
[Active] Tsk manager/anti-virus programs blocked, Smart engine virus?

Discussion in 'Virus and Malware Removal' started by Surferdude34, Nov 5, 2010.

Thread Status:
Not open for further replies.
  1. Surferdude34 Newcomer, in training

    mbam dds eset log?

    I didn't receive an ESET log after the scan; I copied the entries though.
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5033

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    12/13/2010 3:28:39 PM
    mbam-log-2010-12-13 (15-28-39).txt

    Scan type: Quick scan
    Objects scanned: 149898
    Time elapsed: 9 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    DDS:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Brandon von Unruh at 15:21:47.50 on Mon 12/13/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.432 [GMT 1:00]

    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\idt\wdm\STacSV.exe
    svchost.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Brandon von Unruh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Brandon von Unruh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Brandon von Unruh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Brandon von Unruh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Brandon von Unruh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Documents and Settings\Brandon von Unruh\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/intl/en/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_be&c=91&bd=all&pf=cmnb
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_be&c=91&bd=all&pf=cmnb
    mURLSearchHooks: H - No File
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Google Update] "c:\documents and settings\brandon von unruh\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
    mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [zCpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-2 217032]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-18 214024]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-11-2 112592]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-8-18 635416]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-18 113664]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-8-18 228408]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-31 39424]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-3 38224]
    S2 eiu9aue5;BsHelpCS;c:\windows\system32\pulic.exe --> c:\windows\system32\pulic.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-11 136176]
    S2 nluvhqe;\??\c:\;\??\c:\docume~1\brando~1\locals~1\temp\cztcpvhliizox.sys --> c:\docume~1\brando~1\locals~1\temp\cztcpvhliizox.sys [?]
    S2 USBPropagator;USBPropagator;c:\temp\iexplorer.exe --> c:\temp\iexplorer.exe [?]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys --> c:\windows\system32\drivers\avgfwdx.sys [?]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys --> c:\windows\system32\drivers\avgfwdx.sys [?]
    S3 cpuz132;cpuz132;\??\c:\docume~1\brando~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\brando~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-8-18 79816]
    S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-8-18 35272]
    S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-8-18 34248]
    S4 0036851274465276mcinstcleanup;McAfee Application Installer Cleanup (0036851274465276);c:\docume~1\brando~1\locals~1\temp\003685~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\brando~1\locals~1\temp\003685~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\toolbarbroker.exe --> c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [?]

    =============== Created Last 30 ================

    2010-12-02 17:21:09 -------- d-sha-r- C:\cmdcons
    2010-12-02 17:18:17 98816 ----a-w- c:\windows\sed.exe
    2010-12-02 17:18:17 89088 ----a-w- c:\windows\MBR.exe
    2010-12-02 17:18:17 256512 ----a-w- c:\windows\PEV.exe
    2010-12-02 17:18:17 161792 ----a-w- c:\windows\SWREG.exe
    2010-12-02 17:18:06 -------- d-----w- C:\ComboFix
    2010-12-01 15:48:36 -------- d-----w- C:\surferfix

    ==================== Find3M ====================

    2010-09-18 10:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

    ============= FINISH: 15:22:53.42 ===============

    and eset:

    C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\smss.exe.vir a variant of Win32/TrojanDownloader.Unruy.BR trojan
    C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\svchost.exe.vir a variant of Win32/TrojanDownloader.Unruy.BR trojan
    C:\_OTM\MovedFiles\11082010_131321\C_Documents and Settings\All Users\Application Data\0599ce\2556.mof Win32/RogueAV.A trojan
    C:\_OTM\MovedFiles\11082010_131321\C_Documents and Settings\Brandon von Unruh\My Documents\Downloads\Win-32.Trojan.Crypt-Removal-Tool.exe a variant of Win32/SecurityStronghold application
    C:\_OTM\MovedFiles\11082010_131321\C_WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan
  2. Bobbye Helper on the Fringe

    I was just finishing up a script for you to run, but now see entries for both AVG and McAfee. Please decide which you want to keep and remove the other. Tools to help:

    McAfee Removal
    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

    Reboot the computer when through
    Let me know which AV you're keeping; if there are any left-over entries from the AV you remove, I can remove them with a script.
    ================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: [Be sure to scroll down to include ALL lines.]
    Code:
    File::
    c:\windows\system32\pulic.exe
    c:\docume~1\BRANDO~1\LOCALS~1\Temp\cztcpvhliizox.sys
    c:\temp\iexplorer.exe
    c:\docume~1\BRANDO~1\LOCALS~1\Temp\003685~1.EXE
    c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
    c:\docume~1\brando~1\locals~1\temp\cpuz132\cpuz132_x32
    
    DDS::
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_be&c=91&bd=all&pf=cmnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_be&c=91&bd=all&pf=cmnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_be&c=91&bd=all&pf=cmnb
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_be&c=91&bd=all&pf=cmnb
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    SSODL: PostBootReminder - - - No File
    IFEO: image file execution options - svchost.exe
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    
    
    Registry::
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    zCpqset =-
     
    Driver::
    eiu9aue5
    nluvhqe
    USBPropagator
    cpuz132
    0036851274465276mcinstcleanup;McAfee Application Installer Cleanup (0036851274465276)
    
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ===================
    Please let me know if any of the original problems remain.
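    The services the script above removes are exactly the ones the DDS log showed with a `--> <path> [?]` suffix (DDS could not verify the file behind the entry), image paths in a temp directory, or random-looking service names. As an added example that is not part of the thread and not the helper's tooling, the following Python script parses the `SERVICES / DRIVERS` lines copied from the DDS log above and flags entries that combine those warning signs. The scoring heuristic, the `looks_random` test and the threshold of two signs are my assumptions for illustration, not a rule DDS or ComboFix applies; the state codes (R = running, S = stopped, digit = start type) are read the way such logs are commonly interpreted.

```python
import re
from dataclasses import dataclass, field

# Eight service/driver lines copied from the DDS log posted earlier in this thread.
SAMPLE_DDS_SERVICES = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-2 217032]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-8-18 635416]
S2 eiu9aue5;BsHelpCS;c:\windows\system32\pulic.exe --> c:\windows\system32\pulic.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-11 136176]
S2 nluvhqe;\??\c:\;\??\c:\docume~1\brando~1\locals~1\temp\cztcpvhliizox.sys --> c:\docume~1\brando~1\locals~1\temp\cztcpvhliizox.sys [?]
S2 USBPropagator;USBPropagator;c:\temp\iexplorer.exe --> c:\temp\iexplorer.exe [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\brando~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\brando~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-8-18 79816]
"""

# DDS prints one service per line: "<state> <name>;<display name>;<image path> [<date> <size>]".
# A trailing "--> <path> [?]" means DDS could not find/verify the file behind the entry.
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


@dataclass
class ServiceEntry:
    state: str        # R = running, S = stopped; digit = start type (2 = automatic)
    name: str
    display: str
    path: str
    unverified: bool  # True when DDS appended "[?]"
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_dds_services(text: str) -> list:
    """Parse the SERVICES / DRIVERS block of a DDS log into ServiceEntry records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a line that is not a service record
        rest = m.group("rest")
        unverified = rest.endswith("[?]")
        # Keep the image path as registered (before " --> " and before the bracketed suffix).
        path = rest.split(" --> ")[0].split(" [")[0].strip()
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("display"), path, unverified))
    return entries


def looks_random(name: str) -> bool:
    """Assumed heuristic: lowercase alphanumeric name of 7+ chars that mixes in digits or is vowel-poor."""
    if not re.fullmatch(r"[a-z0-9]{7,}", name):
        return False
    if any(c.isdigit() for c in name):
        return True
    vowels = sum(name.count(v) for v in "aeiou")
    return vowels / len(name) < 0.35


def triage(text: str, threshold: int = 2) -> list:
    """Return entries that show at least `threshold` independent warning signs, in log order."""
    flagged = []
    for e in parse_dds_services(text):
        if e.unverified:
            e.reasons.append("file could not be verified ([?])")
        if "\\temp\\" in e.path.lower():
            e.reasons.append("image path in a temp directory")
        if looks_random(e.name):
            e.reasons.append("random-looking service name")
        if e.score >= threshold:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS_SERVICES):
        print(f"{e.state} {e.name:<14} {e.path}\n    -> {'; '.join(e.reasons)}")
```

    Run against the sample, it flags `eiu9aue5`, `nluvhqe`, `USBPropagator` and `cpuz132`, the same four names the `Driver::` section of the CFScript above lists, while `gupdate` (stopped and auto-start too, but verified and meaningfully named) passes. A single warning sign is deliberately not enough: a legitimate service can have an unverified path after a half-finished uninstall, as the McAfee cleanup entry in the same log shows.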
  3. Surferdude34 Newcomer, in training

    kept avg

    I fully removed McAfee; AVG seems more of a pain to remove. Do you suggest any other good free antivirus programs? Is Avira good? I heard AVG uses a lot of RAM.

    Here's my log, and I hope I'm not including any personal info for hackers in all these logs...

    ComboFix 10-12-16.05 - Brandon von Unruh 12/17/2010 18:46:45.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.653 [GMT 1:00]
    Running from: c:\documents and settings\Brandon von Unruh\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Brandon von Unruh\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\docume~1\BRANDO~1\LOCALS~1\Temp\003685~1.EXE"
    "c:\docume~1\brando~1\locals~1\temp\cpuz132\cpuz132_x32"
    "c:\docume~1\BRANDO~1\LOCALS~1\Temp\cztcpvhliizox.sys"
    "c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service"
    "c:\temp\iexplorer.exe"
    "c:\windows\system32\pulic.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CPUZ132
    -------\Legacy_EIU9AUE5
    -------\Legacy_NLUVHQE
    -------\Legacy_USBPROPAGATOR
    -------\Service_cpuz132
    -------\Service_eiu9aue5
    -------\Service_nluvhqe
    -------\Service_USBPropagator


    ((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))
    .

    2010-12-01 15:48 . 2010-12-01 15:58 -------- d-----w- C:\surferfix
    2010-11-21 13:49 . 2010-11-21 13:49 -------- d-----w- c:\program files\7-Zip

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-01_15.56.30 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
    "Google Update"="c:\documents and settings\Brandon von Unruh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-03 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-06-24 320056]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-21 737280]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-06-18 563736]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
    "zCpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2009-07-22 75264]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-23 1434920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-5-5 607584]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/2/2010 9:05 PM 217032]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/2/2010 9:10 PM 112592]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [8/18/2009 7:34 PM 635416]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/18/2009 7:28 PM 113664]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [8/18/2009 7:24 PM 228408]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/31/2009 8:11 AM 39424]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2010 5:16 PM 136176]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
    S4 0036851274465276mcinstcleanup;McAfee Application Installer Cleanup (0036851274465276);c:\docume~1\BRANDO~1\LOCALS~1\Temp\003685~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\BRANDO~1\LOCALS~1\Temp\003685~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-11 16:16]

    2010-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-11 16:16]

    2010-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4217450374-4257929312-2634162936-1007Core.job
    - c:\documents and settings\Brandon von Unruh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 23:08]

    2010-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4217450374-4257929312-2634162936-1007UA.job
    - c:\documents and settings\Brandon von Unruh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 23:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/intl/en/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-17 18:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    zCpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3052)
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\idt\wdm\STacSV.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    c:\program files\Hewlett-Packard\Shared\hpqToaster.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-17 18:59:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-17 17:59
    ComboFix2.txt 2010-12-02 17:31
    ComboFix3.txt 2010-12-01 15:58

    Pre-Run: 139,730,571,264 bytes free
    Post-Run: 139,676,069,888 bytes free

    - - End Of File - - 740A461C6A1C5823B845B6F2140D270D
  4. Bobbye Helper on the Fringe

    Both of the following programs are free and known to be good:
    • Avira Free
    • Avast Home

    Combofix looks good- just a couple of McAfee entries to remove:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\docume~1\BRANDO~1\LOCALS~1\Temp\003685~1.EXE
    c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service 
    
    Driver::
    0036851274465276mcinstcleanup
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Do any of the original problems remain?