Help! Spyware Popup


9 replies to this topic

#1 Gregory


Posted 28 December 2008 - 04:04 PM

I frequently get a spyware popup and some webpages automatically open up on their own... I can't advise what they say, I closed them all out... And they only do it sometimes... Can you please check my log?

I have been running AdAware several times a day and it ALWAYS finds something new...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:06 PM, on 12/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\sttray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Avaya\Avaya IP Agent\IpAgent.exe
C:\Program Files\CounterPath\X-Lite\x-lite.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Educate\NGAdmin Application\AdminApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\Windows\system32\ljJCvUOe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Web Replay BHO - {8B57DF7C-9BF9-4D52-B94E-37ACE3893F7D} - C:\Program Files\Deskperience\Web Replay\inetie.dll (file missing)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {B4CB814B-E960-48E2-B79C-51DEF599BBB5} - C:\Windows\system32\awtqnkhe.dll
O2 - BHO: Avaya Web Dialer - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Agent\WebDialer.dll
O3 - Toolbar: Web Replay Toolbar - {756727E5-1E5C-4284-B2DA-C21D3A283A38} - C:\Program Files\Deskperience\Web Replay\inetieui.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CCUTRAYICON] "C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe"
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [FinePointSIS] C:\Users\Greg\AppData\Local\Temp\fplicensereg.exe Zhimakaimen /FinePointSIS /FPSIS_QuitNow /Remove_All
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [pwreset] C:\Program Files\Avaya\Avaya IP Agent\Service Provider\pwreset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJCvUOe.dll,#1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3889450244-2785813946-2893821554-1000\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-3889450244-2785813946-2893821554-1000\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-3889450244-2785813946-2893821554-1000\..\Run: [eyeBeam SIP Client] (User 'IUSR_NMPR')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &WebReplay Fill Login - res://C:\Program Files\Deskperience\Web Replay\inetieui.dll/292
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Web Replay - {3401B8CC-95A4-4dbe-B73F-00E2D23F2B73} - C:\Program Files\Deskperience\Web Replay\ShowToolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Dialer - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Avaya\Avaya IP Agent\WebDialer.dll
O9 - Extra 'Tools' menuitem: Avaya Web Dialer - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Avaya\Avaya IP Agent\WebDialer.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...etup1.0.1.0.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.co...sreqlab_srl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2} (HearMe (eSylvan) (Firewall) Voice Control) - http://techsupport.e...itor/esvcfe.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\Windows\system32\\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12685 bytes
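As an added example (my own code, not part of this thread or of HijackThis), a small Python script that applies the checks a log helper makes by eye when reading a HijackThis log like the one above: unnamed BHOs that still point at a real file, Run keys that load a DLL by ordinal through rundll32 or start something from a Temp folder, and one file showing up under more than one section. The sample entries are copied from the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the HijackThis log
# posted above (benign ones alongside the ones a helper would look at).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\Windows\system32\ljJCvUOe.dll
O2 - BHO: (no name) - {B4CB814B-E960-48E2-B79C-51DEF599BBB5} - C:\Windows\system32\awtqnkhe.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [FinePointSIS] C:\Users\Greg\AppData\Local\Temp\fplicensereg.exe Zhimakaimen /FinePointSIS /FPSIS_QuitNow /Remove_All
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJCvUOe.dll,#1
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .dll or .exe. Paths may contain spaces,
# so the match is non-greedy up to the first such extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)


def parse_entries(text):
    """Split a HijackThis log into (section, body) pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def extract_path(body):
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def entry_reasons(section, body, path):
    """Per-line heuristics a log reviewer applies."""
    reasons = []
    low = (path or "").lower()
    if section == "O2" and "(no name)" in body and path:
        reasons.append("unnamed BHO backed by a real file")
    if section == "O4" and re.search(r"\brundll32(?:\.exe)?\b", body, re.I) \
            and re.search(r"\.dll,#\d+", body, re.I):
        reasons.append("Run key loads a DLL by ordinal through rundll32")
    if section == "O4" and "\\temp\\" in low:
        reasons.append("Run key starts a program from a Temp directory")
    return reasons


def triage(text):
    """Return {lower-cased path: sorted reasons} for every flagged file.

    A file that appears under more than one section (an O2 BHO that is
    also loaded from an O4 Run key, for instance) gets an extra reason:
    two autostart paths for one DLL is worth a second look.
    """
    reasons_by_path = defaultdict(set)
    sections_by_path = defaultdict(set)
    for section, body in parse_entries(text):
        path = extract_path(body)
        if path is None:
            continue  # "(no file)" entries and bare commands carry no path
        key = path.lower()
        sections_by_path[key].add(section)
        reasons_by_path[key].update(entry_reasons(section, body, path))
    for key, sections in sections_by_path.items():
        if len(sections) > 1:
            reasons_by_path[key].add(
                "loaded from %d different sections" % len(sections))
    return {k: sorted(v) for k, v in reasons_by_path.items() if v}


if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for reason in why:
            print("   -", reason)
```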



#2 Clark76


Posted 03 January 2009 - 10:21 AM

Hello and Welcome. Apologies for any delay in replying, but we have been rather busy lately.

Since it has been a few days since you first posted, please do this:

---------------------------------------------------------------------------------------------

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
Please include the contents of the following in your next reply:
  • DDS.txt
  • Attach.txt

Proud Member of ASAP

Proud Member of UNITE


#3 Gregory


Posted 04 January 2009 - 09:41 AM

DDS (Version 1.1.0) - NTFSx86
Run by Greg at 10:39:31.58 on Sun 01/04/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.926 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\sttray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Greg\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.11.30.dll
BHO: {669b4929-1259-4c24-978b-2de9f47c5ecc} - c:\windows\system32\awtqnkhe.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\xxyyyWNE.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Web Replay BHO: {8b57df7c-9bf9-4d52-b94e-37ace3893f7d} - c:\program files\deskperience\web replay\inetie.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: WebDialerBHO Class: {e6df0b46-7d6f-407a-a6a2-62d17a021a9a} - c:\program files\avaya\avaya ip agent\WebDialer.dll
TB: Web Replay Toolbar: {756727e5-1e5c-4284-b2da-c21d3a283a38} - c:\program files\deskperience\web replay\inetieui.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {B24BA06E-FB7B-4757-95C2-DC01125F750E} - No File
TB: {BFB5F154-9212-46F3-B547-AC6106030A54} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6]
uRun: [eyeBeam SIP Client] "c:\program files\counterpath\x-lite\x-lite.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CCUTRAYICON] "c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe"
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [FinePointSIS] c:\users\greg\appdata\local\temp\fplicensereg.exe Zhimakaimen /FinePointSIS /FPSIS_QuitNow /Remove_All
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [pwreset] c:\program files\avaya\avaya ip agent\service provider\pwreset.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSServer] rundll32.exe c:\windows\system32\xxyyyWNE.dll,#1
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &WebReplay Fill Login - c:\program files\deskperience\web replay\inetieui.dll/292
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\programdata\microsoft\windows\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.1.11.30.dll/206
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {3401B8CC-95A4-4dbe-B73F-00E2D23F2B73} - {35D71809-1CFC-4B88-A79B-154B483327DD} - c:\program files\deskperience\web replay\ShowToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - c:\program files\avaya\avaya ip agent\WebDialer.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\xxyyyWNE.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtqnkhe

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-4-23 5504]
R4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-9-30 46112]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-3 206096]
R4 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R4 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]

=============== Created Last 30 ================

2008-12-31 14:03 36,864 a------- c:\windows\system32\xxyyyWNE.dll
2008-12-30 21:54 <DIR> --d----- c:\users\greg\appdata\roaming\G-Lock Software
2008-12-30 21:54 <DIR> --d----- c:\program files\G-Lock Software
2008-12-28 17:00 <DIR> --d----- c:\program files\Trend Micro
2008-12-24 22:29 671,047 a--sh--- c:\windows\system32\ehknqtwa.ini
2008-12-24 22:29 664,571 a--sh--- c:\windows\system32\ehknqtwa.ini2
2008-12-24 22:29 236,032 a------- c:\windows\system32\awtqnkhe.dll
2008-12-24 22:24 434,688 a------- c:\windows\system32\ss2uinst.exe
2008-12-18 19:47 <DIR> --d----- C:\Poker Application
2008-12-11 03:02 2,048 a------- c:\windows\system32\tzres.dll

==================== Find3M ====================

2008-12-24 22:28 137,688 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-12-24 22:28 202,040 a------- c:\windows\system32\PnkBstrB.exe
2008-11-04 19:22 66,360 a------- c:\users\greg\g2ax_customer_downloadhelper_win32_x86.exe
2008-11-03 23:37 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-03 23:37 51,200 a------- c:\windows\inf\infpub.dat
2008-11-03 23:37 86,016 a------- c:\windows\inf\infstor.dat
2008-11-03 21:50 61,224 a------- c:\users\greg\GoToAssistDownloadHelper.exe
2008-10-31 22:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 22:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 22:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 22:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 22:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 22:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 20:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 01:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 22:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 00:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-21 00:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 15:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 15:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-15 23:47 827,392 a------- c:\windows\system32\wininet.dll
2008-09-17 00:33 174 a--sh--- c:\program files\desktop.ini
2008-09-17 00:21 665,600 a------- c:\windows\inf\drvindex.dat
2008-08-08 19:02 56 a---h--- c:\programdata\ezsidmv.dat
2008-08-08 19:02 56 a---h--- c:\progra~2\ezsidmv.dat
2008-05-20 19:32 22,328 a------- c:\users\greg\appdata\roaming\PnkBstrK.sys
2007-04-27 13:48 0 a------- c:\users\greg\appdata\roaming\wklnhst.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-02-06 12:05 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-02-06 12:05 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-02-06 12:05 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 10:40:11.73 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 4/23/2007 9:33:11 AM
System Uptime: 12/31/2008 2:03:20 PM (92 hours ago)

Motherboard: Dell Inc. | | 0CT017
Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | Microprocessor | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 223 GiB total, 132.007 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.922 GiB free.
E: is CDROM (UDF)

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP751: 12/9/2008 9:57:29 PM -
RP774: 12/24/2008 10:30:48 PM - Last known good configuration
RP775: 12/26/2008 12:00:02 AM - Scheduled Checkpoint
RP776: 12/27/2008 12:29:22 AM - Scheduled Checkpoint
RP777: 12/27/2008 9:29:47 PM - Scheduled Checkpoint
RP778: 12/29/2008 12:00:03 AM - Scheduled Checkpoint
RP779: 12/30/2008 1:23:38 AM - Scheduled Checkpoint
RP780: 12/31/2008 12:00:03 AM - Scheduled Checkpoint
RP781: 12/31/2008 7:00:59 PM - Scheduled Checkpoint
RP782: 1/2/2009 12:00:03 AM - Scheduled Checkpoint
RP783: 1/3/2009 12:13:39 AM - Scheduled Checkpoint
RP784: 1/3/2009 10:54:22 PM - Installed Steam

==== Installed Programs ======================

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
ATI Catalyst Install Manager
AusLogics System Information
Avaya IP Agent
Battlefield 2™
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.4 Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Patch
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
ccc-core-static
ccc-utility
CCC Help English
Cisco Systems VPN Client 5.0.02.0090
Compatibility Pack for the 2007 Office system
ComTekk
Core FTP LE 2.1
Dell System Customization Wizard
DellSupport
EasyCleaner
Fast Blog Finder 2.50
Flight Simulator X
Flight Simulator X Service Pack 1
HijackThis 2.0.2
Intel® Matrix Storage Manager
Intel® Viiv™ Software
Java™ SE Runtime Environment 6
Learning Environment
Left 4 Dead
McAfee SecurityCenter
Microsoft Flight Simulator X
Microsoft Flight Simulator X: Acceleration
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
NGAdmin Application
PDF Settings
PunkBuster Services
RealPlayer
SigmaTel Audio
Skins
Sonic Activation Module
Steam
System Requirements Lab
TeamSpeak 2 RC2
TrueSpeech Internet Player
UltimateBet
User's Guides
Ventrilo Client
Ventrilo Server
VeryDOC PDF To Word Converter v2.5
Viewpoint Media Player
Windows Live Messenger
Windows Vending
WinRAR archiver
X-Lite 3.0
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

12/28/2008 2:33:36 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user Greg-PC\Greg SID (S-1-5-21-3889450244-2785813946-2893821554-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
12/31/2008 10:24:12 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0019D16AA44F has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/31/2008 10:24:16 AM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{A144ED2C-4432-436A-9E9F-BB2D8C14DA81} because another computer on the network has the same name. The server could not start.
12/31/2008 10:24:16 AM, Error: netbt [4321] - The name "GREG-PC :0" could not be registered on the interface with IP address 192.168.2.3. The computer with the IP address 192.168.2.4 did not allow the name to be claimed by this computer.
12/31/2008 10:24:16 AM, Error: netbt [4321] - The name "GREG-PC :0" could not be registered on the interface with IP address 0.0.0.0. The computer with the IP address 192.168.2.4 did not allow the name to be claimed by this computer.
12/31/2008 10:24:16 AM, Error: netbt [4321] - The name "GREG-PC :20" could not be registered on the interface with IP address 192.168.2.3. The computer with the IP address 192.168.2.4 did not allow the name to be claimed by this computer.
12/31/2008 2:03:43 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP Deskjet D2300 series with shared resource name HP Deskjet D2300 series. Error 2114. The printer cannot be used by others on the network.
12/31/2008 2:05:33 PM, Error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.
1/3/2009 10:59:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
1/3/2009 10:59:40 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

#4 Clark76

Clark76

    Trusted

  • Visiting Fellow
  • PipPip
  • 35 posts

Posted 04 January 2009 - 09:55 AM

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Proud Member of ASAP

Proud Member of UNITE


#5 Gregory

Gregory

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 04 January 2009 - 10:02 AM

Thanks for your fast response... I am just a little confused about the Windows Recovery Console for Vista... I found the disc, now what?! lol!

#6 Clark76

Clark76

    Trusted

  • Visiting Fellow
  • PipPip
  • 35 posts

Posted 04 January 2009 - 10:13 AM

At this time you do not need to do anything with the disc. It only helps right now to know you do have it in case we need it later. For now just follow the tutorial instructions on running ComboFix itself.

Proud Member of ASAP

Proud Member of UNITE


#7 Gregory

Gregory

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 04 January 2009 - 10:20 AM

Okay, I am on my laptop now (we are working on my desktop) and it is doing its thing on my desktop... Will post it ASAP. Thanks again!

#8 Gregory

Gregory

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 04 January 2009 - 10:38 AM

ComboFix 09-01-02.01 - Greg 2009-01-04 11:16:39.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.921 [GMT -5:00]
Running from: c:\users\Greg\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\awtqnkhe.dll
c:\windows\System32\ehknqtwa.ini
c:\windows\system32\ehknqtwa.ini2

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2008-12-31 14:03 . 2009-01-04 11:20 36,864 --a------ c:\windows\System32\xxyyyWNE.dll
2008-12-28 17:00 . 2008-12-28 17:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-24 22:24 . 2008-12-24 22:24 434,688 --a------ c:\windows\System32\ss2uinst.exe
2008-12-18 19:47 . 2008-12-18 19:47 <DIR> d-------- C:\Poker Application
2008-12-11 03:02 . 2008-10-21 20:22 2,048 --a------ c:\windows\System32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 16:25 --------- d-----w c:\program files\Common Files\Steam
2009-01-04 16:23 --------- d-----w c:\program files\Steam
2009-01-03 03:22 --------- d-----w c:\users\Greg\AppData\Roaming\CoreFTP
2008-12-25 03:28 202,040 ----a-w c:\windows\System32\PnkBstrB.exe
2008-12-25 03:28 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-19 00:47 --------- d-----w c:\program files\UltimateBet
2008-12-16 02:00 --------- d-----w c:\users\Greg\AppData\Roaming\gtk-2.0
2008-12-11 08:09 --------- d-----w c:\program files\Windows Mail
2008-12-10 17:02 --------- d-----w c:\program files\McAfee
2008-12-02 05:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 05:01 --------- d-----w c:\program files\Common Files\Microsoft Games
2008-12-01 05:43 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-23 05:52 --------- d-----w c:\program files\Common Files\xing shared
2008-11-23 05:52 --------- d-----w c:\program files\Common Files\Real
2008-11-23 05:51 --------- d-----w c:\program files\Real
2008-11-17 00:35 --------- d-----w c:\program files\AIM6
2008-11-17 00:34 --------- d-----w c:\programdata\Viewpoint
2008-11-17 00:34 --------- d-----w c:\programdata\acccore
2008-11-17 00:33 --------- d-----w c:\programdata\AOL Downloads
2008-11-05 20:35 --------- d-----w c:\program files\Citrix
2008-11-05 20:25 --------- d-----w c:\users\Greg\AppData\Roaming\Elluminate
2008-11-05 00:39 --------- d-----w c:\program files\MSN Messenger
2008-11-05 00:25 --------- d-----w c:\users\Greg\AppData\Roaming\Avaya
2008-11-05 00:25 --------- d-----w c:\program files\Avaya
2008-11-05 00:22 66,360 ----a-w c:\users\Greg\g2ax_customer_downloadhelper_win32_x86.exe
2008-11-04 04:50 --------- d-----w c:\program files\CounterPath
2008-11-04 04:50 --------- d-----w c:\program files\Common Files\Intel
2008-11-04 04:36 --------- d-----w c:\program files\Common Files\Deterministic Networks
2008-11-04 04:36 --------- d-----w c:\program files\Cisco Systems
2008-11-04 04:17 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-04 04:15 --------- d-----w c:\program files\Microsoft.NET
2008-11-04 03:50 --------- d-----w c:\program files\SiteAdvisor
2008-11-04 03:48 --------- d-----w c:\programdata\SiteAdvisor
2008-11-04 03:48 --------- d-----w c:\programdata\McAfee
2008-11-04 03:46 --------- d-----w c:\program files\McAfee.com
2008-11-04 03:46 --------- d-----w c:\program files\Common Files\McAfee
2008-11-04 03:32 --------- d-----w c:\users\Greg\AppData\Roaming\Hide IP NG
2008-11-04 02:50 61,224 ----a-w c:\users\Greg\GoToAssistDownloadHelper.exe
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 19:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 18:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-17 05:33 174 --sha-w c:\program files\desktop.ini
2008-08-09 00:02 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-08-09 00:02 56 ---ha-w c:\programdata\ezsidmv.dat
2008-05-21 00:32 22,328 ----a-w c:\users\Greg\AppData\Roaming\PnkBstrK.sys
2007-04-27 18:48 0 ----a-w c:\users\Greg\AppData\Roaming\wklnhst.dat
2008-02-06 17:05 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-06 17:05 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-06 17:05 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"eyeBeam SIP Client"="c:\program files\CounterPath\X-Lite\x-lite.exe" [2008-04-22 22237184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Steam"="c:\program files\steam\steam.exe" [2009-01-03 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"pwreset"="c:\program files\Avaya\Avaya IP Agent\Service Provider\pwreset.exe" [2007-09-12 45056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185872]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 c:\windows\sttray.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-11-03 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A8F95294-5DAA-4CD2-952B-76775592E5C8}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{4DEF8122-8766-478B-9FDF-E935D4DF7288}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{D99F8354-66AD-4BCF-BE7F-27FFFA08B9F0}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{A12C8F03-5A40-4585-8D41-09A635B37430}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{4D0FC031-20DB-4E63-B3ED-BF75990DBDA3}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{E5AF6EB2-18F3-4230-A2D1-D1BDAC5F6CB8}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{D00C3374-13A8-4479-9EBC-857F86B03211}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{41B8F1AC-707A-4E3C-BFA3-E5E8509202B4}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{140DD688-A74F-4896-BB3D-C0B363731F9C}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{AC405A6D-974B-43FA-96F9-C87850A19B08}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{371DEE0C-A2F5-4622-BAD1-63DB23269E2E}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{2274DEB0-A84E-45EE-BE8D-C69AA4609CC0}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{32C9B139-7E93-4254-9C41-B24D6A400DBF}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CDDC446D-A4DD-40BA-B5EF-9DEDA0E4F282}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{30A02838-9746-421E-B09E-66D88B3860F1}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{DE6B7446-D2A2-4914-96D4-EE4367333A00}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{4585B7F7-FB9A-41EF-8423-B390E02BB9B4}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{EBEC1761-6E42-44E0-BA3A-2BB30BB08251}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{FE224604-C76A-4C66-BEB8-91EC57CF51DE}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{463D894E-4538-4682-ADF0-48569CF6E665}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{112623F2-06E1-4575-A5D7-10B7115246E1}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{1977DC2F-1D35-4E9E-AD27-1B2AABA3A9A2}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{4308B454-9D96-4E04-844D-EC25BB63F987}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{BB74DCA2-2161-44B5-8305-E9107AD96E16}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{84078C89-7EC3-40F0-B4A0-157D0EB9B7CE}"= UDP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare™
"{4C9142D2-0526-4591-82A4-CDC55F0BDED8}"= TCP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare™
"{8BAB697C-D40A-4D86-842F-FBB18D002A1A}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{F7C98697-5A32-4254-A9C5-146E4617E304}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{465C4111-490E-4A17-9967-32DCC6515A71}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{5DE1F29A-86AF-475D-A0D3-0E89A1A59114}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{82E82DCD-F02C-4804-A8A6-92C704AF88C0}"= UDP:c:\program files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{AC121FDF-4B5E-4C7D-B06D-A6E1976CC3CE}"= TCP:c:\program files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{E5183907-C52B-4011-BCD6-9911EC40B105}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [2007-04-23 5504]
R4 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2007-09-30 46112]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-11-03 206096]
R4 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [2006-09-27 28672]
R4 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [2006-10-19 7424]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-24 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d61c2113-f19e-11db-beee-806e6f6e6963}]
\shell\AutoRun\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7120ef3-9288-11dc-9d0d-0019d16aa44f}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-04 c:\windows\Tasks\vgppmssa.job
- c:\windows\system32\rundll32.exe [2006-11-02 04:45]
.
- - - - ORPHANS REMOVED - - - -

BHO-{669B4929-1259-4C24-978B-2DE9F47C5ECC} - c:\windows\system32\awtqnkhe.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &WebReplay Fill Login - c:\program files\Deskperience\Web Replay\inetieui.dll/292
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\programdata\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk
IE: {{3401B8CC-95A4-4dbe-B73F-00E2D23F2B73} - {35D71809-1CFC-4B88-A79B-154B483327DD} - c:\program files\Deskperience\Web Replay\ShowToolbar.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

c:\windows\Downloaded Program Files\sysreqlab_srl.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
c:\windows\Downloaded Program Files\sysreqlab.osd

c:\windows\System32\msvcrt.dll - c:\windows\System32\mfc42.dll
c:\windows\Downloaded Program Files\esvcfe.ocx
O16 -: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2}
hxxp://techsupport.esylvan.com/monitor/esvcfe.cab
c:\windows\Downloaded Program Files\esvcfe.inf
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 11:25:35
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2724)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\System32\PnkBstrA.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-01-04 11:35:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 16:35:16

Pre-Run: 141,295,292,416 bytes free
Post-Run: 141,957,496,832 bytes free

321 --- E O F --- 2008-12-18 07:06:06

#9 Clark76

Clark76

    Trusted

  • Visiting Fellow
  • PipPip
  • 35 posts

Posted 04 January 2009 - 01:48 PM

Hello again,

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please print out or save the following instructions in Notepad.

----------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following program (if it exists):

Viewpoint Media Player <<< is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". See Viewpoint to Plunge Into Adware

----------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

http://forums.whatthetech.com/Help_Spyware_Popup_t98376.html#entry515528

Folder::
c:\programdata\Viewpoint
c:\program files\Viewpoint

Driver::
Viewpoint Manager Service
Registry::

Collect::
c:\windows\System32\xxyyyWNE.dll


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100%.

------------------------------------

Please provide the following logs with your next post:

C:\ComboFix.txt
Kaspersky Report

Also include an update on how your system is running

Proud Member of ASAP

Proud Member of UNITE
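The fix above is driven by a handful of findings in the ComboFix log: a randomly named DLL in System32 that also shows up as a BHO in the orphans list, EnableLUA and EnableFirewall set to 0, AutoRun commands on removable drives, a BITS download from a suspicious site, and a scheduled task whose command is nothing but rundll32.exe. As an added example (not code from this thread, from ComboFix or from its author), here is a small Python triage script that parses those sections of a ComboFix-style log and lists them. Its section and line-format rules are assumptions drawn from the log posted above, and SAMPLE_LOG is constructed from lines of that log.

```python
# Triage helper for a ComboFix-style log: added example, not ComboFix's own code. The
# layout rules are assumptions drawn from the thread's log; SAMPLE_LOG is built from it.
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\awtqnkhe.dll
c:\windows\System32\ehknqtwa.ini
----- BITS: Possible infected sites -----
hxxp://childhe.com
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
2008-12-31 14:03 . 2009-01-04 11:20 36,864 --a------ c:\windows\System32\xxyyyWNE.dll
2008-12-11 03:02 . 2008-10-21 20:22 2,048 --a------ c:\windows\System32\tzres.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d61c2113-f19e-11db-beee-806e6f6e6963}]
\shell\AutoRun\command - E:\SETUP.EXE
Contents of the 'Scheduled Tasks' folder
2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
2009-01-04 c:\windows\Tasks\vgppmssa.job
- c:\windows\system32\rundll32.exe [2006-11-02 04:45]
- - - - ORPHANS REMOVED - - - -
BHO-{669B4929-1259-4C24-978B-2DE9F47C5ECC} - c:\windows\system32\awtqnkhe.dll
"""

FILE_RE = re.compile(r"[a-z]:\\.*?\.(?:dll|exe|sys|ini2?)(?=\s|$)", re.I)  # path to code/config
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}", re.I)
WEAK_VALUE_RE = re.compile(r'"(EnableLUA|EnableFirewall)"=\s*0\b')  # UAC / firewall off


def looks_random(basename):
    # Heuristic for Vundo-style names: 8-letter stem with a run of 4+ consonants.
    # Has false positives (PunkBuster's PnkBstrB.exe), so it ranks candidates only.
    stem = basename.rsplit(".", 1)[0]
    return len(stem) == 8 and stem.isalpha() and CONSONANT_RUN.search(stem) is not None


def section_header(line):
    # Section name if the line is a ComboFix section header, else None.
    m = re.match(r"^\(+\s*(.*?)\s*\)+$", line)
    if m:
        return m.group(1)
    if line.startswith("----- BITS"):
        return "BITS"
    if line.startswith("Contents of the 'Scheduled Tasks'"):
        return "Scheduled Tasks"
    return "Orphans Removed" if "ORPHANS REMOVED" in line else None


def triage(log_text):
    # One pass over the log; returns the findings an analyst keys on, by kind.
    f = {"weak_settings": [], "autorun": [], "bits_sites": [],
         "loader_tasks": [], "random_names": [], "cross_refs": []}
    section = key = pending_job = None
    seen = {}  # lower-cased file name -> sections it appears in
    for raw in log_text.splitlines():
        line = raw.strip()
        hdr = section_header(line)
        if hdr:
            section = hdr
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key for the value lines that follow
            continue
        m = WEAK_VALUE_RE.match(line)
        if m:
            f["weak_settings"].append((key, m.group(1)))
            continue
        if line.startswith(r"\shell\AutoRun\command"):
            f["autorun"].append((key, line.split(" - ", 1)[1]))
            continue
        if section == "BITS" and line.lower().startswith("hxxp://"):
            f["bits_sites"].append(line)
            continue
        if section == "Scheduled Tasks":
            if line.lower().endswith(".job"):
                pending_job = line.split()[-1]
                continue
            if line.startswith("- ") and pending_job:
                cmd = line[2:].split(" [", 1)[0]
                if cmd.lower().endswith("rundll32.exe"):  # the job is only a loader
                    f["loader_tasks"].append((pending_job, cmd))
                pending_job = None
                continue
        for path in FILE_RE.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            seen.setdefault(name, set()).add(section)
            if "system32" in path.lower() and looks_random(name):
                f["random_names"].append((section, path))
    # The strongest signal: one file named in several sections (deleted AND a BHO).
    f["cross_refs"] = sorted(n for n, secs in seen.items() if len(secs) > 1)
    return f


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it as-is to triage the embedded sample, or pass the text of C:\ComboFix.txt to triage(). The cross-reference check is the most reliable of the signals: the random-name heuristic is only a ranking aid and will also flag legitimate eight-letter names such as PunkBuster's PnkBstrB.exe, which is why the analyst reads it together with the orphan and deletion sections rather than on its own.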


#10 Gregory

Gregory

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 06 January 2009 - 12:14 AM

I am in the process of completing this, I will post results later today, thanks!
