Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

« previous next »
Pages: [1]   Go Down

Author Topic: Virus Troubles  (Read 5533 times)

0 Members and 1 Guest are viewing this topic.

Brett999

    Topic Starter


    Greenhorn

    Virus Troubles
    « on: July 10, 2010, 09:08:34 PM »
    I am hoping someone here can help me with some major pc problems I am having.  I have a virus and cannot get rid of it.  I have followed all of the instructions listed in the what to do before you Post.  This has helped some, but still have issues with my pc.  As requested in the instructions, I am posting the logs for Super AntiSpyware, Malwarebytes and HJT.

    If someone could review these logs and advise as to next steps, I would very much appreciate it.  Thanks.

    Brett

    Super Anti Spyware Log:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/10/2010 at 09:31 PM

    Application Version : 4.40.1002

    Core Rules Database Version : 5181
    Trace Rules Database Version: 2993

    Scan type       : Complete Scan
    Total Scan Time : 02:02:55

    Memory items scanned      : 268
    Memory threats detected   : 0
    Registry items scanned    : 8428
    Registry threats detected : 4
    File items scanned        : 224829
    File threats detected     : 36

    Trojan.Agent/Gen-FakeAlert
       [phdbbjwa] C:\DOCUMENTS AND SETTINGS\HP_OWNER\LOCAL SETTINGS\APPLICATION DATA\ACAUWOIBC\DPFRQVQTSSD.EXE
       C:\DOCUMENTS AND SETTINGS\HP_OWNER\LOCAL SETTINGS\APPLICATION DATA\ACAUWOIBC\DPFRQVQTSSD.EXE
       [phdbbjwa] C:\DOCUMENTS AND SETTINGS\HP_OWNER\LOCAL SETTINGS\APPLICATION DATA\ACAUWOIBC\DPFRQVQTSSD.EXE
       C:\WINDOWS\Prefetch\DPFRQVQTSSD.EXE-0A33541B.pf

    Malware.Trace
       HKU\S-1-5-21-1572252950-3769495935-3230574001-1008\SOFTWARE\AVSUITE
       HKLM\SOFTWARE\AVSUITE

    Adware.Tracking Cookie
       media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\HYJL5MPV ]
       secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\HYJL5MPV ]
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@adtechus[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@adtech[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
       C:\Documents and Settings\NetworkService\Cookies\system@edgeadx[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@legolas-media[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[3].txt
       C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[3].txt
       C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@tacoda[2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt

    Rogue.Agent/Gen-Nullo[DLL]
       C:\WINDOWS\EGOFIKAV.DLL
       C:\WINDOWS\IBIJUYIB.DLL

    Malwarebytes Anti-Malware Log:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4301

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    7/10/2010 10:02:49 PM
    mbam-log-2010-07-10 (22-02-49).txt

    Scan type: Quick scan
    Objects scanned: 128837
    Time elapsed: 5 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 35
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.

    HJT Log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:45:43 PM, on 7/10/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ATT-SST\McciTrayApp.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\sniper.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
    O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
    O16 - DPF: Yahoo! Fleet - http://download2.games.yahoo.com/games/clients/y/fltt3_x.cab
    O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - http://coupons.smartsource.com/download/cscmv5X.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 11404 bytes


    Logged

    Dr Jay

    • Malware Removal Specialist


      • Specialist
    • Moderator emeritus
      • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: Virus Troubles
    « Reply #1 on: July 10, 2010, 09:11:30 PM »
    Hello, and welcome to Computer Hope.

    Please note the following information about the malware forum:
    • Only the Malware Specialist Team is allowed to give advice on removing malware from your computer.
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
    • Please do not attach logs or post them in Quote/Code boxes unless requested.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, reply to this topic with the word BUMP
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.
    Logged
    ~Dr Jay

    Brett999

      Topic Starter


      Greenhorn

      Re: Virus Troubles
      « Reply #2 on: July 10, 2010, 10:07:00 PM »
      Thank you for the reply.  I have run combofix as requested and my log is below.

      Combofix Log:
      ComboFix 10-07-10.01 - HP_Owner 07/10/2010  23:53:14.1.1 - x86
      Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.958.545 [GMT -4:00]
      Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
      AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\documents and settings\HP_Owner\Application Data\alot
      c:\documents and settings\HP_Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml
      c:\documents and settings\HP_Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_0\Button_0.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_0\Button_0.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_1\Button_1.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_1\Button_1.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_10\Button_10.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_10\Button_10.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_11\Button_11.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_11\Button_11.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_2\Button_2.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_2\Button_2.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_3\Button_3.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_3\Button_3.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_4\Button_4.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_4\Button_4.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_5\Button_5.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_5\Button_5.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_6\Button_6.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_6\Button_6.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_7\Button_7.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_7\Button_7.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_8\Button_8.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_8\Button_8.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Button_9\Button_9.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Button_9\Button_9.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\configurator\configurator.xml
      c:\documents and settings\HP_Owner\Application Data\alot\configurator\configurator.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml
      c:\documents and settings\HP_Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml
      c:\documents and settings\HP_Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\products\products.xml
      c:\documents and settings\HP_Owner\Application Data\alot\products\products.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_2\images\default_296_alot_hea_heasearch.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_3\images\active_default_297_alot_hea_news.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_3\images\default_297_alot_hea_news.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_4\images\default_298_alot_hea_fitness.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_5\images\default_299_alot_mrkt_firstaid.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_5\images\default_299_alot_mrkt_readers_digest3.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_5\images\default_299_alot_mrkt_readersdigestorange.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\default_452_alot_mrkt_180.bmp
      c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\alot_brand.png
      c:\documents and settings\HP_Owner\Application Data\alot\TimerManager\TimerManager.xml
      c:\documents and settings\HP_Owner\Application Data\alot\TimerManager\TimerManager.xml.backup
      c:\documents and settings\HP_Owner\Application Data\alot\toolbar.xml
      c:\documents and settings\HP_Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Updater\Updater.xml
      c:\documents and settings\HP_Owner\Application Data\alot\Updater\Updater.xml.backup
      c:\windows\uninstal.BAT
      D:\Autorun.inf

      Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
      Restored copy from - Kitty had a snack :p
      .
      (((((((((((((((((((((((((   Files Created from 2010-06-11 to 2010-07-11  )))))))))))))))))))))))))))))))
      .

      2010-07-11 02:43 . 2010-07-11 02:43   388096   ----a-r-   c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
      2010-07-11 02:43 . 2010-07-11 02:43   --------   d-----w-   c:\program files\Trend Micro
      2010-07-11 01:55 . 2010-07-11 01:55   --------   d-----w-   c:\documents and settings\HP_Owner\Application Data\Malwarebytes
      2010-07-11 01:54 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-07-11 01:54 . 2010-07-11 01:54   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-07-11 01:54 . 2010-07-11 01:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-07-11 01:54 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-07-10 23:16 . 2010-07-10 23:16   --------   d-----w-   c:\program files\CCleaner
      2010-07-09 23:39 . 2010-07-11 02:00   664   ----a-w-   c:\windows\system32\d3d9caps.dat
      2010-07-09 15:38 . 2010-07-11 01:50   --------   d-----w-   c:\documents and settings\HP_Owner\Local Settings\Application Data\acauwoibc
      2010-07-04 20:35 . 2010-07-04 20:35   --------   d-----w-   c:\documents and settings\HP_Owner\Local Settings\Application Data\PCHealth

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-07-11 02:29 . 2008-01-25 19:27   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
      2010-07-11 02:27 . 2008-02-05 01:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
      2010-07-10 23:26 . 2010-05-09 16:07   63488   ----a-w-   c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
      2010-07-10 23:26 . 2010-05-01 19:52   117760   ----a-w-   c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2010-07-08 13:01 . 2007-07-15 18:16   --------   d-----w-   c:\program files\Diablo II
      2010-07-04 20:36 . 2009-12-25 15:06   --------   d-----w-   c:\program files\Microsoft Security Essentials
      2010-07-04 17:42 . 2009-12-30 23:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-06-18 00:13 . 2010-01-02 01:29   --------   d-----w-   c:\program files\Steam
      2010-06-06 20:05 . 2010-03-23 13:26   --------   d-----w-   c:\program files\Microsoft Silverlight
      2010-06-01 17:37 . 2009-12-25 15:12   221568   ------w-   c:\windows\system32\MpSigStub.exe
      2010-05-15 15:56 . 2008-02-05 01:43   --------   d-----w-   c:\program files\Google
      2010-05-06 10:41 . 2004-08-04 04:00   916480   ----a-w-   c:\windows\system32\wininet.dll
      2010-05-02 05:22 . 2004-08-04 04:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
      2010-05-01 19:52 . 2010-05-01 19:52   52224   ----a-w-   c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
      2010-04-20 05:30 . 2004-08-04 04:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
      2010-02-04 21:50   1197448   ----a-w-   c:\program files\Ask.com\GenericAskToolbar.dll

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

      [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
      [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
      [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
      [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

      [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
      [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
      [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
      [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-05 68856]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-28 221184]
      "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
      "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
      "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
      "RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-02-10 136744]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
      @="Service"

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
      backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
      backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^forteManager.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\forteManager.lnk
      backup=c:\windows\pss\forteManager.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
      backup=c:\windows\pss\Google Updater.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
      backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
      backup=c:\windows\pss\Updates From HP.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
      backup=c:\windows\pss\VPN Client.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
      backup=c:\windows\pss\ymetray.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
      path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
      backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

      [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Office Startup.lnk]
      path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\Office Startup.lnk
      backup=c:\windows\pss\Office Startup.lnkStartup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
      c:\windows\system32\dumprep 0 -u [X]

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
      2009-02-27 22:10   35696   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
      2006-02-19 07:41   49152   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
      2006-02-15 23:34   249856   ----a-w-   c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
      2006-11-22 01:09   842584   ----a-w-   c:\program files\Microsoft IntelliPoint\ipoint.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
      2009-07-17 15:12   288080   ----a-w-   c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
      2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
      2009-12-09 01:29   240992   ----a-w-   c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
      2010-06-01 18:53   1093208   ----a-w-   c:\program files\Microsoft Security Essentials\msseces.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
      2006-05-09 15:50   7311360   ----a-w-   c:\windows\system32\nvcpl.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
      2006-05-09 15:50   1519616   ----a-w-   c:\windows\system32\nwiz.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
      2005-07-22 23:14   237568   ----a-w-   c:\windows\SMINST\Recguard.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
      2006-06-13 20:05   16239616   ----a-w-   c:\windows\RTHDCPL.EXE

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
      2010-05-31 23:13   1238352   ----a-w-   c:\program files\Steam\Steam.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
      2009-05-21 15:34   148888   ----a-w-   c:\program files\Java\jre6\bin\jusched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
      2008-02-05 01:44   68856   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
      2010-02-10 00:40   198160   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
      2007-10-26 20:42   509224   ----a-w-   c:\progra~1\Yahoo!\YOP\yop.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "WebClient"=2 (0x2)
      "upnphost"=3 (0x3)
      "SSDPSRV"=3 (0x3)
      "RDSessMgr"=3 (0x3)
      "RSVP"=3 (0x3)
      "Netlogon"=3 (0x3)
      "CiSvc"=3 (0x3)
      "FastUserSwitchingCompatibility"=3 (0x3)
      "AppMgmt"=3 (0x3)

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=
      "c:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe"=
      "c:\\Program Files\\PopCap Games\\BookWorm Deluxe\\BookWorm.exe"=
      "c:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe"=
      "c:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"=
      "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
      "c:\\Program Files\\Yahoo! Games\\Blackhawk Striker 2\\Blackhawk2.exe"=
      "c:\\Program Files\\Yahoo! Games\\Word Whomp To Go\\WordWhompToGo.exe"=
      "c:\\Program Files\\Yahoo! Games\\Blasterball 2 Remix\\bb2remix.exe"=
      "c:\\Program Files\\WildTangent\\Blasterball 2\\BB2.exe"=
      "c:\\Program Files\\Yahoo! Games\\Yahoo! Ten Pin Championship Bowling\\Yahoo Ten Pin Championship Bowling.exe"=
      "c:\\Program Files\\Yahoo! Games\\BeTrapped!\\BeTrapped.exe"=
      "c:\\Program Files\\Alphaqueue\\alphaqueue.exe"=
      "c:\\Program Files\\GameHouse\\Ricochet\\Ricochet.exe"=
      "c:\\Program Files\\Yahoo! Games\\FiberTwig\\FiberTwig.exe"=
      "c:\\Program Files\\Yahoo! Games\\Rock N Rockets\\RocksAndRockets.exe"=
      "c:\\Program Files\\Yahoo! Games\\Phoenix Assault\\Phoenix.exe"=
      "c:\\Program Files\\PopCap Games\\Rocket Mania Deluxe\\RocketMania.exe"=
      "c:\\Program Files\\GameHouse\\CollapseCrunch\\Collapse3.exe"=
      "c:\\Program Files\\Yahoo! Games\\Shroomz\\Shroomz.exe"=
      "c:\\Program Files\\GameHouse\\Combo Chaos\\ComboChaos.exe"=
      "c:\\Program Files\\Yahoo! Games\\AstroPop Deluxe\\WinAP.exe"=
      "c:\\Program Files\\Yahoo! Games\\Poppit To Go\\PoppitToGo.exe"=
      "c:\\Program Files\\GameHouse\\FeedingFrenzy\\FeedingFrenzy.exe"=
      "c:\\Program Files\\Charlie's Angels Angel X\\Charlie's Angels Angel X.exe"=
      "c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
      "c:\\Program Files\\Serious Sam 2\\Bin\\Sam2.exe"=
      "c:\\Program Files\\Marble Blast Gold\\MarbleBlast.exe"=
      "c:\\Program Files\\GameHouse\\Glinx\\Glinx.exe"=
      "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
      "c:\\Program Files\\Steam\\Steam.exe"=
      "c:\\Program Files\\Steam\\steamapps\\byy230\\deathmatch classic\\hl.exe"=
      "c:\\Program Files\\Steam\\steamapps\\byy230\\opposing force\\hl.exe"=
      "c:\\Program Files\\Steam\\steamapps\\byy230\\ricochet\\hl.exe"=
      "c:\\Program Files\\Steam\\steamapps\\byy230\\half-life blue shift\\hl.exe"=
      "c:\\Program Files\\Steam\\steamapps\\byy230\\day of defeat\\hl.exe"=
      "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
      "c:\\WINDOWS\\system32\\dpvsetup.exe"=
      "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
      "c:\\Program Files\\Steam\\steamapps\\byy230\\half-life\\hl.exe"=

      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 67656]
      S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2009 2:34 PM 135664]
      S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [11/22/2009 3:54 PM 14336]
      S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [11/22/2009 3:54 PM 18432]

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
      2009-03-08 09:32   128512   ----a-w-   c:\windows\system32\advpack.dll
      .
      Contents of the 'Scheduled Tasks' folder

      2010-07-11 c:\windows\Tasks\Google Software Updater.job
      - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-05 15:07]

      2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 18:34]

      2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 18:34]

      2010-07-11 c:\windows\Tasks\MP Scheduled Scan.job
      - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

      2010-07-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
      - c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]

      2010-07-11 c:\windows\Tasks\User_Feed_Synchronization-{1F9DCC05-B308-4D50-8D57-5EF9DC013732}.job
      - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
      .
      .
      ------- Supplementary Scan -------
      .
      uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
      uStart Page = hxxp://www.att.net
      uInternet Connection Wizard,ShellNext = iexplore
      uInternet Settings,ProxyOverride = <local>
      uInternet Settings,ProxyServer = http=127.0.0.1:5577
      uSearchURL,(Default) = hxxp://search.yahoo.com
      IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
      IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
      Trusted Zone: ccf.org\mail
      Trusted Zone: internet
      Trusted Zone: mcafee.com
      DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
      .
      - - - - ORPHANS REMOVED - - - -

      BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
      SafeBoot-MCODS
      MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
      MSConfigStartUp-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
      MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
      MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
      MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
      MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
      MSConfigStartUp-McENUI - c:\progra~1\McAfee\MHN\McENUI.exe
      MSConfigStartUp-Motive SmartBridge - c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
      MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
      MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
      MSConfigStartUp-osCheck - c:\progra~1\Symantec\osCheck.exe
      MSConfigStartUp-SiteAdvisor - c:\program files\SiteAdvisor\6172\SiteAdv.exe
      MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
      MSConfigStartUp-Win32 LanMgr - c:\windows\system32\netspool.exe
      MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
      MSConfigStartUp-Windows Update - c:\program files\Common Files\System\SystemUpgrade.exe
      MSConfigStartUp-WindowsSystem32 - c:\program files\Common Files\System\hs32.exe
      MSConfigStartUp-YBrowser - c:\progra~1\Yahoo!\browser\ybrwicon.exe
      AddRemove-HP Solution Center & Imaging Support Tools - c:\program files\HP\Digital Imaging\eSupport\hpzscr01.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-07-11 00:01
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
      "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
         00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
      @DACL=(02 0000)
      "Installed"="1"
      @=""

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
      @DACL=(02 0000)
      "NoChange"="1"
      "Installed"="1"
      @=""

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
      @DACL=(02 0000)
      "Installed"="1"
      @=""
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(968)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\WININET.dll
      .
      Completion time: 2010-07-11  00:04:13
      ComboFix-quarantined-files.txt  2010-07-11 04:04

      Pre-Run: 62,592,495,616 bytes free
      Post-Run: 62,626,213,888 bytes free

      WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

      - - End Of File - - 4E36B903196D2326F77202D944159E7B
      Logged

      Dr Jay

      • Malware Removal Specialist


        • Specialist
      • Moderator emeritus
        • Thanked: 119
      • Experience: Guru
      • OS: Windows 10
      Re: Virus Troubles
      « Reply #3 on: July 11, 2010, 11:06:20 PM »
      Re-running ComboFix to remove infections:

      • Close any open browsers.
      • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Open notepad and copy/paste the text in the codebox below into it:
      Code: [Select]
      Folder::
      c:\documents and settings\HP_Owner\Local Settings\Application Data\acauwoibc

      DDS::
      uInternet Settings,ProxyOverride = <local>
      uInternet Settings,ProxyServer = http=127.0.0.1:5577
      Trusted Zone: ccf.org\mail
      Trusted Zone: internet
      Trusted Zone: mcafee.com
      • Save this as CFScript.txt, in the same location as ComboFix.exe



      • Referring to the picture above, drag CFScript into ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt
      • Please post the contents of the log in your next reply.
      Logged
      ~Dr Jay
      Pages: [1]   Go Up
      « previous next »