AV Security Suite and other issues


Re: AV Security Suite and other issues

What do you have it saved as? Can you try uploading it here:

http://www.rapidshare.com/

Just click on the button to be redirected.

Re: AV Security Suite and other issues

extra.txt - - - - - http://rapidshare.com/files/404198091/Extras.Txt.html

OTL.Txt - - - - - http://rapidshare.com/files/404198253/OTL.Txt.html

Re: AV Security Suite and other issues

Hi again,

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):


  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<<, click Remove.
  • Do the same for each Viewpoint component.

=====

Please run OTL.exe.


  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O2 - BHO: (no name) - {099E79F0-1E14-43E4-9B61-F985A7D76946} - No CLSID value found.
    O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - No CLSID value found.
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (no name) - {8DF6F4AC-CE79-42B4-9F29-8E9455E305A1} - No CLSID value found.
    O2 - BHO: (no name) - {BEA57482-22BB-4B7B-8195-B99C5FC1FBCB} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found

    :Commands
    [emptytemp]
    [resethosts]
    [reboot]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

(screenshot: Query_RC)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(screenshot: RC_successful)

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

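The fix script above picks out two kinds of orphaned entries: O2 (Browser Helper Object) lines whose CLSID has no value, and O4 (Run key) lines whose target file is missing. The Python below, an added example that is not part of OTL or of this thread, applies that same rule to OTL-style lines and assembles a fix in the :OTL / :Commands layout used above. The sample lines are constructed: the two orphaned CLSIDs and the empty Run entry are copied from the fix script, while the "Example Helper" BHO and its CLSID are placeholders, not real components.

```python
"""Triage OTL scan lines: O2 (BHO) entries with no CLSID value and O4 (Run)
entries whose file is missing are orphans, and are the lines a fix removes.
Added example; not part of OTL or of the thread."""
import re

# O2 - BHO: (name) - {CLSID} - target    target is a DLL path or "No CLSID value found."
O2_RE = re.compile(
    r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"
)
# O4 - HKLM..\Run: [value name] target    target is an exe path or "File not found"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$"
)

# Constructed sample in OTL's line format (see the lead-in for provenance).
SAMPLE_OTL = """\
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {099E79F0-1E14-43E4-9B61-F985A7D76946} - No CLSID value found.
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - No CLSID value found.
O2 - BHO: (Example Helper) - {00000000-1111-2222-3333-444444444444} - C:\\Program Files\\Example\\helper.dll (Example Corp.)
O4 - HKLM..\\Run: [] File not found
O4 - HKLM..\\Run: [Windows Defender] C:\\Program Files\\Windows Defender\\MSASCui.exe (Microsoft Corporation)
"""


def classify(line):
    """Return (kind, reason). reason is None for a healthy entry and for
    line types this triage does not examine (kind is then None too)."""
    line = line.rstrip()
    m = O2_RE.match(line)
    if m:
        if m.group("target").startswith("No CLSID value found"):
            return "O2", "BHO registered but its CLSID has no value (orphan)"
        return "O2", None
    m = O4_RE.match(line)
    if m:
        if m.group("target").startswith("File not found"):
            return "O4", "Run entry points to a file that does not exist (orphan)"
        return "O4", None
    return None, None


def orphan_lines(text):
    """The lines that belong under :OTL, in the order they appear."""
    return [ln.rstrip() for ln in text.splitlines() if classify(ln)[1] is not None]


def build_fix_script(text, commands=("emptytemp", "resethosts", "reboot")):
    """Assemble a fix in the thread's layout: orphaned lines under :OTL,
    then the bracketed commands under :Commands."""
    body = [":OTL", *orphan_lines(text), "", ":Commands", *[f"[{c}]" for c in commands]]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    for ln in SAMPLE_OTL.splitlines():
        kind, reason = classify(ln)
        print(f"{kind or '--':>3}  {reason or 'ok'}  <- {ln}")
    print(build_fix_script(SAMPLE_OTL))
```

Lines OTL reports that are not O2 or O4 entries are left alone; a real triage would look at O1 (hosts), O3 (toolbars) and the rest with their own rules.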
Re: AV Security Suite and other issues

ComboFix log is included; the OTL log was lost when ComboFix rebooted the computer. Should I run it with that fix again? I looked where all the other OTL files are and it is not there.

ComboFix 10-06-30.03 - Sean Leahy 07/01/2010 1:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1591 [GMT -4:00]
Running from: c:\documents and settings\Sean Leahy\desktop\commy.exe
Command switches used :: /stepdel
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sean Leahy\Local Settings\Application Data\{C6F103EE-CA12-40AC-840A-0EA2E96210A1}
c:\documents and settings\Sean Leahy\Local Settings\Application Data\{C6F103EE-CA12-40AC-840A-0EA2E96210A1}\chrome.manifest
c:\documents and settings\Sean Leahy\Local Settings\Application Data\{C6F103EE-CA12-40AC-840A-0EA2E96210A1}\chrome\content\_cfg.js
c:\documents and settings\Sean Leahy\Local Settings\Application Data\{C6F103EE-CA12-40AC-840A-0EA2E96210A1}\chrome\content\overlay.xul
c:\documents and settings\Sean Leahy\Local Settings\Application Data\{C6F103EE-CA12-40AC-840A-0EA2E96210A1}\install.rdf
c:\program files\Common Files\System\Uninstall

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 05:12 . 2010-07-01 05:12 -------- d-----w- c:\program files\World of Warcraft
2010-07-01 05:06 . 2010-07-01 05:06 -------- d-----w- C:\_OTL
2010-07-01 05:02 . 2010-07-01 05:02 -------- d-----w- c:\program files\World of Warcraft.temp
2010-07-01 00:48 . 2010-07-01 00:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-01 00:26 . 2010-07-01 00:26 -------- d-----w- c:\program files\Defraggler
2010-06-30 22:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 22:46 . 2010-06-30 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\.file_store_32
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\program files\Google Video
2010-06-26 02:23 . 2010-06-30 22:31 188584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-17 04:28 . 2010-06-26 02:10 120 ----a-w- c:\windows\Ulelace.dat
2010-06-17 04:28 . 2010-06-26 02:10 0 ----a-w- c:\windows\Qkutubetoguma.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 05:33 . 2006-09-05 15:14 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2010-07-01 05:33 . 2006-09-03 04:21 57752 ----a-w- c:\windows\system32\Rpcnet.dll
2010-07-01 05:32 . 2009-02-16 00:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-01 05:09 . 2006-08-30 19:52 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-01 05:04 . 2006-08-26 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-01 02:49 . 2010-02-01 04:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-07-01 00:38 . 2006-08-26 12:19 -------- d-----w- c:\program files\Google
2010-07-01 00:25 . 2009-08-03 20:09 -------- d-----w- c:\program files\CCleaner
2010-06-30 05:41 . 2006-10-27 20:37 -------- d-----w- c:\program files\Warcraft III
2010-06-23 03:03 . 2009-08-20 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-22 01:18 . 2008-09-14 09:16 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\Skype
2010-06-22 00:46 . 2008-09-14 09:20 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\skypePM
2010-06-19 23:27 . 2006-10-26 01:05 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-19 23:27 . 2006-10-26 01:05 88 -csh--r- c:\windows\system32\195609FFE0.sys
2010-06-19 03:54 . 2006-10-27 20:42 91488 -c--a-w- c:\windows\War3Unin.dat
2010-06-18 04:38 . 2006-11-04 06:56 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\uTorrent
2010-06-11 22:04 . 2010-02-22 01:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-21 18:14 . 2010-01-23 06:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 22:17 . 2006-12-05 20:22 23954 ----a-w- c:\documents and settings\Sean Leahy\Application Data\wklnhst.dat
2010-05-04 17:20 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 09:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:40 . 2005-08-16 09:18 57752 ------w- c:\windows\system32\rpcnet.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-2 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-26 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2006-09-21 21:36 43520 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 13:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 03:23 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 16:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 20:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-08-12 21:13 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-24 02:43 1217872 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-04 17:32 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 -c----w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\firehousehoss23@yahoo.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Sean Leahy\\Local Settings\\Apps\\2.0\\HKN2TL5K.KMN\\HX6HWK9N.6KA\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizz
"6112:TCP"= 6112:TCP:blizz
"6881:TCP"= 6881:TCP:blizz
"6999:TCP"= 6999:TCP:blizz
"11804:TCP"= 11804:TCP:torrent
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/31/2009 3:47 AM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/23/2010 3:22 AM 112592]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/15/2009 8:58 PM 359624]
S3 skfilt;skfilt;c:\windows\system32\drivers\skfilt.sys --> c:\windows\system32\drivers\skfilt.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2005-08-16 00:12]

2010-07-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 03:23]

2010-07-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SetDefaultMIDI - MIDIDef.exe
Notify-lJASLBSi - lJASLBSi.dll
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 01:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\autochk(3).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(4).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(5).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(7).exe:BAK 23040 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\RMSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\stsystra.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\windows\SYSTEM32\Rpcnet.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-07-01 01:39:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-01 05:39

Pre-Run: 30,981,738,496 bytes free
Post-Run: 30,829,584,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - F8D15C6CFF345BEACEBBF7409E6B7EEB

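Two parts of the "Reg Loading Points" section above are the ones a helper reads first: the Security Center override DWORDs (a value of 1 tells Windows XP's Security Center not to warn that antivirus or firewall protection is missing, so they are normally set back to 0 once the machine is clean) and the firewall's globally open ports. The Python below, an added example and not part of ComboFix or of this thread, parses that REGEDIT4-style layout into sections and reports those findings. The sample is a constructed excerpt whose key names and values are copied from the log above.

```python
"""Parse the REGEDIT4-style 'Reg Loading Points' section of a ComboFix log
and flag Security Center overrides and global firewall exceptions.
Added example; not part of ComboFix or of the thread."""
import re

# Constructed excerpt in ComboFix's layout; keys and values copied from the log above.
SAMPLE_REG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Windows Defender"="c:\\program files\\Windows Defender\\MSASCui.exe" [2006-11-03 866584]

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3724:TCP"= 3724:TCP:blizz
"11804:TCP"= 11804:TCP:torrent
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<data>.*)$')
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"


def parse_regedit4(text):
    """Map each [section] (lower-cased) to {value name: data}. Lines that are
    not "name"=data, such as the @= default or the timestamp lines ComboFix
    prints under msconfig keys, are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("data").strip()
    return sections


def parse_dword(data):
    """'dword:00000001' -> 1; None when the data is not a DWORD."""
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return None


def audit(sections):
    """Findings a defender wants from this section, as plain strings."""
    findings = []
    sc = sections.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if parse_dword(sc.get(name, "")) == 1:
            findings.append(f"{name}=1: Security Center will not warn when this protection is missing")
    for key, values in sections.items():
        if key.endswith(r"globallyopenports\list"):
            for data in values.values():
                # data looks like "3724:TCP:blizz": port, protocol, label
                port, proto, *label = data.split(":")
                findings.append(
                    f"firewall exception: {proto} port {port} open to all ({':'.join(label) or 'unnamed'})"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_regedit4(SAMPLE_REG)):
        print(finding)
```

Feeding the whole ComboFix log to parse_regedit4 works as well, since it only acts on [section] and "name"=data lines; the other blocks (file lists, running processes) fall through the two regexes.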
Re: AV Security Suite and other issues

hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\195609FFE0.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (screenshot: Cfscriptb4)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Things to include in your reply:
what you did about viewpoint
Combofix log
how things are running now

Re: AV Security Suite and other issues

OK, before I run that, the computer is running well. I have not had the JIT debugging popup occur since the reboot. I did remove the Viewpoint thing but was unable to find "Viewpoint components", only a thing called Viewpoint Updater, which I destroyed. Going to run ComboFix now.

Re: AV Security Suite and other issues

ok. looking forward to your reply

Re: AV Security Suite and other issues

ComboFix 10-06-30.03 - Sean Leahy 07/01/2010 1:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1176 [GMT -4:00]
Running from: c:\documents and settings\Sean Leahy\Desktop\commy.exe
Command switches used :: c:\documents and settings\Sean Leahy\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 05:12 . 2010-07-01 05:45 -------- d-----w- c:\program files\World of Warcraft
2010-07-01 05:06 . 2010-07-01 05:06 -------- d-----w- C:\_OTL
2010-07-01 05:02 . 2010-07-01 05:02 -------- d-----w- c:\program files\World of Warcraft.temp
2010-07-01 00:48 . 2010-07-01 00:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-01 00:26 . 2010-07-01 00:26 -------- d-----w- c:\program files\Defraggler
2010-06-30 22:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 22:46 . 2010-06-30 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\.file_store_32
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\program files\Google Video
2010-06-26 02:23 . 2010-06-30 22:31 188584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-17 04:28 . 2010-06-26 02:10 120 ----a-w- c:\windows\Ulelace.dat
2010-06-17 04:28 . 2010-06-26 02:10 0 ----a-w- c:\windows\Qkutubetoguma.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 05:33 . 2006-09-05 15:14 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2010-07-01 05:33 . 2006-09-03 04:21 57752 ----a-w- c:\windows\system32\Rpcnet.dll
2010-07-01 05:32 . 2009-02-16 00:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-01 05:09 . 2006-08-30 19:52 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-01 05:04 . 2006-08-26 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-01 02:49 . 2010-02-01 04:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-07-01 00:38 . 2006-08-26 12:19 -------- d-----w- c:\program files\Google
2010-07-01 00:25 . 2009-08-03 20:09 -------- d-----w- c:\program files\CCleaner
2010-06-30 05:41 . 2006-10-27 20:37 -------- d-----w- c:\program files\Warcraft III
2010-06-23 03:03 . 2009-08-20 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-22 01:18 . 2008-09-14 09:16 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\Skype
2010-06-22 00:46 . 2008-09-14 09:20 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\skypePM
2010-06-19 23:27 . 2006-10-26 01:05 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-19 23:27 . 2006-10-26 01:05 88 -csh--r- c:\windows\system32\195609FFE0.sys
2010-06-19 03:54 . 2006-10-27 20:42 91488 -c--a-w- c:\windows\War3Unin.dat
2010-06-18 04:38 . 2006-11-04 06:56 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\uTorrent
2010-06-11 22:04 . 2010-02-22 01:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-21 18:14 . 2010-01-23 06:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 22:17 . 2006-12-05 20:22 23954 ----a-w- c:\documents and settings\Sean Leahy\Application Data\wklnhst.dat
2010-05-04 17:20 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 09:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:40 . 2005-08-16 09:18 57752 ------w- c:\windows\system32\rpcnet.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-2 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-26 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2006-09-21 21:36 43520 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 13:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 03:23 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 16:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 20:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-08-12 21:13 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-24 02:43 1217872 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-04 17:32 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 -c----w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\firehousehoss23@yahoo.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Sean Leahy\\Local Settings\\Apps\\2.0\\HKN2TL5K.KMN\\HX6HWK9N.6KA\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizz
"6112:TCP"= 6112:TCP:blizz
"6881:TCP"= 6881:TCP:blizz
"6999:TCP"= 6999:TCP:blizz
"11804:TCP"= 11804:TCP:torrent
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/31/2009 3:47 AM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/23/2010 3:22 AM 112592]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/15/2009 8:58 PM 359624]
S3 skfilt;skfilt;c:\windows\system32\drivers\skfilt.sys --> c:\windows\system32\drivers\skfilt.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2005-08-16 00:12]

2010-07-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 03:23]

2010-07-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 02:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\autochk(3).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(4).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(5).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(7).exe:BAK 23040 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-01 02:04:00
ComboFix-quarantined-files.txt 2010-07-01 06:03
ComboFix2.txt 2010-07-01 05:39

Pre-Run: 28,307,992,576 bytes free
Post-Run: 28,230,803,456 bytes free

- - End Of File - - 94CDCFD47B0823F5792A6CDE026C961B

Re: AV Security Suite and other issues
Hi again.

Please go to VirSCAN.org
  • Browse to each of the following file paths in the "Suspicious files to scan" box at the top of the page:
    • c:\windows\Qkutubetoguma.bin
    • c:\windows\system32\autochk(3).exe
    • c:\windows\system32\autochk(4).exe
    • c:\windows\system32\autochk(5).exe
    • c:\windows\system32\autochk(7).exe
  • Click on the Upload button.
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Re: AV Security Suite and other issues
VirSCAN.org Scanned Report :
Scanned time : 2010/07/01 02:16:17 (EDT)
Scanner results: Scanners did not find malware!
File Name : autochk(3).exe
File Size : 588800 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : c39a8dc88f79e5b6bfa4b89fd31a0709
SHA1 : 9686390b98451574b7ed0e4aa5ec99675d6d9516
Online report : http://virscan.org/report/75366643470ad7f73a69ee03ec666612.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100701013121 2010-07-01 40.09 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 4.42 -
AntiVir 8.2.4.2 7.10.8.236 2010-06-30 0.40 -
Antiy 2.0.18 20100701.4813005 2010-07-01 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.02 -
Authentium 5.1.1 201006302128 2010-06-30 1.67 -
AVAST! 4.7.4 100630-1 2010-06-30 0.04 -
AVG 8.5.793 271.1.1/2974 2010-07-01 0.74 -
BitDefender 7.90123.6354843 7.32521 2010-07-01 5.63 -
ClamAV 0.96.1 11301 2010-07-01 0.24 -
Comodo 3.13.579 5271 2010-06-30 40.18 -
CP Secure 1.3.0.5 2010.07.01 2010-07-01 0.10 -
Dr.Web 5.0.2.3300 2010.07.01 2010-07-01 8.85 -
F-Prot 4.4.4.56 20100630 2010-06-30 1.32 -
F-Secure 7.02.73807 2010.07.01.02 2010-07-01 0.14 -
Fortinet 4.1.133 12.102 2010-06-30 40.09 -
GData 21.439/21.160 20100630 2010-06-30 40.09 -
ViRobot 20100630 2010.06.30 2010-06-30 40.09 -
Ikarus T3.1.01.84 2010.07.01.76173 2010-07-01 7.25 -
JiangMin 13.0.900 2010.06.30 2010-06-30 40.09 -
Kaspersky 5.5.10 2010.07.01 2010-07-01 0.08 -
KingSoft 2009.2.5.15 2010.7.1.12 2010-07-01 40.09 -
McAfee 5400.1158 6029 2010-06-30 17.20 -
Microsoft 1.5902 2010.07.01 2010-07-01 40.09 -
Norman 6.05.10 6.05.00 2010-06-30 6.01 -
Panda 9.05.01 2010.06.30 2010-06-30 40.09 -
Trend Micro 9.120-1004 7.277.00 2010-06-30 0.03 -
Quick Heal 10.00 2010.06.30 2010-06-30 40.09 -
Rising 20.0 22.54.02.04 2010-06-30 40.09 -
Sophos 3.09.0 4.55 2010-07-01 3.32 -
Sunbelt 3.9.2426.2 6524 2010-06-29 40.09 -
Symantec 1.3.0.24 20100630.004 2010-06-30 0.06 -
nProtect 20100629.01 8851204 2010-06-29 40.10 -
The Hacker 6.5.2.0 v00306 2010-06-29 40.09 -
VBA32 3.12.12.5 20100630.0947 2010-06-30 2.95 -
VirusBuster 4.5.11.10 10.126.111/2042388 2010-06-30 2.68 -

VirSCAN.org Scanned Report :
Scanned time : 2010/07/01 02:32:05 (EDT)
Scanner results: Scanners did not find malware!
File Name : autochk(4).exe
File Size : 588800 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : c39a8dc88f79e5b6bfa4b89fd31a0709
SHA1 : 9686390b98451574b7ed0e4aa5ec99675d6d9516
Online report : http://virscan.org/report/30ff96a8d1a9ca0cdf89d680d495415f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100701013121 2010-07-01 40.18 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 40.09 -
AntiVir 8.2.4.2 7.10.8.236 2010-06-30 0.28 -
Antiy 2.0.18 20100701.4813005 2010-07-01 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.00 -
Authentium 5.1.1 201006302128 2010-06-30 1.31 -
AVAST! 4.7.4 100630-1 2010-06-30 0.04 -
AVG 8.5.793 271.1.1/2974 2010-07-01 0.25 -
BitDefender 7.90123.6354843 7.32521 2010-07-01 3.83 -
ClamAV 0.96.1 11301 2010-07-01 0.01 -
Comodo 3.13.579 5271 2010-06-30 40.09 -
CP Secure 1.3.0.5 2010.07.01 2010-07-01 0.11 -
Dr.Web 5.0.2.3300 2010.07.01 2010-07-01 8.75 -
F-Prot 4.4.4.56 20100630 2010-06-30 1.32 -
F-Secure 7.02.73807 2010.07.01.02 2010-07-01 10.80 -
Fortinet 4.1.133 12.102 2010-06-30 40.09 -
GData 21.439/21.160 20100630 2010-06-30 40.09 -
ViRobot 20100630 2010.06.30 2010-06-30 40.09 -
Ikarus T3.1.01.84 2010.07.01.76173 2010-07-01 6.95 -
JiangMin 13.0.900 2010.07.01 2010-07-01 40.09 -
Kaspersky 5.5.10 2010.07.01 2010-07-01 0.09 -
KingSoft 2009.2.5.15 2010.7.1.12 2010-07-01 40.09 -
McAfee 5400.1158 6029 2010-06-30 17.08 -
Microsoft 1.5902 2010.07.01 2010-07-01 40.09 -
Norman 6.05.10 6.05.00 2010-06-30 6.01 -
Panda 9.05.01 2010.06.30 2010-06-30 40.09 -
Trend Micro 9.120-1004 7.277.00 2010-06-30 0.03 -
Quick Heal 10.00 2010.06.30 2010-06-30 40.09 -
Rising 20.0 22.54.02.04 2010-06-30 40.09 -
Sophos 3.09.0 4.55 2010-07-01 3.41 -
Sunbelt 3.9.2426.2 6524 2010-06-29 40.09 -
Symantec 1.3.0.24 20100630.004 2010-06-30 0.07 -
nProtect 20100629.01 8851204 2010-06-29 40.10 -
The Hacker 6.5.2.0 v00306 2010-06-29 40.09 -
VBA32 3.12.12.5 20100630.0947 2010-06-30 3.20 -
VirusBuster 4.5.11.10 10.126.111/2042388 2010-06-30 2.72 -

I'll have to do the other 2 tomorrow; I really need to get to bed, I have work in the morning (I am on the East Coast). Thanks for all your help thus far. The computer is running great, but I will run those tests tomorrow evening when I get home from work.

Re: AV Security Suite and other issues

I'm on the East Coast too....

It's likely the only one that will come up as malicious is the .bin file but we'll see. Looking forward to your reply.

Re: AV Security Suite and other issues

Got an email notification that you had posted again. First off, I'm at work posting from my BlackBerry, so I can't run the tests until I get back home. I tried to run the .bin first and it wasn't working. I'll try again tonight when I get home.

Re: AV Security Suite and other issues
Ok. Looking forward to it.

Re: AV Security Suite and other issues
VirSCAN.org Scanned Report :
Scanned time : 2010/07/01 21:57:43 (EDT)
Scanner results: Scanners did not find malware!
File Name : autochk(5).exe
File Size : 588800 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : e0dad023702958e400a6573323db02a4
SHA1 : 49c49c666931080d5184153a237a899a81ece237
Online report : http://virscan.org/report/cce4a919a7b3c7837d522660974c35fe.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100702040342 2010-07-02 5.24 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 1.16 -
AntiVir 8.2.4.2 7.10.8.241 2010-07-01 0.29 -
Antiy 2.0.18 20100701.4813005 2010-07-01 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201007012201 2010-07-01 1.38 -
AVAST! 4.7.4 100701-1 2010-07-01 0.04 -
AVG 8.5.793 271.1.1/2976 2010-07-02 0.25 -
BitDefender 7.90123.6359071 7.32533 2010-07-02 3.99 -
ClamAV 0.96.1 11304 2010-07-02 0.23 -
Comodo 3.13.579 5282 2010-07-01 0.96 -
CP Secure 1.3.0.5 2010.07.02 2010-07-02 0.10 -
Dr.Web 5.0.2.3300 2010.07.02 2010-07-02 8.77 -
F-Prot 4.4.4.56 20100701 2010-07-01 1.31 -
F-Secure 7.02.73807 2010.07.01.07 2010-07-01 6.75 -
Fortinet 4.1.133 12.106 2010-07-01 0.20 -
GData 21.446/21.162 20100702 2010-07-02 13.68 -
ViRobot 20100701 2010.07.01 2010-07-01 0.49 -
Ikarus T3.1.01.84 2010.07.01.76178 2010-07-01 7.10 -
JiangMin 13.0.900 2010.07.01 2010-07-01 2.38 -
Kaspersky 5.5.10 2010.07.01 2010-07-01 0.08 -
KingSoft 2009.2.5.15 2010.7.1.17 2010-07-01 1.18 -
McAfee 5400.1158 6030 2010-07-01 18.38 -
Microsoft 1.5902 2010.07.01 2010-07-01 7.14 -
Norman 6.05.10 6.05.00 2010-07-01 6.03 -
Panda 9.05.01 2010.06.30 2010-06-30 2.89 -
Trend Micro 9.120-1004 7.278.19 2010-07-01 0.03 -
Quick Heal 10.00 2010.06.30 2010-06-30 1.91 -
Rising 20.0 22.54.03.05 2010-07-01 1.31 -
Sophos 3.09.0 4.55 2010-07-02 3.53 -
Sunbelt 3.9.2426.2 6533 2010-07-01 17.44 -
Symantec 1.3.0.24 20100630.004 2010-06-30 0.00 -
nProtect 20100701.01 8871763 2010-07-01 8.29 -
The Hacker 6.5.2.1 v00307 2010-07-01 0.43 -
VBA32 3.12.12.5 20100701.0827 2010-07-01 5.31 -
VirusBuster 4.5.11.10 10.126.113/2043550 2010-07-01 2.71 -

VirSCAN.org Scanned Report :
Scanned time : 2010/07/01 22:00:44 (EDT)
Scanner results: Scanners did not find malware!
File Name : autochk(7).exe
File Size : 588800 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : f42425e955b88da6b04a5fca4ca5bca2
SHA1 : a20a93a769d5905299dea477ed7b15f952848736
Online report : http://virscan.org/report/742e83fb0e9d0846395386a19fb3e7c9.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100702040342 2010-07-02 15.12 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 2.46 -
AntiVir 8.2.4.2 7.10.8.241 2010-07-01 0.28 -
Antiy 2.0.18 20100701.4813005 2010-07-01 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201007012201 2010-07-01 1.33 -
AVAST! 4.7.4 100701-1 2010-07-01 0.04 -
AVG 8.5.793 271.1.1/2976 2010-07-02 0.26 -
BitDefender 7.90123.6359448 7.32535 2010-07-02 3.91 -
ClamAV 0.96.1 11304 2010-07-02 0.24 -
Comodo 3.13.579 5282 2010-07-01 2.11 -
CP Secure 1.3.0.5 2010.07.02 2010-07-02 0.10 -
Dr.Web 5.0.2.3300 2010.07.02 2010-07-02 8.78 -
F-Prot 4.4.4.56 20100701 2010-07-01 1.43 -
F-Secure 7.02.73807 2010.07.01.07 2010-07-01 0.16 -
Fortinet 4.1.133 12.106 2010-07-01 0.35 -
GData 21.446/21.162 20100702 2010-07-02 11.50 -
ViRobot 20100701 2010.07.01 2010-07-01 0.54 -
Ikarus T3.1.01.84 2010.07.01.76178 2010-07-01 7.10 -
JiangMin 13.0.900 2010.07.01 2010-07-01 2.78 -
Kaspersky 5.5.10 2010.07.01 2010-07-01 0.08 -
KingSoft 2009.2.5.15 2010.7.1.17 2010-07-01 2.01 -
McAfee 5400.1158 6030 2010-07-01 16.79 -
Microsoft 1.5902 2010.07.01 2010-07-01 8.63 -
Norman 6.05.10 6.05.00 2010-07-01 6.01 -
Panda 9.05.01 2010.06.30 2010-06-30 3.58 -
Trend Micro 9.120-1004 7.278.19 2010-07-01 0.03 -
Quick Heal 10.00 2010.06.30 2010-06-30 2.07 -
Rising 20.0 22.54.03.05 2010-07-01 1.74 -
Sophos 3.09.0 4.55 2010-07-02 3.96 -
Sunbelt 3.9.2426.2 6533 2010-07-01 19.26 -
Symantec 1.3.0.24 20100630.004 2010-06-30 0.00 -
nProtect 20100701.01 8871763 2010-07-01 12.62 -
The Hacker 6.5.2.1 v00307 2010-07-01 0.79 -
VBA32 3.12.12.5 20100701.0827 2010-07-01 3.19 -
VirusBuster 4.5.11.10 10.126.113/2043550 2010-07-01 3.40 -

Re: AV Security Suite and other issues

When I try to upload c:\windows\Qkutubetoguma.bin, it says: error cannot upload file!
