
[Resolved] pojmbyjo.exe?


33 replies to this topic

#16 Scotty (Always Happy, Authentic Member, 3,634 posts)
Posted 17 June 2008 - 08:14 AM

Hi

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS.0\YVAJ3BDH.ocx
Click Submit.
Please post the results of this scan to this thread.

Do the same for these:
C:\WINDOWS.0\Setup1.exe
C:\Program Files\Common Files\wrapper-windows-x86-32.dll
C:\Program Files\1038.mst
C:\Program Files\setup.ini


If Jotti is busy or unavailable, please try
Virustotal
You too could train to help others- Join the Classroom



#17 becky7234 (Authentic Member, 75 posts)
Posted 17 June 2008 - 10:36 PM

C:\WINDOWS.0\YVAJ3BDH.ocx
Scan taken on 18 Jun 2008 04:10:40 (GMT)
All 20 engines (A-Squared, AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, CPsecure, Dr.Web, F-Prot Antivirus, F-Secure Anti-Virus, Fortinet, Ikarus, Kaspersky Anti-Virus, NOD32, Norman Virus Control, Panda Antivirus, Sophos Antivirus, VirusBuster, VBA32): Found nothing

C:\WINDOWS.0\Setup1.exe
Scan taken on 18 Jun 2008 04:17:41 (GMT)
All 20 engines (same list as above): Found nothing

C:\Program Files\Common Files\wrapper-windows-x86-32.dll
Scan taken on 18 Jun 2008 04:22:20 (GMT)
All 20 engines (same list as above): Found nothing

C:\Program Files\1038.mst
Scan taken on 18 Jun 2008 04:26:14 (GMT)
All 20 engines (same list as above): Found nothing

C:\Program Files\setup.ini
Scan taken on 18 Jun 2008 04:28:49 (GMT)
All 20 engines (same list as above): Found nothing

I have a sword.....nothing more.

#18 Scotty (Always Happy, Authentic Member, 3,634 posts)
Posted 18 June 2008 - 02:10 AM

Hi

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do. You must also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.

http://www.bleepingc...opic114351.html

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
C:\WINDOWS.0\pojmbyjo.exe
C:\Program Files\Common Files\System\ntsvc32k.exe 
C:\Program Files\Common Files\System\sysvideo32.dll
C:\Program Files\Common Files\System\winmgt32k.dll

Folder::
C:\Program Files\Enigma Software Group
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia
C:\ProgramFiles\WinPcap

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"6ac7piRlDG"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"freenet-darknet-8889-8888"=- 

Driver::
ntsvc32k
sysvideo32
winmgt32k
rpcapd

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

Edited by Scotty, 18 June 2008 - 02:10 AM.

You too could train to help others- Join the Classroom


#19 becky7234 (Authentic Member, 75 posts)
Posted 18 June 2008 - 08:29 AM

I have McAfee SecurityCenter Suite running, and I have no idea how to disable it. There is no "Exit" when I right-click on the icon in the taskbar. A few steps back I had to edit the startups, but I'm not sure that completely disabled it. I have searched everywhere for a temporary disable. Found nothing. Suggestions?
I have a sword.....nothing more.

#20 Scotty (Always Happy, Authentic Member, 3,634 posts)
Posted 18 June 2008 - 08:36 AM

Hi

Try it this way:
Double-click the taskbar icon to open the Security Center
Click Advanced Menu (lower left)
Click Configure (left)
Click Computer & Files (upper left)
VirusScan can be disabled on the right.
You too could train to help others- Join the Classroom


#21 becky7234 (Authentic Member, 75 posts)
Posted 18 June 2008 - 10:25 AM

ComboFix 08-06-16.2 - Frankie3 2008-06-18 11:41:33.4 - NTFSx86
Running from: C:\Documents and Settings\Frankie3\Desktop\fixers\ComboFix.exe
Command switches used :: C:\Documents and Settings\Frankie3\Desktop\fixers\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Program Files\Common Files\System\ntsvc32k.exe
C:\Program Files\Common Files\System\sysvideo32.dll
C:\Program Files\Common Files\System\winmgt32k.dll
C:\WINDOWS.0\pojmbyjo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia\data\{2218E256-F619-ACF9-E8A5-2092620E1681}
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia\data\{2BCA3F34-5B65-32FC-2B23-2452BCEC8E1D}
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia\data\{2F0FCFE4-345E-D9FF-5AF3-8F8804D19918}
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia\data\{3EF114E3-2BF1-C3C3-CBEB-64E65DF41165}
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia\data\{454548AA-E5BB-D290-67C2-796D40E1A4BC}
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia\data\{8C59871A-CBF3-9374-4717-01373521BCF3}
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia\data\{B0FA39D8-1175-0C0D-EF56-D52E7C5BF4F7}
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia\data\{DB29ADB4-BF16-6171-CA40-8B0CBFFA6001}
C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\ActiveKill.dll
C:\Program Files\Enigma Software Group\SpyHunter\ActiveXKill.dll
C:\Program Files\Enigma Software Group\SpyHunter\AXList.txt
C:\Program Files\Enigma Software Group\SpyHunter\br.exe
C:\Program Files\Enigma Software Group\SpyHunter\Common.dll
C:\Program Files\Enigma Software Group\SpyHunter\def.dat
C:\Program Files\Enigma Software Group\SpyHunter\def.dat.bak
C:\Program Files\Enigma Software Group\SpyHunter\EnigmaUpdater.dll
C:\Program Files\Enigma Software Group\SpyHunter\HelpDesk.dll
C:\Program Files\Enigma Software Group\SpyHunter\HFMonitor.dll
C:\Program Files\Enigma Software Group\SpyHunter\INSTALL.LOG
C:\Program Files\Enigma Software Group\SpyHunter\install.sss
C:\Program Files\Enigma Software Group\SpyHunter\key.dat
C:\Program Files\Enigma Software Group\SpyHunter\Language.dll
C:\Program Files\Enigma Software Group\SpyHunter\NetworkSentry.dll
C:\Program Files\Enigma Software Group\SpyHunter\Options.dll
C:\Program Files\Enigma Software Group\SpyHunter\ProcessGuard.dll
C:\Program Files\Enigma Software Group\SpyHunter\RegistryGuard.dll
C:\Program Files\Enigma Software Group\SpyHunter\scan.log
C:\Program Files\Enigma Software Group\SpyHunter\Scanner.dll
C:\Program Files\Enigma Software Group\SpyHunter\Scheduler.dll
C:\Program Files\Enigma Software Group\SpyHunter\SHDS.mht
C:\Program Files\Enigma Software Group\SpyHunter\spyhunter.log
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.chm
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.skn
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterInstance.lock
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
C:\Program Files\Enigma Software Group\SpyHunter\support.log
C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe
C:\Program Files\Enigma Software Group\SpyHunter\Updater.dll
C:\Program Files\Enigma Software Group\SpyHunter\whitelist.dat
C:\Program Files\Enigma Software Group\SpyHunter\WSAMonitor.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTSVC32K
-------\Service_ntsvc32k
-------\Service_rpcapd
-------\Service_sysvideo32
-------\Service_winmgt32k


((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 23:43 . 2008-06-17 23:43 <DIR> d-------- C:\Program Files\Trymedia
2008-06-17 23:43 . 2008-06-17 23:43 <DIR> d-------- C:\Program Files\Ludia
2008-06-16 21:38 . 2008-06-16 22:22 <DIR> d-------- C:\Program Files\X-Cleaner
2008-06-16 17:35 . 2008-06-16 17:35 <DIR> d----c--- C:\Deckard
2008-06-16 16:11 . 2008-06-16 16:11 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-06-16 16:10 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS.0\system32\drivers\mbamcatchme.sys
2008-06-16 16:10 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS.0\system32\drivers\mbam.sys
2008-06-15 23:02 . 2008-06-15 23:02 <DIR> d-------- C:\Program Files\AVG
2008-06-15 20:12 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS.0\system32\VCCLSID.exe
2008-06-15 20:12 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS.0\system32\SrchSTS.exe
2008-06-15 20:12 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS.0\system32\VACFix.exe
2008-06-15 20:12 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS.0\system32\IEDFix.exe
2008-06-15 20:12 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS.0\system32\IEDFix.C.exe
2008-06-15 20:12 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS.0\system32\404Fix.exe
2008-06-15 20:12 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS.0\system32\Process.exe
2008-06-15 20:12 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS.0\system32\dumphive.exe
2008-06-15 20:12 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS.0\system32\WS2Fix.exe
2008-06-14 18:13 . 2008-06-14 20:08 <DIR> d-------- C:\Program Files\IMVU
2008-06-13 00:07 . 2008-06-13 00:10 <DIR> d-------- C:\WINDOWS.0\Photo Album Downloader for Yahoo
2008-06-04 12:09 . 2008-06-04 12:09 <DIR> d----c--- C:\Documents and Settings\Frankie3\Application Data\Stellarium
2008-06-04 12:07 . 2008-06-04 12:07 <DIR> d-------- C:\Program Files\Stellarium
2008-06-02 21:55 . 2008-06-09 20:34 54,156 --ah----- C:\WINDOWS.0\QTFont.qfn
2008-06-02 21:55 . 2008-06-02 21:55 1,409 --a------ C:\WINDOWS.0\QTFont.for
2008-06-02 21:14 . 2008-06-02 21:14 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Apple
2008-06-02 21:07 . 2008-06-02 21:16 <DIR> d-------- C:\Program Files\QuickTime
2008-05-31 00:17 . 2008-05-31 00:17 3,120 --a------ C:\WINDOWS.0\YVAJ3BDH.ocx
2008-05-31 00:17 . 2008-05-31 00:17 3,120 --a------ C:\WINDOWS.0\system32\SBE48W62.ocx
2008-05-25 23:03 . 2008-05-25 23:03 <DIR> d-------- C:\Program Files\bfgclient
2008-05-25 21:41 . 2008-05-25 21:41 <DIR> d-------- C:\Program Files\Yahoo! Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 16:33 --------- dc----w C:\Documents and Settings\Frankie3\Application Data\OpenOffice.org2
2008-06-16 21:33 --------- dc----w C:\Documents and Settings\Frankie3\Application Data\IMVU
2008-06-16 20:11 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 13:34 --------- d-----w C:\Program Files\ArtOfIllusion
2008-06-03 01:14 --------- d-----w C:\Program Files\Apple Software Update
2008-05-28 23:23 --------- d-----w C:\Program Files\Yahoo!
2008-05-26 03:03 0 ----a-w C:\Program Files\temp01
2008-05-26 02:16 --------- dc-h--r C:\Documents and Settings\Frankie3\Application Data\yahoo!
2008-05-16 01:08 --------- d-----w C:\Program Files\DiskTrix
2008-05-12 18:22 --------- dc----w C:\Documents and Settings\Frankie3\Application Data\AdobeUM
2008-05-10 12:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 12:22 --------- d-----w C:\Program Files\eBay
2008-04-28 00:31 --------- d-----w C:\Program Files\Virtual Mechanics
2008-04-27 12:40 --------- dc-h--r C:\Documents and Settings\Frankie3\Application Data\SecuROM
2008-04-22 00:41 --------- d-----w C:\Program Files\McAfee
2008-04-21 00:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-08 16:14 73,216 ----a-w C:\WINDOWS.0\ST6UNST.EXE
2008-04-08 16:14 249,856 ------w C:\WINDOWS.0\Setup1.exe
2007-12-09 12:25 336 -c--a-w C:\Program Files\temp995.bat
2006-11-20 19:27 81,920 -c--a-w C:\Program Files\Common Files\wrapper-windows-x86-32.dll
2006-11-19 04:03 1,035,090 -c--a-w C:\Program Files\wrar361.exe
2006-01-28 04:17 20,459,766 -c--a-w C:\Program Files\def.phd
2006-01-28 04:17 140,354 -c--a-w C:\Program Files\compupic.jrn
2006-01-23 19:39 5,632 -csha-w C:\Program Files\Thumbs.db
2006-01-09 04:46 5,529,600 -c--a-w C:\Program Files\all.dnt
2006-01-09 04:46 172,032 -c--a-w C:\Program Files\pro.dnt
2006-01-09 04:46 1,634,304 -c--a-w C:\Program Files\if.dnt
2005-12-31 02:50 2,855,552 -c--a-w C:\Program Files\PPView97.exe
2005-12-15 09:09 2,731,008 -c--a-w C:\Program Files\openofficeorg20.msi
2005-12-15 08:14 49,541,055 -c--a-w C:\Program Files\openofficeorg3.cab
2005-12-15 08:14 2,339,756 -c--a-w C:\Program Files\openofficeorg4.cab
2005-12-15 08:10 6,129,372 -c--a-w C:\Program Files\openofficeorg2.cab
2005-12-15 08:10 17,710,073 -c--a-w C:\Program Files\openofficeorg1.cab
2005-11-27 12:59 683,535 -c--a-w C:\Program Files\Recovery_instructions.zip
2004-08-09 20:13 1,852,928 -c--a-w C:\Program Files\ABBYY PDF Transformer 1.0.msi
2004-08-05 09:08 92,160 -c--a-w C:\Program Files\1036.mst
2004-08-05 09:08 81,920 -c--a-w C:\Program Files\1029.mst
2004-08-05 09:08 76,288 -c--a-w C:\Program Files\1031.mst
2004-08-05 09:08 74,752 -c--a-w C:\Program Files\1040.mst
2004-08-05 09:08 74,752 -c--a-w C:\Program Files\1038.mst
2004-08-05 09:08 71,680 -c--a-w C:\Program Files\1045.mst
2004-08-05 09:08 71,680 -c--a-w C:\Program Files\1043.mst
2004-08-05 09:08 71,680 -c--a-w C:\Program Files\1034.mst
2004-08-05 09:08 38,619,860 -c--a-w C:\Program Files\Data1.cab
2004-08-05 09:08 3,584 -c--a-w C:\Program Files\1033.mst
2004-08-05 09:08 121,856 -c--a-w C:\Program Files\1049.mst
2004-08-05 01:15 285 -c--a-w C:\Program Files\setup.ini
2003-10-03 03:30 4,979,304 -c--a-w C:\Program Files\t-c623x0.zip
2003-07-14 17:00 3,190,245 ----a-w C:\Program Files\MessageAuthority OutlookExpress.exe
2003-07-14 17:00 3,171,740 ----a-w C:\Program Files\MessageAuthority Outlook.exe
2002-03-11 15:06 1,822,520 -c--a-w C:\Program Files\instmsiw.exe
2002-03-11 14:45 1,708,856 -c--a-w C:\Program Files\instmsia.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-17_ 9.16.30.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 12:56:42 2,048 --s-a-w C:\WINDOWS.0\bootstat.dat
+ 2008-06-18 15:48:43 2,048 --s-a-w C:\WINDOWS.0\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS.0\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Frankie3^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Frankie3\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS.0\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-10-16 21:40 1197648 C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 13:22 7700480 C:\WINDOWS.0\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-06-02 21:07 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\X-Cleaner Deluxe]
--a------ 2008-02-25 10:11 986632 C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Friend]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MPS9"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=3 (0x3)
"Emproxy"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

S2 Parclass;Parclass;C:\WINDOWS.0\system32\Drivers\Parclass.sys [2000-04-04 17:27]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS.0\system32\Drivers\Icam3.sys [2001-08-17 10:05]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS.0\system32\DRIVERS\nuvvid2.sys [2001-12-03 14:55]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS.0\system32\Drivers\usbbc.sys [2001-01-07 21:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 07:00:00 C:\WINDOWS.0\Tasks\012008scan.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-14 17:29:03 C:\WINDOWS.0\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-04 15:31:33 C:\WINDOWS.0\Tasks\LifeChatTask.job"
- C:\Program Files\Microsoft LifeChat\LifeChat.exe
"2008-06-17 06:15:18 C:\WINDOWS.0\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe)
"2008-06-18 06:00:17 C:\WINDOWS.0\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-18 07:30:00 C:\WINDOWS.0\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.ex
- C:\Program Files\RegSweep
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 11:49:45
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ken Kirkpatrick Software: The Birthday Chronicle update permissions manager. 16583.]
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro\scsiaccess.exe
C:\WINDOWS.0\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-18 11:59:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 15:59:00
ComboFix2.txt 2008-06-17 13:16:50

Pre-Run: 16,268,558,336 bytes free
Post-Run: 16,387,870,720 bytes free

261
_______________________________________
HJT Log
_______________________________________

Logfile of HijackThis v1.99.1
Scan saved at 12:19:26, on 6/18/2008
Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3244)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VirusScan\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS.0\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\virusscan\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Documents and Settings\Frankie3\Desktop\fixers\Spyware.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
c:\program files\mcafee\virusscan\mcinsupd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Frankie3\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 - DPF: Web-Based Email Tools - http://email.secures...et/Download.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://209.131.7.178...SncRz30View.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.c...oad/XUpload.ocx
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
I have a sword.....nothing more.

#22 Scotty (Always Happy, Authentic Member, 3,634 posts)
Posted 18 June 2008 - 12:16 PM

Hi

Did you re-install trymedia?

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do. You must also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.

http://www.bleepingc...opic114351.html

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
C:\WINDOWS.0\system32\VCCLSID.exe
C:\WINDOWS.0\system32\SrchSTS.exe
C:\WINDOWS.0\system32\VACFix.exe
C:\WINDOWS.0\system32\IEDFix.exe
C:\WINDOWS.0\system32\IEDFix.C.exe
C:\WINDOWS.0\system32\404Fix.exe
C:\WINDOWS.0\system32\Process.exe
C:\WINDOWS.0\system32\dumphive.exe
C:\WINDOWS.0\system32\WS2Fix.exe

Folder::
C:\Program Files\Trymedia

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

Now run Malwarebytes Anti-Malware again and post the new log

In your next reply post:
ComboFix.txt
MBAM log
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

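The CFScript that Scotty posts in #18 and again in #22 is a small format of its own (File::, Folder::, Registry:: and Driver:: sections), and the ComboFix logs in #21 and #24 echo what was acted on. The Python below is an added example, not part of this thread or of ComboFix itself: it parses both and lists the requested removals the log does not confirm, using the #18 script and an abridged copy of the #21 log as constructed sample input. The section names and log headers are taken from the logs as posted; the one assumption is that a registry value name absent from "Reg Loading Points" means that deletion took effect, since ComboFix does not echo registry deletions.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote when running it.
Added example, not ComboFix's own code: lists requested removals the log does not confirm."""
import re

# Constructed sample input: CFScript from post #18 and an abridged post #21 ComboFix log.
CFSCRIPT = r"""File::
C:\WINDOWS.0\pojmbyjo.exe
C:\Program Files\Common Files\System\ntsvc32k.exe
C:\Program Files\Common Files\System\sysvideo32.dll
C:\Program Files\Common Files\System\winmgt32k.dll
Folder::
C:\Program Files\Enigma Software Group
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia
C:\ProgramFiles\WinPcap
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"6ac7piRlDG"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"freenet-darknet-8889-8888"=-
Driver::
ntsvc32k
sysvideo32
winmgt32k
rpcapd
"""
COMBOFIX_LOG = r"""FILE ::
C:\Program Files\Common Files\System\ntsvc32k.exe
C:\Program Files\Common Files\System\sysvideo32.dll
C:\Program Files\Common Files\System\winmgt32k.dll
C:\WINDOWS.0\pojmbyjo.exe
.
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Trymedia
C:\Program Files\Enigma Software Group
((((((((((((((((((((( Drivers/Services )))))))))))))))))))))
-------\Service_ntsvc32k
-------\Service_rpcapd
-------\Service_sysvideo32
-------\Service_winmgt32k
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=2 (0x2)
"""
SCRIPT_HEADER = re.compile(r"^(\w+)::\s*$")      # e.g. "Folder::"
LOG_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # e.g. "(((( Other Deletions ))))"


def parse_cfscript(text):
    """Map each section to its entries; Registry:: entries become (key, value) pairs."""
    sections, current, key = {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SCRIPT_HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        elif current != "Registry":
            sections[current].append(line)
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.endswith("=-") and key:             # "name"=- deletes that value
            sections[current].append((key, line[:-2].strip('"')))
        else:
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return sections


def parse_combofix_log(text):
    """Split the log into {section title: lines}; the 'FILE ::' echo becomes 'FILE'."""
    sections, current = {}, "preamble"
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LOG_HEADER.match(line)
        if m:
            current = m.group(1)
        elif line == "FILE ::":
            current = "FILE"
        elif line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def cross_check(script, log):
    """Yield (kind, item, confirmed) for every removal the script requested."""
    low = lambda name: [x.lower() for x in log.get(name, [])]
    processed, deleted = low("FILE"), low("Other Deletions")
    services, reg_points = low("Drivers/Services"), low("Reg Loading Points")
    for path in script.get("File", []):
        yield "File", path, path.lower() in processed
    for folder in script.get("Folder", []):
        f = folder.lower()            # the folder itself or anything beneath it counts
        yield "Folder", folder, any(d == f or d.startswith(f + "\\") for d in deleted)
    for name in script.get("Driver", []):
        yield "Driver", name, any(s.endswith("\\service_" + name.lower()) for s in services)
    for key, value in script.get("Registry", []):
        # Assumption: registry deletions are not echoed; treat the value as gone if it is
        # no longer listed under Reg Loading Points (and that section is present at all).
        gone = bool(reg_points) and not any(f'"{value.lower()}"' in l for l in reg_points)
        yield "Registry", key + "\\" + value, gone


def unconfirmed(script, log):
    return [(kind, item) for kind, item, ok in cross_check(script, log) if not ok]
```

Run against the sample, every file, driver and registry entry is confirmed and only one folder is not, so the helper knows which line of the script to recheck.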

#23 becky7234 (Authentic Member, 75 posts)
Posted 18 June 2008 - 02:28 PM

Did you re-install trymedia? NO :huh:
I have a sword.....nothing more.

#24 becky7234 (Authentic Member, 75 posts)
Posted 18 June 2008 - 05:31 PM

It seems disabling McAfee ENTIRELY is impossible. I did configure within the settings to DISABLE all that was there, but it still hasn't stopped every process. Real-time scan in particular tells me I am not the administrator. HA!
I have the logs:

__________________
combofix log
_________________
ComboFix 08-06-16.2 - Frankie3 2008-06-18 18:38:45.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.624 [GMT -4:00]
Running from: C:\Documents and Settings\Frankie3\Desktop\fixers\ComboFix.exe
Command switches used :: C:\Documents and Settings\Frankie3\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS.0\system32\404Fix.exe
C:\WINDOWS.0\system32\dumphive.exe
C:\WINDOWS.0\system32\IEDFix.C.exe
C:\WINDOWS.0\system32\IEDFix.exe
C:\WINDOWS.0\system32\Process.exe
C:\WINDOWS.0\system32\SrchSTS.exe
C:\WINDOWS.0\system32\VACFix.exe
C:\WINDOWS.0\system32\VCCLSID.exe
C:\WINDOWS.0\system32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Trymedia
C:\WINDOWS.0\system32\404Fix.exe
C:\WINDOWS.0\system32\dumphive.exe
C:\WINDOWS.0\system32\IEDFix.C.exe
C:\WINDOWS.0\system32\IEDFix.exe
C:\WINDOWS.0\system32\Process.exe
C:\WINDOWS.0\system32\SrchSTS.exe
C:\WINDOWS.0\system32\VACFix.exe
C:\WINDOWS.0\system32\VCCLSID.exe
C:\WINDOWS.0\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 23:43 . 2008-06-17 23:43 <DIR> d-------- C:\Program Files\Ludia
2008-06-16 21:38 . 2008-06-16 22:22 <DIR> d-------- C:\Program Files\X-Cleaner
2008-06-16 17:35 . 2008-06-16 17:35 <DIR> d----c--- C:\Deckard
2008-06-16 16:11 . 2008-06-16 16:11 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-06-16 16:10 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS.0\system32\drivers\mbamcatchme.sys
2008-06-16 16:10 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS.0\system32\drivers\mbam.sys
2008-06-15 23:02 . 2008-06-15 23:02 <DIR> d-------- C:\Program Files\AVG
2008-06-14 18:13 . 2008-06-14 20:08 <DIR> d-------- C:\Program Files\IMVU
2008-06-13 00:07 . 2008-06-13 00:10 <DIR> d-------- C:\WINDOWS.0\Photo Album Downloader for Yahoo
2008-06-04 12:09 . 2008-06-04 12:09 <DIR> d----c--- C:\Documents and Settings\Frankie3\Application Data\Stellarium
2008-06-04 12:07 . 2008-06-04 12:07 <DIR> d-------- C:\Program Files\Stellarium
2008-06-02 21:55 . 2008-06-09 20:34 54,156 --ah----- C:\WINDOWS.0\QTFont.qfn
2008-06-02 21:55 . 2008-06-02 21:55 1,409 --a------ C:\WINDOWS.0\QTFont.for
2008-06-02 21:14 . 2008-06-02 21:14 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Apple
2008-06-02 21:07 . 2008-06-02 21:16 <DIR> d-------- C:\Program Files\QuickTime
2008-05-31 00:17 . 2008-05-31 00:17 3,120 --a------ C:\WINDOWS.0\YVAJ3BDH.ocx
2008-05-31 00:17 . 2008-05-31 00:17 3,120 --a------ C:\WINDOWS.0\system32\SBE48W62.ocx
2008-05-25 23:03 . 2008-05-25 23:03 <DIR> d-------- C:\Program Files\bfgclient
2008-05-25 21:41 . 2008-05-25 21:41 <DIR> d-------- C:\Program Files\Yahoo! Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 16:33 --------- dc----w C:\Documents and Settings\Frankie3\Application Data\OpenOffice.org2
2008-06-16 21:33 --------- dc----w C:\Documents and Settings\Frankie3\Application Data\IMVU
2008-06-16 20:11 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 01:14 --------- d-----w C:\Program Files\Apple Software Update
2008-05-28 23:23 --------- d-----w C:\Program Files\Yahoo!
2008-05-26 03:03 0 ----a-w C:\Program Files\temp01
2008-05-26 02:16 --------- dc-h--r C:\Documents and Settings\Frankie3\Application Data\yahoo!
2008-05-16 01:08 --------- d-----w C:\Program Files\DiskTrix
2008-05-12 18:22 --------- dc----w C:\Documents and Settings\Frankie3\Application Data\AdobeUM
2008-05-10 12:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 12:22 --------- d-----w C:\Program Files\eBay
2008-04-28 00:31 --------- d-----w C:\Program Files\Virtual Mechanics
2008-04-27 12:40 --------- dc-h--r C:\Documents and Settings\Frankie3\Application Data\SecuROM
2008-04-22 00:41 --------- d-----w C:\Program Files\McAfee
2008-04-21 00:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-08 16:14 73,216 ----a-w C:\WINDOWS.0\ST6UNST.EXE
2008-04-08 16:14 249,856 ------w C:\WINDOWS.0\Setup1.exe
2007-12-09 12:25 336 -c--a-w C:\Program Files\temp995.bat
2006-11-20 19:27 81,920 -c--a-w C:\Program Files\Common Files\wrapper-windows-x86-32.dll
2006-11-19 04:03 1,035,090 -c--a-w C:\Program Files\wrar361.exe
2006-01-28 04:17 20,459,766 -c--a-w C:\Program Files\def.phd
2006-01-28 04:17 140,354 -c--a-w C:\Program Files\compupic.jrn
2006-01-23 19:39 5,632 -csha-w C:\Program Files\Thumbs.db
2006-01-09 04:46 5,529,600 -c--a-w C:\Program Files\all.dnt
2006-01-09 04:46 172,032 -c--a-w C:\Program Files\pro.dnt
2006-01-09 04:46 1,634,304 -c--a-w C:\Program Files\if.dnt
2005-12-31 02:50 2,855,552 -c--a-w C:\Program Files\PPView97.exe
2005-12-15 09:09 2,731,008 -c--a-w C:\Program Files\openofficeorg20.msi
2005-12-15 08:14 49,541,055 -c--a-w C:\Program Files\openofficeorg3.cab
2005-12-15 08:14 2,339,756 -c--a-w C:\Program Files\openofficeorg4.cab
2005-12-15 08:10 6,129,372 -c--a-w C:\Program Files\openofficeorg2.cab
2005-12-15 08:10 17,710,073 -c--a-w C:\Program Files\openofficeorg1.cab
2005-11-27 12:59 683,535 -c--a-w C:\Program Files\Recovery_instructions.zip
2004-08-09 20:13 1,852,928 -c--a-w C:\Program Files\ABBYY PDF Transformer 1.0.msi
2004-08-05 09:08 92,160 -c--a-w C:\Program Files\1036.mst
2004-08-05 09:08 81,920 -c--a-w C:\Program Files\1029.mst
2004-08-05 09:08 76,288 -c--a-w C:\Program Files\1031.mst
2004-08-05 09:08 74,752 -c--a-w C:\Program Files\1040.mst
2004-08-05 09:08 74,752 -c--a-w C:\Program Files\1038.mst
2004-08-05 09:08 71,680 -c--a-w C:\Program Files\1045.mst
2004-08-05 09:08 71,680 -c--a-w C:\Program Files\1043.mst
2004-08-05 09:08 71,680 -c--a-w C:\Program Files\1034.mst
2004-08-05 09:08 38,619,860 -c--a-w C:\Program Files\Data1.cab
2004-08-05 09:08 3,584 -c--a-w C:\Program Files\1033.mst
2004-08-05 09:08 121,856 -c--a-w C:\Program Files\1049.mst
2004-08-05 01:15 285 -c--a-w C:\Program Files\setup.ini
2003-10-03 03:30 4,979,304 -c--a-w C:\Program Files\t-c623x0.zip
2003-07-14 17:00 3,190,245 ----a-w C:\Program Files\MessageAuthority OutlookExpress.exe
2003-07-14 17:00 3,171,740 ----a-w C:\Program Files\MessageAuthority Outlook.exe
2002-03-11 15:06 1,822,520 -c--a-w C:\Program Files\instmsiw.exe
2002-03-11 14:45 1,708,856 -c--a-w C:\Program Files\instmsia.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-17_ 9.16.30.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 12:56:42 2,048 --s-a-w C:\WINDOWS.0\bootstat.dat
+ 2008-06-18 22:45:08 2,048 --s-a-w C:\WINDOWS.0\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS.0\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Frankie3^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Frankie3\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS.0\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-10-16 21:40 1197648 C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 13:22 7700480 C:\WINDOWS.0\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-06-02 21:07 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\X-Cleaner Deluxe]
--a------ 2008-02-25 10:11 986632 C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Friend]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcmispupdmgr"=3 (0x3)
"McSysmon"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McODS"=2 (0x2)
"McRedirector"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"MPS9"=2 (0x2)
"MpfService"=2 (0x2)
"McNASvc"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"wuauserv"=2 (0x2)
"Ken Kirkpatrick Software: The Birthday Chronicle update permissions manager. 16583."=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

S2 Parclass;Parclass;C:\WINDOWS.0\system32\Drivers\Parclass.sys [2000-04-04 17:27]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS.0\system32\Drivers\Icam3.sys [2001-08-17 10:05]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS.0\system32\DRIVERS\nuvvid2.sys [2001-12-03 14:55]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS.0\system32\Drivers\usbbc.sys [2001-01-07 21:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 07:00:00 C:\WINDOWS.0\Tasks\012008scan.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-14 17:29:03 C:\WINDOWS.0\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-04 15:31:33 C:\WINDOWS.0\Tasks\LifeChatTask.job"
- C:\Program Files\Microsoft LifeChat\LifeChat.exe
"2008-06-17 06:15:18 C:\WINDOWS.0\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe)
"2008-06-18 06:00:17 C:\WINDOWS.0\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-18 07:30:00 C:\WINDOWS.0\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.ex
- C:\Program Files\RegSweep
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 18:55:19
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ken Kirkpatrick Software: The Birthday Chronicle update permissions manager. 16583.]
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\VirusScan\Mcshield.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro\scsiaccess.exe
C:\WINDOWS.0\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-18 19:03:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 23:03:39
ComboFix2.txt 2008-06-18 15:59:06
ComboFix3.txt 2008-06-17 13:16:50

Pre-Run: 16,314,195,968 bytes free
Post-Run: 16,347,742,208 bytes free

220


______________________

mbam log
_____________________
Malwarebytes' Anti-Malware 1.17
Database version: 862

7:16:47 PM 6/18/2008
mbam-log-6-18-2008 (19-16-47).txt

Scan type: Quick Scan
Objects scanned: 45617
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

____________________
HJT log
____________________

Logfile of HijackThis v1.99.1
Scan saved at 19:17:47, on 6/18/2008
Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3244)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\explorer.exe
C:\WINDOWS.0\system32\notepad.exe
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Documents and Settings\Frankie3\Desktop\fixers\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Frankie3\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 - DPF: Web-Based Email Tools - http://email.secures...et/Download.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://209.131.7.178...SncRz30View.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.c...oad/XUpload.ocx
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
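The "Reg Loading Points" section of the ComboFix log above is where an analyst looks first: Security Center notifications suppressed, AntiVirusOverride set, McAfee monitoring disabled, the Windows Firewall standard profile off and wuauserv (Automatic Updates) unchecked in msconfig. As an added example, not part of this thread or of ComboFix, here is a small Python parser for that REGEDIT4-style listing that flags those settings. The excerpt embedded as sample input is copied from the posted log; the watch lists (SECURITY_CENTER_FLAGS, MSCONFIG_WATCH) and the function names are this example's own assumptions.

```python
import re

# Excerpt copied from the ComboFix log posted above (constructed sample input
# for this example; a real run would read ComboFix.txt instead).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=2 (0x2)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Assumed watch lists for this example.
# Services listed under msconfig\services were unchecked in msconfig; the
# stored number is the saved original start type, not a current setting.
MSCONFIG_WATCH = {"wuauserv", "sharedaccess", "wscsvc"}
SECURITY_CENTER_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify",
                         "UpdatesDisableNotify", "AntiVirusOverride",
                         "FirewallOverride")


def _parse_value(raw):
    """Convert the textual value forms ComboFix prints into Python values."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(-?\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw
    return raw


def parse_reg_points(text):
    """Return {section (lower-cased): {value name: value}} for a REGEDIT4-style listing."""
    sections, current = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line.strip())
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = _VALUE.match(line.strip())
        if m and current is not None:
            sections[current][m.group(1)] = _parse_value(m.group(2))
    return sections


def find_weak_settings(sections):
    """Return (section, name, value, reason) for every setting that weakens the host."""
    findings = []
    for sec, values in sections.items():
        if sec.endswith("\\security center"):
            for name in SECURITY_CENTER_FLAGS:
                if values.get(name) == 1:
                    findings.append((sec, name, 1, "Security Center check suppressed"))
        elif "\\security center\\monitoring\\" in sec:
            if values.get("DisableMonitoring") == 1:
                findings.append((sec, "DisableMonitoring", 1,
                                 "Security Center no longer monitors this product"))
        elif sec.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append((sec, "EnableFirewall", 0,
                                 "Windows Firewall off for the standard profile"))
        elif sec.endswith("msconfig\\services"):
            for name in sorted(values):
                if name.lower() in MSCONFIG_WATCH:
                    findings.append((sec, name, values[name],
                                     "service unchecked in msconfig (value = saved start type)"))
    return findings


if __name__ == "__main__":
    for sec, name, value, reason in find_weak_settings(parse_reg_points(SAMPLE_LOG)):
        print(f"{reason}: {name}={value} in [{sec}]")
```

Note that the msconfig entry for McShield is deliberately not flagged: the user said she disabled McAfee on request, so only services that should never be off (updates, firewall, Security Center) are on the watch list.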

#25 Scotty (Always Happy, Authentic Member, 3,634 posts)
Posted 19 June 2008 - 02:28 AM

Hi

Congratulations, you appear to be malware free. :woot:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    [screenshot: "Combofix /u" typed into the Run box]


1 - Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: www.adobe.com/uk/products/acrobat/readstep2.html and download the latest version of Adobe Reader
OR, after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<
Foxit Reader has fewer add-ons therefore loads more quickly.


Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (5th one down the list), which is JRE6u6, and click Yes at the page warning. Under "Platform" select Windows, then check the box to accept the Licence Agreement. Click Yes at the second page warning before downloading the Offline file.
There is no need to download the Sun Download manager but it is optional.


Malwarebytes Anti-Malware is a good program to keep. If you wish to keep it, use it to do a quick scan once a week and keep it updated.
Remember, only the paid for version offers real-time protection

Here are a couple more free programs I recommend.

Winpatrol
Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.

Spyware Blaster
SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

You can download SpywareBlaster from Javacool.

If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.


Hosts File
A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

This Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. The new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

Here is a good Hosts file:

MVPS Hosts File

A tutorial about Hosts File can be found at Malware Removal.


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Here is some great information from experts in this field that will help you stay clean and safe online.
http://forum.malware...wtopic.php?t=14

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
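The Hosts file advice above cuts both ways: the same mechanism that lets a blocklist pin ad and spyware domains to 127.0.0.1 is what malware uses to point antivirus and Windows Update domains at an attacker's server, or to sinkhole them so the product can no longer update. As an added example (not from this thread, nor from the MVPS hosts project), here is a Python check that reads a Windows-style Hosts file and separates ordinary blocklist entries from suspicious ones. The sample Hosts text, the vendor-domain list WATCHED_SUFFIXES and the function names are constructed assumptions for illustration; the 192.0.2.10 address is a documentation-range placeholder.

```python
import ipaddress
import os

# Constructed sample Hosts file for this example (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net            # blocklist style: harmless
127.0.0.1       www.example-ads.test          # blocklist style: harmless
192.0.2.10      windowsupdate.microsoft.com   # hijack: real host pinned to another IP
192.0.2.10      update.mcafee.com             # hijack
127.0.0.1       www.avg.com                   # vendor sinkholed: updates silently fail
"""

# Assumed watch list: domains that should never appear in a Hosts file at all.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "mcafee.com", "avg.com",
                    "symantec.com", "kaspersky.com", "malwarebytes.org")

SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line number, ip, hostname) for every mapping in a Hosts file.

    Comments and blank lines are skipped; a line whose first token is not an
    IP address is ignored rather than treated as an error."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def classify(entries):
    """Return (line number, hostname, ip, verdict) for suspicious entries.

    verdict is 'hijack' (watched domain sent to a real address),
    'vendor-sinkholed' (watched domain pinned to loopback/0.0.0.0), or
    'redirect' (any other domain sent to a non-sinkhole address)."""
    findings = []
    for lineno, ip, name in entries:
        if name == "localhost":
            continue
        sink = ip in SINKHOLE_ADDRESSES
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched:
            findings.append((lineno, name, ip, "vendor-sinkholed" if sink else "hijack"))
        elif not sink:
            findings.append((lineno, name, ip, "redirect"))
    return findings


def load_hosts(path=None):
    """Read the live Hosts file (Windows location by default) and classify it."""
    if path is None:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return classify(parse_hosts(fh.read()))


if __name__ == "__main__":
    for lineno, name, ip, verdict in classify(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {name} -> {ip} [{verdict}]")
```

A Hosts file installed from a blocklist like MVPS produces no findings here, because every entry points at 0.0.0.0 or 127.0.0.1 and none of the names is a vendor or update domain; anything the check does report is worth reading line by line before the file is replaced.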



#26 becky7234 (Authentic Member, 75 posts)
Posted 19 June 2008 - 07:04 AM

I do have one question. Why does my computer have 2 windows files? Both on C drive and one is "Windows" and one is Windows.0"?

#27 Scotty (Always Happy, Authentic Member, 3,634 posts)
Posted 19 June 2008 - 08:41 AM

I did wonder about that, but hadn't noticed a plain Windows folder, only the .0 one. The PC does seem to be running off the latter. Could you right-click both of them and under Properties check the file size of both? Has anyone been tinkering around with your PC, like running a system repair? I have seen something similar to this before.

#28 becky7234 (Authentic Member, 75 posts)
Posted 22 June 2008 - 02:50 PM

Sorry for the delay, as I was out of town for 2 days. To answer your question:

C:\WINDOWS - Size: 1.48GB, Size on disk: 0.98GB, Contains: 10,474 files
C:\WINDOWS.0 - Size: 3.49GB, Size on disk: 2.74GB, Contains: 19,978 files

No, no one has been running a system repair. :wacko: I feel my system is still a bit "choppy"; it might be my McAfee (I'm not sure what settings it needs to be happy!). I do know it runs 13 processes as part of the protections. Bogs things down a lot!

#29 Scotty (Always Happy, Authentic Member, 3,634 posts)
Posted 22 June 2008 - 03:16 PM

Hi

Yes, that is the problem with McAfee (and Norton), and they aren't that good at what they do.

The .0 folder is the right size for a genuine Windows folder, the other is not. What you should do now is visit this link.
http://virusscan.jotti.org
When you see the browse box, browse to the Windows folder and pick out a file at random, and let it be scanned.

Do this for a couple more files (not folders) and post the results here.
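Scanning a handful of files picked at random from C:\WINDOWS, as suggested above, tells you whether those files are malicious but not what the folder is. A more systematic triage is to hash both trees and compare them: if most of C:\WINDOWS is byte-identical to, or an older version of, what is in C:\WINDOWS.0, it is almost certainly the remains of an earlier installation rather than a dropped payload. This is an added example (not part of the thread or of any tool mentioned in it): a Python tree comparison. The two sample trees it builds in a temporary directory are constructed stand-ins for the two Windows folders; on the real machine the roots would be C:\WINDOWS and C:\WINDOWS.0, and the MD5 option matches the digest Jotti reports, so the per-file digests can be checked against those results.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Stream a file through hashlib; algo='md5' gives the value Jotti reports."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, algo="sha256"):
    """Map every file under root (relative, lower-cased, '/'-separated) to its digest.

    Paths are lower-cased because NTFS is case-insensitive, so 'System32' and
    'system32' must compare as the same file."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            digests[rel] = file_digest(full, algo)
    return digests


def compare_trees(old, new):
    """Classify the files of two hash_tree() results relative to each other."""
    return {
        "identical": sorted(p for p in new if p in old and new[p] == old[p]),
        "differing": sorted(p for p in new if p in old and new[p] != old[p]),
        "only_new": sorted(p for p in new if p not in old),
        "only_old": sorted(p for p in old if p not in new),
    }


def build_sample_trees(base):
    """Create two small constructed trees standing in for C:\\WINDOWS ('old')
    and C:\\WINDOWS.0 ('new'); returns their root paths. Sample data only."""
    spec = {
        "old": {"system32/ntoskrnl.exe": b"kernel-v1",
                "system32/old.dll": b"leftover",
                "notepad.exe": b"notepad-v1"},
        "new": {"system32/ntoskrnl.exe": b"kernel-v1",
                "system32/new.dll": b"installed-later",
                "notepad.exe": b"notepad-v2"},
    }
    roots = {}
    for label, files in spec.items():
        root = os.path.join(base, label)
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        roots[label] = root
    return roots["old"], roots["new"]


def demo_compare():
    """Build the constructed trees in a temp dir, compare them, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        old_root, new_root = build_sample_trees(tmp)
        return compare_trees(hash_tree(old_root), hash_tree(new_root))


if __name__ == "__main__":
    for kind, paths in demo_compare().items():
        print(f"{kind} ({len(paths)}):", *paths)
```

On the real system, run it with hash_tree(r"C:\WINDOWS") and hash_tree(r"C:\WINDOWS.0"); the "only_old" list is the one to submit for scanning, since files present in the orphaned folder but nowhere in the live installation are the ones nothing else accounts for.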

#30 becky7234 (Authentic Member, 75 posts)
Posted 22 June 2008 - 05:16 PM

Does this program produce a .txt file? This is a copy/paste of the results:

Scan taken on 22 Jun 2008 22:52:17 (GMT)
File: ntoskrnl.exe
Status: OK
MD5: 4d4cf2c14550a4b7718e94a6e581856e
Packers detected: -
A-Squared, AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, CPsecure, Dr.Web, F-Prot Antivirus, F-Secure Anti-Virus, Fortinet, Ikarus, Kaspersky Anti-Virus, NOD32, Norman Virus Control, Panda Antivirus, Sophos Antivirus, VirusBuster, VBA32: Found nothing
-------------------------------------
Scan taken on 22 Jun 2008 23:01:35 (GMT)
File: deskmovr.htt
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: a3ef58a34ab1e5abb515e18104867e67
Packers detected: -
A-Squared, AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, CPsecure, Dr.Web, F-Prot Antivirus, F-Secure Anti-Virus, Fortinet, Ikarus, Kaspersky Anti-Virus, NOD32, Norman Virus Control, Panda Antivirus, Sophos Antivirus, VirusBuster, VBA32: Found nothing
----------------------------------------------------
Scan taken on 22 Jun 2008 23:08:31 (GMT)
File: actmovie.exe
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: a459aa940d845a972576ae48c7aab71b
Packers detected: -
A-Squared, AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, CPsecure, Dr.Web, F-Prot Antivirus, F-Secure Anti-Virus, Fortinet, Ikarus, Kaspersky Anti-Virus, NOD32, Norman Virus Control, Panda Antivirus, Sophos Antivirus, VirusBuster, VBA32: Found nothing
----------------------------
Many of the folders are empty.
