Solved: VirtuMonde? Pop-up problems

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sy2

Thread Starter
Joined
Mar 24, 2005
Messages
2,845
I'm noticing pop-ups when I'm forced to use Internet Explorer and I think VirtuMonde is to blame, although I don't know how I got it.

I'm using a work laptop that has Webroot Antispyware Corporate Edition on it and it found VirtuMonde and apparently quarantined it, but the program is set up in some way that I can't do anything to the files from quarantine - I can't click the entries in quarantine to delete them or anything.

Anyway, here's a HJT log. If anyone could help it'd be greatly appreciated!
-----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:57 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\mobile automation\rstate.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
c:\Program Files\Webroot\Client\commagent.exe
c:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Webroot\Client\SpySweeperUI.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
c:\program files\mobile automation\rsstatus.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Documents and Settings\BaronB2.BFC\Desktop\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://citrix/Citrix/MetaFrame/auth/login.aspx
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WebrootClientUI] "c:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [C3] c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe /DEFLANG English /SERVER bgcba0tific01.centerbeam.com /SYSTRAY /WAIT 60 /HIDE /ONLINECHECK
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [BM4babbb6a] Rundll32.exe "C:\WINDOWS\system32\qrqumpes.dll",s
O4 - HKLM\..\Run: [489888f6] rundll32.exe "C:\WINDOWS\system32\cxfpwpas.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BFC.AD
O17 - HKLM\Software\..\Telephony: DomainName = BFC.AD
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BFC.AD
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BFC.AD
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10936 bytes
 
Joined
Aug 9, 2007
Messages
686
Hello and welcome to Tech Support Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
 
Joined
Aug 9, 2007
Messages
686
Step # 1: Rename HijackThis

Rename HijackThis.exe to Scanner.exe by doing the following:


Navigate to here: C:\Documents and Settings\BaronB2.BFC\Desktop\HJT
Right-click on the HijackThis.exe.
From the pull-down menu, choose: "Rename".
Rename HijackThis.exe to Scanner.exe
Open Hijackthis.
Run Hijackthis (Do a system scan and save a log file).
Post the fresh HijackThis log.

Step # 2 Download CCleaner

Download CCleaner from here to clean temp files from your computer.
  • Double click on the ccsetup.exe file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location.
  • Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
  • Click Install then finish to complete installation.

Step # 3 Retrieve the Installed Programs List from CCleaner

Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

In your next post/reply, I need to see the following:

1. A fresh HiJackThis Log (scanner.exe)
2. The CCleaner Uninstall List

Use multiple posts if you can't fit everything into one post.
 

sy2

Thread Starter
Joined
Mar 24, 2005
Messages
2,845
Hey there km, thanks for the help - it's sincerely appreciated (y)

Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:16 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\mobile automation\rstate.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Webroot\Client\commagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Webroot\Client\SpySweeperUI.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
c:\Program Files\Webroot\Client\spysweeper.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
c:\program files\mobile automation\rsstatus.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\BaronB2.BFC\Desktop\HJT\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://citrix/Citrix/MetaFrame/auth/login.aspx
O2 - BHO: {e8b230b6-bf38-2629-6a84-ddb7bfec2e00} - {00e2cefb-7bdd-48a6-9262-83fb6b032b8e} - C:\WINDOWS\system32\bkqxujlt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12067E3C-36FF-4D86-9C30-DB47EDB858AB} - C:\WINDOWS\system32\geBturRH.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C4F31A60-D2C7-4B22-ACE9-AE33C94D7316} - C:\WINDOWS\system32\wvUNFVNh.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WebrootClientUI] "c:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [C3] c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe /DEFLANG English /SERVER bgcba0tific01.centerbeam.com /SYSTRAY /WAIT 60 /HIDE /ONLINECHECK
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
O4 - HKLM\..\Run: [BM4babbb6a] Rundll32.exe "C:\WINDOWS\system32\fmlatpdu.dll",s
O4 - HKLM\..\Run: [489888f6] rundll32.exe "C:\WINDOWS\system32\putxemst.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BFC.AD
O17 - HKLM\Software\..\Telephony: DomainName = BFC.AD
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BFC.AD
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BFC.AD
O20 - Winlogon Notify: wvUNFVNh - C:\WINDOWS\SYSTEM32\wvUNFVNh.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11700 bytes


CCleaner will be in the next post. I had CCleaner installed before this problem arose, so if that's an issue and I need to uninstall/reinstall just let me know.
 

sy2

Thread Starter
Joined
Mar 24, 2005
Messages
2,845
Here's the uninstall list, let me know if you need it in cut/paste format.
 

Attachments

Joined
Aug 9, 2007
Messages
686
Thanks for the two logs. :) From now on just copy and paste any logs I ask for into this thread, don't attach them. Thanks.

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

µTorrent

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Step # 1: Download and Run ComboFix

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop

When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
 

sy2

Thread Starter
Joined
Mar 24, 2005
Messages
2,845
OK, I removed uTorrent, installed the virtual console, and ran ComboFix.

I was not able to turn off my anti-virus and spyware programs. As I mentioned before I'm on a work computer logged into a domain and don't have the permissions to close those programs, even though I'm in the admin group. Just thought you should know in case something didn't work correctly.

Here's the ComboFix log, the new HJT log will be in the next post. Thanks! :)
-------------------------

ComboFix 08-04-03.5 - baronb2 2008-04-04 7:20:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1367 [GMT -5:00]
Running from: C:\Documents and Settings\BaronB2.BFC\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM4babbb6a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\afdcropu.dll
C:\WINDOWS\system32\bkqxujlt.dll
C:\WINDOWS\system32\fmlatpdu.dll
C:\WINDOWS\system32\geBturRH.dll
C:\WINDOWS\system32\HRrutBeg.ini
C:\WINDOWS\system32\HRrutBeg.ini2
C:\WINDOWS\system32\jPWxIRCf.ini
C:\WINDOWS\system32\putxemst.dll
C:\WINDOWS\system32\qrqumpes.dll
C:\WINDOWS\system32\tsmextup.ini
C:\WINDOWS\system32\uspppdrg.dll
C:\WINDOWS\system32\vxaimayd.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-03 18:36 . 2008-04-03 19:06 <DIR> d-------- C:\quarantine
2008-04-02 21:35 . 2008-04-03 16:06 474 --ahs---- C:\WINDOWS\system32\sapwpfxc.ini
2008-04-02 15:41 . 2008-04-04 06:54 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-01 21:35 . 2008-04-02 21:35 414 --ahs---- C:\WINDOWS\system32\onehkoem.ini
2008-04-01 09:23 . 2008-04-01 09:23 <DIR> d-------- C:\Program Files\PowerISO
2008-04-01 09:14 . 2008-04-01 09:14 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\CyberLink
2008-04-01 09:13 . 2008-04-01 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-01 09:12 . 2008-04-01 09:13 <DIR> d-------- C:\Program Files\CyberLink
2008-03-30 20:57 . 2008-03-30 20:57 <DIR> d-------- C:\Program Files\DivXLand
2008-03-30 20:57 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-03-28 11:20 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-03-28 11:20 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-03-27 08:23 . 2008-03-27 16:39 578 --a------ C:\WINDOWS\M3JPEG.INI
2008-03-27 08:23 . 2008-04-03 09:12 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-27 07:56 . 2005-10-20 20:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-03-27 07:56 . 2005-10-20 20:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-03-24 17:57 . 2008-03-24 17:57 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\TiFiC
2008-03-24 17:56 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Webroot
2008-03-24 17:56 . 2008-03-24 17:56 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Nero
2008-03-24 17:56 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Intel
2008-03-24 17:56 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-24 08:57 . 2008-03-24 08:57 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Nero
2008-03-24 08:52 . 2008-03-24 08:52 <DIR> d-------- C:\Program Files\Nero
2008-03-24 08:52 . 2008-03-24 08:55 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-24 08:52 . 2008-03-24 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-21 10:59 . 2008-04-03 22:12 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\uTorrent
2008-03-20 12:01 . 2008-03-20 12:01 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\TiFiC
2008-03-20 11:41 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\csomerville\Application Data\Webroot
2008-03-20 11:41 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\csomerville\Application Data\Intel
2008-03-20 09:59 . 2008-03-20 09:59 <DIR> dr------- C:\Documents and Settings\BaronB2.BFC\Application Data\Brother
2008-03-20 09:54 . 2008-03-20 09:54 <DIR> d-------- C:\WINDOWS\Sun
2008-03-20 09:53 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-20 09:52 . 2008-03-20 09:53 <DIR> d-------- C:\Program Files\Java
2008-03-20 09:50 . 2008-03-20 09:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-19 01:33 . 2008-03-19 01:33 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\River Past G5
2008-03-19 00:04 . 2008-03-19 00:04 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Media Player Classic
2008-03-18 23:18 . 2008-03-18 23:18 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\TiFiC
2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Program Files\TiFiC
2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Program Files\Common Files\TiFiC
2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TiFiC
2008-03-18 22:50 . 2008-03-18 22:50 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\DivX
2008-03-18 22:31 . 2008-03-18 22:31 <DIR> d-------- C:\Program Files\PayPal
2008-03-18 22:31 . 2008-03-18 22:31 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\InstallShield
2008-03-18 16:04 . 2008-03-18 16:04 <DIR> d-------- C:\Program Files\CONEXANT
2008-03-18 16:04 . 2005-05-03 15:09 1,033,728 --a------ C:\WINDOWS\system32\drivers\HSF_DPV.SYS
2008-03-18 16:04 . 2005-05-03 15:08 705,408 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2008-03-18 16:04 . 2005-05-03 15:08 208,384 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys
2008-03-18 16:04 . 2005-05-03 11:56 129,405 --a------ C:\WINDOWS\system32\drivers\del1028.cty
2008-03-18 16:04 . 2004-03-17 12:00 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2008-03-18 16:04 . 2005-02-23 15:02 42,858 --a------ C:\WINDOWS\system32\hsfci014.dll
2008-03-18 16:04 . 2004-03-17 12:04 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-03-18 15:45 . 2008-03-18 16:40 <DIR> d-------- C:\Program Files\1872_Sprint
2008-03-18 15:31 . 2008-03-18 15:31 <DIR> d---s---- C:\Documents and Settings\BaronB2.BFC\UserData
2008-03-18 15:18 . 2008-03-18 15:18 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-18 15:16 . 2008-03-18 16:31 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\ICAClient
2008-03-18 15:15 . 2008-03-18 15:15 <DIR> d-------- C:\Program Files\Citrix
2008-03-18 15:03 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\jgeldart\Application Data\Webroot
2008-03-18 15:03 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\jgeldart\Application Data\Intel
2008-03-18 14:46 . 2008-03-18 16:49 <DIR> d-------- C:\SalesDiscoverySystem
2008-03-18 14:35 . 2008-03-18 14:35 <DIR> d-------- C:\WINDOWS\SchCache
2008-03-18 14:28 . 2008-03-18 14:28 <DIR> d-------- C:\Program Files\IBM
2008-03-18 14:27 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-18 14:25 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\Webroot
2008-03-18 14:25 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\Intel
2008-03-18 09:54 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Webroot
2008-03-18 09:54 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Intel
2008-03-18 09:53 . 2008-03-18 16:12 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-18 09:49 . 2008-03-18 09:49 8 --a------ C:\WINDOWS\system32\success
2008-03-18 09:48 . 2008-03-18 09:48 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-03-18 09:48 . 2008-03-18 09:48 <DIR> d-------- C:\Program Files\Cisco Systems
2008-03-18 09:48 . 2003-10-17 16:42 268,360 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2008-03-18 09:48 . 2003-07-24 19:55 139,604 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2008-03-18 09:48 . 2003-10-17 16:43 139,096 --a------ C:\WINDOWS\system32\CSGina.dll
2008-03-18 09:48 . 2003-07-24 19:55 114,000 --a------ C:\WINDOWS\system32\dneinobj.dll
2008-03-18 09:48 . 2003-05-01 13:26 5,220 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2008-03-18 09:42 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-03-18 09:42 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-03-17 16:20 . 2008-03-17 16:20 <DIR> d-------- C:\Program Files\River Past
2008-03-17 16:20 . 2008-03-17 16:20 <DIR> d-------- C:\Program Files\Common Files\River Past
2008-03-17 16:20 . 2008-03-17 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-03-17 16:20 . 2008-03-17 16:20 164,812 --a------ C:\WINDOWS\Screen Recorder Pro Uninstaller.exe
2008-03-15 15:28 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-15 15:28 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-15 14:11 . 2008-03-15 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Laconic Software
2008-03-15 09:51 . 2008-04-01 09:37 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-03-15 09:50 . 2008-04-04 06:57 <DIR> d-------- C:\Program Files\uTorrent
2008-03-15 09:40 . 2008-03-15 09:40 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-15 09:33 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-03-15 09:33 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-03-14 16:42 . 2008-03-14 16:42 <DIR> d-------- C:\Program Files\CCleaner
2008-03-14 16:27 . 2008-03-15 15:27 512 --a------ C:\WINDOWS\randseed.rnd
2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-14 16:25 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2008-03-14 16:25 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2008-03-14 16:24 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Network Associates
2008-03-14 16:24 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2008-03-14 16:20 . 2008-03-14 16:20 <DIR> d-------- C:\Program Files\BigFix Enterprise
2008-03-14 16:19 . 2008-03-14 16:19 <DIR> d-------- C:\Program Files\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 14:11 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-14 18:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-13 20:37 5 ----a-w C:\WINDOWS\system32\drivers\DELL_LAT_D610.MRK
2008-03-13 20:37 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_LAT_D610.MRK
2008-03-13 20:36 --------- d-----w C:\Program Files\Dell
2008-03-13 20:27 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-13 20:04 --------- d-----w C:\Program Files\ATI Technologies
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}]
C:\WINDOWS\system32\wvUNFVNh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 12:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 12:17 970752]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 22:00 344064]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"DiskeeperSystray"="c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"WebrootClientUI"="c:\Program Files\Webroot\Client\SpySweeperUI.exe" [2007-10-25 09:24 414064]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06 136768]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2005-10-19 05:40 20531]
"C3"="c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe" [2007-09-14 03:12 2075136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
"EPM Agent"="c:\PROGRA~1\MOBILE~1\rstate.exe" [2006-01-10 01:52 94208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}"= C:\WINDOWS\system32\wvUNFVNh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUNFVNh]
wvUNFVNh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= C:\WINDOWS\ir50_32.dll
"msacm.ac3acm"= ac3acm.acm
"VIDC.wmv3"= wmv9vcm.dll
"vidc.GEOX"= C:\WINDOWS\system32\v8120\GeoCodec.dll
"vidc.GEOV"= C:\WINDOWS\system32\v8120\GeoCodec.dll
"vidc.GMP4"= C:\WINDOWS\system32\v8120\GXAMP4.dll
"vidc.GM40"= C:\WINDOWS\system32\v8120\GXAMP4.dll
"vidc.G264"= C:\WINDOWS\system32\v8120\GX264.dll
"msacm.geoadpcm"= C:\WINDOWS\system32\v8100\GeoADPCM.acm
"vidc.GM4H"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
"vidc.GM4S"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.MJPG"= C:\WINDOWS\m3jpeg32.dll
"vidc.dmb1"= C:\WINDOWS\m3jpeg32.dll
"vidc.GM20"= C:\WINDOWS\system32\v8120\GXGM20.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-370448265-1163341058-428892626-1181\Scripts\Logon\0\0]
"Script"=\\BFC.AD\SysVol\BFC.AD\scripts\Chicago_users.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" [2006-01-10 01:52]
R2 TiFiC System Service;TiFiC System Service;"C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe" [2007-08-28 05:07]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]

*Newly Created Service* - ENTDRV51
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 07:31:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\Program Files\Webroot\Client\commagent.exe
c:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
c:\program files\mobile automation\rsstatus.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-04-04 7:33:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-04 12:33:18
Pre-Run: 52,014,071,808 bytes free
Post-Run: 53,493,563,392 bytes free
.
2008-03-18 20:30:53 --- E O F ---
 

sy2

Thread Starter
Joined
Mar 24, 2005
Messages
2,845
New HJT log:
----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:35, on 2008-04-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\mobile automation\rstate.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
c:\Program Files\Webroot\Client\commagent.exe
c:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Webroot\Client\SpySweeperUI.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\TiFiC\TIFICC~1\c3.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
c:\program files\mobile automation\rsstatus.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\BaronB2.BFC\Desktop\HJT\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://citrix/Citrix/MetaFrame/auth/login.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C4F31A60-D2C7-4B22-ACE9-AE33C94D7316} - C:\WINDOWS\system32\wvUNFVNh.dll (file missing)
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WebrootClientUI] "c:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [C3] c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe /DEFLANG English /SERVER bgcba0tific01.centerbeam.com /SYSTRAY /WAIT 60 /HIDE /ONLINECHECK
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BFC.AD
O17 - HKLM\Software\..\Telephony: DomainName = BFC.AD
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BFC.AD
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BFC.AD
O20 - Winlogon Notify: wvUNFVNh - wvUNFVNh.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11677 bytes
 
Joined
Aug 9, 2007
Messages
686
Step # 1: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KillAll::
    
    File::
    
    C:\WINDOWS\system32\sapwpfxc.ini
    C:\WINDOWS\system32\onehkoem.ini
    C:\WINDOWS\system32\wvUNFVNh.dll
    
    Folder::
    
    C:\Documents and Settings\BaronB2.BFC\Application Data\uTorrent
    C:\Program Files\uTorrent
    
    Registry::
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell executehooks]
    "{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUNFVNh]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.





  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!

  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
  • Clean all entries in the Internet Explorer section except Cookies
  • Clean all the entries in the Windows Explorer section
  • Clean all entries in the System section
  • Clean all entries in the Advanced section
  • Clean any others that you choose
  • In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it
  • Clean all in the Opera section if you use it
  • Clean Sun Java in the Internet Section
  • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO


Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step #1
2. The MalwareBytes' results
3. A fresh HiJackThis Log

Use multiple posts if you cannot fit everything into one post.
 

sy2

Thread Starter
Joined
Mar 24, 2005
Messages
2,845
ComboFix appears to be hanging at the AutoScan part. I rebooted, closed some unnecessary items in the taskbar (messenger, printer monitor, etc...), and then dragged the TXT file onto ComboFix.exe.

After clicking "Yes" for the disclaimer I didn't touch the mouse or keyboard. I let it run for about 20 minutes before stopping it because I'm about to leave work. I'll try running it when I get home, where I can let it sit for 30-60 minutes if necessary. I'll post back here after that.

Any instructions in case it keeps hanging? Should I try running it in safe mode maybe? I have everything else ready for steps 2 and 3.

Thanks for the help, it is sincerely appreciated.
 
Joined
Aug 9, 2007
Messages
686
ComboFix appears to be hanging at the AutoScan part. I rebooted, closed some unnecessary items in the taskbar (messenger, printer monitor, etc...), and then dragged the TXT file onto ComboFix.exe.

After clicking "Yes" for the disclaimer I didn't touch the mouse or keyboard. I let it run for about 20 minutes before stopping it because I'm about to leave work. I'll try running it when I get home, where I can let it sit for 30-60 minutes if necessary. I'll post back here after that.

Any instructions in case it keeps hanging? Should I try running it in safe mode maybe? I have everything else ready for steps 2 and 3.

Thanks for the help, it is sincerely appreciated.
Go ahead and let it run 30-60 minutes when you get home, though normally it shouldn't take that long. If it still hangs after that time period, go ahead and boot into Safe Mode and drag the CFSCript.txt into ComboFix.exe and let it run.
 

sy2

Thread Starter
Joined
Mar 24, 2005
Messages
2,845
OK, ComboFix ran right away in Safe mode. However, when it rebooted me I went back into normal windows. Not sure if that will matter or not. Here's the CF log:

aComboFix 08-04-03.5 - baronb2 2008-04-05 9:32:05.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1785 [GMT -5:00]
Running from: C:\Documents and Settings\BaronB2.BFC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BaronB2.BFC\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\onehkoem.ini
C:\WINDOWS\system32\sapwpfxc.ini
C:\WINDOWS\system32\wvUNFVNh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\onehkoem.ini
C:\WINDOWS\system32\sapwpfxc.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-03 18:36 . 2008-04-03 19:06 <DIR> d-------- C:\quarantine
2008-04-02 15:41 . 2008-04-05 09:04 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-01 09:23 . 2008-04-01 09:23 <DIR> d-------- C:\Program Files\PowerISO
2008-04-01 09:14 . 2008-04-01 09:14 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\CyberLink
2008-04-01 09:13 . 2008-04-01 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-01 09:12 . 2008-04-01 09:13 <DIR> d-------- C:\Program Files\CyberLink
2008-03-30 20:57 . 2008-03-30 20:57 <DIR> d-------- C:\Program Files\DivXLand
2008-03-30 20:57 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-03-28 11:20 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-03-28 11:20 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-03-27 08:23 . 2008-03-27 16:39 578 --a------ C:\WINDOWS\M3JPEG.INI
2008-03-27 08:23 . 2008-04-05 09:17 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-27 07:56 . 2005-10-20 20:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-03-27 07:56 . 2005-10-20 20:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-03-24 17:57 . 2008-03-24 17:57 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\TiFiC
2008-03-24 17:56 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Webroot
2008-03-24 17:56 . 2008-03-24 17:56 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Nero
2008-03-24 17:56 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\DMService\Application Data\Intel
2008-03-24 17:56 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-24 08:57 . 2008-03-24 08:57 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Nero
2008-03-24 08:52 . 2008-03-24 08:52 <DIR> d-------- C:\Program Files\Nero
2008-03-24 08:52 . 2008-03-24 08:55 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-24 08:52 . 2008-03-24 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-20 12:01 . 2008-03-20 12:01 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\TiFiC
2008-03-20 11:41 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\csomerville\Application Data\Webroot
2008-03-20 11:41 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\csomerville\Application Data\Intel
2008-03-20 09:59 . 2008-03-20 09:59 <DIR> dr------- C:\Documents and Settings\BaronB2.BFC\Application Data\Brother
2008-03-20 09:54 . 2008-03-20 09:54 <DIR> d-------- C:\WINDOWS\Sun
2008-03-20 09:53 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-20 09:52 . 2008-03-20 09:53 <DIR> d-------- C:\Program Files\Java
2008-03-20 09:50 . 2008-03-20 09:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-19 01:33 . 2008-03-19 01:33 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\River Past G5
2008-03-19 00:04 . 2008-03-19 00:04 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Media Player Classic
2008-03-18 23:18 . 2008-03-18 23:18 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\TiFiC
2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Program Files\TiFiC
2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Program Files\Common Files\TiFiC
2008-03-18 23:17 . 2008-03-18 23:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TiFiC
2008-03-18 22:50 . 2008-03-18 22:50 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\DivX
2008-03-18 22:31 . 2008-03-18 22:31 <DIR> d-------- C:\Program Files\PayPal
2008-03-18 22:31 . 2008-03-18 22:31 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\InstallShield
2008-03-18 16:04 . 2008-03-18 16:04 <DIR> d-------- C:\Program Files\CONEXANT
2008-03-18 16:04 . 2005-05-03 15:09 1,033,728 --a------ C:\WINDOWS\system32\drivers\HSF_DPV.SYS
2008-03-18 16:04 . 2005-05-03 15:08 705,408 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2008-03-18 16:04 . 2005-05-03 15:08 208,384 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys
2008-03-18 16:04 . 2005-05-03 11:56 129,405 --a------ C:\WINDOWS\system32\drivers\del1028.cty
2008-03-18 16:04 . 2004-03-17 12:00 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2008-03-18 16:04 . 2005-02-23 15:02 42,858 --a------ C:\WINDOWS\system32\hsfci014.dll
2008-03-18 16:04 . 2004-03-17 12:04 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-03-18 15:45 . 2008-03-18 16:40 <DIR> d-------- C:\Program Files\1872_Sprint
2008-03-18 15:31 . 2008-03-18 15:31 <DIR> d---s---- C:\Documents and Settings\BaronB2.BFC\UserData
2008-03-18 15:18 . 2008-03-18 15:18 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-18 15:16 . 2008-03-18 16:31 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\ICAClient
2008-03-18 15:15 . 2008-03-18 15:15 <DIR> d-------- C:\Program Files\Citrix
2008-03-18 15:03 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\jgeldart\Application Data\Webroot
2008-03-18 15:03 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\jgeldart\Application Data\Intel
2008-03-18 14:46 . 2008-03-18 16:49 <DIR> d-------- C:\SalesDiscoverySystem
2008-03-18 14:35 . 2008-03-18 14:35 <DIR> d-------- C:\WINDOWS\SchCache
2008-03-18 14:28 . 2008-03-18 14:28 <DIR> d-------- C:\Program Files\IBM
2008-03-18 14:27 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-18 14:25 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\Webroot
2008-03-18 14:25 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\TCAdmin\Application Data\Intel
2008-03-18 09:54 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Webroot
2008-03-18 09:54 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\BaronB2.BFC\Application Data\Intel
2008-03-18 09:53 . 2008-03-18 16:12 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-18 09:49 . 2008-03-18 09:49 8 --a------ C:\WINDOWS\system32\success
2008-03-18 09:48 . 2008-03-18 09:48 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-03-18 09:48 . 2008-03-18 09:48 <DIR> d-------- C:\Program Files\Cisco Systems
2008-03-18 09:48 . 2003-10-17 16:42 268,360 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2008-03-18 09:48 . 2003-07-24 19:55 139,604 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2008-03-18 09:48 . 2003-10-17 16:43 139,096 --a------ C:\WINDOWS\system32\CSGina.dll
2008-03-18 09:48 . 2003-07-24 19:55 114,000 --a------ C:\WINDOWS\system32\dneinobj.dll
2008-03-18 09:48 . 2003-05-01 13:26 5,220 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2008-03-18 09:42 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-03-18 09:42 . 2008-03-13 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-03-17 16:20 . 2008-03-17 16:20 <DIR> d-------- C:\Program Files\River Past
2008-03-17 16:20 . 2008-03-17 16:20 <DIR> d-------- C:\Program Files\Common Files\River Past
2008-03-17 16:20 . 2008-03-17 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-03-17 16:20 . 2008-03-17 16:20 164,812 --a------ C:\WINDOWS\Screen Recorder Pro Uninstaller.exe
2008-03-15 15:28 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-15 15:28 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-15 14:11 . 2008-03-15 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Laconic Software
2008-03-15 09:51 . 2008-04-01 09:37 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-03-15 09:40 . 2008-03-15 09:40 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-15 09:33 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-03-15 09:33 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-03-14 16:42 . 2008-03-14 16:42 <DIR> d-------- C:\Program Files\CCleaner
2008-03-14 16:27 . 2008-03-15 15:27 512 --a------ C:\WINDOWS\randseed.rnd
2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
2008-03-14 16:25 . 2008-03-14 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-14 16:25 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2008-03-14 16:25 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2008-03-14 16:24 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Network Associates
2008-03-14 16:24 . 2008-03-14 16:25 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2008-03-14 16:20 . 2008-03-14 16:20 <DIR> d-------- C:\Program Files\BigFix Enterprise
2008-03-14 16:19 . 2008-03-14 16:19 <DIR> d-------- C:\Program Files\Webroot
2008-03-14 16:19 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-14 16:19 . 2008-03-14 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-14 16:01 . 2008-03-14 16:01 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-03-14 16:01 . 2004-03-22 17:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 14:11 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-14 18:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-13 20:37 5 ----a-w C:\WINDOWS\system32\drivers\DELL_LAT_D610.MRK
2008-03-13 20:37 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_LAT_D610.MRK
2008-03-13 20:36 --------- d-----w C:\Program Files\Dell
2008-03-13 20:27 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-13 20:04 --------- d-----w C:\Program Files\ATI Technologies
.

((((((((((((((((((((((((((((( [email protected]_ 7.33.01.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-03 14:11:28 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-04 12:34:23 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-03 14:11:28 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-04 12:34:23 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-05 14:34:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_344.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 12:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 12:17 970752]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 22:00 344064]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"DiskeeperSystray"="c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"WebrootClientUI"="c:\Program Files\Webroot\Client\SpySweeperUI.exe" [2007-10-25 09:24 414064]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06 136768]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2005-10-19 05:40 20531]
"C3"="c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe" [2007-09-14 03:12 2075136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
"EPM Agent"="c:\PROGRA~1\MOBILE~1\rstate.exe" [2006-01-10 01:52 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= C:\WINDOWS\ir50_32.dll
"msacm.ac3acm"= ac3acm.acm
"VIDC.wmv3"= wmv9vcm.dll
"vidc.GEOX"= C:\WINDOWS\system32\v8120\GeoCodec.dll
"vidc.GEOV"= C:\WINDOWS\system32\v8120\GeoCodec.dll
"vidc.GMP4"= C:\WINDOWS\system32\v8120\GXAMP4.dll
"vidc.GM40"= C:\WINDOWS\system32\v8120\GXAMP4.dll
"vidc.G264"= C:\WINDOWS\system32\v8120\GX264.dll
"msacm.geoadpcm"= C:\WINDOWS\system32\v8100\GeoADPCM.acm
"vidc.GM4H"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
"vidc.GM4S"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.MJPG"= C:\WINDOWS\m3jpeg32.dll
"vidc.dmb1"= C:\WINDOWS\m3jpeg32.dll
"vidc.GM20"= C:\WINDOWS\system32\v8120\GXGM20.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-370448265-1163341058-428892626-1181\Scripts\Logon\0\0]
"Script"=\\BFC.AD\SysVol\BFC.AD\scripts\Chicago_users.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" [2006-01-10 01:52]
R2 TiFiC System Service;TiFiC System Service;"C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe" [2007-08-28 05:07]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]

*Newly Created Service* - ENTDRV51
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 09:35:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\Program Files\Webroot\Client\commagent.exe
c:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\mobile automation\rsstatus.exe
.
**************************************************************************
.
Completion time: 2008-04-05 9:37:52 - machine was rebooted [baronb2]
ComboFix-quarantined-files.txt 2008-04-05 14:37:47
ComboFix2.txt 2008-04-04 12:33:30
Pre-Run: 58,645,016,576 bytes free
Post-Run: 56,443,514,880 bytes free
.
2008-03-18 20:30:53 --- E O F ---
------------------------------------------
MalwareByte Results

Malwarebytes' Anti-Malware 1.10
Database version: 593

Scan type: Full Scan (C:\|)
Objects scanned: 100009
Time elapsed: 34 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\afdcropu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bkqxujlt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vxaimayd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007776.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007777.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A54DEA9-8427-4B38-B5AE-B5DFBE8F6115}\RP62\A0007782.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
 

sy2

Thread Starter
Joined
Mar 24, 2005
Messages
2,845
And here's a fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25, on 2008-04-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\mobile automation\rstate.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
c:\Program Files\Webroot\Client\commagent.exe
c:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Webroot\Client\SpySweeperUI.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\TiFiC\TIFICC~1\c3.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\mobile automation\rsstatus.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\BaronB2.BFC\Desktop\HJT\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://citrix/Citrix/MetaFrame/auth/login.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "c:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WebrootClientUI] "c:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [C3] c:\PROGRA~1\TiFiC\TIFICC~1\c3.exe /DEFLANG English /SERVER bgcba0tific01.centerbeam.com /SYSTRAY /WAIT 60 /HIDE /ONLINECHECK
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://10.102.27.129/cab/OCXChecker_8120.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BFC.AD
O17 - HKLM\Software\..\Telephony: DomainName = BFC.AD
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BFC.AD
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BFC.AD
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - c:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\Common Files\TiFiC\TiFiC Client G1\TiFiC System Service.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - c:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11373 bytes
 
Joined
Aug 9, 2007
Messages
686
Step # 1: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

You must be using Internet Explorer, Kaspersky does not work with Firefox

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

    • Extended (if available otherwise Standard)
    • Scan Options:

    • Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan:

    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt


In your next post/reply, I need to see the following:

1. The Kaspersky results
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?

Use multiple posts if you can't fit everything into one post.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top