
Author Topic: unregistered files  (Read 26529 times)


bandalex

    Topic Starter


    Rookie

    • Experience: Experienced
    • OS: Windows XP
    unregistered files
    « on: July 21, 2011, 04:09:10 PM »
    Hi

    I posted a query in windows xp and was directed (by Allan, moderator) to run all the virus/malware etc checks I do out of habit.  Finally ran hijackthis(sniper) and now post the log for your observations.  I'm not a genius but since I'm not experiencing any operating problems other than the twice-appearing windows file protection message at startup I have to query that I have a virus.  Still, perhaps the log will reveal something.  Surely though it should be possible to find a simpler way to identify the unregistered files?

    Anyway, here's the log and I hope you can help.

    Thanks
    Alex

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 23:01:59, on 21/07/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17098)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
    C:\Program Files\Epson Software\Event Manager\EEventManager.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    R3 - URLSearchHook: Download Energy Toolbar - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\prxtbDow0.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Download Energy Toolbar - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\prxtbDow0.dll
    O3 - Toolbar: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
    O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe"
    O4 - HKLM\..\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON PX820FWD Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIGXE.EXE /FU "C:\WINDOWS\TEMP\E_S92.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-1157552183-2752306718-432289623-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User '?')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199112852312
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://uk.games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Google Update Service (gupdate1ca3dc146c6f28a) (gupdate1ca3dc146c6f28a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
    O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

    --
    End of file - 13253 bytes
    You can never have too much of what you don't need.

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: unregistered files
    « Reply #1 on: July 21, 2011, 04:53:41 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    ****************************************************
    At what point do you receive that message?

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O3 - Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot

    Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following. Please place a check mark next to this/these line/lines.
    O15 - Trusted Zone: http://*.mcafee.com

    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    *****************************************************
    Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

    • Open the folder and run Dial-a-fix.exe
    • 2 windows will open. Close the one in the background labeled Restrictive Policies
    • Check the box in section 1, Empty temp folders.
    • Check the box in section 2, Fix Windows Installer.
    • Check the box in section 3, Fix Windows Update.
    • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked.
    • Check all boxes in section 5, labeled Registration Center.
    • Click Go.
    • OK any error messages if received, but write them down and post them here.

    Restart the computer when done.
    Windows 8 and Windows 10 dual boot with two SSD's
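One way to mechanise the triage Dave does by hand in the reply above (an added example, not code from this thread or from HijackThis): a Python script that parses HJT entry lines and flags the three classes he checks, O3 toolbars whose DLL is "(no file)", O15 Trusted Zone sites, and O4 autostarts on a caller-supplied review list. The sample lines are copied from the log posted above; the function and class names are this example's own.

```python
"""Triage a HijackThis (HJT) v2.0.4 log for the entry classes acted on above.

Flagged:
  * O3 toolbar entries ending in "(no file)": the CLSID is still registered
    as a toolbar but its DLL is gone, so the entry is dead weight.
  * O15 Trusted Zone entries: sites exempt from IE's normal zone security.
  * O4 autostart entries whose [name] is on a caller-supplied review list.
Function and class names are this example's own, not HijackThis's.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted earlier in this thread,
# plus a header line and one process-list line to show they are skipped.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
"""

# Every HJT entry line starts with a section code (R0-R3, F0-F3, O1-O24) then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")


@dataclass
class Finding:
    kind: str      # HJT section code, e.g. "O3"
    reason: str    # why the line was flagged
    line: str      # the original log line, ready to paste into a reply


def parse_entries(log_text):
    """Yield (kind, body, raw_line) for each entry line; header and process list are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("kind"), m.group("body"), raw


def triage(log_text, unwanted_run_names=()):
    """Return the list of Findings for one log, in log order."""
    findings = []
    for kind, body, raw in parse_entries(log_text):
        if kind == "O3" and body.endswith("(no file)"):
            findings.append(Finding(kind, "orphaned toolbar: CLSID registered but DLL missing", raw))
        elif kind == "O15" and body.startswith("Trusted Zone:"):
            findings.append(Finding(kind, "site in IE Trusted Zone (lowest security zone)", raw))
        elif kind == "O4":
            m = RUN_NAME_RE.search(body)
            if m and m.group("name") in unwanted_run_names:
                findings.append(Finding(kind, "autostart on the review list", raw))
    return findings


def orphaned_clsids(findings):
    """CLSIDs of the orphaned O3 entries, i.e. the registrations a fix would remove."""
    return [CLSID_RE.search(f.line).group(0) for f in findings if f.kind == "O3"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, unwanted_run_names=("TkBellExe",)):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
```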

    bandalex

      Topic Starter


      Rookie

      • Experience: Experienced
      • OS: Windows XP
      Re: unregistered files
      « Reply #2 on: July 21, 2011, 06:13:03 PM »
      Hi guys

      First of all, thanks for the help so far but I'm sorry to report that on restart I'm still getting the Windows File Protection box - once early on in the startup and once more near the end. 

      Have you any other suggestions or do I have to go through the whole time-consuming business again?

      And, is it possible to simply identify the unregistered files or not? - please try to answer my questions - I'd appreciate it very much.

      Alex


      bandalex

        Topic Starter


        Rookie

        • Experience: Experienced
        • OS: Windows XP
        Re: unregistered files
        « Reply #3 on: July 22, 2011, 04:14:09 AM »
        Just an additional observation.  I noticed the message appeared both times on startup this morning (UK time) when it was reading (or attempting to read) the e: drive (CDRom).  Don't know if that's helpful or not.

        Alex

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: unregistered files
        « Reply #4 on: July 22, 2011, 01:31:18 PM »
        Quote
        I noticed the message appeared both times on startup this morning (UK time) when it was reading (or attempting to read) the e: drive (CDRom). 
        Is there any disk in that drive?
        I don't know too much about this Windows File Protection problem.
        Here is one site that may help.
        Another site here.

        bandalex

          Topic Starter


          Rookie

          • Experience: Experienced
          • OS: Windows XP
          Re: unregistered files
          « Reply #5 on: July 22, 2011, 03:04:34 PM »
          Yes, there is usually a games disk (GTA or EA Sports Golf for example).  I'll start up without the disk and see if I still get the message and let you know. 
          You don't seem to be alone in not knowing much about this problem.  All I really want to know is how to identify the faulty .dll or .osx file(s) so I can either replace or register them and I've found nothing to be of much help so far.  I really don't think I have a virus - I run all the malware/antivirus/cleaners etc on a regular basis as well as having McAfee on top (no sour comments on that please!) and apart from a couple of medium risk alerts most of the problems are minor cookie trackers and the like. 

          If you find anything more I'd be grateful.  I'm not able to understand Microsoft speak too well, partly because I'm a skilled user but not a techie and partly because they require a level of knowledge somewhat higher than I have!

          Thanks for your efforts so far.

          Alex

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: unregistered files
          « Reply #6 on: July 22, 2011, 06:15:21 PM »
          Please try this even if you don't have the OS disk

          Place it in your CD ROM drive and follow the instructions below:
          • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
          • Let this run undisturbed until the window with the blue progress bar goes away
          SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

          bandalex

            Topic Starter


            Rookie

            • Experience: Experienced
            • OS: Windows XP
            Re: unregistered files
            « Reply #7 on: July 23, 2011, 07:08:11 AM »
            Thanks Super Dave

            This last looks like it might have worked - at least when restarting there were no nasty little boxes.  Before I mark it solved I'll wait until a cold start to confirm the fix.

            BTW, presuming by your avatar you're in Canada just a byline to say my big sis has been over there for the last 45 years - first in Vancouver then Calgary for last 15 years or so.

            Alex

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: unregistered files
            « Reply #8 on: July 23, 2011, 01:13:43 PM »
            Quote
            BTW, presuming by your avatar you're in Canada just a byline to say my big sis has been over there for the last 45 years - first in Vancouver then Calgary for last 15 years or so.
            That's on the other side of the country from where I live on the east coast.

            bandalex

              Topic Starter


              Rookie

              • Experience: Experienced
              • OS: Windows XP
              Re: unregistered files
              « Reply #9 on: July 24, 2011, 04:09:04 AM »
              Such a big country - like I'm in Yorkshire and a similar distance would take me to Morocco!

              Anyhoo, switched on half n hour ago and, guess what, the *censored* boxes appeared again?

              What next Dave? (or should I just put up with the message as a minor irritation?)

              Alex


              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: unregistered files
              « Reply #10 on: July 24, 2011, 04:25:55 PM »
              When you tried SFC the first time, did it request that you insert the OS disk?

              bandalex

                Topic Starter


                Rookie

                • Experience: Experienced
                • OS: Windows XP
                Re: unregistered files
                « Reply #11 on: July 24, 2011, 04:45:45 PM »
                No, it ran but stopped a couple of times with the same File Protection Message appearing.  Once cleared it seemed to run quite happily.

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: unregistered files
                « Reply #12 on: July 24, 2011, 07:09:33 PM »
                Ok. Let's run a few more scans just to make sure that your computer is clean.

                Please download ComboFix from BleepingComputer.com

                Alternate link: GeeksToGo.com

                and save it to your Desktop.
                It would be easiest to download using Internet Explorer.
                If you insist on using Firefox, make sure that your download settings are as follows:

                * Tools->Options->Main tab
                * Set to "Always ask me where to Save the files".

                Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
                Double click ComboFix.exe & follow the prompts.
                As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
                Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

                Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

                Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


                Click on Yes, to continue scanning for malware.
                When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

                If you have problems with ComboFix usage, see How to use ComboFix

                bandalex

                  Topic Starter


                  Rookie

                  • Experience: Experienced
                  • OS: Windows XP
                  Re: unregistered files
                  « Reply #13 on: July 25, 2011, 03:44:16 AM »
                  Okay, done - here's the log:

                  ComboFix 11-07-24.03 - HP_Owner 25/07/2011   9:59.1.2 - x86
                  Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
                   * Created a new restore point
                   * Resident AV is active
                  .
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  c:\documents and settings\Default User\WINDOWS
                  c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\extensions\{73e1e35c-27c2-44c5-90fa-cf9da6cbfec3}
                  c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\extensions\{73e1e35c-27c2-44c5-90fa-cf9da6cbfec3}\chrome\xulcache.jar
                  c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\extensions\{73e1e35c-27c2-44c5-90fa-cf9da6cbfec3}\defaults\preferences\xulcache.js
                  c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\extensions\{73e1e35c-27c2-44c5-90fa-cf9da6cbfec3}\install.rdf
                  c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\extensions\{b9452a5b-916c-404f-8479-850185ae13bc}
                  c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\extensions\{b9452a5b-916c-404f-8479-850185ae13bc}\chrome\xulcache.jar
                  c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\extensions\{b9452a5b-916c-404f-8479-850185ae13bc}\defaults\preferences\xulcache.js
                  c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\extensions\{b9452a5b-916c-404f-8479-850185ae13bc}\install.rdf
                  c:\documents and settings\HP_Owner\Application Data\PriceGong
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\1.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\a.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\b.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\c.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\d.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\e.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\f.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\g.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\h.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\i.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\J.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\k.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\l.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\m.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\mru.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\n.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\o.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\p.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\q.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\r.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\s.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\t.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\u.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\v.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\w.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\x.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\y.xml
                  c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\z.xml
                  c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc17.tmp
                  c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1B.tmp
                  c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccD.tmp
                  c:\documents and settings\HP_Owner\WINDOWS
                  c:\documents and settings\Sauerbraten\uninstall.exe
                  c:\program files\INSTALL.PIF
                  c:\windows\system32\config\systemprofile\WINDOWS
                  D:\Autorun.inf
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  -------\Legacy_USNJSVC
                  -------\Service_usnjsvc
                  .
                  .
                  (((((((((((((((((((((((((   Files Created from 2011-06-25 to 2011-07-25  )))))))))))))))))))))))))))))))
                  .
                  .
                  2011-07-21 23:53 . 2011-07-21 23:53   --------   d-----w-   c:\program files\Dial-a-fix-v0.60.0.24
                  2011-07-21 21:58 . 2011-07-21 21:58   388096   ----a-r-   c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                  2011-07-21 21:58 . 2011-07-21 21:58   --------   d-----w-   c:\program files\Trend Micro
                  2011-07-21 21:50 . 2011-07-21 21:50   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                  2011-07-12 14:52 . 2007-04-10 02:06   8192   ----a-w-   c:\windows\system32\E_DCINST.DLL
                  2011-07-12 14:51 . 2009-10-01 04:01   63488   ----a-w-   c:\windows\system32\E_FD4BGXE.DLL
                  2011-07-12 14:51 . 2008-11-12 03:00   93696   ----a-w-   c:\windows\system32\E_FLBGXE.DLL
                  2011-07-12 14:46 . 2011-07-12 14:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\UDL
                  2011-07-12 14:39 . 2011-07-13 08:25   --------   d-----w-   c:\documents and settings\HP_Owner\Application Data\Epson
                  2011-07-12 14:38 . 2011-07-12 14:44   --------   d-----w-   c:\program files\Epson Software
                  2011-07-12 14:38 . 2010-09-13 14:01   458129   ----a-w-   c:\windows\system32\ensppui.dll
                  2011-07-12 14:38 . 2010-09-13 14:00   475410   ----a-w-   c:\windows\system32\ensppmon.dll
                  2011-07-12 14:38 . 2008-06-18 10:49   249344   ----a-w-   c:\windows\system32\enspres.dll
                  2011-07-12 14:38 . 2010-09-13 14:01   458129   ----a-w-   c:\windows\system32\enppui.dll
                  2011-07-12 14:38 . 2010-09-13 14:00   475410   ----a-w-   c:\windows\system32\enppmon.dll
                  2011-07-12 14:38 . 2008-06-18 10:49   249344   ----a-w-   c:\windows\system32\enpres.dll
                  2011-07-12 14:38 . 2011-07-12 14:38   --------   d-----w-   c:\documents and settings\HP_Owner\Application Data\InstallShield
                  2011-07-12 14:36 . 2011-07-12 14:38   --------   d-----w-   c:\program files\EpsonNet
                  2011-07-12 14:34 . 2011-07-12 14:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\EPSON
                  2011-07-12 14:34 . 2009-10-15 23:00   132560   ----a-w-   c:\windows\system32\esdevapp.exe
                  2011-07-12 14:34 . 2009-10-15 23:00   12800   ----a-w-   c:\windows\system32\escdev.dll
                  2011-07-12 14:34 . 2009-09-16 23:00   342016   ----a-w-   c:\windows\system32\eswiaud.dll
                  2011-07-07 14:35 . 2011-07-06 18:52   41272   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2011-07-07 14:34 . 2011-07-06 18:52   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2011-07-07 14:34 . 2011-07-17 08:19   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2011-07-03 13:50 . 2011-07-03 15:19   --------   d-----w-   C:\Games
                  2011-06-30 11:04 . 2011-02-11 13:25   229888   ----a-w-   c:\windows\system32\fxscover.exe
                  2011-06-30 10:49 . 2011-07-01 20:16   --------   d-----w-   c:\documents and settings\HP_Owner\Application Data\Audacity
                  2011-06-29 09:24 . 2008-04-13 17:36   10240   ----a-w-   c:\windows\system32\dllcache\compbatt.sys
                  2011-06-29 09:15 . 2001-08-17 12:51   13824   ----a-w-   c:\windows\system32\dllcache\bulltlp3.sys
                  2011-06-29 09:14 . 2008-04-13 17:46   13696   ----a-w-   c:\windows\system32\dllcache\avcstrm.sys
                  2011-06-29 09:13 . 2001-08-17 21:36   462848   ----a-w-   c:\windows\system32\dllcache\a3dapi.dll
                  2011-06-29 09:13 . 2001-08-17 12:52   23552   ----a-w-   c:\windows\system32\dllcache\abp480n5.sys
                  2011-06-29 09:13 . 2001-08-17 21:36   98304   ----a-w-   c:\windows\system32\dllcache\a3d.dll
                  2011-06-29 09:13 . 2001-08-17 13:55   38400   ----a-w-   c:\windows\system32\dllcache\8514a.dll
                  2011-06-29 09:13 . 2008-04-13 17:46   48128   ----a-w-   c:\windows\system32\dllcache\61883.sys
                  2011-06-29 09:13 . 2008-04-13 17:40   12288   ----a-w-   c:\windows\system32\dllcache\4mmdat.sys
                  2011-06-29 09:13 . 2001-08-17 13:55   689216   ----a-w-   c:\windows\system32\dllcache\3dfxvs.dll
                  2011-06-29 09:13 . 2001-08-17 12:28   762780   ----a-w-   c:\windows\system32\dllcache\3cwmcru.sys
                  2011-06-29 09:13 . 2001-08-17 11:48   148352   ----a-w-   c:\windows\system32\dllcache\3dfxvsm.sys
                  2011-06-29 09:13 . 2001-08-17 13:06   11264   ----a-w-   c:\windows\system32\dllcache\1394vdbg.sys
                  2011-06-28 17:52 . 2011-06-28 17:52   --------   d-----w-   c:\documents and settings\HP_Owner\Application Data\Unity
                  2011-06-28 17:43 . 2011-06-28 17:43   --------   d-----w-   c:\documents and settings\HP_Owner\Local Settings\Application Data\Unity
                  2011-06-27 16:09 . 2011-06-30 10:49   --------   d-----w-   c:\program files\Audacity 1.3 Beta (Unicode)
                  2011-06-25 18:10 . 2011-06-25 18:10   --------   d-----w-   C:\Nexon
                  2011-06-25 18:10 . 2011-06-25 18:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\NexonEU
                  .
                  .
                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2011-07-21 21:50 . 2010-04-27 14:54   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                  2011-06-22 17:10 . 2011-06-22 17:10   25992   ----a-w-   c:\windows\system32\pgdfgsvc.exe
                  2011-06-19 10:32 . 2011-05-15 08:29   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                  2011-06-02 14:02 . 2004-08-04 11:00   1858944   ----a-w-   c:\windows\system32\win32k.sys
                  2011-05-17 14:55 . 2010-12-07 01:31   0   ----a-w-   c:\windows\system32\ConduitEngine.tmp
                  2011-05-14 18:22 . 2011-05-14 18:22   53248   ----a-r-   c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
                  2011-05-02 15:31 . 2004-08-04 11:00   692736   ----a-w-   c:\windows\system32\inetcomm.dll
                  2011-04-29 17:25 . 2004-08-04 11:00   151552   ----a-w-   c:\windows\system32\schannel.dll
                  2011-04-29 16:19 . 2004-08-04 11:00   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
                  2011-04-26 11:07 . 2004-08-04 11:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
                  2011-04-26 11:07 . 2004-08-04 11:00   293376   ----a-w-   c:\windows\system32\winsrv.dll
                  2010-06-07 15:16 . 2010-08-11 09:14   3887480   ----a-w-   c:\program files\procexp.exe
                  2009-12-01 10:53 . 2010-02-20 22:05   559992   ----a-w-   c:\program files\autorunsc.exe
                  2009-11-24 13:15 . 2009-11-24 13:22   18665720   ----a-w-   c:\program files\LimeWireWin.exe
                  2009-07-10 00:20 . 2009-07-10 00:19   347928562   ----a-w-   c:\program files\sauerbraten_2009_05_04_trooper_edition_win32_setup.exe
                  2009-06-11 22:46 . 2009-07-07 12:05   172032   ----a-w-   c:\program files\libpng13.dll
                  2009-04-12 19:22 . 2009-04-12 19:22   6237728   ----a-w-   c:\program files\SUPERAntiSpyware.exe
                  2009-03-20 12:20 . 2009-03-20 12:20   573   ----a-w-   c:\program files\xp_system32opens.vbs
                  2009-03-12 19:17 . 2009-09-30 11:27   5486113   ----a-w-   c:\program files\DarkWave-Studio-2.4.exe
                  2009-03-12 15:43 . 2009-03-12 15:43   1971378   ----a-w-   c:\program files\SetupImgBurn_2.4.2.0.exe
                  2009-02-22 21:35 . 2009-02-22 21:35   3171208   ----a-w-   c:\program files\ccsetup216.exe
                  2009-02-21 13:50 . 2009-02-21 13:50   18638688   ----a-w-   c:\program files\sdsetup.exe
                  2009-02-01 15:28 . 2009-07-07 12:05   45056   ----a-w-   c:\program files\Launcher.exe
                  2009-01-30 18:13 . 2009-01-30 18:13   1053744   ----a-w-   c:\program files\revosetup.exe
                  2009-01-03 20:33 . 2009-01-03 20:33   6832928   ----a-w-   c:\program files\alzip.exe
                  2009-01-03 17:40 . 2009-01-03 17:40   939698   ----a-w-   c:\program files\7z464.exe
                  2009-01-03 17:33 . 2009-01-03 17:33   8973608   ----a-w-   c:\program files\zg603sui.exe
                  2008-12-09 15:01 . 2008-12-09 15:01   4399029   ----a-w-   c:\program files\quickzip.exe
                  2008-11-19 17:48 . 2010-10-19 15:51   14709760   ----a-w-   c:\program files\ClassActionKillers.msi
                  2008-11-19 17:48 . 2010-10-19 15:51   370176   ----a-w-   c:\program files\setup.exe
                  2008-07-09 11:27 . 2008-07-09 11:27   820380   ----a-w-   c:\program files\audacity-win-1.2.6.exe
                  2004-03-18 18:36 . 2009-07-07 12:05   401484   ----a-w-   c:\program files\msvcrtd.dll
                  2011-06-22 14:57 . 2011-04-28 10:58   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
                  2011-04-14 13:01 . 2010-04-22 18:23   24376   ----a-w-   c:\program files\mozilla firefox\components\Scriptff.dll
                  2004-08-04 11:00   94784   --sha-w-   c:\windows\twain.dll
                  2008-04-14 00:12   50688   --sha-w-   c:\windows\twain_32.dll
                  2004-07-30 06:04   1216   --sha-w-   c:\windows\Twunk_16.dll
                  2004-07-30 06:04   1216   --sha-w-   c:\windows\Twunk_32.dll
                  2008-04-14 00:12   57344   --sha-w-   c:\windows\system32\msvcirt.dll
                  2008-04-14 00:12   413696   --sha-w-   c:\windows\system32\msvcp60.dll
                  2008-04-14 00:12   343040   --sha-w-   c:\windows\system32\msvcrt.dll
                  2011-02-08 13:33   978944   --sha-w-   c:\windows\system32\OLDCC.tmp
                  2010-12-20 17:32   551936   --sh--w-   c:\windows\system32\oleaut32.dll
                  2008-04-14 00:12   84992   --sh--w-   c:\windows\system32\olepro32.dll
                  2008-04-14 00:12   11776   --sh--w-   c:\windows\system32\regsvr32.exe
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4
                  .
                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
                  "{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\prxtbDow0.dll" [2011-01-17 175912]
                  .
                  [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
                  "{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\prxtbDow0.dll" [2011-01-17 175912]
                  "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
                  .
                  [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
                  .
                  [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
                  .
                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
                  "{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}"= "c:\program files\Download_Energy\prxtbDow0.dll" [2011-01-17 175912]
                  .
                  [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
                  .
                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-01 2424192]
                  "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "ftutil2"="ftutil2.dll" [2004-06-07 106496]
                  "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
                  "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
                  "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
                  "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
                  "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
                  "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-25 1306216]
                  "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-17 13529088]
                  "FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-02 847872]
                  "EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
                  "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-27 36975]
                  "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-12 273544]
                  .
                  c:\documents and settings\Default User\Start Menu\Programs\Startup\
                  Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-6-5 27136]
                  .
                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
                  .
                  c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
                  HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
                  .
                  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                  "NoDevMgrUpdate"= 0 (0x0)
                  .
                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2009-09-06 09:58   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
                  @=""
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                  @=""
                  .
                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
                  backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                  2009-04-02 15:11   342312   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                  "iPod Service"=3 (0x3)
                  "Apple Mobile Device"=2 (0x2)
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                  "AntiVirusOverride"=dword:00000001
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
                  "DisableMonitoring"=dword:00000001
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
                  "DisableMonitoring"=dword:00000001
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\Logitech\\Vid\\Vid.exe"=
                  "c:\\Program Files\\FrostWire\\FrostWire.exe"=
                  "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
                  .
                  R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys

                  R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys

                  R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                  R2 gupdate1ca3dc146c6f28a;Google Update Service (gupdate1ca3dc146c6f28a);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-25 133104]
                  R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-06-08 73728]
                  R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys

                  R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-25 133104]
                  R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
                  R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2011-03-13 83688]
                  R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-13 85984]
                  R3 RTPP2K;RTPP2K;c:\windows\system32\DRIVERS\rtpp2k.sys [2001-04-30 87374]
                  R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-18 12872]
                  R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys

                  R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                  S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-03-13 89368]
                  S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-18 12872]
                  S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-05-26 67656]
                  S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2011-07-22 3029208]
                  S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\Drivers\LBeepKE.sys [2010-08-24 10448]
                  S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
                  S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
                  S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 214904]
                  S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-03-13 159832]
                  S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-03-13 148520]
                  S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-04-01 428640]
                  S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-03-13 57432]
                  S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-03-13 337912]
                  S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2011-03-13 83688]
                  .
                  .
                  --- Other Services/Drivers In Memory ---
                  .
                  *Deregistered* - mfeavfk01
                  .
                  Contents of the 'Scheduled Tasks' folder
                  .
                  2009-06-18 c:\windows\Tasks\Easy Internet Sign-up.job
                  - c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-08 18:23]
                  .
                  2011-07-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1157552183-2752306718-432289623-1008.job
                  - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
                  .
                  2011-07-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1157552183-2752306718-432289623-1008.job
                  - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
                  .
                  2011-03-21 c:\windows\Tasks\wavepadShakeIcon.job
                  - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-03-18 13:53]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uInternet Settings,ProxyOverride = *.local
                  uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  Trusted Zone: internet
                  Trusted Zone: mcafee.com
                  TCP: DhcpNameServer = 192.168.1.254
                  FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jvo1qb88.default\
                  FF - prefs.js: browser.search.selectedEngine - Google
                  FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?hl=en&source=hp&btnG=Google+Search
                  FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
                  .
                  - - - - ORPHANS REMOVED - - - -
                  .
                  WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
                  HKLM-Run-PCDrProfiler - (no file)
                  SafeBoot-Wdf01000.sys
                  AddRemove-Sauerbraten - c:\documents and settings\Sauerbraten\uninstall.exe
                  .
                  .
                  .
                  **************************************************************************
                  .
                  disk not found C:\
                  .
                  please note that you need administrator rights to perform deep scan
                  scanning hidden processes ... 
                  .
                  scanning hidden autostart entries ...
                  .
                  scanning hidden files ... 
                  .
                  scan completed successfully
                  hidden files:
                  .
                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------
                  .
                  - - - - - - - > 'winlogon.exe'(532)
                  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  c:\windows\system32\WININET.dll
                  c:\windows\system32\Ati2evxx.dll
                  .
                  - - - - - - - > 'explorer.exe'(2088)
                  c:\windows\system32\WININET.dll
                  c:\progra~1\mcafee\SITEAD~1\saHook.dll
                  c:\program files\Windows Media Player\wmpband.dll
                  c:\windows\system32\ieframe.dll
                  c:\windows\system32\WPDShServiceObj.dll
                  c:\windows\system32\PortableDeviceTypes.dll
                  c:\windows\system32\PortableDeviceApi.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
                  c:\program files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
                  c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\program files\Common Files\LightScribe\LSSrvc.exe
                  c:\program files\Common Files\Motive\McciCMService.exe
                  c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                  c:\windows\system32\nvsvc32.exe
                  c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
                  c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
                  c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
                  c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
                  c:\windows\system32\rundll32.exe
                  c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
                  .
                  **************************************************************************
                  .
                  Completion time: 2011-07-25  10:36:32 - machine was rebooted
                  ComboFix-quarantined-files.txt  2011-07-25 09:36
                  .
                  Pre-Run: 93,165,621,248 bytes free
                  Post-Run: 92,944,678,912 bytes free
                  .
                  WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                  [boot loader]
                  timeout=2
                  default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                  [operating systems]
                  c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                  UnsupportedDebug="do not select this" /debug
                  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
                  .
                  - - End Of File - - 0415A439B65A3AE295F4D2ABBF72BDDC

                  Will now reboot clean and see what happens.
                  You can never have too much of what you don't need.
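The ComboFix log above is quoted tool output. As an added example, not part of this thread and not ComboFix's own code, the Python script below shows how a responder can parse the "Reg Loading Points" section into records and apply two checks that matter when reading such a log: Security Center values that tell Windows to stop reporting on antivirus/firewall state (the `AntiVirusOverride` and `DisableMonitoring` entries shown above), and autostart values that give only a bare file name rather than an absolute path (the `ftutil2` entry). The sample input is copied verbatim from the log above; the function and class names are my own and assumed.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the thread. It parses the REGEDIT4-style
autostart dump into records and applies two defender-side checks.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\prxtbDow0.dll" [2011-01-17 175912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\prxtbDow0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-01 2424192]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-25 1306216]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-12 273544]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
"""


@dataclass(frozen=True)
class LoadPoint:
    key: str    # registry key the value lives under
    name: str   # value name
    path: str   # module or command path as printed by ComboFix
    date: str   # file timestamp reported by ComboFix (YYYY-MM-DD)
    size: int   # file size in bytes


KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
FILE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"\s*'
                     r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9A-Fa-f]{8})$')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')

# Security Center value names that, when set to 1, suppress the built-in
# AV/firewall status reporting (AntiVirusOverride and DisableMonitoring
# appear in the log; FirewallOverride is the matching firewall value).
MONITORING_VALUES = {'AntiVirusOverride', 'FirewallOverride', 'DisableMonitoring'}


def parse_loading_points(text: str) -> Tuple[List[LoadPoint], Dict[Tuple[str, str], int]]:
    """Split the section into file-backed autostart values and DWORD settings."""
    points: List[LoadPoint] = []
    dwords: Dict[Tuple[str, str], int] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ('.', 'REGEDIT4'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key is None:
            continue
        m = FILE_RE.match(line)
        if m:
            points.append(LoadPoint(key, m['name'], m['path'], m['date'], int(m['size'])))
            continue
        m = DWORD_RE.match(line)
        if m:
            dwords[(key, m['name'])] = int(m['hex'], 16)
        # other value shapes (e.g. "Name"= 0 (0x0)) are not needed for this triage
    return points, dwords


def security_center_findings(dwords: Dict[Tuple[str, str], int]) -> List[str]:
    """Security Center values set to 1, i.e. monitoring of AV/firewall state is silenced."""
    return sorted(f'{k}\\{n}' for (k, n), v in dwords.items()
                  if 'security center' in k.lower() and n in MONITORING_VALUES and v == 1)


def relative_path_findings(points: List[LoadPoint]) -> List[LoadPoint]:
    """Autostart values whose path is not absolute: the log alone cannot confirm where the file lives."""
    return [p for p in points if not ABS_PATH_RE.match(p.path)]


def points_since(points: List[LoadPoint], date: str) -> List[LoadPoint]:
    """Autostart files with a timestamp on or after the given ISO date (string compare is safe for YYYY-MM-DD)."""
    return [p for p in points if p.date >= date]


def triage(text: str, since: str = '2011-06-01') -> dict:
    """Summarise the section for a reviewer: counts plus the three finding lists."""
    points, dwords = parse_loading_points(text)
    return {
        'entries': len(points),
        'security_center': security_center_findings(dwords),
        'relative_paths': [p.name for p in relative_path_findings(points)],
        'recent': [p.name for p in points_since(points, since)],
    }


if __name__ == '__main__':
    for label, value in triage(SAMPLE_LOG).items():
        print(f'{label}: {value}')
```

Run it as-is and it reports nine file-backed autostart values, three Security Center settings that disable monitoring, one value (`ftutil2`) with a bare file name, and the two entries timestamped inside the "Files Created" window of the log. To use it on another ComboFix log, pass the text between the "Reg Loading Points" banner and the first `R0`/`S1` driver line to `triage()`.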

                  SuperDave

                  • Malware Removal Specialist


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: unregistered files
                  « Reply #14 on: July 25, 2011, 06:00:43 PM »
                  Re-running ComboFix to remove infections:

                  • Close any open browsers.
                  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                  • Open notepad and copy/paste the text in the quotebox below into it:
                    Quote
                    KillAll::

                    DDS::
                    Trusted Zone: internet
                    Trusted Zone: mcafee.com

                  • Save this as CFScript.txt, in the same location as ComboFix.exe



                  • Referring to the picture above, drag CFScript into ComboFix.exe
                  • When finished, it shall produce a log for you at C:\ComboFix.txt
                  • I don't need to see the log from this script.
                  ***************************************************
                  P2P - I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.
                  FrostWire
                  Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                  I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                  ******************************************************
                  SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                  http://sites.google.com/site/sysprotantirootkit/

                  Unzip it into a folder on your desktop.
                  • Double click Sysprot.exe to start the program.
                  • Click on the Log tab.
                  • In the Write to log box select the following items.
                    • Process << Selected
                    • Kernel Modules << Selected
                    • SSDT << Selected
                    • Kernel Hooks << Selected
                    • IRP Hooks << NOT Selected
                    • Ports << NOT Selected
                    • Hidden Files << Selected
                  • At the bottom of the page
                    • Hidden Objects Only << Selected
                  • Click on the Create Log button on the bottom right.
                  • After a few seconds a new window should appear.
                  • Select Scan Root Drive. Click on the Start button.
                  • When it is complete a new window will appear to indicate that the scan is finished.
                  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
                  Windows 8 and Windows 10 dual boot with two SSD's