Hi
I was flapping all day yesterday trying to get rid of mgmrwmrv.exe, then i googled it and got your advice.
I owe you a beer as it seems to have worked a treat.
I logged all the stuff as below.
Not sure if its fair of me to ask you to have a look, however would appreciate if you could tell me if there is anything alarming.
I have since reset my banking password and I think my SpyDoctor was blocking any attempt to access 'the registry'.(as it was telling me 10 times a minute!).
Thanks for your advice - much appreciated,
cheers
Doc..
Malwarebytes' Anti-Malware 1.08
Database version: 493
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 118445
Time elapsed: 1 hour(s), 8 minute(s), 5 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 15
Files Infected: 50
Memory Processes Infected:
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\mgmrwmrv.exe -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055212.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055213.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055214.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055215.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055256.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP367\A0059024.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango\zango.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo\seekmohook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\salm.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\updatetc.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIXU.DLL (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WER8274.DLL (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljjgggf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqnnnl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
ComboFix 08-03-14.4 - Gary 2008-03-15 18:40:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.434 [GMT 0:00]
Running from: C:\Documents and Settings\Gary\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Gary\Application Data\FunWebProducts
C:\Documents and Settings\Gary\Application Data\FunWebProducts\Data\Gary\avatar.dat
C:\Documents and Settings\Gary\Application Data\FunWebProducts\Data\Gary\register.dat
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\assys.dll
C:\WINDOWS\default.htm
C:\WINDOWS\ffnsys.dll
C:\WINDOWS\gstcore.dll
C:\WINDOWS\mfnsys.dll
C:\WINDOWS\rsczsys.dll
C:\WINDOWS\snsys.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\uawin.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.
2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Malwarebytes
2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-15 16:54 . 2008-03-15 16:54 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-15 16:40 . 2008-03-15 16:40 24,320 --a------ C:\WINDOWS\apphelp32.dll
2008-03-15 12:02 . 2008-03-15 12:02 32,512 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-15 12:02 . 2008-03-15 12:02 32,000 --a------ C:\WINDOWS\123messenger.per
2008-03-15 12:02 . 2008-03-15 12:02 26,368 --a------ C:\WINDOWS\asferror32.dll
2008-03-15 12:02 . 2008-03-15 12:02 22,016 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-15 12:02 . 2008-03-15 12:02 17,664 --a------ C:\WINDOWS\autodisc32.dll
2008-03-15 12:02 . 2008-03-15 12:02 16,128 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-15 12:02 . 2008-03-15 12:02 11,776 --a------ C:\WINDOWS\athprxy32.dll
2008-03-15 12:02 . 2008-03-15 12:02 9,984 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-11 20:30 . 2008-03-14 07:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 20:30 . 2008-03-11 20:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 22:53 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-05 22:53 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-05 22:53 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-05 22:53 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-05 22:52 . 2008-03-06 06:51 <DIR> d-------- C:\Program Files\Spyware Doctor
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 18:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-15 16:21 --------- d-----w C:\Documents and Settings\Gary\Application Data\AVG7
2008-03-15 11:48 --------- d-----w C:\Documents and Settings\Gary\Application Data\uTorrent
2008-03-15 08:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-20 07:01 --------- d-----w C:\Program Files\MSN Messenger
2008-02-14 17:50 --------- d-----w C:\Program Files\McAfee
2008-01-31 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-27 19:30 --------- d-----w C:\Program Files\Guitar Pro 5
2008-01-22 22:20 --------- d-----w C:\Program Files\greenstreet
2008-01-22 22:20 --------- d-----w C:\Program Files\Common Files\gst
2008-01-22 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 11:00 --------- d-----w C:\Documents and Settings\Gary\Application Data\Samsung
2008-01-19 10:40 --------- d-----w C:\Program Files\Samsung
2007-09-21 17:45 3,517,504 ----a-w C:\Program Files\TVUPlayer2.3.3beta2.exe
2007-09-09 02:59 9,389,672 ----a-w C:\Program Files\gorvedi.exe
2007-09-08 22:19 55,816 ----a-w C:\Program Files\NOTEPAD.EXE
2007-02-13 20:55 342,957 ----a-w C:\Program Files\mozactivex-ff-15.xpi
1993-05-12 00:00 398,416 ----a-w C:\Program Files\VBRUN300.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 04:21 4687352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 16:28 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 10:12 139264]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-10 02:16 53248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:24 579072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-17 17:12 180269]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"EPSON Stylus C86 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.exe" [2003-11-25 02:00 99840]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-03-18 02:24 184320]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6028\SiteAdv.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-14 18:22 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-12-15 19:01 40960]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 17:12 219136]
C:\Documents and Settings\Gary\Start Menu\Programs\Startup\
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2007-11-26 21:40:48 6240]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 03:43:54 11000]
JoyAct.lnk - C:\Program Files\Gaming Devices\JoyAct.exe [2007-06-06 19:34:05 299008]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxyyv]
byxxyyv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Documents and Settings\\Gary\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
S2 smss;FireDaemon Service: smss;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S2 WindowsUpdate;FireDaemon Service: WindowsUpdate;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S3 Dual Mode;Dual Mode Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2002-10-09 20:24]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1340683-6626-11dc-9037-000b6a192cae}]
\Shell\AutoRun\command - H:\loader.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 02:24:15 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2006-11-16 18:17:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-03-15 18:50:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-03-15 19:00:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 19:00:15
Marked Solved 
Offline 
