# Trying to remove this virus Mal/EncPK-BP



## N2bnfunn (Jan 2, 2008)

Hello, I have been trying to remove this virus for a while now and I was wondering if someone could walk me through removing it for good. I have tried every anti-spyware program and McAfee antivirus and still it is there. Here is my HijackThis log. Thanks in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:06 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1175828319\ee\AOLSoftware.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.1\waol.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Dun74\VLC360\vlc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [36X Raid Configurer] "C:\WINDOWS\system32\JMRaidSetup.exe" boot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1175828319\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: VLC360.lnk = C:\Program Files\Dun74\VLC360\VLC360.bat
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6376 bytes
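As an added example (not code from this thread, from Trend Micro or from any tool named here), the following Python parser reads the HijackThis log layout posted above, turns R1/O2/O4/O16/O23 lines into records, and lists the entries a log helper reads first: targets marked "(file missing)", services with no vendor string, Run values that name a bare executable, and batch files launched at startup. The sample lines are constructed from the log above, and the triage rules are heuristics of this example, not HijackThis's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample lines constructed for this example, modelled on the HijackThis log
# posted above (same sections and layout; not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VLC360.lnk = C:\Program Files\Dun74\VLC360\VLC360.bat
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""


@dataclass
class Entry:
    section: str                  # HijackThis section code: R1, O2, O4, O16, O23, ...
    subtype: str                  # text before the first ": " (BHO, HKLM\..\Run, Service, DPF)
    name: str                     # display name, Run value name, or .lnk name
    path: str                     # executable, DLL, URL or setting value
    vendor: Optional[str] = None  # O23 only: the company string HijackThis printed
    clsid: Optional[str] = None   # {GUID} when the line carries one
    flags: list = field(default_factory=list)  # triage notes added by parse_line()


LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; return None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    flags = []
    for marker in ("(file missing)", "(no file)"):
        if body.endswith(marker):            # HijackThis could not find the target
            flags.append("file missing")
            body = body[: -len(marker)].rstrip()
    subtype, sep, rest = body.partition(": ")
    if not sep:                              # R1-style "key,value = data" lines
        key, _, value = body.partition(" = ")
        return Entry(section, "", key, value, flags=flags)
    if section == "O4":
        run = RUN_RE.match(rest)
        if run:                              # HKLM\..\Run: [Name] command
            name, path = run.group("name"), run.group("cmd")
        else:                                # Global Startup: X.lnk = target
            name, _, path = rest.partition(" = ")
        # A bare image name is resolved through the search path at logon, so the
        # log alone does not tell a helper which file actually runs.
        if "\\" not in path.split(" ")[0].strip('"'):
            flags.append("unqualified path")
        return Entry(section, subtype, name, path, flags=flags)
    if section == "O23":                     # Service: Name (svc) - Vendor - path
        name, vendor, path = rest.rsplit(" - ", 2)
        if vendor.lower() == "unknown owner":
            flags.append("no vendor string")
        return Entry(section, subtype, name, path, vendor=vendor, flags=flags)
    # O2 / O9 / O16 and similar: "Name - {CLSID} - path" or "Name - URL"
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None
    head, _, path = rest.rpartition(" - ")
    name = CLSID_RE.sub("", head).strip(" -")
    return Entry(section, subtype, name, path, clsid=clsid, flags=flags)


def parse_log(text: str) -> list:
    """All parseable entries of a HijackThis log, in log order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries) -> list:
    """(section, name, reasons) for entries a helper reads first: anything flagged
    during parsing, plus batch files launched from a startup location."""
    out = []
    for e in entries:
        reasons = list(e.flags)
        if e.section == "O4" and e.path.lower().rstrip('"').endswith(".bat"):
            reasons.append("batch file run at startup")
        if reasons:
            out.append((e.section, e.name, reasons))
    return out


if __name__ == "__main__":
    for section, name, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {name}: {', '.join(reasons)}")
```

A flagged entry is a reading prompt, not a verdict: the orphaned Acronis service in this thread is a leftover from an uninstall, and the helper judged the O2 BHO entries legitimate.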


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome

What location is it being detected in?


----------



## N2bnfunn (Jan 2, 2008)

Not really sure what you mean; it just comes up in my Spy Sweeper on my hard drive.


----------



## Cheeseball81 (Mar 3, 2004)

I mean, did it give a directory of where it was found? 
Example: C:\WINDOWS


----------



## N2bnfunn (Jan 2, 2008)

No, it did not. My guess is that since it keeps coming back it must be in the registry.


----------



## Cheeseball81 (Mar 3, 2004)

Can you copy and paste your SpySweeper results in this thread?


----------



## N2bnfunn (Jan 2, 2008)

OK, give me a few minutes, but if you look at my HijackThis log I think I see where it is. I think it has locked on to this:

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll


----------



## N2bnfunn (Jan 2, 2008)

OK, here is my log from Spy Sweeper:

Spy Cookie found: 2o7.net cookie
Spy Cookie found: advertising cookie
Spy Cookie found: atlas dmt cookie
Spy Cookie found: overture cookie
Spy Cookie found: rambler cookie
Spy Cookie found: tacoda cookie
Spy Cookie found: tribalfusion cookie
Behavioral found: Mal/EncPk-BP


----------



## Cheeseball81 (Mar 3, 2004)

N2bnfunn said:


> OK, give me a few minutes, but if you look at my HijackThis log I think I see where it is. I think it has locked on to this:
> 
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
> O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll


These are legit.


----------



## Cheeseball81 (Mar 3, 2004)

Run *ActiveScan* online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. 
Post the contents of the ActiveScan report.


----------



## N2bnfunn (Jan 2, 2008)

OK, here it is:

| Incident | Status | Location |
|---|---|---|
| Spyware:Cookie/Advertising | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][1].txt |
| Spyware:Cookie/Advertising | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][2].txt |
| Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][2].txt |
| Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][1].txt |
| Spyware:Cookie/Overture | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][1].txt |
| Spyware:Cookie/Overture | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][1].txt |
| Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][2].txt |
| Spyware:Cookie/RealMedia | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][1].txt |
| Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][1].txt |
| Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\My Computer\Cookies\my [email protected][2].txt |
| Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\My Computer\Local Settings\Temporary Internet Files\Content.IE5\W3B7AKXT\SDFix[1].exe[SDFix\apps\Process.exe] |
| Potentially unwanted tool:Application/Processor | Not disinfected | C:\sdfix\SDFix\apps\Process.exe |
| Virus:Trj/BHO.AB | Disinfected | C:\WINDOWS\system32\IEDFix.exe |
| Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\system32\Process.exe |


----------



## Cheeseball81 (Mar 3, 2004)

Now please rerun SpySweeper. See if it still shows "Behavioral found: Mal/EncPk-BP"


----------



## N2bnfunn (Jan 2, 2008)

Yes, I just did it and it still shows Mal/EncPk-BP. That is the only thing I am now seeing on Spy Sweeper.


----------



## Cheeseball81 (Mar 3, 2004)

It's quite bizarre that SpySweeper gives absolutely no location for this.
Did it give any option to fix it?


----------



## N2bnfunn (Jan 2, 2008)

Yes, but when you use Spy Sweeper to fix it, it just comes right back.


----------



## Cheeseball81 (Mar 3, 2004)

I see you've maybe used some malware removal tools? Such as Smitfraudfix and SDfix.
Please uninstall/remove those - or any others that have been downloaded.

Download Deckard's System Scanner (DSS): http://www.techsupportforum.com/sectools/Deckard/dss.exe to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows. 
Double-click on dss.exe to run it, and follow the prompts. 
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized 
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum. 
Please attach extra.txt to your post. 
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do:
create a new System Restore point in Windows XP and Vista. 
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives. 
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


----------



## N2bnfunn (Jan 2, 2008)

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-01-08 10:35:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 2 Restore Point(s) --
2: 2008-01-08 15:31:17 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-01-08 15:29:58 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:54 AM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\download\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [36X Raid Configurer] "C:\WINDOWS\system32\JMRaidSetup.exe" boot
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1175828319\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: VLC360.lnk = C:\Program Files\Dun74\VLC360\VLC360.bat
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4494 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071112-095755-895 O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
backup-20071220-194522-215 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20080105-030348-421 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
backup-20080105-030348-839 O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 GP8PSK (Genpix USB Driver) - c:\windows\system32\drivers\genpix.sys <Not Verified; Cypress Semiconductor; Cypress Generic USB Device Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S2 MaVctrl - c:\windows\system32\drivers\mavc2k.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 AEAudio (AE Audio Service) - c:\windows\system32\drivers\aeaudio.sys (file missing)
S3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - c:\windows\system32\drivers\alcxwdm.sys (file missing)
S3 catchme - c:\docume~1\mycomp~1\locals~1\temp\catchme.sys (file missing)
S3 DtvAudio - c:\windows\system32\drivers\dtvaudio.sys <Not Verified; TwinHan Provide; DTVAudio>
S3 DtvVideo - c:\windows\system32\drivers\dtvvideo.sys <Not Verified; TwinHan Provide; DTV Video Controller.>
S3 mamovec - c:\windows\system32\drivers\mamovec.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 mamovem - c:\windows\system32\drivers\mamovem.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 mamoveu - c:\windows\system32\drivers\mamoveu.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 motmodem (Motorola USB CDC ACM Driver) - c:\windows\system32\drivers\motmodem.sys (file missing)
S3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
S4 SI3112 (SiI-3112 SATALink Controller) - c:\windows\system32\drivers\si3112.sys <Not Verified; Silicon Image, Inc.; SiI 3112 SATALink controller>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" (file missing)
S2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>
S2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-01-01 01:59:32 344 --a------ C:\WINDOWS\Tasks\McQcTask.job
2007-12-15 01:05:03 352 --a------ C:\WINDOWS\Tasks\McDefragTask.job

-- Files created between 2007-12-08 and 2008-01-08 -----------------------------

2008-01-07 08:17:18 0 d-------- C:\Program Files\Enigma Software Group
2008-01-07 07:56:43 0 d-------- C:\antivirus
2008-01-07 07:52:03 0 d-------- C:\Program Files\Common Files\BitDefender
2008-01-05 11:30:51 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-05 02:43:45 0 d-------- C:\WINDOWS\ERUNT
2008-01-04 06:40:58 0 d-------- C:\Documents and Settings\My Computer\DoctorWeb
2008-01-04 05:02:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-04 05:02:40 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-04 04:23:34 0 d-------- C:\Program Files\Steam
2008-01-02 20:27:11 36625 --a------ C:\WINDOWS\system32\drivers\mavcomm.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
2008-01-02 20:27:11 51584 --a------ C:\WINDOWS\system32\drivers\mamoveu.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
2008-01-02 20:27:11 25044 --a------ C:\WINDOWS\system32\drivers\mamovem.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
2008-01-02 20:27:11 24784 --a------ C:\WINDOWS\system32\drivers\mamovec.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
2008-01-02 20:26:16 49399 --a------ C:\WINDOWS\system32\drivers\mamotou.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
2008-01-02 20:26:11 24789 --a------ C:\WINDOWS\system32\drivers\MaVctrl.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
2008-01-02 20:26:11 11473 --a------ C:\WINDOWS\system32\drivers\MaVc2K.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
2008-01-02 20:26:11 49484 --a------ C:\WINDOWS\system32\drivers\mardpnp.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
2008-01-02 20:14:08 0 d-------- C:\WINDOWS\Application Data
2008-01-02 19:57:22 0 d-------- C:\Program Files\Motorola
2008-01-02 19:36:59 6947 --a------ C:\Documents and Settings\My Computer\1199320619-(null)
2007-12-31 14:19:29 0 d-------- C:\Program Files\MyTheatre
2007-12-30 21:20:32 0 d-------- C:\Verzion
2007-12-30 21:08:00 0 d-------- C:\Documents and Settings\My Computer\Application Data\InstallShield
2007-12-29 04:01:20 0 d-------- C:\card
2007-12-26 06:29:40 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-26 06:29:29 0 d-------- C:\WINDOWS\aolshare
2007-12-26 06:29:27 0 d-------- C:\Program Files\AOL 9.1
2007-12-20 18:42:17 0 d-------- C:\Documents and Settings\My Computer\Application Data\Ahead
2007-12-19 19:16:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-19 18:47:14 0 d-------- C:\Program Files\XoftSpySE
2007-12-16 20:28:55 0 d-------- C:\Program Files\PrevxCSI
2007-12-16 20:27:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-16 20:27:08 0 d-------- C:\Documents and Settings\My Computer\Application Data\PrevxCSI
2007-12-16 20:06:21 2308 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-16 19:53:59 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-16 19:53:59 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-16 19:53:58 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-16 19:53:58 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-15 18:21:31 25600 --a------ C:\WINDOWS\system32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite>
2007-12-15 18:07:50 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-12-15 18:07:26 0 d-------- C:\Program Files\SpywareDetector
2007-12-10 20:02:01 49152 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-12-10 20:01:20 0 d-------- C:\Program Files\Realtek
2007-12-10 18:39:35 2916352 -----n--- C:\WINDOWS\UNNMP.exe <Not Verified; Nero AG; Nero Web Engine>
2007-12-10 18:38:29 2977792 -----n--- C:\WINDOWS\UNNeroVision.exe <Not Verified; Nero AG; Nero Web Engine>
2007-12-10 18:38:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-09 20:29:07 0 d-------- C:\dvbapp
2007-12-08 11:58:03 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

-- Find3M Report ---------------------------------------------------------------

2008-01-07 07:52:03 0 d-------- C:\Program Files\Common Files
2008-01-05 12:18:58 0 d-------- C:\Program Files\Windows Media Connect 2
2008-01-05 12:15:06 0 d-------- C:\Program Files\Messenger
2008-01-05 12:13:17 0 d-------- C:\Program Files\Common Files\LightScribe
2008-01-04 07:01:21 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 04:49:55 0 d-------- C:\Program Files\NVIDIA Corporation
2008-01-04 04:00:51 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-01-02 19:38:33 0 d-------- C:\Program Files\Motorola Phone Tools
2007-12-30 21:08:02 0 d-------- C:\Program Files\Avanquest update
2007-12-30 19:33:26 0 d-------- C:\Program Files\ASUS
2007-12-29 01:48:43 0 d-------- C:\Program Files\mIRC
2007-12-26 06:30:17 0 d-------- C:\Program Files\Common Files\aol
2007-12-26 06:29:30 0 d-------- C:\Program Files\Common Files\aolshare
2007-12-18 18:43:18 0 d-------- C:\Program Files\McAfee
2007-12-10 18:39:29 0 d-------- C:\Program Files\Ahead
2007-12-10 18:38:51 0 d-------- C:\Program Files\Common Files\Nero
2007-12-05 21:35:21 0 d-------- C:\Program Files\NCH Swift Sound
2007-12-05 21:30:00 0 d-------- C:\Program Files\DVDVideoSoft
2007-12-05 20:35:19 0 d-------- C:\Program Files\NCH Software
2007-12-05 20:13:23 0 d-------- C:\Program Files\MP3 WAV Converter
2007-12-05 01:41:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-12-05 01:41:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-12-05 01:41:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 01:41:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-12-05 01:41:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-12-05 01:41:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 01:41:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-12-05 01:41:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-12-02 22:25:17 0 d-------- C:\Program Files\Acronis
2007-12-01 19:19:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-11-30 19:47:57 0 d-------- C:\Program Files\Common Files\Axara
2007-11-29 19:30:15 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-23 08:11:54 51800 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-11-21 09:54:49 0 d-------- C:\Program Files\Microsoft SQL Server
2007-11-21 09:00:05 0 d-------- C:\Program Files\Microsoft SQL Server(2)
2007-11-20 20:10:01 0 d-------- C:\Program Files\Vstplugins
2007-11-20 20:09:43 0 d-------- C:\Program Files\Sony
2007-11-13 19:44:54 0 d-------- C:\Program Files\VDJ5
2007-11-12 09:43:11 0 d-------- C:\Program Files\Trend Micro
2007-11-11 20:25:02 0 d-------- C:\Program Files\Webroot
2007-11-11 20:23:03 164 --a------ C:\install.dat
2007-11-11 14:35:18 0 d-------- C:\Program Files\DVBPortal
2007-11-11 13:00:57 0 d-------- C:\Program Files\VirtualDJ
2007-11-10 23:09:56 0 d-------- C:\Program Files\Common Files\McAfee
2007-11-10 23:09:43 0 d-------- C:\Program Files\McAfee.com
2007-11-10 14:24:18 0 d-------- C:\Program Files\Analog Devices

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 12:56 PM]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [10/06/2005 06:12 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 04:40 PM]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [11/16/2006 04:05 AM]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1175828319\ee\AOLSoftware.exe" [05/25/2007 12:16 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"RTHDCPL"="RTHDCPL.EXE" [03/21/2007 01:49 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 AM C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="RUNDLL32.exe" [08/10/2004 07:00 AM C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [08/10/2004 07:00 AM C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/2007 04:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [10/20/2005 7:55:40 PM]
VLC360.lnk - C:\Program Files\Dun74\VLC360\VLC360.bat [3/27/2006 3:39:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2kAutostart]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE	QWAVE

-- End of Deckard's System Scanner: finished at 2008-01-08 10:36:52 ------------


----------



## Cheeseball81 (Mar 3, 2004)

Upon discussion with other security techs here, we suspect maybe it's in System Restore.
Do you have a lot of restore points set?


----------



## N2bnfunn (Jan 2, 2008)

Yes, I do, but I have had it turned off for a while now, the restore point feature.


----------



## Cheeseball81 (Mar 3, 2004)

This is another way to run SpySweeper and get more in depth results:



> Open SpySweeper, by double-clicking the icon on your desktop.
> Click Options on the left side.
> Click the Sweep tab.
> Under Items to Sweep make sure the following are checked:
> ...


----------



## N2bnfunn (Jan 2, 2008)

Well, thank you for all your help, but I FINALLY was able to get rid of the Mal/EncPK-BP.
It was like you said: it was in the restore backup files. I deleted them and scanned, and NO
MAL virus. I did create a new backup and turned off the restore command. Thanks for all your help!!


----------



## Cheeseball81 (Mar 3, 2004)

That is great news! 

You're welcome and have a great day!

You can mark your thread "Solved" from the *Thread Tools* drop down menu.


----------

