Requested by Neal-It Worked
-
Followed your directions carefully. Pop-up spyware advertisement is now gone. My Control Panel is restored. Neal, here is what you requested:
SDFix: Version 1.113
Run by ward puckett on Thu 11/01/2007 at 04:53 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\WARDPU~1\Desktop\SDFix\SDFix
Safe Mode:
Checking Services:
Name:
kprof
poof
ImagePath:
\??\C:\WINDOWS\System32\kprof
\??\C:\WINDOWS\System32\poof
kprof - Deleted
poof - Deleted
Killing PID 844 'shell.exe'
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\-16652~1 - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\ward puckett\Start Menu\Programs\Startup\findfast.exe - Deleted
C:\dbg.txt - Deleted
C:\WINDOWS\shell.exe - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\spoolvs.exe - Deleted
C:\WINDOWS\system32\TFTP2672 - Deleted
C:\WINDOWS\tcb.pmw - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 17:03:59
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\DOCUME~1\\WARDPU~1\\LOCALS~1\\Templx10045.exe"="C:\\DOCUME~1\\WARDPU~1\\LOCALS~1\\Templx10045.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\ward puckett\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\ward puckett\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\ward puckett\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\ward puckett\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\DOCUME~1\\WARDPU~1\\LOCALS~1\\Templx10045.exe"="C:\\DOCUME~1\\WARDPU~1\\LOCALS~1\\Templx10045.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\ward puckett\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\ward puckett\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\ward puckett\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\ward puckett\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
File Backups: - C:\DOCUME~1\WARDPU~1\Desktop\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes:
Wed 22 Aug 2001 967 ...H. --- "C:\SKYDELETER.PIF"
Thu 21 Oct 2004 12,565,421 A.SH. --- "C:\WINDOWS\vrdcm.bak2"
Tue 12 Oct 2004 784,085 A.SH. --- "C:\WINDOWS\ADDINS\gmissv.bak2"
Sun 24 Oct 2004 75,852,448 A.SH. --- "C:\WINDOWS\REPAIR\sbew.bak2"
Sat 4 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 26 Oct 2004 53 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiA.tmp"
Sun 24 Oct 2004 151,704,464 A.SH. --- "C:\WINDOWS\MSAGENT\CHARS\ipatyek.bak1"
Mon 25 Oct 2004 606,867,606 A.SH. --- "C:\WINDOWS\MSAGENT\CHARS\ipatyek.bak2"
Finished!
D Fix info:
Now the "HiJack That" info you requested:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5
42 PM, on 11/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O8 - Extra context menu item: IE Zoom &In - C:\PROGRA~1\IEZOOM~1\IE Zoom In.htm
O8 - Extra context menu item: IE Zoom O&ut - C:\PROGRA~1\IEZOOM~1\IE Zoom Out.htm
O8 - Extra context menu item: IE Zoomer Help... - C:\PROGRA~1\IEZOOM~1\IE Zoomer Help.htm
O8 - Extra context menu item: Linked Ima&ges - C:\IEimage.htm
O8 - Extra context menu item: Open in IE &Zoomer - C:\PROGRA~1\IEZOOM~1\Open in IE Zoomer.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\dnrq0195e.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0073451191973917) (0073451191973917mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007345~1.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O24 - Desktop Component 0: (no name) - http://www.pynnacle.net/SkylobbyThree/GifBareS.GIF
O24 - Desktop Component 1: (no name) - http://www.delounge.com/img/bkgrnd/abg0007.gif
O24 - Desktop Component 2: (no name) - https://a248.e.akamai.net/sec.yimg.com/i/reg/bnr_21.jpg
--
End of file - 8193 bytes
Before I send my donation, which your website certainly deserves, I have one more question: I have been unable to download Microsoft's Service Pack 2. It will freeze halfway thru download with statement (unable to complete download). I ordered the CD to try to download from it but it freezes halfway also. I reviewed the troubleshooter from Microsoft and went into the registry (it told me to change a key from "no" to "Yes" to allow download) but that didn't help; download still gets halfway thru and freezes. (When I went back into the registry to check it, the key had automatically changed to "no" again.) With this newly repaired registry do you think that it would download properly or not? Can you help me get this important file downloaded to better protect my computer? Thanks for everything.
-
Hi,
Please post into this thread instead of starting a new one.
1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post a new hijackthis log also please.
Thanks.
As a side note, you should never try to install Service Pack 2 on an infected computer; all kinds of problems can and will occur.
-
Neal, here is log from ComboFix, per your request. Hope I'll be able to download Service Pack 2 without it freezing. Let me know the results of log. Thanks
ComboFix 07-11-05.2 - ward puckett 2007-11-05 16:41:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.235 [GMT -5:00]
Running from: C:\Documents and Settings\ward puckett\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\popupwithcast
C:\Program Files\popupwithcast\CastGen\h45168b0529.dat
C:\Program Files\popupwithcast\CastGen\u45168b074ae1.dat
C:\Program Files\popupwithcast\CastGen\ward puckett\f45168b134d06.dat
C:\Program Files\popupwithcast\CastStat\cast.dat
C:\Program Files\popupwithcast\CastSys\log.txt
C:\Program Files\popupwithcast\cload.dat
C:\Program Files\popupwithcast\cp.dat
C:\Program Files\popupwithcast\csys.dat
C:\WINDOWS\system32\guard.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_POOF
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.
2007-11-05 16:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 16:52 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-01 16:44 <DIR> d-------- C:\desktop
2007-10-31 15:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-10-30 20:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-30 20:17 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-10-30 19:28 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-30 19:28 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-10-30 19:28 <DIR> d-------- C:\Documents and Settings\ward puckett\Application Data\ComcastToolbar
2007-10-30 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-30 16:13 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-10-09 19:24 10,240 --a------ C:\WINDOWS\fwv9jklc.exe
2007-10-09 19:24 10,240 --a------ C:\WINDOWS\5reeeicf.exe
2007-10-09 18:49 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 21:33 --------- d-----w C:\Program Files\Google
2007-10-29 16:37 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-09 23:56 --------- d-----w C:\Program Files\McAfee
2007-10-04 16:26 --------- d-----w C:\Documents and Settings\ward puckett\Application Data\SiteAdvisor
2007-09-30 17:44 --------- d-----w C:\Program Files\McAfee.com
2007-09-30 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-09-30 17:42 --------- d-----w C:\Program Files\SiteAdvisor
2007-09-30 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-30 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-09-30 17:39 --------- d-----w C:\Program Files\Common Files\McAfee
2007-09-24 00:01 --------- d-----w C:\Program Files\Common Files\Real
2007-09-23 23:59 --------- d-----w C:\Program Files\QuickTime
2007-09-23 23:58 --------- d-----w C:\Program Files\Logitech
2007-09-23 22:55 --------- d-----w C:\Program Files\Startup Optimizer
2007-09-23 21:41 --------- d-----w C:\Program Files\ePrompter
2007-09-23 21:17 --------- d-----w C:\Program Files\KODAK
2007-08-23 23:40 68,480 -c--a-w C:\Documents and Settings\ward puckett\Application Data\GDIPFONTCACHEV1.DAT
2004-06-13 11:36 449 -c--a-w C:\Documents and Settings\ward puckett\UpdateReg.reg
2003-02-04 04:16 784 -c--a-w C:\Documents and Settings\ward puckett\Application Data\mpauth.dat
2003-01-07 15:37 3,330,048 -c--a-w C:\Program Files\all_plugins.exe
2003-01-07 15:26 827,392 -c--a-w C:\Program Files\iview375.exe
2002-12-26 22:02 1,151,712 -c--a-w C:\Program Files\psych45.exe
2002-12-26 21:51 623,840 -c--a-w C:\Program Files\cdsp2002.exe
2004-10-21 16:49:52 12,565,421 -csha-w C:\WINDOWS\vrdcm.bak2
2004-10-12 19:38:00 784,085 -csha-w C:\WINDOWS\ADDINS\gmissv.bak2
2004-10-24 22:06:50 151,704,464 -csha-w C:\WINDOWS\MSAGENT\CHARS\ipatyek.bak1
2004-10-25 15:28:13 606,867,606 -csha-w C:\WINDOWS\MSAGENT\CHARS\ipatyek.bak2
2004-10-24 22:03:28 75,852,448 -csha-w C:\WINDOWS\REPAIR\sbew.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 00:04]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-10-30 16:14]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 00:01]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-03 11:29]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ward puckett^Start Menu^Programs^Startup^ePrompter.lnk]
path=C:\Documents and Settings\ward puckett\Start Menu\Programs\Startup\ePrompter.lnk
backup=C:\WINDOWS\pss\ePrompter.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ward puckett^Start Menu^Programs^Startup^Runner.LNK]
path=C:\Documents and Settings\ward puckett\Start Menu\Programs\Startup\Runner.LNK
backup=C:\WINDOWS\pss\Runner.LNKStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
"C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
"C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Tray]
C:\Documents and Settings\ward puckett\Local Settings\Temporary Internet Files\Content.IE5\858JWNG7\password[1].pif
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
"Printer"=C:\WINDOWS\System32\printer.exe
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
"DVDSentry"=C:\WINDOWS\System32\DSentry.exe
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"DwlClient"=C:\Program Files\Common Files\Dell\EUSW\Support.exe
"ATIModeChange"=Ati2mdxx.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
R3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\System32\DRIVERS\vnet558x.sys
S2 0073451191973917mcinstcleanup;McAfee Application Installer Cleanup (0073451191973917);C:\WINDOWS\TEMP\007345~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 ser2plms;Microsoft USB GPS driver;C:\WINDOWS\System32\DRIVERS\ser2plms.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 22:55:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1091310860.job"
"2007-11-05 21:47:23 C:\WINDOWS\Tasks\McAfee SecurityCenter.job"
"2007-05-31 15:17:13 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-05-31 15:17:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 16:48:48
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-05 16:53:55 - machine was rebooted
.
--- E O F ---
.
-
Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:
C:\WINDOWS\fwv9jklc.exe
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
If that one is too busy, here is another option:
http://virusscan.jotti.org
And
http://www.kaspersky.com/scanforvirus.html
This one also:
C:\WINDOWS\5reeeicf.exe
How is she behaving now?
-
Neal, here is latest scan you requested (before trying to download Service Pack 2). What next?
File fwv9jklc.exe received on 11.08.2007 13:04:02 (CET)
Result: 22/32 (68.75%)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.8.1 2007.11.08 -
AntiVir 7.6.0.34 2007.11.08 TR/Agent.10240.53
Authentium 4.93.8 2007.11.07 Possibly a new variant of W32/Blocker-based!Maximus
Avast 4.7.1074.0 2007.11.08 -
AVG 7.5.0.503 2007.11.08 Downloader.Small.ASK
BitDefender 7.2 2007.11.08 Generic.Malware.SDYd!wdld.DAFAB0A5
CAT-QuickHeal 9.00 2007.11.08 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.08 -
DrWeb 4.44.0.09170 2007.11.08 Trojan.Fakealert.354
eSafe 7.0.15.0 2007.11.06 Downloader.MisleadAp
eTrust-Vet 31.2.5278 2007.11.07 Win32/VMalum.AZPQ
Ewido 4.0 2007.11.08 -
FileAdvisor 1 2007.11.08 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.07 W32/Blocker-based!Maximus
F-Secure 6.70.13030.0 2007.11.08 W32/Renos.JS
Ikarus T3.1.1.12 2007.11.08 Win32.SuspectCrc
Kaspersky 7.0.0.125 2007.11.08 Heur.Trojan.Generic
McAfee 5158 2007.11.07 potentially unwanted program Winfixer
Microsoft 1.3007 2007.11.08 TrojanDownloader:Win32/Renos.gen!A
NOD32v2 2645 2007.11.08 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.11.08 W32/Renos.JS
Panda 9.0.0.4 2007.11.07 Generic Malware
Prevx1 V2 2007.11.08 -
Rising 20.17.31.00 2007.11.08 -
Sophos 4.23.0 2007.11.08 Mal/Emogen-G
Sunbelt 2.2.907.0 2007.11.07 Trojan.FakeAlert
Symantec 10 2007.11.08 Downloader.MisleadApp
TheHacker 6.2.9.119 2007.11.07 -
VBA32 3.12.2.4 2007.11.08 Trojan.Fakealert.354
VirusBuster 4.3.26:9 2007.11.07 -
Webwasher-Gateway 6.0.1 2007.11.08 Trojan.Agent.10240.53
Additional information
File size: 10240 bytes
MD5: 06c6619cf5c9d8f3df3308f8e65cdcc5
SHA1: e7f3f2fdcfa318390fd375061da25bdf0437b5a6
packers: UPX
Sunbelt info: Trojan.FakeAlert consists of files that cause false warnings of spyware on the computer. Usually the alerts are displayed in a balloon type pop-up from an icon in the system tray.
-
Thanks for the info.
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the files found: 
* If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
New hijackthis log also please.
-
As requested Here is Dr.Web's report:
00516375.FIL;C:\$VAULT$.AVG;Win32.HLLM.Bid;Deleted.;
03632562.FIL;C:\$VAULT$.AVG;Trojan.Sklog;Deleted.;
05974875.FIL;C:\$VAULT$.AVG;Win32.HLLM.Bid;Deleted.;
05975000.FIL;C:\$VAULT$.AVG;Trojan.Sklog;Deleted.;
05975359.FIL;C:\$VAULT$.AVG;Trojan.NtRootKit.219;Deleted.;
05975406.FIL;C:\$VAULT$.AVG;Trojan.NtRootKit.218;Deleted.;
07031359.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.18998;Deleted.;
07033421.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.18971;Deleted.;
07034000.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.18998;Deleted.;
26678875.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.6360;Deleted.;
Process.exe;C:\desktop\SDFix\apps;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\Documents and Settings\ward puckett\Desktop\SDFix\SDFix\apps;Tool.Prockill;Incurable.Moved.;
Templx10045.exe;C:\Documents and Settings\ward puckett\Local Settings;Trojan.Fakealert.354;Deleted.;
installer_en.exe;C:\Documents and Settings\ward puckett\My Documents\Downloads;Trojan.DownLoader.36408;Deleted.;
shell.exe;C:\Documents and Settings\ward puckett\My Documents\Downloads;Trojan.Fakealert.354;Deleted.;
findfast.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Start Menu\Programs\Startup;Trojan.Fakealert.354;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0022965.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0022969.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0022970.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0022981.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0022982.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0022983.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0022994.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0022996.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0022999.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0023008.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0023009.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0023011.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0023021.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0023022.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0023024.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP40;Trojan.Fakealert.354;Deleted.;
A0023039.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP41;Trojan.Fakealert.354;Deleted.;
A0023040.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP41;Trojan.Fakealert.354;Deleted.;
A0023041.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP41;Trojan.Fakealert.354;Deleted.;
A0023056.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP41;Trojan.Fakealert.354;Deleted.;
A0023058.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP41;Trojan.Fakealert.354;Deleted.;
A0023059.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP41;Trojan.Fakealert.354;Deleted.;
A0023071.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023072.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023073.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023086.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023087.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023088.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023102.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023103.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023104.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023131.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023133.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023134.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023152.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023153.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023161.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023162.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023165.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023166.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023188.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023190.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023192.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023202.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023207.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023208.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023215.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023216.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023217.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023218.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023223.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023224.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023225.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023226.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023227.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42;Trojan.Fakealert.354;Deleted.;
A0023286.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023479.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023480.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023481.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023484.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023489.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023490.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023491.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023492.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023493.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP44;Trojan.Fakealert.354;Deleted.;
A0023552.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP45;Trojan.Fakealert.354;Deleted.;
5reeeicf.exe;C:\WINDOWS;Trojan.Fakealert.354;Deleted.;
fwv9jklc.exe;C:\WINDOWS;Trojan.Fakealert.354;Deleted.;
msbbi.exe;C:\WINDOWS;Trojan.MulDrop.4313;Deleted.;
Then as requested ran Hijack This. Here are results:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:54 AM, on 11/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O8 - Extra context menu item: IE Zoom &In - C:\PROGRA~1\IEZOOM~1\IE Zoom In.htm
O8 - Extra context menu item: IE Zoom O&ut - C:\PROGRA~1\IEZOOM~1\IE Zoom Out.htm
O8 - Extra context menu item: IE Zoomer Help... - C:\PROGRA~1\IEZOOM~1\IE Zoomer Help.htm
O8 - Extra context menu item: Linked Ima&ges - C:\IEimage.htm
O8 - Extra context menu item: Open in IE &Zoomer - C:\PROGRA~1\IEZOOM~1\Open in IE Zoomer.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O23 - Service: McAfee Application Installer Cleanup (0073451191973917) (0073451191973917mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007345~1.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O24 - Desktop Component 0: (no name) - http://www.pynnacle.net/SkylobbyThree/GifBareS.GIF
O24 - Desktop Component 1: (no name) - http://www.delounge.com/img/bkgrnd/abg0007.gif
O24 - Desktop Component 2: (no name) - https://a248.e.akamai.net/sec.yimg.com/i/reg/bnr_21.jpg
--
End of file - 7818 bytes
What's next before trying to download Service Pack2 without it freezing?
-
Does it feel like your PC is back to normal?
If so then have at it!
Here is some info for installing SP2:
http://support.microsoft.com/xpsp2getinstall
-
Neal, tried to download updates but cannot get into update page. (I have automatic Downloads on.) I get the following: Website encountered a problem and cannot display page Error number 0x8024D007. Tried to look up error message but couldn't find it so still can't download Service Pack2 or any other downloads.
Please help. Machine is completely cleaned of viruses, trojans, etc. Thanks.
-
I think you are supposed to have automatic updates turned off while installing. You can also request a disk from Microsoft and it will arrive pretty quick.
info on the error:
http://www.google.com/search?hl=en&q...=Google+Search
Free service pack disk from Microsoft:
http://www.microsoft.com/windowsxp/d...s/default.mspx
The folks on the other side of this forum can help you better than I can with this problem as we deal with malware issues only.
Good luck