Please Help With MGMRWMRV.EXE

Thread Solved

PhilliePhan (Moderator), post #11, Mar 5th, 2008
Originally Posted by vegasgal
Adobe Acrobat 5.0 I couldn't find anywhere to check for updates, will I have to purchase the v8.0?
My fault there - Was doing 10 things at once. I confused myself. I must've been thinking of Adobe Reader
If you already removed Acrobat 5.0, you can get it here --> http://www.download.com/Adobe-Acroba...-10069848.html

Originally Posted by vegasgal
I looked 2 X in the C:\WINNT\system32 Folder for: 953BEBAFA6.sys - then looked 2 X in the C:\WINNT Folder and still couldn't find it.
My fault again - That is a hidden file and you need to enable the viewing of hidden files to see it: http://www.bleepingcomputer.com/tuto...utorial62.html
You might want to check again just to make sure it is/isn't there. Looks a bit iffy to me. It could very well be gone.

Originally Posted by vegasgal
pc is running much better now Thank You
You're welcome - Happy to help

Let's go ahead and remove Combofix:

• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run Box. (be sure there is a space between the x and the / if you type it)
• Click OK

Everything else looks OK to me. If things are running well and you don't find 953BEBAFA6.sys for Jotti scan, then I think you can mark the thread as solved!

Have a look at my "Protect Yourself" linky below - Definitely install Spyware Blaster!

Cheers
PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

vegasgal, post #12, Mar 5th, 2008
I did not remove Adobe Acrobat 5.0 and will take a look at Adobe Reader though.

Found that hidden file and ran a scan see attachment.

I want you to know that I truly appreciate all your help with this problem, it means a lot to me that there are people like you who take precious time away from yourself to help others. Thank You

Until Next Time (NOT),
Vegasgal
Attached file: 953BEBAFA6.sys_log.txt (669 Bytes)

PhilliePhan (Moderator), post #13, Mar 5th, 2008
Originally Posted by vegasgal
Found that hidden file and ran a scan see attachment.
Good deal - it looked kinda hinky to me, but that's why we scan them at Jotti before killing them

Originally Posted by vegasgal
I want you to know that I truly appreciate all your help with this problem, it means a lot to me that there are people like you who take precious time away from yourself to help others. Thank You
Until Next Time (NOT),
Vegasgal
You're Welcome!
-- I've had a few "repeat customers" over the years in various forums. I'll keep my fingers crossed for you

PP

DocBelfast, post #14, Mar 16th, 2008
Hi
I was flapping all day yesterday trying to get rid of mgmrwmrv.exe, then I googled it and got your advice.
I owe you a beer as it seems to have worked a treat.
I logged all the stuff as below.
Not sure if it's fair of me to ask you to have a look, however I would appreciate it if you could tell me if there is anything alarming.
I have since reset my banking password and I think my SpyDoctor was blocking any attempt to access 'the registry' (as it was telling me 10 times a minute!).
Thanks for your advice - much appreciated,
cheers
Doc..


Malwarebytes' Anti-Malware 1.08
Database version: 493

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 118445
Time elapsed: 1 hour(s), 8 minute(s), 5 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 15
Files Infected: 50

Memory Processes Infected:
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\mgmrwmrv.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055212.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055213.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055214.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055215.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055256.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP367\A0059024.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango\zango.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo\seekmohook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\salm.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\updatetc.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIXU.DLL (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WER8274.DLL (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljjgggf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqnnnl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ComboFix 08-03-14.4 - Gary 2008-03-15 18:40:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.434 [GMT 0:00]
Running from: C:\Documents and Settings\Gary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gary\Application Data\FunWebProducts
C:\Documents and Settings\Gary\Application Data\FunWebProducts\Data\Gary\avatar.dat
C:\Documents and Settings\Gary\Application Data\FunWebProducts\Data\Gary\register.dat
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\assys.dll
C:\WINDOWS\default.htm
C:\WINDOWS\ffnsys.dll
C:\WINDOWS\gstcore.dll
C:\WINDOWS\mfnsys.dll
C:\WINDOWS\rsczsys.dll
C:\WINDOWS\snsys.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\uawin.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Malwarebytes
2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-15 16:54 . 2008-03-15 16:54 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-15 16:40 . 2008-03-15 16:40 24,320 --a------ C:\WINDOWS\apphelp32.dll
2008-03-15 12:02 . 2008-03-15 12:02 32,512 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-15 12:02 . 2008-03-15 12:02 32,000 --a------ C:\WINDOWS\123messenger.per
2008-03-15 12:02 . 2008-03-15 12:02 26,368 --a------ C:\WINDOWS\asferror32.dll
2008-03-15 12:02 . 2008-03-15 12:02 22,016 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-15 12:02 . 2008-03-15 12:02 17,664 --a------ C:\WINDOWS\autodisc32.dll
2008-03-15 12:02 . 2008-03-15 12:02 16,128 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-15 12:02 . 2008-03-15 12:02 11,776 --a------ C:\WINDOWS\athprxy32.dll
2008-03-15 12:02 . 2008-03-15 12:02 9,984 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-11 20:30 . 2008-03-14 07:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 20:30 . 2008-03-11 20:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 22:53 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-05 22:53 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-05 22:53 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-05 22:53 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-05 22:52 . 2008-03-06 06:51 <DIR> d-------- C:\Program Files\Spyware Doctor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 18:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-15 16:21 --------- d-----w C:\Documents and Settings\Gary\Application Data\AVG7
2008-03-15 11:48 --------- d-----w C:\Documents and Settings\Gary\Application Data\uTorrent
2008-03-15 08:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-20 07:01 --------- d-----w C:\Program Files\MSN Messenger
2008-02-14 17:50 --------- d-----w C:\Program Files\McAfee
2008-01-31 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-27 19:30 --------- d-----w C:\Program Files\Guitar Pro 5
2008-01-22 22:20 --------- d-----w C:\Program Files\greenstreet
2008-01-22 22:20 --------- d-----w C:\Program Files\Common Files\gst
2008-01-22 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 11:00 --------- d-----w C:\Documents and Settings\Gary\Application Data\Samsung
2008-01-19 10:40 --------- d-----w C:\Program Files\Samsung
2007-09-21 17:45 3,517,504 ----a-w C:\Program Files\TVUPlayer2.3.3beta2.exe
2007-09-09 02:59 9,389,672 ----a-w C:\Program Files\gorvedi.exe
2007-09-08 22:19 55,816 ----a-w C:\Program Files\NOTEPAD.EXE
2007-02-13 20:55 342,957 ----a-w C:\Program Files\mozactivex-ff-15.xpi
1993-05-12 00:00 398,416 ----a-w C:\Program Files\VBRUN300.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 04:21 4687352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 16:28 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 10:12 139264]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-10 02:16 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:24 579072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-17 17:12 180269]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"EPSON Stylus C86 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.exe" [2003-11-25 02:00 99840]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-03-18 02:24 184320]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6028\SiteAdv.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-14 18:22 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-12-15 19:01 40960]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 17:12 219136]

C:\Documents and Settings\Gary\Start Menu\Programs\Startup\
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2007-11-26 21:40:48 6240]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 03:43:54 11000]
JoyAct.lnk - C:\Program Files\Gaming Devices\JoyAct.exe [2007-06-06 19:34:05 299008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxyyv]
byxxyyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Documents and Settings\\Gary\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

S2 smss;FireDaemon Service: smss;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S2 WindowsUpdate;FireDaemon Service: WindowsUpdate;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S3 Dual Mode;Dual Mode Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2002-10-09 20:24]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1340683-6626-11dc-9037-000b6a192cae}]
\Shell\AutoRun\command - H:\loader.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 02:24:15 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2006-11-16 18:17:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 18:50:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-03-15 19:00:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 19:00:15
PhilliePhan (Moderator), post #15, Mar 16th, 2008
Originally Posted by DocBelfast
I owe you a beer as it seems to have worked a treat.
Not sure if its fair of me to ask you to have a look, however would appreciate if you could tell me if there is anything alarming.
A beer sounds good right now....

There are a few items in the ComboFix log that need attention - You should start your own thread so one of the volunteers can help you. I am not going to be around much for a while, so I am hesitant to take on new threads. If nobody replies here at Daniweb, you could try my friend Judy at iamnotageek.com.

-- You ought to get rid of the P2P stuff as many forums do not help P2P users unless they remove or disable the clients due to the risk of re-infection.

Also, you should definitely Update your Java as per the instructions in my "Protect Yourself..." Linky below!


Cheers
PP
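As an added example (not a tool from this thread, nor part of ComboFix or Malwarebytes), here is a small Python triage script that scans a ComboFix-style log for the kinds of entries PhilliePhan says need attention: a hijacked Winlogon Userinit value, a non-default Winlogon notify DLL, Security Center notifications switched off, services named after Windows components but running from an odd folder, an AutoRun handler on a mount point, and P2P clients allowed through the firewall. The sample log is constructed from a few lines modelled on the one posted above; the check names, the list of Windows service names and the list of P2P clients are my own assumptions.

```python
"""Triage a ComboFix-style log for the loading-point items called out in the thread."""
import re

# Constructed sample, modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,c:\windows\system32\mgmrwmrv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxyyv]
byxxyyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

S2 smss;FireDaemon Service: smss;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S2 WindowsUpdate;FireDaemon Service: WindowsUpdate;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S3 Dual Mode;Dual Mode Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2002-10-09 20:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1340683-6626-11dc-9037-000b6a192cae}]
\Shell\AutoRun\command - H:\loader.exe
"""

# Assumed lists: names a service should only carry if it is the real Windows
# component, and the P2P clients PhilliePhan advises removing.
SYSTEM_SERVICE_NAMES = {"smss", "csrss", "winlogon", "services", "lsass",
                        "svchost", "windowsupdate", "wuauserv"}
P2P_CLIENTS = {"utorrent.exe", "limewire.exe", "bittorrent.exe", "emule.exe"}

SERVICE_RE = re.compile(r"^[SR][0-4] ([^;]+);([^;]*);([^\[]+)")
USERINIT_RE = re.compile(r'"userinit"="(.*)"', re.I)
DWORD_ONE_RE = re.compile(r'"(\w+)"=dword:0*1$')


def _unescape(path: str) -> str:
    """ComboFix prints the firewall list with doubled backslashes; normalise."""
    return path.strip('"= ').replace("\\\\", "\\")


def triage(log: str) -> list:
    """Return a list of human-readable findings for a ComboFix-style log."""
    findings = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()        # track the current registry key
            continue
        # Service lines follow the firewall list with no header, so match by shape first.
        m = SERVICE_RE.match(line)
        if m:
            name = m.group(1).strip().lower()
            path = _unescape(m.group(3))
            parent = path.rsplit("\\", 1)[0].lower()
            if name in SYSTEM_SERVICE_NAMES and not parent.endswith("\\system32"):
                findings.append(f"Look-alike service '{name}' runs from {path}")
            continue
        m = USERINIT_RE.match(line)
        if m and "winlogon" in section:
            # Userinit should list only userinit.exe; anything else runs at every logon.
            entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
            extra = [e for e in entries if not e.endswith("\\userinit.exe")]
            if extra:
                findings.append("Userinit hijack: " + ", ".join(extra))
            continue
        if "winlogon\\notify\\" in section and line.lower().endswith(".dll"):
            findings.append(f"Winlogon notify DLL: {line} (key {section.rsplit(chr(92), 1)[-1]})")
            continue
        if section.endswith("security center") or "security center\\monitoring" in section:
            m = DWORD_ONE_RE.match(line)
            if m and "disable" in m.group(1).lower():
                findings.append(f"Security Center flag set: {m.group(1)}")
            continue
        if "authorizedapplications" in section:
            path = _unescape(line)
            if path.rsplit("\\", 1)[-1].lower() in P2P_CLIENTS:
                findings.append(f"P2P client allowed through firewall: {path}")
            continue
        if "mountpoints2" in section and "autorun" in line.lower():
            findings.append("AutoRun handler on mount point: " + line.split(" - ", 1)[-1])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```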
lailahbiba, post #16, Mar 17th, 2008
Hello Philly Phan, Vegas Gal
Thanks a million Philly for your detailed post. Glad there are people like you investing their knowledge in helping others instead of creating viruses for fun!
I have followed the steps from your first post and it helped.
I have spent 17 hours searching the net for an answer, downloaded 3 programs and it was still nada!
Proud to say your post was #1 on the net!
The cleaning part was a little scary:

Anyway I ran the cleaning, took a while, had to guess some close or ignore decisions in pop up windows... I got done and: Tatahhhh... a blank screen, no task bar, no icons... nothing, buttons won't work, no start up menu...
I shut the PC off manually, put it back on, no loading or nothing, 1 second straight to the blank screen... kind of like a TV!
I thought OK PC, you wanna be a TV, let's try a TV trick: shut it off and then pressed the on button for 10 seconds (kind of like resetting the satellite receiver) and there it started booting... and here I am back and running... no more malware, got my task manager back...
Again thanks, I have registered in this site just to say: THANK YOU!
Thom74656, post #17, Mar 20th, 2008
PhillyPhan,
I wanted to say thank you for this thread. My computer was infected 2 days ago by mgmrwmrv.exe, and I searched and searched for a solution. Yours is fantastic. I ran HijackThis, Malwarebytes, and ComboFix and my problems were solved. I'm running some final spyware and virus scans to make sure that everything really is gone. Thank you SO MUCH!! I'm so happy my computer is no longer in danger of becoming an expensive paperweight. Words cannot express how happy I am!
Thanks again!!!!!
~Thom
©2003 - 2009 DaniWeb® LLC