It seems that somehow some kind of spyware got put on my PC, and now it keeps saying that I need to buy a certain program in order to get rid of it. When I run my Spyware Doctor, it keeps saying:
Malicious Action Blocked
mgmrwmrv.exe is attempting to access registry
HKLM\SOFTWARE\microsoft\windows\currentversion\explorer\BrowserHelperObjects\{bunch of numbers here}\

It also pops up with a message saying a TROJAN DOWNLOADER is on my PC and then it leads me to the page where I can buy the program to get rid of it.

I tried running Spyware Doctor, but the problems persist. Today it must have affected my Norton; my Auto-Protect will not turn on. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:33 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\mgmrwmrv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINNT\system32\regsvr32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Batco\X_bat.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\PSIService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINNT\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Batco\bat.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8ce18bde-1dd2-11b2-985a-e8e208fe6d8c} - C:\WINNT\otsbuxsh.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [sjcbargh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sjcbargh.dll"
O4 - HKLM\..\Run: [XPdefender] "C:\Program Files\XPdefender\XPdefender.exe" hide
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Batco\bat.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178400207501
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/SCJohnson/Coupons.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - https://music.msn.com/client/msnmusax3913.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINNT\system32\PSIService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 15681 bytes
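
The log above is long, but the entries that matter for this thread are a handful of structural ones: the F2 UserInit line that runs a second executable at every logon, BHO entries with no name or no file, a Run key that calls regsvr32 /u on a DLL under All Users\Application Data, a rogue "defender" started with a hide switch, and an O23 service whose binary is missing. The script below is an added triage example, not part of the original thread or of HijackThis itself; it re-implements those checks over a constructed excerpt of the posted log (eight lines copied from it) and reports a severity per finding. The severity levels and the rule that a BHO DLL sitting directly in the Windows directory root is suspicious are this example's own assumptions, chosen because every legitimate BHO in the log lives under Program Files.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted above (eight of its lines).
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {8ce18bde-1dd2-11b2-985a-e8e208fe6d8c} - C:\\WINNT\\otsbuxsh.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [sjcbargh] regsvr32 /u "C:\\Documents and Settings\\All Users\\Application Data\\sjcbargh.dll"
O4 - HKLM\\..\\Run: [XPdefender] "C:\\Program Files\\XPdefender\\XPdefender.exe" hide
O23 - Service: PictureTaker - Unknown owner - c:\\fixit\\pt\\PCTKRNT.SYS (file missing)
"""


@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM or LOW (this example's own scale)
    section: str   # HijackThis section tag, e.g. "F2"
    reason: str
    line: str


# Assumption of this example: a DLL sitting directly in C:\WINNT or C:\WINDOWS (not in a
# subfolder) is unusual for a legitimate BHO; every legitimate one in the log is under Program Files.
WINDIR_ROOT = re.compile(r"^[a-z]:\\win(?:nt|dows)\\[^\\]+$", re.IGNORECASE)
LINE = re.compile(r"^(F2|O23|O2|O4) - (.*)$")


def check_userinit(body):
    """F2 line. Winlogon launches every comma-separated Userinit entry at logon, so
    anything besides <windir>\\system32\\userinit.exe is a logon-time persistence hook."""
    value = body.split("UserInit=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]


def check_bho(body):
    """O2 line. Returns (severity, reason) or None."""
    if body.endswith("(no file)"):
        return ("LOW", "orphaned BHO CLSID, DLL no longer on disk (cleanup only)")
    dll = body.rsplit(" - ", 1)[1]
    reasons = []
    if "(no name)" in body:
        reasons.append("BHO has no name")
    if WINDIR_ROOT.match(dll):
        reasons.append("DLL loaded from the Windows directory root")
    return ("MEDIUM", "; ".join(reasons) + f": {dll}") if reasons else None


def check_run(body):
    """O4 Run-key line. Returns (severity, reason) or None."""
    if "] " not in body:          # Startup-folder entries have no [name] part
        return None
    command = body.split("] ", 1)[1]
    if command.lower().startswith("regsvr32"):
        return ("MEDIUM", "Run key (un)registers a COM DLL at every logon instead of starting a program")
    if command.split()[-1].lower() == "hide":
        return ("MEDIUM", "program is started with a 'hide' switch")
    return None


def triage(text):
    """Run every check over a HijackThis log and return the list of findings."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        tag, body = m.groups()
        if tag == "F2" and "UserInit=" in body:
            for extra in check_userinit(body):
                findings.append(Finding("HIGH", tag, f"extra Userinit executable: {extra}", line))
        elif tag == "O2":
            hit = check_bho(body)
            if hit:
                findings.append(Finding(hit[0], tag, hit[1], line))
        elif tag == "O4":
            hit = check_run(body)
            if hit:
                findings.append(Finding(hit[0], tag, hit[1], line))
        elif tag == "O23" and body.endswith("(file missing)"):
            findings.append(Finding("LOW", tag, "service points at a missing binary (cleanup only)", line))
    return findings


def severity_counts(findings):
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

On the excerpt this yields one HIGH (the second Userinit executable, which is exactly what MBAM later reports as the Winlogon\Userinit data in the last post of the thread), three MEDIUM (the unnamed BHO in C:\WINNT, the regsvr32 /u Run key and the hidden XPdefender start) and two LOW cleanup items. The Userinit check is the one worth keeping in any triage routine: a second entry there survives killing the process and deleting Run keys, because winlogon relaunches it at the next logon.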


Hi Vegasgal,

You have a few malware issues showing in the log. Let's start by running two tools:

Please download Malwarebytes' Anti-Malware (MBA-M) to your desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBAM finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

THEN:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
  • Restore your Internet connection.

IMPORTANT:

  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

Please post that log for us along with the MBA-M log and a fresh HJT log from after the above was run. Let us know if you run into any difficulty.

Best Luck :)
PP

Everything seems to be normal once again. Thank you so much for all your help in getting rid of this nasty booger. Here are the 3 logs you requested, and I hope you can come back here and give me the thumbs up!

Happy to help! There are still a couple steps left to do, but it is waaay late in my neck of the woods, so I may not be able to post them until tomorrow.

This is very similar to a thread I worked in another forum. I had thought somebody manually installed the spyware on her computer, but now that I see it again, it looks like this is being done remotely. As yet, I am not sure what to make of this - many of the downloaded malware files are the same, including these:
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\unsetup.exe
C:\WINNT\system32\acespy\systune.exe
C:\WINNT\system32\acespy\__acelog.ndx etc.

These are commercial keyloggers/spyware. We can only assume that your computer was compromised. If you do online banking, shopping, etc., you might want to change passwords and notify your bank that your accounts may have been compromised. Do this from a clean computer or by phone.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-062111-2932-99&tabid=2

At this point, I'm not certain what the damage is - better safe than sorry!

-- Also, please DELETE your copy of ComboFix. When I post back with further steps, we'll need to download a fresh copy and place it on the DESKTOP.

Anyhoo, I've got to get some sleep (4AM in my neighborhood - gotta love insomnia).
Will post those next steps tomorrow evening.

PP :)

My Internet Explorer browser is not stable; I'm getting "Not Responding" more than I should. I also have Firefox, but I switch between the 2 of them.

When I clicked on the first link for ComboFix, it did not give me an option as to where to install it. I've searched for it and I think this is it: it's in a folder called C:\QooBox, and inside the folder there are a few other items; one of the items is the ComboFix Quarantine txt, so I am sure this is the one. I won't delete it until I hear back from you.

We do not bank online, but I do love shopping online. Yesterday I did purchase Spyware Doctor so I will keep an eye out on my credit card account.

It's late out west and I will check here first thing!

Thanks Again


Hi Vegasgal,

I'll post the next steps in a few minutes (slow typist).

-- Regarding all the malware, I am still not sure if those are active baddies or if your computer has been "salted" by smitfraud so it can extort you into buying their Spyware Remover, which can then "remove" all these "baddies" that it planted in the first place... If that makes any sense, LOL!

Those keyloggers, to my knowledge, must be installed manually. Also, I did not see the Run Keys, so perhaps they are not active and only there to provide extra motivation for the extortion.
-- But I'd rather err on the side of caution and operate under the assumption that your machine may have been compromised.... Keep an eye on the credit cards, etc.


For the ComboFix download, in Firefox click Tools > Options > select the Main tab and make sure to check the box under Downloads where it says Always ask me where to save files, and click OK.

Then, download Combofix to the Desktop.

Back in a few with the next steps :)
PP

AllRightyThen!

-- Are you able to Uninstall/Remove XPdefender in Add/Remove Programs?
See if you can do that first. If not, no worries - keep going with the rest of the steps.

-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop. Be sure you get it onto the Desktop this time, please! If you still have trouble, let me know!
-- Download the attached file CFScript.txt to your Desktop as well.
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log.

ALSO:
Please run http://www.eset.com/onlinescan/
-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.
-- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
-- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
Please post that for me.

One More Thing:

Run HijackThis and Open the Misc Tools section.
Open the Uninstall Manager and Click Save list
Save it to your desktop.

Please post the fresh ComboFix log, the ESET log and the Uninstall List for me and we'll go from there. I will try to check back in a timely manner, but I'm a bit overextended at the moment...

Best Luck :)
PP

This afternoon when I logged on, Norton found and fixed 3 trojans. I ran Spyware Doctor and it came back clean. Here are the 3 reports you wanted, and from what I can read we still have a nasty little booger around. I hope that we can remove it soon.

XP Defender was not on the Add/Remove List nor is it listed in All Programs. I do remember seeing it the other day and with all this happening not sure if I deleted or not.


I don't see much there - I think Norton got three of the baddies I had targeted in the CFScript.

--You should use Add/Remove Programs to remove the following:

Adobe Acrobat 5.0 --> Remove and update to latest version. I think it's 8.
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
---> Remove all of these older Java versions. Help deter Vundo.
Do not remove this one --> Java(TM) 6 Update 5
Pando --> P2P stuff is a good way to get reinfected. A number of forums deny help to people until they remove or disable these.
URGE -->your choice
Viewpoint Media Player (Remove Only)

-- Can you tell me what is in this folder --> C:\WINNT\hvrqkcro
If you don't recognize it as something you need, DELETE it.

-- Also, please go here ---> and use the Browse Button at the top of the page to navigate to C:\WINNT\system32\953BEBAFA6.sys and Upload it for analysis. Please Copy&Paste the results for me.
You might want to do the same for these two, as well:
C:\WINNT\QTFont.qfn
C:\WINNT\QTFont.for

How are things running now?
If you'd like, you could run MBA-M again (after updating it as before) and see if that shows clean.

Cheers :)
PP

I removed all the old Javas and left the current one. Deleted Pando, Urge and Viewpoint Media Player. I also deleted C:\WINNT\hvrqkcro <--- had no idea what was in this folder. Adobe Acrobat 5.0: I couldn't find anywhere to check for updates; will I have to purchase v8.0?

I looked twice in the C:\WINNT\system32 folder for 953BEBAFA6.sys, then looked twice in the C:\WINNT folder, and still couldn't find it.

I ran analysis on both QTFont.qfn and QTFont.for see attachments below.

PC is running much better now. Thank you :)


My fault there - I was doing 10 things at once. I confused myself. I must've been thinking of Adobe Reader.
If you already removed Acrobat 5.0, you can get it here --> http://www.download.com/Adobe-Acrobat-5-0-5-Update/3000-6675_4-10069848.html


My fault again - That is a hidden file and you need to enable the viewing of hidden files to see it: http://www.bleepingcomputer.com/tutorials/tutorial62.html
You might want to check again just to make sure it is/isn't there. Looks a bit iffy to me. It could very well be gone.


You're welcome - Happy to help :)

Let's go ahead and remove Combofix:

• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run Box. (be sure there is a space between the x and the / if you type it)
• Click OK

Everything else looks OK to me. If things are running well and you don't find 953BEBAFA6.sys for Jotti scan, then I think you can mark the thread as solved!

Have a look at my "Protect Yourself" linky below - Definitely install Spyware Blaster!

Cheers :)
PP

I did not remove Adobe Acrobat 5.0 and will take a look at Adobe Reader though.

Found that hidden file and ran a scan see attachment.

I want you to know that I truly appreciate all your help with this problem; it means a lot to me that there are people like you who take precious time away from yourselves to help others. Thank you.

Until Next Time (NOT),
Vegasgal


Good deal - it looked kinda hinky to me, but that's why we scan them at Jotti before killing them ;)


You're Welcome!
-- I've had a few "repeat customers" over the years in various forums. I'll keep my fingers crossed for you :)

PP

Hi
I was flapping all day yesterday trying to get rid of mgmrwmrv.exe, then I googled it and got your advice.
I owe you a beer as it seems to have worked a treat.
I logged all the stuff as below.
Not sure if its fair of me to ask you to have a look, however would appreciate if you could tell me if there is anything alarming.
I have since reset my banking password, and I think my Spyware Doctor was blocking any attempt to access 'the registry' (as it was telling me 10 times a minute!).
Thanks for your advice - much appreciated,
cheers
Doc..


Malwarebytes' Anti-Malware 1.08
Database version: 493

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 118445
Time elapsed: 1 hour(s), 8 minute(s), 5 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 15
Files Infected: 50

Memory Processes Infected:
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\mgmrwmrv.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055212.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055213.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055214.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055215.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP354\A0055256.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C200E678-4030-4114-8926-2723D1EDF1D8}\RP367\A0059024.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango\zango.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo\seekmohook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\salm.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\updatetc.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIXU.DLL (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WER8274.DLL (=Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljjgggf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqnnnl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ComboFix 08-03-14.4 - Gary 2008-03-15 18:40:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.434 [GMT 0:00]
Running from: C:\Documents and Settings\Gary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gary\Application Data\FunWebProducts
C:\Documents and Settings\Gary\Application Data\FunWebProducts\Data\Gary\avatar.dat
C:\Documents and Settings\Gary\Application Data\FunWebProducts\Data\Gary\register.dat
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\assys.dll
C:\WINDOWS\default.htm
C:\WINDOWS\ffnsys.dll
C:\WINDOWS\gstcore.dll
C:\WINDOWS\mfnsys.dll
C:\WINDOWS\rsczsys.dll
C:\WINDOWS\snsys.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\uawin.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Malwarebytes
2008-03-15 17:22 . 2008-03-15 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-15 16:54 . 2008-03-15 16:54 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-15 16:40 . 2008-03-15 16:40 24,320 --a------ C:\WINDOWS\apphelp32.dll
2008-03-15 12:02 . 2008-03-15 12:02 32,512 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-15 12:02 . 2008-03-15 12:02 32,000 --a------ C:\WINDOWS\123messenger.per
2008-03-15 12:02 . 2008-03-15 12:02 26,368 --a------ C:\WINDOWS\asferror32.dll
2008-03-15 12:02 . 2008-03-15 12:02 22,016 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-15 12:02 . 2008-03-15 12:02 17,664 --a------ C:\WINDOWS\autodisc32.dll
2008-03-15 12:02 . 2008-03-15 12:02 16,128 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-15 12:02 . 2008-03-15 12:02 11,776 --a------ C:\WINDOWS\athprxy32.dll
2008-03-15 12:02 . 2008-03-15 12:02 9,984 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-11 20:30 . 2008-03-14 07:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 20:30 . 2008-03-11 20:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 22:53 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-05 22:53 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-05 22:53 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-05 22:53 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-05 22:52 . 2008-03-06 06:51 <DIR> d-------- C:\Program Files\Spyware Doctor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 18:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-15 16:21 --------- d-----w C:\Documents and Settings\Gary\Application Data\AVG7
2008-03-15 11:48 --------- d-----w C:\Documents and Settings\Gary\Application Data\uTorrent
2008-03-15 08:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-20 07:01 --------- d-----w C:\Program Files\MSN Messenger
2008-02-14 17:50 --------- d-----w C:\Program Files\McAfee
2008-01-31 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-27 19:30 --------- d-----w C:\Program Files\Guitar Pro 5
2008-01-22 22:20 --------- d-----w C:\Program Files\greenstreet
2008-01-22 22:20 --------- d-----w C:\Program Files\Common Files\gst
2008-01-22 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 11:00 --------- d-----w C:\Documents and Settings\Gary\Application Data\Samsung
2008-01-19 10:40 --------- d-----w C:\Program Files\Samsung
2007-09-21 17:45 3,517,504 ----a-w C:\Program Files\TVUPlayer2.3.3beta2.exe
2007-09-09 02:59 9,389,672 ----a-w C:\Program Files\gorvedi.exe
2007-09-08 22:19 55,816 ----a-w C:\Program Files\NOTEPAD.EXE
2007-02-13 20:55 342,957 ----a-w C:\Program Files\mozactivex-ff-15.xpi
1993-05-12 00:00 398,416 ----a-w C:\Program Files\VBRUN300.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 04:21 4687352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 16:28 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 10:12 139264]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-10 02:16 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:24 579072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-17 17:12 180269]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"EPSON Stylus C86 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.exe" [2003-11-25 02:00 99840]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-03-18 02:24 184320]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6028\SiteAdv.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-14 18:22 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-12-15 19:01 40960]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 17:12 219136]

C:\Documents and Settings\Gary\Start Menu\Programs\Startup\
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2007-11-26 21:40:48 6240]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 03:43:54 11000]
JoyAct.lnk - C:\Program Files\Gaming Devices\JoyAct.exe [2007-06-06 19:34:05 299008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxyyv]
byxxyyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Documents and Settings\\Gary\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

S2 smss;FireDaemon Service: smss;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S2 WindowsUpdate;FireDaemon Service: WindowsUpdate;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S3 Dual Mode;Dual Mode Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2002-10-09 20:24]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1340683-6626-11dc-9037-000b6a192cae}]
\Shell\AutoRun\command - H:\loader.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 02:24:15 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2006-11-16 18:17:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 18:50:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-03-15 19:00:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 19:00:15

I owe you a beer as it seems to have worked a treat.
Not sure if it's fair of me to ask you to have a look, however I would appreciate it if you could tell me if there is anything alarming.

A beer sounds good right now....

There are a few items in the ComboFix log that need attention. You should start your own thread so one of the volunteers can help you. I am not going to be around much for a while, so I am hesitant to take on new threads. If nobody replies here at Daniweb, you could try my friend Judy at iamnotageek.com.

-- You ought to get rid of the P2P stuff as many forums do not help P2P users unless they remove or disable the clients due to the risk of re-infection.

Also, you should definitely Update your Java as per the instructions in my "Protect Yourself..." Linky below!


Cheers :)
PP
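One way a defender can pick the attention-worthy items out of a ComboFix log like the one above: an added Python example (not ComboFix's own logic and not from anyone in this thread) that scans the "Reg Loading Points" section for Winlogon Notify packages, disabled Security Center notifications, services registered under Windows component names, and AutoRun commands on mounted drives. The sample input is an excerpt constructed from the log posted above; the heuristics and category names are this example's own assumptions.

```python
import re

# Constructed sample input: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxyyv]
byxxyyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

S2 smss;FireDaemon Service: smss;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S2 WindowsUpdate;FireDaemon Service: WindowsUpdate;c:\Windows\system32\Kilot\\mssvchost.exe [2004-07-15 20:59]
S3 Dual Mode;Dual Mode Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2002-10-09 20:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1340683-6626-11dc-9037-000b6a192cae}]
\Shell\AutoRun\command - H:\loader.exe
"""

# Names of core Windows processes/components. A third-party service registered
# under one of these names is masquerading as Windows (assumed list for this example).
WINDOWS_NAMES = {"smss", "csrss", "winlogon", "lsass", "services", "svchost", "windowsupdate"}

NOTIFY_KEY = re.compile(r"\\winlogon\\notify\\([^\]]+)\]$", re.IGNORECASE)
DISABLE_VAL = re.compile(r'^"(\w*Disable\w*)"=dword:0*1$', re.IGNORECASE)
SERVICE_LINE = re.compile(r"^S[0-4] ([^;]+);([^;]*);(.+?)(?: \[.*\])?$")
AUTORUN_LINE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.IGNORECASE)


def triage(log_text):
    """Return (category, detail) findings for suspicious 'Reg Loading Points' entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := NOTIFY_KEY.search(line):
            # ComboFix hides legit default entries, so any Notify package it lists needs review.
            findings.append(("winlogon_notify", m.group(1)))
        elif m := DISABLE_VAL.match(line):
            # Security Center alerting/monitoring switched off is a classic sign of tampering.
            findings.append(("security_center_disabled", m.group(1)))
        elif m := SERVICE_LINE.match(line):
            name, _display, path = m.group(1), m.group(2), m.group(3)
            if name.lower() in WINDOWS_NAMES:
                findings.append(("service_masquerades_as_windows", f"{name} -> {path}"))
        elif m := AUTORUN_LINE.match(line):
            # An AutoRun command tied to a drive letter re-runs whenever that drive is opened.
            findings.append(("drive_autorun", m.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```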

Hello Philly Phan, Vegas Gal
Thanks a million Philly for your detailed post. Glad there are people like you investing their knowledge in helping others instead of creating viruses for fun!
I have followed the steps from your first post and it helped.
I have spent 17 hours searching the net for an answer, downloaded 3 programs and it was still nada!
Proud to say your post was #1 on the net!
The cleaning part was a little scary:

Anyway I ran the cleaning, took a while, had to guess some close or ignore decisions in pop-up windows... I got done and: Tatahhhh... a blank screen, no task bar, no icons... nothing, buttons won't work, no start-up menu...
I shut the PC off manually, put it back on, no loading or nothing, 1 second straight to the blank screen... kind of like a TV!
I thought OK PC, you wanna be a TV, let's try a TV trick: shut it off and then pressed the on button for 10 seconds (kind of like resetting the satellite receiver) and there it started booting... and here I am back and running... no more malware, got my task manager back...
Again thanks, I have registered in this site just to say :THANK YOU!

PhillyPhan,
I wanted to say thank you for this thread. My computer was infected 2 days ago by mgmrwmrv.exe, and I searched and searched for a solution. Yours is fantastic. I ran HijackThis, Malwarebytes, and ComboFix and my problems were solved. I'm running some final spyware and virus scans to make sure that everything really is gone. Thank you SO MUCH!! I'm so happy my computer is no longer in danger of becoming an expensive paperweight. Words cannot express how happy I am!
Thanks again!!!!!
~Thom
