BullGuard Antivirus Forum
Troj/Wimad M, E, J etc
   

ShotGroup
New Member
Date Joined Feb 2009
Total Posts : 11

Posted 2-9-2009 5:36 (GMT +1)
Hello,
 
I have Troj/Wimad M, E and J, also trojan.gen, Java/DownLdr-A and an adware called commonname.
What got me to this point is my Paypal account was used and an unauthorized transaction took place. That may have nothing to do with the viruses on my computer but I sure could use some help getting rid of them. Please let me know what I can do to help you help me!
 
Here is my Hijackthis log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:17 PM, on 2/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\Mp!!!ent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] "C:\WINDOWS\system32\CTHELPER.EXE"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] "c:\PROGRA~1\mcafee.com\agent\mcagent.exe"
O4 - HKLM\..\Run: [MCUpdateExe] "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] "C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] "C:\Program Files\SpyKiller\spykiller.exe" /startup
O4 - HKCU\..\Run: [BestPopUpKiller] "C:\Program Files\BestPopUpKiller\BestPopupKiller.exe" /startup
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
O4 - HKCU\..\Run: [PC SpeedScan Pro] C:\Program Files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe -m
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} (XMRADIO.XM_SystemProfiler) - http://www.xmradio.com/xstream/registration/dell/xmprofiler.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{066FBAE8-0B6F-4010-BB45-A060767DD220}: NameServer = 24.177.176.36,24.178.80.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{066FBAE8-0B6F-4010-BB45-A060767DD220}: NameServer = 24.177.176.36,24.178.80.36
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
--
End of file - 12562 bytes

Post Edited (ShotGroup) : 12-02-2009 04:39:48 GMT
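The log above is in HijackThis v2 line format, and a helper's first pass over it is mechanical: split the R*/O* lines by section code, pull out the CLSID and the file path, and mark the cheap signals ("(file missing)", "(no name)", services with "Unknown owner"). The parser below is an added example, not code from the forum, from HijackThis or from anyone in this thread; its regexes and flag heuristics are this example's own assumptions, and the embedded log lines are a constructed excerpt modelled on the post rather than the full log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the HijackThis v2 line format, modelled on the log in the
# thread; a real log would be pasted in whole. Lines without an R/O code prefix
# (the "Running processes" paths, headers) are ignored by the parser.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O4 - HKCU\..\Run: [SpyKiller] "C:\Program Files\SpyKiller\spykiller.exe" /startup
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Section code ("R1", "O23", ...) followed by " - " and the rest of the line.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a binary/page extension; stops at a closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cab|htm|lnk)\b', re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn the R*/O* lines of a HijackThis log into Entry records with triage flags."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entry = Entry(code, body, clsid.group(0).upper() if clsid else None,
                      path.group(0) if path else None)
        # Cheap signals a helper checks first; none of them proves infection on its own.
        if "(file missing)" in body:
            entry.flags.append("file missing")      # registration left behind, binary gone
        if "(no name)" in body:
            entry.flags.append("no name")           # hook/BHO registered without a display name
        if code == "O23" and "Unknown owner" in body:
            entry.flags.append("unknown owner")     # service binary carries no company name
        entries.append(entry)
    return entries


def triage(entries: List[Entry]) -> Tuple[List[Entry], Dict[str, List[str]]]:
    """Return the flagged entries and every path referenced by more than one entry."""
    flagged = [e for e in entries if e.flags]
    by_path: Dict[str, List[str]] = {}
    for e in entries:
        if e.path:
            by_path.setdefault(e.path.lower(), []).append(e.code)
    shared = {p: codes for p, codes in by_path.items() if len(codes) > 1}
    return flagged, shared


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    flagged_entries, shared_paths = triage(parsed)
    for e in flagged_entries:
        print(f"{e.code}: {', '.join(e.flags)} -> {e.path or e.body}")
    for p, codes in shared_paths.items():
        print(f"referenced by {codes}: {p}")
```

The flags are a triage aid, not a verdict: a "(file missing)" hook means a registration whose DLL is already gone (in the sample the same MyWaySA DLL is referenced by both a URLSearchHook and a BHO, which the path grouping makes visible), and "Unknown owner" only says the service binary has no company name, so each flagged line still needs a look at the path and the publisher before anything is removed.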

 

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319

Posted 2-9-2009 6:04 (GMT +1)
Hello ShotGroup


Go to Add/Remove Programs in Control Panel, and remove, if present:
Spykiller ->
Shareware "Spyware remover" of questionable quality and repute

Once installed, run CCleaner and click the Windows tab.

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: click Options, then click the Settings tab.
Uncheck "Only delete files older than 48 hrs.", click Ok

Then click Run Cleaner (bottom right), then Exit.
Reboot
 
Please download Malwarebytes' Anti-Malware:

Or here:

to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Please connect all your external hard drives/flash drives before running Malwarebytes.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Post the HijackThis log along with the Malwarebytes' Anti-Malware log.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.





Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
 

ShotGroup
New Member
Date Joined Feb 2009
Total Posts : 11

Posted 2-10-2009 1:50 (GMT +1)
First of all, thanks Touch for helping me out with this. Secondly, I followed your instructions exactly as you described. When I run the Malware program, it starts off running the full scan, then it crashes to a blue screen. The blue screen reads PAGE_FAULT_NONPAGED_AREA. Then at the bottom is the Technical info which reads: STOP: 0x00000050 (0xFFFFFFFC, 0x00000000, 0x8054A51A, 0x00000000)
I tried to run the Malware program in Safe Mode after the first two crashes; it crashed in Safe Mode also.
 
I've run the Anti-Malware program once more since posting the above, I noticed that it ran for 31 seconds, picked up an item in red at about the 25 second mark, then crashed at about the 31 second mark.
 
What do you think?





Post Edited (ShotGroup) : 10-02-2009 01:24:55 GMT
 

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319

Posted 2-10-2009 8:30 (GMT +1)
It seems related to some infected sys files. I'll therefore suggest you try combofix ->
 
 
Please download Combofix:
 
And save to the desktop.

Close all other browser windows.
 
Please connect all your external hard drive/flash drive before running Combofix, if you have any
 
 
Double-click on the combofix icon found on your desktop.
 
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.  

 When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
 

ShotGroup
New Member
Date Joined Feb 2009
Total Posts : 11

Posted 2-10-2009 1:45 (GMT +1)
ComboFix 09-02-08.02 - Kyle 2009-02-10  6:36:14.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.537 [GMT -6:00]
Running from: c:\documents and settings\Kyle\Desktop\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
 * Created a new restore point
 * Resident AV is active
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
.
(((((((((((((((((((((((((   Files Created from 2009-01-10 to 2009-02-10  )))))))))))))))))))))))))))))))
.
2009-02-09 19:41 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-09 19:40 . 2009-02-09 19:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 19:40 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-09 18:31 . 2009-02-09 18:31 <DIR> d-------- c:\documents and settings\Kyle\Application Data\Malwarebytes
2009-02-09 18:31 . 2009-02-09 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-09 18:19 . 2009-02-09 18:19 <DIR> d-------- c:\program files\CCleaner
2009-02-08 21:19 . 2009-02-08 21:19 <DIR> d-------- c:\program files\Trend Micro
2009-02-08 14:30 . 2009-02-08 14:30 <DIR> d-------- C:\Binaries
2009-02-08 14:29 . 2009-02-08 14:29 <DIR> d-------- c:\program files\Webroot
2009-02-08 14:29 . 2009-02-08 14:29 <DIR> d-------- c:\documents and settings\Kyle\Application Data\Webroot
2009-02-08 14:29 . 2009-02-08 14:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2009-02-08 14:29 . 2009-01-20 09:07 1,553,272 --a------ c:\windows\WRSetup.dll
2009-02-08 14:26 . 2009-02-08 14:26 164 --a------ C:\install.dat
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 00:18 --------- d-----w c:\program files\SpyKiller
2009-02-08 23:50 201,352 ----a-w c:\windows\SYSTEM32\PnkBstrB.exe
2009-02-08 23:50 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-08 03:26 --------- d-----w c:\documents and settings\Kyle\Application Data\FrostWire
2008-12-20 15:29 --------- d-----w c:\program files\FixTunes
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-08-23 14:15 24 ----a-w c:\documents and settings\Kyle\jagex_runescape_preferences.dat
2007-09-16 22:38 22,328 -c--a-w c:\documents and settings\Kyle\Application Data\PnkBstrK.sys
2005-02-17 03:37 498 -c--a-w c:\program files\Nascar 2003.wgp
1999-07-30 20:38 2,126 -c--a-w c:\program files\readme.txt
1999-07-30 16:21 411,409 -c--a-w c:\program files\INSTALL.EXE
1998-05-12 17:18 5,465 -c--a-w c:\program files\license.txt
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-01-20 09:01 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2004-03-11 28672]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-12 110592]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2004-08-17 245760]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2004-08-17 184320]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-01-20 6278520]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-02-08 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\pb\\PnkBstrB.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [2008-12-07 29808]
R1 cwmtdi;cwmtdi;c:\windows\SYSTEM32\DRIVERS\cwmtdi.sys [2007-05-14 48640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-02-08 1090936]
R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2005-02-03 23296]
S3 DockingGroup;LeapFrog WDM USB Device Driver;c:\windows\SYSTEM32\DRIVERS\MS20022K.sys [2005-08-25 14781]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2009-02-09 38496]
.
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-10 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (RACERCPU-Kyle).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15]
2009-02-10 c:\windows\Tasks\McAfee.com Update Check (DC31ZR61-Owner).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]
2009-02-10 c:\windows\Tasks\McAfee.com Update Check (DC31ZR61-Owner).job
- c:\progra~1\mcafee.com\agent [2005-03-17 18:23]
2009-02-10 c:\windows\Tasks\McAfee.com Update Check (RACERCPU-Kyle).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]
2009-02-10 c:\windows\Tasks\McAfee.com Update Check (RACERCPU-Kyle).job
- c:\progra~1\mcafee.com\agent [2005-03-17 18:23]
2009-02-10 c:\windows\Tasks\McAfee.com Update Check (RACERCPU-non admin).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]
2009-02-10 c:\windows\Tasks\McAfee.com Update Check (RACERCPU-non admin).job
- c:\progra~1\mcafee.com\agent [2005-03-17 18:23]
2009-02-08 c:\windows\Tasks\wrSpySweeper_L9706D845BE064230BB0160BEE5C12D17.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-20 09:07]
2009-02-08 c:\windows\Tasks\wrSpySweeper_L9706D845BE064230BB0160BEE5C12D17.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-20 09:07]
2009-02-08 c:\windows\Tasks\wrSpySweeper_L9706D845BE064230BB0160BEE5C12D17.job
- A:\ []
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SpyKiller - c:\program files\SpyKiller\spykiller.exe
HKCU-Run-BestPopUpKiller - c:\program files\BestPopUpKiller\BestPopupKiller.exe
HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\ApcMain.exe
HKCU-Run-PC SpeedScan Pro - c:\program files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe
HKCU-Run-Start WingMan Profiler - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: musicmatch.com\online
TCP: {066FBAE8-0B6F-4010-BB45-A060767DD220} = 24.177.176.36,24.178.80.36
DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} - hxxp://www.xmradio.com/xstream/registration/dell/xmprofiler.CAB
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 06:39:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-10  6:42:14
ComboFix-quarantined-files.txt  2009-02-10 12:42:10
Pre-Run: 116,843,737,088 bytes free
Post-Run: 117,031,661,568 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
183 --- E O F --- 2009-02-10 02:22:46
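The "Reg Loading Points" section of the ComboFix log above records, in REGEDIT4 style, the Security Center and Windows Firewall settings that decide whether the machine warns its owner at all: AntiVirusDisableNotify=1 suppresses the Security Center antivirus warning, DisableMonitoring=1 under Monitoring\<product> stops Security Center tracking that product, and EnableFirewall=0 turns Windows Firewall off for the standard profile. The checker below is an added example, not ComboFix's or the forum's code: it parses that excerpt and reports every value that differs from the expected hardened setting, and lists the firewall's authorized-application exceptions. The embedded registry text is a constructed subset of the values shown in the log; the expected values and the wording of the findings are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed excerpt in the REGEDIT4 style ComboFix uses for its "Reg Loading
# Points" section; the values mirror the ones in the log, not the whole section.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
COMBOFIX_INT_RE = re.compile(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$")   # ComboFix's "0 (0x0)" form

Value = Union[int, str, None]


def _parse_value(raw: str) -> Value:
    """dword:HEX and ComboFix's 'N (0xN)' become ints; a bare '"name"=' line becomes None."""
    raw = raw.strip()
    if raw == "":
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = COMBOFIX_INT_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Map each [key] to its values; doubled backslashes in .reg value names are undone."""
    tree: Dict[str, Dict[str, Value]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            tree.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group("name").replace("\\\\", "\\")
            tree[current][name] = _parse_value(vm.group("raw"))
    return tree


# (key suffix, value name, expected value, meaning of a deviation): this example's assumptions.
CHECKS: List[Tuple[str, str, int, str]] = [
    (r"\security center", "AntiVirusDisableNotify", 0,
     "Security Center will not warn when the antivirus is off or out of date"),
    (r"\firewallpolicy\standardprofile", "EnableFirewall", 1,
     "Windows Firewall is off on the standard profile; acceptable only if a third-party firewall is running"),
]


def audit(tree: Dict[str, Dict[str, Value]]) -> List[Tuple[str, Value, int, str]]:
    """Return (value name, actual, expected, meaning) for every weakened setting."""
    findings: List[Tuple[str, Value, int, str]] = []
    for key, values in tree.items():
        k = key.lower()
        for suffix, name, expected, meaning in CHECKS:
            if k.endswith(suffix) and name in values and values[name] != expected:
                findings.append((name, values[name], expected, meaning))
        # Any product under Security Center\Monitoring with DisableMonitoring=1 is unwatched.
        if "\\monitoring\\" in k and values.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(("DisableMonitoring", 1, 0,
                             f"Security Center is no longer monitoring '{product}'"))
    return findings


def firewall_exceptions(tree: Dict[str, Dict[str, Value]]) -> List[str]:
    """Programs allowed through Windows Firewall on the standard profile."""
    for key, values in tree.items():
        if key.lower().endswith(r"\authorizedapplications\list"):
            return sorted(values)
    return []


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for name, actual, expected, meaning in audit(reg):
        print(f"{name}={actual} (expected {expected}): {meaning}")
    for exe in firewall_exceptions(reg):
        print("firewall exception:", exe)
```

Read the EnableFirewall finding with the log's FW: line in mind: Windows Firewall being off is normal when a third-party firewall such as the listed McAfee one is active, so that finding means "confirm the replacement is really running", whereas DisableMonitoring=1 for that same product means Security Center would stay silent if it stopped.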
 

ShotGroup
New Member
Date Joined Feb 2009
Total Posts : 11

Posted 2-11-2009 3:28 (GMT +1)
I've run the Anti-Malware program again since the combo fix.  It still crashes.  Just FYI.
Thanks!
 

ShotGroup
New Member
Date Joined Feb 2009
Total Posts : 11

Posted 2-11-2009 3:44 (GMT +1)
Ran a second combo fix scan just in case, here's the log:
 
ComboFix 09-02-10.01 - Kyle 2009-02-10 20:32:02.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.597 [GMT -6:00]
Running from: c:\documents and settings\Kyle\Desktop\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
FW: Webroot Internet Security Essentials *disabled*
 * Created a new restore point
 * Resident AV is active
.
(((((((((((((((((((((((((   Files Created from 2009-01-11 to 2009-02-11  )))))))))))))))))))))))))))))))
.
2009-02-09 19:41 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-09 19:40 . 2009-02-09 19:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 19:40 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-09 18:31 . 2009-02-09 18:31 <DIR> d-------- c:\documents and settings\Kyle\Application Data\Malwarebytes
2009-02-09 18:31 . 2009-02-09 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-09 18:19 . 2009-02-09 18:19 <DIR> d-------- c:\program files\CCleaner
2009-02-08 21:19 . 2009-02-08 21:19 <DIR> d-------- c:\program files\Trend Micro
2009-02-08 14:30 . 2009-02-08 14:30 <DIR> d-------- C:\Binaries
2009-02-08 14:29 . 2009-02-08 14:29 <DIR> d-------- c:\program files\Webroot
2009-02-08 14:29 . 2009-02-08 14:29 <DIR> d-------- c:\documents and settings\Kyle\Application Data\Webroot
2009-02-08 14:29 . 2009-02-08 14:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2009-02-08 14:29 . 2009-01-20 09:07 1,553,272 --a------ c:\windows\WRSetup.dll
2009-02-08 14:26 . 2009-02-08 14:26 164 --a------ C:\install.dat
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 00:18 --------- d-----w c:\program files\SpyKiller
2009-02-08 23:50 201,352 ----a-w c:\windows\SYSTEM32\PnkBstrB.exe
2009-02-08 23:50 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-08 03:26 --------- d-----w c:\documents and settings\Kyle\Application Data\FrostWire
2008-12-20 15:29 --------- d-----w c:\program files\FixTunes
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-08-23 14:15 24 ----a-w c:\documents and settings\Kyle\jagex_runescape_preferences.dat
2007-09-16 22:38 22,328 -c--a-w c:\documents and settings\Kyle\Application Data\PnkBstrK.sys
2005-02-17 03:37 498 -c--a-w c:\program files\Nascar 2003.wgp
1999-07-30 20:38 2,126 -c--a-w c:\program files\readme.txt
1999-07-30 16:21 411,409 -c--a-w c:\program files\INSTALL.EXE
1998-05-12 17:18 5,465 -c--a-w c:\program files\license.txt
.
(((((((((((((((((((((((((((((   SnapShot@2009-02-10_ 6.40.27.54   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-10 12:19:33 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-02-11 02:25:14 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2009-02-10 12:19:33 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-11 02:25:14 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-10 12:19:33 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-11 02:25:14 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-01-20 09:01 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2004-03-11 28672]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-12 110592]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2004-08-17 245760]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2004-08-17 184320]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-01-20 6278520]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-02-08 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\pb\\PnkBstrB.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [2008-12-07 29808]
R1 cwmtdi;cwmtdi;c:\windows\SYSTEM32\DRIVERS\cwmtdi.sys [2007-05-14 48640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-02-08 1090936]
R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2005-02-03 23296]
S3 DockingGroup;LeapFrog WDM USB Device Driver;c:\windows\SYSTEM32\DRIVERS\MS20022K.sys [2005-08-25 14781]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2009-02-09 38496]
.
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-11 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (RACERCPU-Kyle).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15]
2009-02-11 c:\windows\Tasks\McAfee.com Update Check (DC31ZR61-Owner).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]
2009-02-11 c:\windows\Tasks\McAfee.com Update Check (DC31ZR61-Owner).job
- c:\progra~1\mcafee.com\agent [2005-03-17 18:23]
2009-02-11 c:\windows\Tasks\McAfee.com Update Check (RACERCPU-Kyle).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]
2009-02-11 c:\windows\Tasks\McAfee.com Update Check (RACERCPU-Kyle).job
- c:\progra~1\mcafee.com\agent [2005-03-17 18:23]
2009-02-11 c:\windows\Tasks\McAfee.com Update Check (RACERCPU-non admin).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]
2009-02-11 c:\windows\Tasks\McAfee.com Update Check (RACERCPU-non admin).job
- c:\progra~1\mcafee.com\agent [2005-03-17 18:23]
2009-02-08 c:\windows\Tasks\wrSpySweeper_L9706D845BE064230BB0160BEE5C12D17.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-20 09:07]
2009-02-08 c:\windows\Tasks\wrSpySweeper_L9706D845BE064230BB0160BEE5C12D17.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-20 09:07]
2009-02-08 c:\windows\Tasks\wrSpySweeper_L9706D845BE064230BB0160BEE5C12D17.job
- A:\ []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: musicmatch.com\online
TCP: {066FBAE8-0B6F-4010-BB45-A060767DD220} = 24.177.176.36,24.178.80.36
DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} - hxxp://www.xmradio.com/xstream/registration/dell/xmprofiler.CAB
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 20:38:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-10 20:40:01
ComboFix-quarantined-files.txt  2009-02-11 02:39:57
ComboFix2.txt  2009-02-10 12:42:16
Pre-Run: 117,013,094,400 bytes free
Post-Run: 117,005,258,752 bytes free
177 --- E O F --- 2009-02-10 02:22:46
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 2-11-2009 8:27 (GMT +1)
Uninstall one of your antivirus programs from Add/Remove Programs in Control Panel.

Reboot, and see if it still crashes.

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
 

ShotGroup
New Member
Date Joined Feb 2009
Total Posts : 11
Posted 2-12-2009 1:41 (GMT +1)
I removed Webroot's Spy Sweeper (it was a scan-only version) and McAfee; it's still crashing. Using MB, I've selected only the C drive and it will crash after finding an infected object. I've also selected the A drive only just to see what would happen; it found an infected object and crashed just the same.

One thing you mentioned previously is that it seems to have something to do with infected system files. I ran a different anti-spyware program and it stopped or got hung up at HKLM\systemcontrolset003\servicesRpcSs. I had to use the power button to power down the PC, nothing else would end the program; when I used the power button the same blue screen came up with the same message as mentioned several posts up, the same one that shows up when trying to run MB and crashing.

Mean anything to you?

Post Edited (ShotGroup) : 12-02-2009 02:42:33 GMT
 

Touch
Forum Moderator
Posted 2-12-2009 6:56 (GMT +1)
Yes, it looks like NaiFiltr.sys is the culprit.

Start > Run, type/copy: regsvr32 /u NaiFiltr.sys
Also search for these files (in the Windows folder), NaiFiltr.inf and NaiFiltr.cat, and delete them.

Reboot, and let me know if it still crashes.
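The ComboFix log posted above lists NaiFiltr under "Reg Loading Points" as `R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys`, next to Security Center and firewall-policy values. As an added example for this thread (not code from ComboFix, HijackThis or any poster), here is a small Python triage script for those lines: it decodes the R/S state and the start-type digit ComboFix prefixes each service with, separates `.sys` drivers from user-mode services, reports the registry key a service entry lives under, flags the values that weaken Security Center and the Windows Firewall, and lists peer-to-peer clients the firewall policy admits. The sample input is excerpted from the log above; the start-type decoding (0 boot, 1 system, 2 auto, 3 demand, 4 disabled) and the list of peer-to-peer client names are the example's own assumptions.

```python
"""Triage the service and policy lines of a ComboFix 'Reg Loading Points'
section.  Added example for this thread; not code from ComboFix, HijackThis
or any poster.

ComboFix lists each service as

    <R|S><n> name;display name;path [date size]

where R/S is running/stopped and <n> is the Windows service start type
(0 boot, 1 system, 2 auto, 3 demand, 4 disabled); that decoding is the
example's assumption.  A .sys path here is a kernel-mode driver registered
as a service, so it is administered through the Service Control Manager.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines excerpted from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [2008-12-07 29808]
R1 cwmtdi;cwmtdi;c:\windows\SYSTEM32\DRIVERS\cwmtdi.sys [2007-05-14 48640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-02-08 1090936]
R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2005-02-03 23296]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2009-02-09 38496]
"""

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?)(?: \[[^\]]*\])?$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# Peer-to-peer clients worth noting in the firewall allow-list (example's assumption).
P2P_HINTS = ("limewire", "frostwire")


@dataclass
class Service:
    name: str
    display: str
    path: str
    running: bool
    start: str

    @property
    def is_driver(self) -> bool:
        return self.path.lower().endswith(".sys")


def service_key(name: str) -> str:
    """Registry key under which a service or driver entry is registered."""
    return "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + name


def parse_services(text: str) -> list:
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, start, name, display, path = m.groups()
            services.append(Service(name, display, path, state == "R", START_TYPES[start]))
    return services


def _dword(value: str) -> int:
    """Parse the 'dword:00000001' and '0 (0x0)' value forms ComboFix prints."""
    token = value.split(":")[-1].split()[0] if value.strip() else "0"
    return int(token, 16) if value.startswith("dword:") else int(token)


def parse_policy(text: str):
    """Return (weakened settings, firewall-authorised application paths)."""
    section, weak, apps = "", [], []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if section.endswith("authorizedapplications\\list"):
            apps.append(key.replace("\\\\", "\\"))  # ComboFix doubles the backslashes
        elif key == "AntiVirusDisableNotify" and _dword(value) == 1:
            weak.append("Security Center antivirus notifications disabled")
        elif key == "DisableMonitoring" and _dword(value) == 1:
            weak.append("Security Center monitoring disabled for " + section.rsplit("\\", 1)[-1])
        elif key == "EnableFirewall" and _dword(value) == 0:
            weak.append("Windows Firewall disabled (standard profile)")
    return weak, apps


def triage(text: str) -> dict:
    services = parse_services(text)
    weak, apps = parse_policy(text)
    return {
        "drivers": [s.name for s in services if s.is_driver],
        "running_drivers": [s.name for s in services if s.is_driver and s.running],
        "weakened": weak,
        "p2p_authorized": [a for a in apps if any(h in a.lower() for h in P2P_HINTS)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for svc in parse_services(SAMPLE_LOG):
        kind = "driver " if svc.is_driver else "service"
        state = "running" if svc.running else "stopped"
        print(f"{kind} {svc.name:<18} {state:<8} start={svc.start:<8} {service_key(svc.name)}")
    for item in report["weakened"]:
        print("weakened:", item)
    for app in report["p2p_authorized"]:
        print("p2p client allowed through firewall:", app)
```

Run stand-alone it prints one line per service with its start type and registry key, then the weakened-policy findings and the peer-to-peer clients on the firewall allow-list. On a live XP machine the corresponding checks are `sc query <name>` against the service name, and a driver service that should go is stopped and removed through the Service Control Manager (`sc stop` / `sc delete`) before its `.sys` file is deleted.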
 

ShotGroup
New Member
Posted 2-13-2009 4:18 (GMT +1)
I couldn't find it. I tried to run it like you said; it said it wasn't found. I tried Start > Accessories > Command Prompt, no good there either (Load Library "NaiFiltr.sys" Failed - The specified module could not be found). I tried to run MB again; it crashes just the same as before.

Post Edited (ShotGroup) : 13-02-2009 12:27:11 GMT
 

ShotGroup
New Member
Posted 2-14-2009 4:24 (GMT +1)
I've purchased Webroot's Spy Sweeper and run a full sweep. It found the viruses and quarantined them, as well as the adware/spyware. I ran MB again for kicks and it still finds an infected file and still crashes.

I'd like to post a new HJT log and get your opinion on it compared to the first one I posted.
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:44 PM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] "C:\WINDOWS\system32\CTHELPER.EXE"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] "C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\DUMPREP.EXE" 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} (XMRADIO.XM_SystemProfiler) - http://www.xmradio.com/xstream/registration/dell/xmprofiler.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{066FBAE8-0B6F-4010-BB45-A060767DD220}: NameServer = 24.177.176.36,24.178.80.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{066FBAE8-0B6F-4010-BB45-A060767DD220}: NameServer = 24.177.176.36,24.178.80.36
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
--
End of file - 10385 bytes
 
Thank you.
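The HijackThis log above carries several registrations whose target is reported as "(file missing)" or "(no file)" (the MyWaySA search hook and BHO, the Adobe and AVG BHOs, and an unnamed toolbar), plus two O17 NameServer entries. As an added example, not from the thread or from HijackThis, this Python script pulls those out of a log: an orphaned BHO, toolbar or URLSearchHook entry is a dangling CLSID registration whose DLL has already been removed (by a scanner or an uninstaller), so it can be cleaned up without touching any file; O17 entries are static per-adapter DNS resolver settings, which DNS-changing trojans set, so the resolvers are listed for comparison with the ISP's. The sample input is excerpted from the log above; the parsing and the public/private classification are the example's own.

```python
"""Pull orphaned registrations and O17 name-server overrides out of a
HijackThis 2.0 log.  Added example for this thread; not code from
HijackThis or any poster.
"""
import ipaddress
import re

# Constructed sample input: lines excerpted from the HijackThis log above.
SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{066FBAE8-0B6F-4010-BB45-A060767DD220}: NameServer = 24.177.176.36,24.178.80.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{066FBAE8-0B6F-4010-BB45-A060767DD220}: NameServer = 24.177.176.36,24.178.80.36
"""

# "<code> - <body>" is the shape of every HijackThis line.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# "<kind>: <name> - {CLSID} - <target>" for BHO, Toolbar and URLSearchHook bodies.
REG_RE = re.compile(r"^(\w+): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O17 bodies: control set, adapter GUID and the comma-separated resolver list.
NS_RE = re.compile(r"^HKLM\\System\\(\w+)\\Services\\Tcpip\\\.\.\\(\{[0-9A-Fa-f-]{36}\}): NameServer = (.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_entries(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def orphaned_registrations(text: str) -> list:
    """Registrations whose file is gone: the DLL was removed but the CLSID
    registration survived, so the entry can be cleaned up without deleting
    any file."""
    found = []
    for code, body in parse_entries(text):
        m = REG_RE.match(body)
        if m and m.group(4).endswith(MISSING_MARKERS):
            kind, name, clsid, target = m.groups()
            found.append({"code": code, "kind": kind, "name": name, "clsid": clsid, "target": target})
    return found


def name_servers(text: str) -> list:
    """(control set, adapter GUID, [resolver, ...]) for each O17 entry."""
    out = []
    for code, body in parse_entries(text):
        m = NS_RE.match(body) if code == "O17" else None
        if m:
            out.append((m.group(1), m.group(2), [ip.strip() for ip in m.group(3).split(",")]))
    return out


def unique_name_servers(text: str) -> list:
    return sorted({ip for _, _, ips in name_servers(text) for ip in ips})


def public_resolver(ip: str) -> bool:
    """True when the resolver is a routable address rather than a LAN one
    (such as a home router).  Either way the address has to be checked
    against the ISP's published resolvers; this only says where to look."""
    return ipaddress.ip_address(ip).is_global


if __name__ == "__main__":
    for o in orphaned_registrations(SAMPLE_HJT):
        print(f"{o['code']} {o['kind']:<14} {o['clsid']} {o['name']!r} -> {o['target']}")
    for cs, guid, ips in name_servers(SAMPLE_HJT):
        print(f"O17 {cs} {guid}: {', '.join(ips)}")
    for ip in unique_name_servers(SAMPLE_HJT):
        print("resolver", ip, "public" if public_resolver(ip) else "private/reserved")
```

Run stand-alone it prints the five orphaned registrations with their CLSIDs, the O17 entry for each control set (CCS is the current one, CS1 the last-known-good copy), and the distinct resolver addresses with a public/private classification.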
 

Touch
Forum Moderator
Posted 2-14-2009 6:19 (GMT +1)
It was a good idea to purchase Webroot. However, there are probably remnants from McAfee. I'll therefore suggest you post a fresh ComboFix log.

NB: Allow ComboFix to update, if it asks.
 

ShotGroup
New Member
Posted 2-14-2009 2:34 (GMT +1)
I allowed ComboFix to update. It restarted the PC when it was finished; however, when it restarted I got the blue screen. I restarted in Normal mode and then in Safe Mode and could not access the internet in either mode. I created a restore point last night after the viruses were removed, so I restored to that point. Still no good.

I cannot access the internet when pressing F8 and selecting Safe Mode; I have to select Directory Services Restore Mode, and then I am able to access the internet. Not sure what I should do now; it was functioning fine before the last ComboFix run. I'm tempted to run ComboFix again, as crazy as that sounds.

Update: I ran ComboFix again, it updated again, and then the system crashed while on the desktop just after restart. I ran ComboFix again (it did not ask to update) and it finished, providing a log. I notice that my clock is wrong when ComboFix is not running.

Help!
 
 ComboFix 09-02-12.03 - Kyle 2009-02-14  4:21:13.6 - NTFSx86 DSREPAIR
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.724 [GMT -6:00]
Running from: c:\documents and settings\Kyle\Desktop\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
.
(((((((((((((((((((((((((   Files Created from 2009-01-14 to 2009-02-14  )))))))))))))))))))))))))))))))
.
2009-02-14 07:03 . 2005-02-03 15:26 <DIR> d-------- c:\documents and settings\Administrator.RACERCPU\Application Data\Sonic
2009-02-14 07:03 . 2005-02-03 15:23 <DIR> d-------- c:\documents and settings\Administrator.RACERCPU\Application Data\Jasc Software Inc
2009-02-14 07:03 . 2005-02-03 15:19 <DIR> d-------- c:\documents and settings\Administrator.RACERCPU\Application Data\Creative
2009-02-14 07:03 . 2009-02-14 07:03 <DIR> d-------- c:\documents and settings\Administrator.RACERCPU
2009-02-14 06:59 . 2005-02-03 15:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-02-14 06:59 . 2009-02-14 07:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Creative
2009-02-14 06:59 . 2009-02-14 07:00 <DIR> d---s---- c:\documents and settings\Administrator
2009-02-14 06:47 . 2009-02-14 07:00 <DIR> d-------- C:\ComboFix(2)
2009-02-13 18:30 . 2009-02-13 18:30 <DIR> d-------- c:\program files\Webroot
2009-02-13 18:30 . 2009-02-13 18:30 <DIR> d-------- c:\documents and settings\Kyle\Application Data\Webroot
2009-02-13 18:30 . 2009-02-13 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2009-02-13 18:30 . 2009-01-20 09:07 1,553,272 --a------ c:\windows\WRSetup.dll
2009-02-11 20:20 . 2009-02-11 20:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 20:20 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-11 20:20 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-11 19:09 . 2009-02-11 20:07 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-11 19:09 . 2009-02-11 20:07 <DIR> d-------- c:\documents and settings\Kyle\Application Data\SUPERAntiSpyware.com
2009-02-11 19:09 . 2009-02-11 19:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-11 19:05 . 2009-02-11 19:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-02-09 18:31 . 2009-02-09 18:31 <DIR> d-------- c:\documents and settings\Kyle\Application Data\Malwarebytes
2009-02-09 18:31 . 2009-02-09 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-09 18:19 . 2009-02-09 18:19 <DIR> d-------- c:\program files\CCleaner
2009-02-08 21:19 . 2009-02-08 21:19 <DIR> d-------- c:\program files\Trend Micro
2009-02-08 14:30 . 2009-02-08 14:30 <DIR> d-------- C:\Binaries
2009-02-08 14:26 . 2009-02-13 18:27 164 --a------ C:\install.dat
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 09:56 --------- d-----w c:\program files\Yahoo!
2009-02-14 09:56 --------- d-----w c:\program files\Common Files\Scanner
2009-02-14 02:03 --------- d-----w c:\program files\Blue Coat K9 Web Protection
2009-02-12 02:10 --------- d-----w c:\program files\McAfee.com
2009-02-12 02:07 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-10 00:18 --------- d-----w c:\program files\SpyKiller
2009-02-08 23:50 201,352 ----a-w c:\windows\SYSTEM32\PnkBstrB.exe
2009-02-08 23:50 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-08 03:26 --------- d-----w c:\documents and settings\Kyle\Application Data\FrostWire
2009-01-17 03:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-20 15:29 --------- d-----w c:\program files\FixTunes
2008-12-19 09:10 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-12-11 11:57 333,184 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-08-23 14:15 24 ----a-w c:\documents and settings\Kyle\jagex_runescape_preferences.dat
2007-09-16 22:38 22,328 -c--a-w c:\documents and settings\Kyle\Application Data\PnkBstrK.sys
2005-02-17 03:37 498 -c--a-w c:\program files\Nascar 2003.wgp
1999-07-30 20:38 2,126 -c--a-w c:\program files\readme.txt
1999-07-30 16:21 411,409 -c--a-w c:\program files\INSTALL.EXE
1998-05-12 17:18 5,465 -c--a-w c:\program files\license.txt
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-01-20 09:01 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2004-03-11 28672]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-12 110592]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-01-20 6278520]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-02-08 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\pb\\PnkBstrB.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [2008-12-07 29808]
R1 cwmtdi;cwmtdi;c:\windows\SYSTEM32\DRIVERS\cwmtdi.sys [2007-05-14 48640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-02-13 1090936]
S3 DockingGroup;LeapFrog WDM USB Device Driver;c:\windows\SYSTEM32\DRIVERS\MS20022K.sys [2005-08-25 14781]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2009-02-11 38496]
.
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-14 c:\windows\Tasks\wrSpySweeper_LF3282A9AAADE4860B9BE3AC632F09DE7.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-20 09:08]
2009-02-14 c:\windows\Tasks\wrSpySweeper_LF3282A9AAADE4860B9BE3AC632F09DE7.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-20 09:08]
2009-02-14 c:\windows\Tasks\wrSpySweeper_LF3282A9AAADE4860B9BE3AC632F09DE7.job
- A:\ []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: musicmatch.com\online
TCP: {066FBAE8-0B6F-4010-BB45-A060767DD220} = 24.177.176.36,24.178.80.36
DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} - hxxp://www.xmradio.com/xstream/registration/dell/xmprofiler.CAB
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 04:24:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-14  4:25:10
ComboFix-quarantined-files.txt  2009-02-14 10:25:08
ComboFix2.txt  2009-02-14 10:11:10
ComboFix3.txt  2009-02-12 02:17:37
ComboFix4.txt  2009-02-11 02:40:04
ComboFix5.txt  2009-02-14 10:21:02
Pre-Run: 116,567,838,720 bytes free
Post-Run: 116,551,716,864 bytes free
158 --- E O F --- 2009-02-12 12:37:11

Post Edited (ShotGroup) : 14-02-2009 14:30:47 GMT
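As an added example, not part of ShotGroup's post and not ComboFix's own code: a small Python triage script that parses the three ComboFix sections reproduced in the log above (the `Run` key, the Windows XP firewall `AuthorizedApplications` list and the scheduled-task listing) and flags what a helper would look at first. Troj/Wimad is the Sophos name for Windows Media files (ASF/WMA/WMV) whose DRM licence-acquisition URL opens a browser to a download page, and such files circulate mainly through P2P clients, so the script flags P2P clients that hold firewall exceptions. The sample input is a verbatim excerpt of the posted log, embedded so the script runs offline; the section boundaries, the regular expressions and the `P2P_CLIENTS` list are the example's own assumptions about the log format, not something ComboFix documents.

```python
"""Triage the autostart, firewall-exception and scheduled-task sections of a
ComboFix log.  Added example: the parsing rules are inferred from the log
format shown in the post, not taken from ComboFix itself."""
import re
from collections import Counter

# Verbatim excerpt of the ComboFix log posted above, embedded so the script
# runs offline (a real run would read the whole ComboFix.txt from disk).
LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-01-20 6278520]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-14 c:\windows\Tasks\wrSpySweeper_LF3282A9AAADE4860B9BE3AC632F09DE7.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-20 09:08]
2009-02-14 c:\windows\Tasks\wrSpySweeper_LF3282A9AAADE4860B9BE3AC632F09DE7.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-20 09:08]
2009-02-14 c:\windows\Tasks\wrSpySweeper_LF3282A9AAADE4860B9BE3AC632F09DE7.job
- A:\ []
"""

# Assumed line shapes: Run values carry "[date size]" of the binary, firewall
# exceptions are bare "path"= values, scheduled tasks are "date job" followed
# by a "- target [timestamp]" line.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
TASK_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<job>[a-z]:\\.+\.job)$', re.I)

# Constructed watch-list of P2P clients, the usual source of Wimad media files.
P2P_CLIENTS = ("limewire", "frostwire", "bearshare", "kazaa", "emule", "utorrent")


def parse_combofix(text):
    """Return the Run entries, firewall exceptions and scheduled tasks found."""
    run, firewall, tasks = [], [], []
    key = None
    lines = [raw.strip() for raw in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # a registry key header
        elif key and key.lower().endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                run.append({"key": key, "name": m["name"], "path": m["path"],
                            "date": m["date"], "size": int(m["size"])})
        elif key and "authorizedapplications" in key.lower():
            m = FW_RE.match(line)
            if m:                                  # ComboFix doubles the backslashes here
                firewall.append(m["path"].replace("\\\\", "\\"))
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines) and lines[i + 1].startswith("- "):
            tasks.append({"job": m["job"], "date": m["date"],
                          "target": lines[i + 1][2:].strip()})
            i += 1                                 # consume the "- target" line
        i += 1
    return {"run": run, "firewall": firewall, "tasks": tasks}


def triage(parsed):
    """Return (kind, detail) findings a helper would want to ask about."""
    findings = []
    for path in parsed["firewall"]:
        if any(client in path.lower() for client in P2P_CLIENTS):
            findings.append(("firewall-p2p", path))
    for job, n in Counter(t["job"] for t in parsed["tasks"]).items():
        if n > 1:
            findings.append(("task-duplicate", f"{job} x{n}"))
    for t in parsed["tasks"]:
        if t["target"].endswith("[]"):             # empty brackets: no file found at the target
            findings.append(("task-no-target", f"{t['job']} -> {t['target']}"))
    return findings


if __name__ == "__main__":
    parsed = parse_combofix(LOG)
    for kind, detail in triage(parsed):
        print(f"{kind:15} {detail}")
```

Run against the excerpt it reports two `firewall-p2p` findings (LimeWire and FrostWire both hold Windows Firewall exceptions), one `task-duplicate` (the Spy Sweeper job listed three times) and one `task-no-target` (the copy of that job whose target is `A:\` with nothing behind it). None of these is a verdict on its own; they are the lines to ask the poster about before deciding what to remove.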
