2, Apr 3, 2008.

  1. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    I'm noticing pop-ups when I'm forced to use Internet Explorer and I think VirtuMonde is to blame, although I don't know how I got it.

    I'm using a work laptop that has Webroot Antispyware Corporate Edition on it and it found VirtuMonde and apparently quarantined it, but the program is set up in some way that I can't do anything to the files from quarantine - I can't click the entries in quarantine to delete them or anything.

    Anyway, here's a HJT log. If anyone could help it'd be greatly appreciated!
    -----------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:59:57 AM, on 4/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\mobile automation\rstate.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
    c:\Program Files\Webroot\Client\commagent.exe
    c:\Program Files\Webroot\Client\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Webroot\Client\SpySweeperUI.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\PROGRA~1\MOBILE~1\rstate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    c:\program files\mobile automation\rsstatus.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
    C:\Documents and Settings\BaronB2.BFC\Desktop\HJT\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://citrix/Citrix/MetaFrame/auth/login.aspx
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [WebrootClientUI] "c:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [C3] c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe /DEFLANG English /SERVER bgcba0tific01.centerbeam.com /SYSTRAY /WAIT 60 /HIDE /ONLINECHECK
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [BM4babbb6a] Rundll32.exe "C:\WINDOWS\system32\qrqumpes.dll",s
    O4 - HKLM\..\Run: [489888f6] rundll32.exe "C:\WINDOWS\system32\cxfpwpas.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BFC.AD
    O17 - HKLM\Software\..\Telephony: DomainName = BFC.AD
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BFC.AD
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BFC.AD
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\spysweeper.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 10936 bytes
     
  2. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    ...bump...
     
  3. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Hello and welcome to Tech Support Forum.

    My name is km2357 and I will be helping you to remove any infection(s) that you may have.

    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

    Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

    Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


    I will be back as soon as possible with your first instructions!
     
  4. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Step # 1: Rename HijackThis

    Rename HijackThis.exe to Scanner.exe by doing the following:


    Navigate to here: C:\Documents and Settings\BaronB2.BFC\Desktop\HJT
    Right-click on the HijackThis.exe.
    From the pull-down menu, choose: "Rename".
    Rename HijackThis.exe to Scanner.exe
    Open Hijackthis.
    Run Hijackthis (Do a system scan and save a log file).
    Post the fresh HijackThis log.

    Step # 2 Download CCleaner

    Download CCleaner from here to clean temp files from your computer.
    • Double click on the ccsetup.exe file to start the installation of the program.
    • Select your language and click OK, then next.
    • Read the license agreement and click I Agree.
    • Click next to use the default install location.
    • Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
    • Click Install then finish to complete installation.

    Step # 3 Retrieve the Installed Programs List from CCleaner

    Open CCleaner if it's not already running.
    In the Left Pane, click Tools
    Verify that Uninstall is highlighted in color, or click on it.
    In the lower Right, click Save to Text File.
    Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
    You can leave the filename as install.txt
    Click Save
    Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

    In your next post/reply, I need to see the following:

    1. A fresh HiJackThis Log (scanner.exe)
    2. The CCleaner Uninstall List

    Use multiple posts if you can't fit everything into one post.
     
  5. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    Hey there km, thanks for the help - it's sincerely appreciated (y)

    Here's the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:47:16 PM, on 4/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\mobile automation\rstate.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Webroot\Client\commagent.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Webroot\Client\SpySweeperUI.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    c:\Program Files\Webroot\Client\spysweeper.exe
    C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\PROGRA~1\MOBILE~1\rstate.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    c:\program files\mobile automation\rsstatus.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\BaronB2.BFC\Desktop\HJT\scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://citrix/Citrix/MetaFrame/auth/login.aspx
    O2 - BHO: {e8b230b6-bf38-2629-6a84-ddb7bfec2e00} - {00e2cefb-7bdd-48a6-9262-83fb6b032b8e} - C:\WINDOWS\system32\bkqxujlt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {12067E3C-36FF-4D86-9C30-DB47EDB858AB} - C:\WINDOWS\system32\geBturRH.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {C4F31A60-D2C7-4B22-ACE9-AE33C94D7316} - C:\WINDOWS\system32\wvUNFVNh.dll
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [WebrootClientUI] "c:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [C3] c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe /DEFLANG English /SERVER bgcba0tific01.centerbeam.com /SYSTRAY /WAIT 60 /HIDE /ONLINECHECK
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
    O4 - HKLM\..\Run: [BM4babbb6a] Rundll32.exe "C:\WINDOWS\system32\fmlatpdu.dll",s
    O4 - HKLM\..\Run: [489888f6] rundll32.exe "C:\WINDOWS\system32\putxemst.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BFC.AD
    O17 - HKLM\Software\..\Telephony: DomainName = BFC.AD
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BFC.AD
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BFC.AD
    O20 - Winlogon Notify: wvUNFVNh - C:\WINDOWS\SYSTEM32\wvUNFVNh.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\spysweeper.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 11700 bytes


    CCleaner will be in the next post. I had CCleaner installed before this problem arose, so if that's an issue and I need to uninstall/reinstall just let me know.
     
  6. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    Here's the uninstall list, let me know if you need it in cut/paste format.
     


  7. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Thanks for the two logs. :) From now on just copy and paste any logs I ask for into this thread, don't attach them. Thanks.

    IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    µTorrent

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    Step # 1: Download and Run ComboFix

    We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Be sure to save ComboFix.exe to your Desktop

    When the tool is finished, it will produce a report for you.

    Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
     
  8. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    OK, I removed uTorrent, installed the virtual console, and ran ComboFix.

    I was not able to turn off my anti-virus and spyware programs. As I mentioned before I'm on a work computer logged into a domain and don't have the permissions to close those programs, even though I'm in the admin group. Just thought you should know in case something didn't work correctly.

    Here's the ComboFix log, the new HJT log will be in the next post. Thanks! :)
    -------------------------

    ComboFix 08-04-03.5 - baronb2 2008-04-04 7:20:19.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1367 [GMT -5:00]
    Running from: C:\Documents and Settings\BaronB2.BFC\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM4babbb6a.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\afdcropu.dll
    C:\WINDOWS\system32\bkqxujlt.dll
    C:\WINDOWS\system32\fmlatpdu.dll
    C:\WINDOWS\system32\geBturRH.dll
    C:\WINDOWS\system32\HRrutBeg.ini
    C:\WINDOWS\system32\HRrutBeg.ini2
    C:\WINDOWS\system32\jPWxIRCf.ini
    C:\WINDOWS\system32\putxemst.dll
    C:\WINDOWS\system32\qrqumpes.dll
    C:\WINDOWS\system32\tsmextup.ini
    C:\WINDOWS\system32\uspppdrg.dll
    C:\WINDOWS\system32\vxaimayd.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
    .

    2008-04-03 18:36 . 2008-04-03 19:06 <DIR> d-------- C:\quarantine
    2008-04-02 21:35 . 2008-04-03 16:06 474 --ahs---- C:\WINDOWS\system32\sapwpfxc.ini
    2008-04-02 15:41 . 2008-04-04 06:54 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
    2008-04-01 21:35 . 2008-04-02 21:35 414 --ahs---- C:\WINDOWS\system32\onehkoem.ini
    2008-04-01 09:23 . 2008-04-01 09:23 <DIR> d-------- C:\Program Files\PowerISO
    2008-04-01 09:14 . 2008-04-01 09:14 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\CyberLink
    2008-04-01 09:13 . 2008-04-01 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-04-01 09:12 . 2008-04-01 09:13 <DIR> d-------- C:\Program Files\CyberLink
    2008-03-30 20:57 . 2008-03-30 20:57 <DIR> d-------- C:\Program Files\DivXLand
    2008-03-30 20:57 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
    2008-03-28 11:20 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
    2008-03-28 11:20 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
    2008-03-27 08:23 . 2008-03-27 16:39 578 --a------ C:\WINDOWS\M3JPEG.INI
    2008-03-27 08:23 . 2008-04-03 09:12 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-03-27 07:56 . 2005-10-20 20:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
    2008-03-27 07:56 . 2005-10-20 20:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
    2008-03-24 17:57 . 2008-03-24 17:57 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\TiFiC
    2008-03-24 17:56 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Webroot
    2008-03-24 17:56 . 2008-03-24 17:56 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Nero
    2008-03-24 17:56 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Intel
    2008-03-24 17:56 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-03-24 08:57 . 2008-03-24 08:57 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Nero
    2008-03-24 08:52 . 2008-03-24 08:52 <DIR> d-------- C:\Program Files\Nero
    2008-03-24 08:52 . 2008-03-24 08:55 <DIR> d-------- C:\Program Files\Common Files\Nero
    2008-03-24 08:52 . 2008-03-24 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-03-21 10:59 . 2008-04-03 22:12 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\uTorrent
    2008-03-20 12:01 . 2008-03-20 12:01 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\TiFiC
    2008-03-20 11:41 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\csomerville\Application Data\Webroot
    2008-03-20 11:41 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\csomerville\Application Data\Intel
    2008-03-20 09:59 . 2008-03-20 09:59 <DIR> dr------- C:\Documents and Settings\BaronB2.BFC\Application Data\Brother
    2008-03-20 09:54 . 2008-03-20 09:54 <DIR> d-------- C:\WINDOWS\Sun
    2008-03-20 09:53 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-03-20 09:52 . 2008-03-20 09:53 <DIR> d-------- C:\Program Files\Java
    2008-03-20 09:50 . 2008-03-20 09:50 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-03-19 01:33 . 2008-03-19 01:33 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\River Past G5
    2008-03-19 00:04 . 2008-03-19 00:04 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Media Player Classic
    2008-03-18 23:18 . 2008-03-18 23:18 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\TiFiC
    2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Program Files\TiFiC
    2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Program Files\Common Files\TiFiC
    2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TiFiC
    2008-03-18 22:50 . 2008-03-18 22:50 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\DivX
    2008-03-18 22:31 . 2008-03-18 22:31 <DIR> d-------- C:\Program Files\PayPal
    2008-03-18 22:31 . 2008-03-18 22:31 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\InstallShield
    2008-03-18 16:04 . 2008-03-18 16:04 <DIR> d-------- C:\Program Files\CONEXANT
    2008-03-18 16:04 . 2005-05-03 15:09 1,033,728 --a------ C:\WINDOWS\system32\drivers\HSF_DPV.SYS
    2008-03-18 16:04 . 2005-05-03 15:08 705,408 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
    2008-03-18 16:04 . 2005-05-03 15:08 208,384 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys
    2008-03-18 16:04 . 2005-05-03 11:56 129,405 --a------ C:\WINDOWS\system32\drivers\del1028.cty
    2008-03-18 16:04 . 2004-03-17 12:00 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
    2008-03-18 16:04 . 2005-02-23 15:02 42,858 --a------ C:\WINDOWS\system32\hsfci014.dll
    2008-03-18 16:04 . 2004-03-17 12:04 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
    2008-03-18 15:45 . 2008-03-18 16:40 <DIR> d-------- C:\Program Files\1872_Sprint
    2008-03-18 15:31 . 2008-03-18 15:31 <DIR> d---s---- C:\Documents and Settings\BaronB2.BFC\UserData
    2008-03-18 15:18 . 2008-03-18 15:18 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2008-03-18 15:16 . 2008-03-18 16:31 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\ICAClient
    2008-03-18 15:15 . 2008-03-18 15:15 <DIR> d-------- C:\Program Files\Citrix
    2008-03-18 15:03 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\jgeldart\Application Data\Webroot
    2008-03-18 15:03 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\jgeldart\Application Data\Intel
    2008-03-18 14:46 . 2008-03-18 16:49 <DIR> d-------- C:\SalesDiscoverySystem
    2008-03-18 14:35 . 2008-03-18 14:35 <DIR> d-------- C:\WINDOWS\SchCache
    2008-03-18 14:28 . 2008-03-18 14:28 <DIR> d-------- C:\Program Files\IBM
    2008-03-18 14:27 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2008-03-18 14:25 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\Webroot
    2008-03-18 14:25 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\Intel
    2008-03-18 09:54 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Webroot
    2008-03-18 09:54 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Intel
    2008-03-18 09:53 . 2008-03-18 16:12 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-03-18 09:49 . 2008-03-18 09:49 8 --a------ C:\WINDOWS\system32\success
    2008-03-18 09:48 . 2008-03-18 09:48 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
    2008-03-18 09:48 . 2008-03-18 09:48 <DIR> d-------- C:\Program Files\Cisco Systems
    2008-03-18 09:48 . 2003-10-17 16:42 268,360 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
    2008-03-18 09:48 . 2003-07-24 19:55 139,604 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
    2008-03-18 09:48 . 2003-10-17 16:43 139,096 --a------ C:\WINDOWS\system32\CSGina.dll
    2008-03-18 09:48 . 2003-07-24 19:55 114,000 --a------ C:\WINDOWS\system32\dneinobj.dll
    2008-03-18 09:48 . 2003-05-01 13:26 5,220 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
    2008-03-18 09:42 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
    2008-03-18 09:42 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2008-03-17 16:20 . 2008-03-17 16:20 <DIR> d-------- C:\Program Files\River Past
    2008-03-17 16:20 . 2008-03-17 16:20 <DIR> d-------- C:\Program Files\Common Files\River Past
    2008-03-17 16:20 . 2008-03-17 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
    2008-03-17 16:20 . 2008-03-17 16:20 164,812 --a------ C:\WINDOWS\Screen Recorder Pro Uninstaller.exe
    2008-03-15 15:28 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
    2008-03-15 15:28 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
    2008-03-15 14:11 . 2008-03-15 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Laconic Software
    2008-03-15 09:51 . 2008-04-01 09:37 <DIR> d-------- C:\Program Files\PeerGuardian2
    2008-03-15 09:50 . 2008-04-04 06:57 <DIR> d-------- C:\Program Files\uTorrent
    2008-03-15 09:40 . 2008-03-15 09:40 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-03-15 09:33 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
    2008-03-15 09:33 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    2008-03-14 16:42 . 2008-03-14 16:42 <DIR> d-------- C:\Program Files\CCleaner
    2008-03-14 16:27 . 2008-03-15 15:27 512 --a------ C:\WINDOWS\randseed.rnd
    2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
    2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
    2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-03-14 16:25 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
    2008-03-14 16:25 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
    2008-03-14 16:24 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Network Associates
    2008-03-14 16:24 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Common Files\Network Associates
    2008-03-14 16:20 . 2008-03-14 16:20 <DIR> d-------- C:\Program Files\BigFix Enterprise
    2008-03-14 16:19 . 2008-03-14 16:19 <DIR> d-------- C:\Program Files\Webroot

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-01 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-01 14:11 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-03-14 18:03 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-03-13 20:37 5 ----a-w C:\WINDOWS\system32\drivers\DELL_LAT_D610.MRK
    2008-03-13 20:37 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_LAT_D610.MRK
    2008-03-13 20:36 --------- d-----w C:\Program Files\Dell
    2008-03-13 20:27 --------- d-----w C:\Program Files\microsoft frontpage
    2008-03-13 20:04 --------- d-----w C:\Program Files\ATI Technologies
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}]
    C:\WINDOWS\system32\wvUNFVNh.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 12:19 819200]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 12:17 970752]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 22:00 344064]
    "IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
    "itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
    "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
    "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
    "DiskeeperSystray"="c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
    "WebrootClientUI"="c:\Program Files\Webroot\Client\SpySweeperUI.exe" [2007-10-25 09:24 414064]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06 136768]
    "Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2005-10-19 05:40 20531]
    "C3"="c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe" [2007-09-14 03:12 2075136]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
    "BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
    "EPM Agent"="c:\PROGRA~1\MOBILE~1\rstate.exe" [2006-01-10 01:52 94208]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}"= C:\WINDOWS\system32\wvUNFVNh.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUNFVNh]
    wvUNFVNh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.iv50"= C:\WINDOWS\ir50_32.dll
    "msacm.ac3acm"= ac3acm.acm
    "VIDC.wmv3"= wmv9vcm.dll
    "vidc.GEOX"= C:\WINDOWS\system32\v8120\GeoCodec.dll
    "vidc.GEOV"= C:\WINDOWS\system32\v8120\GeoCodec.dll
    "vidc.GMP4"= C:\WINDOWS\system32\v8120\GXAMP4.dll
    "vidc.GM40"= C:\WINDOWS\system32\v8120\GXAMP4.dll
    "vidc.G264"= C:\WINDOWS\system32\v8120\GX264.dll
    "msacm.geoadpcm"= C:\WINDOWS\system32\v8100\GeoADPCM.acm
    "vidc.GM4H"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
    "vidc.GM4S"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
    "vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
    "vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
    "vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
    "vidc.MJPG"= C:\WINDOWS\m3jpeg32.dll
    "vidc.dmb1"= C:\WINDOWS\m3jpeg32.dll
    "vidc.GM20"= C:\WINDOWS\system32\v8120\GXGM20.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-370448265-1163341058-428892626-1181\Scripts\Logon\0\0]
    "Script"=\\BFC.AD\SysVol\BFC.AD\scripts\Chicago_users.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
    R2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" [2006-01-10 01:52]
    R2 TiFiC System Service;TiFiC System Service;"C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe" [2007-08-28 05:07]
    R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]

    *Newly Created Service* - ENTDRV51
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-04 07:31:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
    "ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    c:\Program Files\Webroot\Client\commagent.exe
    c:\Program Files\Webroot\Client\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    c:\program files\mobile automation\rsstatus.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-04 7:33:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-04 12:33:18
    Pre-Run: 52,014,071,808 bytes free
    Post-Run: 53,493,563,392 bytes free
    .
    2008-03-18 20:30:53 --- E O F ---
     
  9. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    New HJT log:
    ----------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:35, on 2008-04-04
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\mobile automation\rstate.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
    c:\Program Files\Webroot\Client\commagent.exe
    c:\Program Files\Webroot\Client\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Webroot\Client\SpySweeperUI.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\PROGRA~1\TiFiC\TIFICC~1\c3.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\PROGRA~1\MOBILE~1\rstate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    c:\program files\mobile automation\rsstatus.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\BaronB2.BFC\Desktop\HJT\scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://citrix/Citrix/MetaFrame/auth/login.aspx
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {C4F31A60-D2C7-4B22-ACE9-AE33C94D7316} - C:\WINDOWS\system32\wvUNFVNh.dll (file missing)
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [WebrootClientUI] "c:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [C3] c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe /DEFLANG English /SERVER bgcba0tific01.centerbeam.com /SYSTRAY /WAIT 60 /HIDE /ONLINECHECK
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BFC.AD
    O17 - HKLM\Software\..\Telephony: DomainName = BFC.AD
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BFC.AD
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BFC.AD
    O20 - Winlogon Notify: wvUNFVNh - wvUNFVNh.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\spysweeper.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 11677 bytes
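The HijackThis log above shows the same DLL registered in two places (an unnamed O2 BHO and an O20 Winlogon Notify entry, both "(file missing)" after quarantine). As an added example, not code from this thread or from HijackThis or ComboFix, the following Python script parses O2/O20 lines and flags DLLs that appear in both loading points; the sample lines are copied from the log above, and the eight-letter mixed-case name check is an assumed heuristic, not a rule the tools use.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Reads O2 (Browser Helper Object) and O20 (Winlogon Notify) lines, then
correlates them: one DLL registered as a BHO *and* as a Winlogon Notify package,
with an unnamed BHO and a missing file, is the pattern the log above shows for
wvUNFVNh.dll. Nothing here touches the system; it only reads text.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log above, plus an O4
# line the parser is expected to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C4F31A60-D2C7-4B22-ACE9-AE33C94D7316} - C:\WINDOWS\system32\wvUNFVNh.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: wvUNFVNh - wvUNFVNh.dll (file missing)
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)
# Assumed heuristic: exactly eight ASCII letters in mixed case (wvUNFVNh, geBturRH).
# It deliberately does not match all-lowercase names such as winlogon or services.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")


def basename(path):
    """Last component of a Windows path; bare file names pass through unchanged."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(dll):
    """True when the file stem matches the eight-letter mixed-case heuristic."""
    stem = dll.rsplit(".", 1)[0]
    return bool(RANDOM_NAME_RE.match(stem))


def parse_hjt(log_text):
    """Map lowercase DLL basename -> list of loading-point records (O2 and O20 only)."""
    points = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            dll = basename(m.group("path"))
            points[dll.lower()].append({
                "section": "O2", "clsid": m.group("clsid").upper(),
                "name": m.group("name"), "dll": dll,
                "missing": m.group("missing") is not None,
            })
            continue
        m = O20_RE.match(line)
        if m:
            dll = m.group("dll")
            points[dll.lower()].append({
                "section": "O20", "clsid": None, "name": m.group("key"),
                "dll": dll, "missing": m.group("missing") is not None,
            })
    return points


def triage(log_text):
    """Return [(dll, [reasons])] for every DLL with at least one finding, worst first."""
    findings = []
    for recs in parse_hjt(log_text).values():
        reasons = []
        sections = {r["section"] for r in recs}
        if {"O2", "O20"} <= sections:
            reasons.append("same DLL registered as BHO and as Winlogon Notify package")
        if any(r["section"] == "O2" and r["name"] == "(no name)" for r in recs):
            reasons.append("BHO has no name")
        if any(r["missing"] for r in recs):
            reasons.append("loading point references a missing file (stale entry after quarantine)")
        if looks_random(recs[0]["dll"]):
            reasons.append("eight-letter mixed-case name (heuristic; verify manually)")
        if reasons:
            findings.append((recs[0]["dll"], reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_LOG):
        print(dll)
        for reason in reasons:
            print("  -", reason)
```

The O2/O20 pair is the same correlation a helper makes by eye when deciding which registry keys a CFScript should remove; a hit here is a prompt to look, not proof of infection.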
     
  10. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Step # 1: Run CFScript

    Please delete the version of ComboFix you have on your computer; I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

    • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      KillAll::
      
      File::
      
      C:\WINDOWS\system32\sapwpfxc.ini
      C:\WINDOWS\system32\onehkoem.ini
      C:\WINDOWS\system32\wvUNFVNh.dll
      
      Folder::
      
      C:\Documents and Settings\BaronB2.BFC\Application Data\uTorrent
      C:\Program Files\uTorrent
      
      Registry::
      
      [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}]
      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}"=-
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUNFVNh]
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


      [screenshot: dragging CFScript.txt onto ComboFix.exe]


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Step #2: Run CCleaner

    CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!

    • Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
    • Then select the items you wish to clean up.
    • In the Windows tab:
        • Clean all entries in the Internet Explorer section except Cookies
        • Clean all the entries in the Windows Explorer section
        • Clean all entries in the System section
        • Clean all entries in the Advanced section
        • Clean any others that you choose
    • In the Applications tab:
        • Clean all except Cookies in the Firefox/Mozilla section if you use it
        • Clean all in the Opera section if you use it
        • Clean Sun Java in the Internet section
        • Clean any others that you choose
    • Click the Run Cleaner button.
    • A pop-up box will appear advising that this process will permanently delete files from your system.
    • Click OK and it will scan and clean your system.
    • Click Exit when done.
    • If it asks you to reboot at the end, click NO.


    Step #3: Download and Run Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location.
    • You can also access the log by doing the following:
        • Click on the Malwarebytes' Anti-Malware icon to launch the program.
        • Click on the Logs tab.
        • Click on the log at the bottom of those listed to highlight it.
        • Click Open.

    In your next post/reply, I need to see the following:

    1. The ComboFix Log that appears after Step #1
    2. The MalwareBytes' results
    3. A fresh HiJackThis Log

    Use multiple posts if you cannot fit everything into one post.
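    The CFScript in Step #1 removes one DLL from three places at once: the Browser Helper Objects key, the ShellExecuteHooks value and the Winlogon\Notify subkey for the same CLSID and file name. That triad is the persistence pattern the script is written against. The Python below is an added example, not code from ComboFix, HijackThis or anyone in this thread: it reads HijackThis O2 (BHO) and O20 (Winlogon Notify) lines, flags a BHO whose DLL is an 8-letter name dropped directly in system32 or is also registered as a Winlogon Notify package, and emits a CFScript with the same KillAll::/File::/Registry:: sections as the one above. The legitimate O2 lines are copied from the thread's HijackThis logs and the CLSID and DLL name of the removed entry come from the CFScript; the O20 lines and the HijackThis rendering of the removed BHO are constructed, the short allow-list of legitimate 8-letter system32 DLLs is an illustrative assumption, and the registry paths are written out in full where the script above abbreviates them with `~`.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines for the Vundo pattern
and emit a ComboFix CFScript with the same sections as the one posted in the thread.

Added example; not code from HijackThis, ComboFix or anyone in this thread.
The 8-letter heuristic and the small allow-list are illustrative assumptions."""
import ntpath
import re
from dataclasses import dataclass, field

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")
# Legitimate 8-letter DLLs that live directly in system32; a real list is much longer (assumption).
KNOWN_STEMS = {"browseui", "setupapi", "wintrust", "imagehlp", "winspool", "oleaut32", "schannel"}

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SEH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


@dataclass
class Suspect:
    clsid: str
    dll: str
    reasons: list = field(default_factory=list)


def stem_of(path):
    """File name without extension, using Windows path rules regardless of host OS."""
    return ntpath.splitext(ntpath.basename(path))[0]


def random_stem_in_system32(path):
    """Vundo drops DLLs with 8 pseudo-random letters straight into system32 (cf. wvUNFVNh.dll)."""
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    stem = stem_of(path)
    return parent == "system32" and bool(RANDOM_STEM.match(stem)) and stem.lower() not in KNOWN_STEMS


def triage(hjt_lines):
    """Return one Suspect per BHO that trips the heuristics. The strong signal is the same DLL
    also being a Winlogon Notify package: that pair is exactly what the CFScript above deletes."""
    notify_stems = {stem_of(n["path"]).lower()
                    for n in map(NOTIFY_RE.match, (line.strip() for line in hjt_lines)) if n}
    suspects = []
    for line in hjt_lines:
        m = BHO_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if random_stem_in_system32(m["path"]):
            reasons.append("8-letter DLL directly in system32")
        if stem_of(m["path"]).lower() in notify_stems:
            reasons.append("same DLL registered under Winlogon\\Notify")
        if reasons and m["name"] == "(no name)":
            reasons.append("BHO has no name")  # supporting evidence only, never sufficient alone
        if reasons:
            suspects.append(Suspect(m["clsid"].upper(), m["path"], reasons))
    return suspects


def build_cfscript(suspects):
    """KillAll:: / File:: / Registry:: in REGEDIT4 syntax: [-key] deletes a key, "value"=- a value."""
    lines = ["KillAll::", "", "File::"] + [s.dll for s in suspects] + ["", "Registry::"]
    for s in suspects:
        lines += [f"[-{BHO_KEY}\\{{{s.clsid}}}]",
                  f"[{SEH_KEY}]",
                  f'"{{{s.clsid}}}"=-',
                  f"[-{NOTIFY_KEY}\\{stem_of(s.dll)}]"]
    return "\n".join(lines) + "\n"


SAMPLE_HJT = [
    # Legitimate BHO lines copied from the thread's HijackThis logs:
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL",
    # Constructed: how the entry the CFScript removes would look (CLSID and DLL name from the thread):
    r"O2 - BHO: (no name) - {C4F31A60-D2C7-4B22-ACE9-AE33C94D7316} - C:\WINDOWS\system32\wvUNFVNh.dll",
    r"O20 - Winlogon Notify: wvUNFVNh - C:\WINDOWS\system32\wvUNFVNh.dll",
    # Constructed from the LMIinit Notify entry in the thread's ComboFix log (legitimate LogMeIn package):
    r"O20 - Winlogon Notify: LMIinit - C:\WINDOWS\system32\LMIinit.dll",
]

if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for s in found:
        print(s.clsid, s.dll, "; ".join(s.reasons))
    print(build_cfscript(found))
```

    Run stand-alone it prints one suspect (the wvUNFVNh entry, flagged on all three counts) and a script whose Registry:: block matches the three deletions in Step #1. The allow-list exists because plenty of legitimate Microsoft DLLs also have 8-letter names, so the system32 heuristic alone is only a prompt to look closer; the BHO-plus-Winlogon-Notify pairing is the part worth acting on.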
     
  11. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    ComboFix appears to be hanging at the AutoScan part. I rebooted, closed some unnecessary items in the taskbar (messenger, printer monitor, etc...), and then dragged the TXT file onto ComboFix.exe.

    After clicking "Yes" for the disclaimer I didn't touch the mouse or keyboard. I let it run for about 20 minutes before stopping it because I'm about to leave work. I'll try running it when I get home, where I can let it sit for 30-60 minutes if necessary. I'll post back here after that.

    Any instructions in case it keeps hanging? Should I try running it in safe mode maybe? I have everything else ready for steps 2 and 3.

    Thanks for the help, it is sincerely appreciated.
     
  12. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Go ahead and let it run 30-60 minutes when you get home, though normally it shouldn't take that long. If it still hangs after that time period, go ahead and boot into Safe Mode and drag the CFScript.txt into ComboFix.exe and let it run.
     
  13. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    OK, ComboFix ran right away in Safe Mode. However, when it rebooted I went back into normal Windows. Not sure if that will matter or not. Here's the CF log:

    ComboFix 08-04-03.5 - baronb2 2008-04-05 9:32:05.2 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1785 [GMT -5:00]
    Running from: C:\Documents and Settings\BaronB2.BFC\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\BaronB2.BFC\Desktop\CFScript.txt

    FILE ::
    C:\WINDOWS\system32\onehkoem.ini
    C:\WINDOWS\system32\sapwpfxc.ini
    C:\WINDOWS\system32\wvUNFVNh.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\onehkoem.ini
    C:\WINDOWS\system32\sapwpfxc.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
    .

    2008-04-03 18:36 . 2008-04-03 19:06 <DIR> d-------- C:\quarantine
    2008-04-02 15:41 . 2008-04-05 09:04 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
    2008-04-01 09:23 . 2008-04-01 09:23 <DIR> d-------- C:\Program Files\PowerISO
    2008-04-01 09:14 . 2008-04-01 09:14 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\CyberLink
    2008-04-01 09:13 . 2008-04-01 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-04-01 09:12 . 2008-04-01 09:13 <DIR> d-------- C:\Program Files\CyberLink
    2008-03-30 20:57 . 2008-03-30 20:57 <DIR> d-------- C:\Program Files\DivXLand
    2008-03-30 20:57 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
    2008-03-28 11:20 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
    2008-03-28 11:20 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
    2008-03-27 08:23 . 2008-03-27 16:39 578 --a------ C:\WINDOWS\M3JPEG.INI
    2008-03-27 08:23 . 2008-04-05 09:17 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-03-27 07:56 . 2005-10-20 20:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
    2008-03-27 07:56 . 2005-10-20 20:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
    2008-03-24 17:57 . 2008-03-24 17:57 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\TiFiC
    2008-03-24 17:56 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Webroot
    2008-03-24 17:56 . 2008-03-24 17:56 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Nero
    2008-03-24 17:56 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Intel
    2008-03-24 17:56 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-03-24 08:57 . 2008-03-24 08:57 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Nero
    2008-03-24 08:52 . 2008-03-24 08:52 <DIR> d-------- C:\Program Files\Nero
    2008-03-24 08:52 . 2008-03-24 08:55 <DIR> d-------- C:\Program Files\Common Files\Nero
    2008-03-24 08:52 . 2008-03-24 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-03-20 12:01 . 2008-03-20 12:01 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\TiFiC
    2008-03-20 11:41 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\csomerville\Application Data\Webroot
    2008-03-20 11:41 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\csomerville\Application Data\Intel
    2008-03-20 09:59 . 2008-03-20 09:59 <DIR> dr------- C:\Documents and Settings\BaronB2.BFC\Application Data\Brother
    2008-03-20 09:54 . 2008-03-20 09:54 <DIR> d-------- C:\WINDOWS\Sun
    2008-03-20 09:53 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-03-20 09:52 . 2008-03-20 09:53 <DIR> d-------- C:\Program Files\Java
    2008-03-20 09:50 . 2008-03-20 09:50 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-03-19 01:33 . 2008-03-19 01:33 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\River Past G5
    2008-03-19 00:04 . 2008-03-19 00:04 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Media Player Classic
    2008-03-18 23:18 . 2008-03-18 23:18 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\TiFiC
    2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Program Files\TiFiC
    2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Program Files\Common Files\TiFiC
    2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TiFiC
    2008-03-18 22:50 . 2008-03-18 22:50 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\DivX
    2008-03-18 22:31 . 2008-03-18 22:31 <DIR> d-------- C:\Program Files\PayPal
    2008-03-18 22:31 . 2008-03-18 22:31 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\InstallShield
    2008-03-18 16:04 . 2008-03-18 16:04 <DIR> d-------- C:\Program Files\CONEXANT
    2008-03-18 16:04 . 2005-05-03 15:09 1,033,728 --a------ C:\WINDOWS\system32\drivers\HSF_DPV.SYS
    2008-03-18 16:04 . 2005-05-03 15:08 705,408 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
    2008-03-18 16:04 . 2005-05-03 15:08 208,384 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys
    2008-03-18 16:04 . 2005-05-03 11:56 129,405 --a------ C:\WINDOWS\system32\drivers\del1028.cty
    2008-03-18 16:04 . 2004-03-17 12:00 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
    2008-03-18 16:04 . 2005-02-23 15:02 42,858 --a------ C:\WINDOWS\system32\hsfci014.dll
    2008-03-18 16:04 . 2004-03-17 12:04 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
    2008-03-18 15:45 . 2008-03-18 16:40 <DIR> d-------- C:\Program Files\1872_Sprint
    2008-03-18 15:31 . 2008-03-18 15:31 <DIR> d---s---- C:\Documents and Settings\BaronB2.BFC\UserData
    2008-03-18 15:18 . 2008-03-18 15:18 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2008-03-18 15:16 . 2008-03-18 16:31 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\ICAClient
    2008-03-18 15:15 . 2008-03-18 15:15 <DIR> d-------- C:\Program Files\Citrix
    2008-03-18 15:03 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\jgeldart\Application Data\Webroot
    2008-03-18 15:03 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\jgeldart\Application Data\Intel
    2008-03-18 14:46 . 2008-03-18 16:49 <DIR> d-------- C:\SalesDiscoverySystem
    2008-03-18 14:35 . 2008-03-18 14:35 <DIR> d-------- C:\WINDOWS\SchCache
    2008-03-18 14:28 . 2008-03-18 14:28 <DIR> d-------- C:\Program Files\IBM
    2008-03-18 14:27 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2008-03-18 14:25 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\Webroot
    2008-03-18 14:25 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\Intel
    2008-03-18 09:54 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Webroot
    2008-03-18 09:54 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Intel
    2008-03-18 09:53 . 2008-03-18 16:12 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-03-18 09:49 . 2008-03-18 09:49 8 --a------ C:\WINDOWS\system32\success
    2008-03-18 09:48 . 2008-03-18 09:48 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
    2008-03-18 09:48 . 2008-03-18 09:48 <DIR> d-------- C:\Program Files\Cisco Systems
    2008-03-18 09:48 . 2003-10-17 16:42 268,360 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
    2008-03-18 09:48 . 2003-07-24 19:55 139,604 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
    2008-03-18 09:48 . 2003-10-17 16:43 139,096 --a------ C:\WINDOWS\system32\CSGina.dll
    2008-03-18 09:48 . 2003-07-24 19:55 114,000 --a------ C:\WINDOWS\system32\dneinobj.dll
    2008-03-18 09:48 . 2003-05-01 13:26 5,220 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
    2008-03-18 09:42 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
    2008-03-18 09:42 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2008-03-17 16:20 . 2008-03-17 16:20 <DIR> d-------- C:\Program Files\River Past
    2008-03-17 16:20 . 2008-03-17 16:20 <DIR> d-------- C:\Program Files\Common Files\River Past
    2008-03-17 16:20 . 2008-03-17 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
    2008-03-17 16:20 . 2008-03-17 16:20 164,812 --a------ C:\WINDOWS\Screen Recorder Pro Uninstaller.exe
    2008-03-15 15:28 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
    2008-03-15 15:28 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
    2008-03-15 14:11 . 2008-03-15 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Laconic Software
    2008-03-15 09:51 . 2008-04-01 09:37 <DIR> d-------- C:\Program Files\PeerGuardian2
    2008-03-15 09:40 . 2008-03-15 09:40 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-03-15 09:33 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
    2008-03-15 09:33 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    2008-03-14 16:42 . 2008-03-14 16:42 <DIR> d-------- C:\Program Files\CCleaner
    2008-03-14 16:27 . 2008-03-15 15:27 512 --a------ C:\WINDOWS\randseed.rnd
    2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
    2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
    2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-03-14 16:25 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
    2008-03-14 16:25 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
    2008-03-14 16:24 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Network Associates
    2008-03-14 16:24 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Common Files\Network Associates
    2008-03-14 16:20 . 2008-03-14 16:20 <DIR> d-------- C:\Program Files\BigFix Enterprise
    2008-03-14 16:19 . 2008-03-14 16:19 <DIR> d-------- C:\Program Files\Webroot
    2008-03-14 16:19 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-03-14 16:19 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-03-14 16:01 . 2008-03-14 16:01 <DIR> d-------- C:\Program Files\Common Files\L&H
    2008-03-14 16:01 . 2004-03-22 17:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-01 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-01 14:11 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-03-14 18:03 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-03-13 20:37 5 ----a-w C:\WINDOWS\system32\drivers\DELL_LAT_D610.MRK
    2008-03-13 20:37 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_LAT_D610.MRK
    2008-03-13 20:36 --------- d-----w C:\Program Files\Dell
    2008-03-13 20:27 --------- d-----w C:\Program Files\microsoft frontpage
    2008-03-13 20:04 --------- d-----w C:\Program Files\ATI Technologies
    .

    ((((((((((((((((((((((((((((( [email protected]_ 7.33.01.51 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-03 14:11:28 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-04-04 12:34:23 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-04-03 14:11:28 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-04-04 12:34:23 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-04-05 14:34:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_344.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 12:19 819200]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 12:17 970752]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 22:00 344064]
    "IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
    "itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
    "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
    "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
    "DiskeeperSystray"="c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
    "WebrootClientUI"="c:\Program Files\Webroot\Client\SpySweeperUI.exe" [2007-10-25 09:24 414064]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06 136768]
    "Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2005-10-19 05:40 20531]
    "C3"="c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe" [2007-09-14 03:12 2075136]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
    "BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
    "EPM Agent"="c:\PROGRA~1\MOBILE~1\rstate.exe" [2006-01-10 01:52 94208]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.iv50"= C:\WINDOWS\ir50_32.dll
    "msacm.ac3acm"= ac3acm.acm
    "VIDC.wmv3"= wmv9vcm.dll
    "vidc.GEOX"= C:\WINDOWS\system32\v8120\GeoCodec.dll
    "vidc.GEOV"= C:\WINDOWS\system32\v8120\GeoCodec.dll
    "vidc.GMP4"= C:\WINDOWS\system32\v8120\GXAMP4.dll
    "vidc.GM40"= C:\WINDOWS\system32\v8120\GXAMP4.dll
    "vidc.G264"= C:\WINDOWS\system32\v8120\GX264.dll
    "msacm.geoadpcm"= C:\WINDOWS\system32\v8100\GeoADPCM.acm
    "vidc.GM4H"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
    "vidc.GM4S"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
    "vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
    "vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
    "vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
    "vidc.MJPG"= C:\WINDOWS\m3jpeg32.dll
    "vidc.dmb1"= C:\WINDOWS\m3jpeg32.dll
    "vidc.GM20"= C:\WINDOWS\system32\v8120\GXGM20.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-370448265-1163341058-428892626-1181\Scripts\Logon\0\0]
    "Script"=\\BFC.AD\SysVol\BFC.AD\scripts\Chicago_users.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
    R2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" [2006-01-10 01:52]
    R2 TiFiC System Service;TiFiC System Service;"C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe" [2007-08-28 05:07]
    S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]

    *Newly Created Service* - ENTDRV51
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-05 09:35:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
    "ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    c:\Program Files\Webroot\Client\commagent.exe
    c:\Program Files\Webroot\Client\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    c:\program files\mobile automation\rsstatus.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-05 9:37:52 - machine was rebooted [baronb2]
    ComboFix-quarantined-files.txt 2008-04-05 14:37:47
    ComboFix2.txt 2008-04-04 12:33:30
    Pre-Run: 58,645,016,576 bytes free
    Post-Run: 56,443,514,880 bytes free
    .
    2008-03-18 20:30:53 --- E O F ---
    ------------------------------------------
    Malwarebytes Results

    Malwarebytes' Anti-Malware 1.10
    Database version: 593

    Scan type: Full Scan (C:\|)
    Objects scanned: 100009
    Time elapsed: 34 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\QooBox\Quarantine\C\WINDOWS\system32\afdcropu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\bkqxujlt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\vxaimayd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007776.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007777.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007782.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
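    Every file hit in the Malwarebytes results above is either a `.vir` copy inside ComboFix's own quarantine folder (C:\QooBox\Quarantine) or a copy inside a System Restore point; the remaining hits are registry traces, and none is a DLL still sitting in a live path. Telling those classes apart is the first thing to do when reading a second scanner's output after a first tool has already quarantined things. The Python below is an added example, not code from Malwarebytes, ComboFix or anyone in this thread: it parses result lines of the form `<path> (<family>) -> <action>.` and sorts them by location. The parsed lines are the ones from the results above, plus one constructed line showing how a copy still in system32 would be reported; the prefix list is an assumption for illustration.

```python
"""Classify Malwarebytes' Anti-Malware result lines by where each detected object lived, so
hits inside another tool's quarantine or inside System Restore points are not read as an
active infection. Added example; not code from Malwarebytes, ComboFix or anyone in this thread."""
import re
from collections import Counter

# "<path> (<family>) -> <action>."; the path is matched greedily so "(x86)" inside a path is safe.
RESULT_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Locations whose contents are inert copies. ComboFix's quarantine folder is C:\QooBox\Quarantine
# (visible in the thread's results); restore-point copies only matter if a restore is performed.
INERT_PREFIXES = {
    "combofix quarantine": "C:\\QooBox\\Quarantine\\",
    "system restore point": "C:\\System Volume Information\\_restore",
}


def classify(path):
    """Map a detected object's path to one of: inert-copy classes, registry trace, or live file."""
    lowered = path.lower()
    for label, prefix in INERT_PREFIXES.items():
        if lowered.startswith(prefix.lower()):
            return label
    if lowered.startswith(("hkey_", "hklm\\", "hkcu\\")):
        return "registry trace"
    return "live file"


def summarise(result_lines):
    """Return (Counter by class, list of live file paths). Non-detection lines are skipped."""
    counts, live = Counter(), []
    for line in result_lines:
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        label = classify(m["path"])
        counts[label] += 1
        if label == "live file":
            live.append(m["path"])
    return counts, live


# Detection lines exactly as they appear in the thread's Malwarebytes results:
THREAD_RESULTS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.",
    r"HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\afdcropu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\bkqxujlt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\vxaimayd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.",
    r"C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007776.dll (Trojan.Vundo) -> Quarantined and deleted successfully.",
    r"C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007777.dll (Trojan.Vundo) -> Quarantined and deleted successfully.",
    r"C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007782.dll (Trojan.Vundo) -> Quarantined and deleted successfully.",
    "Files Infected:",  # section header, deliberately included to show it is ignored
]

# Constructed line (not from the thread) showing what a still-active copy would look like:
CONSTRUCTED_LIVE_HIT = r"C:\WINDOWS\system32\wvUNFVNh.dll (Trojan.Vundo) -> Delete on reboot."

if __name__ == "__main__":
    counts, live = summarise(THREAD_RESULTS)
    print(dict(counts), "live:", live)
    print(summarise([CONSTRUCTED_LIVE_HIT]))
```

    For the thread's results the live list comes back empty: three quarantine copies, three restore-point copies and five registry traces, which is consistent with the ComboFix run having already removed the active files. The constructed line shows the case that would actually warrant another removal pass.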
     
  14. sy2

    sy2 Thread Starter

    Joined:
    Mar 24, 2005
    Messages:
    2,845
    And here's a fresh HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:25, on 2008-04-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\mobile automation\rstate.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
    c:\Program Files\Webroot\Client\commagent.exe
    c:\Program Files\Webroot\Client\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Webroot\Client\SpySweeperUI.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\PROGRA~1\TiFiC\TIFICC~1\c3.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\PROGRA~1\MOBILE~1\rstate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    c:\program files\mobile automation\rsstatus.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\BaronB2.BFC\Desktop\HJT\scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://citrix/Citrix/MetaFrame/auth/login.aspx
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [WebrootClientUI] "c:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [C3] c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe /DEFLANG English /SERVER bgcba0tific01.centerbeam.com /SYSTRAY /WAIT 60 /HIDE /ONLINECHECK
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BFC.AD
    O17 - HKLM\Software\..\Telephony: DomainName = BFC.AD
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BFC.AD
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BFC.AD
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\spysweeper.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 11373 bytes
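Added example, not part of this thread and not code from Trend Micro HijackThis: a small Python script that parses the O2, O4, O16 and O23 lines of a log in the format posted above and lists the entries a helper would normally look at first. The sample input is constructed from lines copied out of the log above plus one made-up Temp-folder autorun (labelled in the code) that is not in the posted log; the three heuristics (service with no publisher string, ActiveX control fetched over plain HTTP or from a private address, autostart item outside Program Files/Windows) are review priorities, not malware verdicts.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample input: entries copied from the posted HijackThis log, plus
# one CONSTRUCTED line ([example] in a Temp folder) that is NOT in that log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# "O4 - HKLM\..\Run: [Name] command line"
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executable at the start of a command line: either quoted, or up to the first
# extension followed by whitespace/end (handles unquoted paths with spaces).
PATH_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|com|scr|bat|cmd)))(?:\s|$)', re.I)

# Assumption: on the XP system in this thread, legitimate autostarts live here.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def extract_path(cmd):
    """Return the executable path at the start of a Run-key command line."""
    m = PATH_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def parse_entry(line):
    """Parse one HijackThis line into a dict, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    e = {"kind": kind, "raw": line.strip()}
    if kind == "O4":
        m4 = O4_RE.match(body)
        if m4:
            e.update(m4.groupdict())
            e["path"] = extract_path(m4.group("cmd"))
    elif kind == "O23" and body.startswith("Service: "):
        parts = body[len("Service: "):].rsplit(" - ", 2)   # display - company - path
        if len(parts) == 3:
            e.update(display=parts[0], company=parts[1], path=parts[2])
    elif kind == "O2" and body.startswith("BHO: "):
        parts = body[len("BHO: "):].rsplit(" - ", 2)       # name - {CLSID} - path
        if len(parts) == 3:
            e.update(name=parts[0], clsid=parts[1], path=parts[2])
    elif kind == "O16" and body.startswith("DPF: "):
        parts = body[len("DPF: "):].rsplit(" - ", 1)       # {CLSID} (Name) - URL
        if len(parts) == 2:
            e.update(desc=parts[0], url=parts[1])
    return e


def triage(log_text):
    """Return (kind, reason, raw_line) tuples for entries worth checking first."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if not e:
            continue
        if e["kind"] == "O23" and e.get("company") == "Unknown owner":
            findings.append((e["kind"], "service has no publisher string; verify the binary", e["raw"]))
        if e["kind"] == "O16" and "url" in e:
            parsed = urlparse(e["url"])
            try:
                private = ip_address(parsed.hostname or "").is_private
            except ValueError:
                private = False            # hostname is a DNS name, not an IP
            if private or parsed.scheme != "https":
                findings.append((e["kind"], "ActiveX control fetched over plain HTTP or from a private address; confirm it is sanctioned", e["raw"]))
        path = e.get("path", "").lower()
        if path and not path.startswith(TRUSTED_PREFIXES):
            findings.append((e["kind"], "autostart item runs from outside Program Files/Windows", e["raw"]))
    return findings


if __name__ == "__main__":
    for kind, reason, raw in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {raw}")
```

Run against the sample it prints three lines: the constructed Temp autorun, the O16 download from 10.102.27.129, and the RichVideo service listed as "Unknown owner". The point of the path heuristic is that it keys on where the file lives rather than on its name, which is what a helper checks manually when reading a long O4/O23 list.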
     
  15. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Step # 1: Run Kaspersky Online Scan
    Please do an online scan with Kaspersky WebScanner.

    You must be using Internet Explorer; Kaspersky does not work with Firefox.

    Click Accept.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under select a target to scan, select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
    • Once finished, save the log to your Desktop as filename KAV.txt.

    In your next post/reply, I need to see the following:

    1. The Kaspersky results
    2. A fresh HiJackThis Log
    3. How is your computer doing, any problems?

    Use multiple posts if you can't fit everything into one post.
     
Short URL to this thread: https://techguy.org/699881