InterviewSolution

1. Solve: How do I know if I have a RAT?
Answer» I received an evil e-mail that was opened by an unsuspecting family member and now I don't know what to do.

Malwarebytes found 3 trojan vundos. Here is that log:

Malwarebytes' Anti-Malware 1.20
Database version: 941
Windows 5.1.2600 Service Pack 3

4:05:38 PM 2/5/2009
mbam-log-2-5-2009 (16-05-38).txt

Scan type: Quick Scan
Objects scanned: 47300
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

I was CONCERNED that this so-called RAT was possibly undetected. I will post the other requests in two separate posts. They are too long for one.

log file:

Logfile of random's system information tool 1.05 (written by random/random)
Run by airhalling at 2009-02-05 16:42:10
Microsoft Windows XP Professional Service Pack 3
System drive C: has 58 GB (77%) free of 76 GB
Total RAM: 1015 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:16 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\airhalling\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\airhalling.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:/Documents and Settings/airhalling/My Documents/My Music/Temp/Tunebite/.downloading/profile/rrproxy_ie_49791246.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [RegistryCleanerProMFCT] C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\airhalling\My Documents\My Pictures\Yosemite.jpg

--
End of file - 7969 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\odwguswb.job

======Registry dump======

still too long, see next post...

rest of log...

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
Yahoo! Companion BHO - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL [2005-03-04 327246]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-07-17 279944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-09-24 308832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 744960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA102584-3B97-47e7-B9BC-75D54C110A7D}]
Tunebite_WebRipPlugin Class - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll [2008-09-15 144688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL [2005-03-04 327246]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-07-17 279944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-11-28 98304]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-11-28 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-11-28 118784]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2007-06-29 286720]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-09-24 185872]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [2007-07-12 132496]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2005-06-14 6856704]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe [2008-12-12 9555968]
"RegistryCleanerProMFCT"=C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe [2008-09-16 13422592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe
PowerReg Scheduler.exe
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="xooqxv.dll yuvgjm.dll spixsm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-11-28 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:xpsp2res.dll,-22019"
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe"="C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:xpsp3res.dll,-20000"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Windows Explorer"
"C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2009-02-05 16:42:10 ----D---- C:\rsit
2009-01-30 15:43:56 ----D---- C:\Program Files\AskBarDis
2009-01-28 17:57:36 ----D---- C:\Program Files\A360
2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini2
2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini
2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini2
2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini
2009-01-15 03:01:41 ----HD---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-13 20:12:37 ----D---- C:\Program Files\NOS
2009-01-13 20:12:37 ----D---- C:\Documents and Settings\All Users\Application Data\NOS

======List of files/folders modified in the last 1 months======

2064-04-14 12:20:40 ----D---- C:\WDSTW
2009-02-05 14:44:26 ----A---- C:\WINDOWS\LEXSTAT.INI
2009-02-01 14:26:18 ----A---- C:\WINDOWS\system32\4b5ea7be-.txt
2009-01-23 18:19:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-09 19:35:28 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DcCam;Kodak Camera Proxy; C:\WINDOWS\system32\DRIVERS\DcCam.sys [2004-05-20 36918]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R2 DCFS2K;Kodak DCFS2K Driver; C:\WINDOWS\system32\drivers\dcfs2k.sys [2004-06-02 38705]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-11-28 1353820]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-15 4225920]
R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2003-05-16 2202674]
R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2003-05-16 451625]
R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2003-05-16 29541]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
R3 tbhsd;Tunebite High-Speed Dubbing; C:\WINDOWS\system32\drivers\tbhsd.sys [2008-09-15 43552]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
R3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S1 Exportit;Exportit; C:\WINDOWS\system32\DRIVERS\exportit.sys [2004-06-02 151985]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 DcFpoint;DcFpoint; C:\WINDOWS\system32\DRIVERS\DcFpoint.sys [2004-05-20 61564]
S3 DcLps;Legacy Polling Service; C:\WINDOWS\system32\DRIVERS\DcLps.sys [2004-05-20 8022]
S3 DcPTP;dcptp; C:\WINDOWS\system32\DRIVERS\DcPTP.sys [2004-05-20 68950]
S3 EL90X;3Com EtherLink XL 90X Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xnd5.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 NtApm;NT Apm/Legacy INTERFACE Driver; C:\WINDOWS\system32\DRIVERS\NtApm.sys [2006-02-28 9344]
S3 S3SAVAGE4M;S3SAVAGE4M; C:\WINDOWS\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-08-15 106496]
R2 KodakCCS;Kodak Camera Connection Software; C:\WINDOWS\system32\drivers\KodakCCS.exe [2004-05-24 322104]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-01-13 311296]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

info file:

info.txt logfile of random's system information tool 1.05 2009-02-05 16:42:20

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Creative\SBLive\PROGRAM\CTZAPDEV.EXE
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Launcher\Launcher.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Recorder\Recorder.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SurMixer.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Uninstall\Installer.isu"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adaptec DirectCD-->C:\WINDOWS\uninst.exe -fc:\progra~1\cd-wri~1\directcd\DeIsL2.isu -c"c:\progra~1\cd-wri~1\directcd\\Dcduhlp.dll"
Ad-Aware SE Personal-->C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player-->C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\Install.log
America Online-->C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Coach Version 1.0(Build:20020823.1)-->C:\WINDOWS\AolCInUn.exe
Ask Toolbar-->"C:\Program Files\AskBarDis\unins000.exe"
Belarc Advisor 7.0-->C:\PROGRA~1\BELARC\ADVISOR\Uninstall.exe C:\PROGRA~1\BELARC\ADVISOR\INSTALL.LOG
CD-Writer Plus software-->C:\Program Files\CD-Writer Plus\hpremove.exe
Chutes and Ladders-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\Chutes\DeIsL1.isu"
Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Kodak EasyShare software-->C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_9_14d8e\Setup.exe /APR-REMOVE
Lexmark 4200 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBMUN5C.EXE -dLexmark 4200 Series
LiveUpdate 2.0 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MathPlayer-->C:\Program Files\Design Science\MathPlayer\Setup.exe -u
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft IntelliType Pro-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft Hardware\Keyboard\Uninst.isu" -c"C:\Program Files\Microsoft Hardware\Keyboard\sutils.dll"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe
PartyPokerNet-->"C:\Program Files\PartyGaming.Net\PartyPokerNet\Uninstall.exe" "C:\Program Files\PartyGaming.Net\PartyPokerNet\install.log"
PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net
PokerStars-->C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
RealArcade-->C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegistryCleanerPro 1.0-->C:\Program Files\RegistryCleanerPro\uninst.exe
Roxio UDF Reader-->C:\WINDOWS\SYSTEM32\udfrunin.exe
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Sound Blaster Live! Value-->C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI
Spybot - Search & Destroy 1.3-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TaxCut Standard 2005-->C:\PROGRA~1\TaxCut05\Program\removetc.exe
Uninstall InControl Tools 99-->C:\Program Files\Diamond\Setup99\install.exe -uh
Unity Web Player-->C:\Program Files\Unity\WebPlayer\Uninstall.exe
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Westwood Shared Internet Components-->C:\Westwood\Internet\UnstllAP.EXE
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip-->"C:\PROGRAM FILES\WINZIP\WINZIP32.EXE" /uninstall

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

System event log

Computer Name: PII300MHZ
Event Code: 36
Message: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Record Number: 10653
Source Name: W32Time
Time Written: 20080806001117.000000-300
Event Type: warning
User:

Computer Name: PII300MHZ
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.
Record Number: 10652 Source Name: Service Control Manager Time Written: 20080805210439.000000-300 Event Type: information User: Computer Name: PII300MHZ Event Code: 7036 Message: The IMAPI CD-Burning COM Service service entered the running state. Record Number: 10651 Source Name: Service Control Manager Time Written: 20080805210429.000000-300 Event Type: information User: Computer Name: PII300MHZ Event Code: 7035 Message: The IMAPI CD-Burning COM Service service was successfully sent a start control. Record Number: 10650 Source Name: Service Control Manager Time Written: 20080805210428.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: PII300MHZ Event Code: 7036 Message: The IMAPI CD-Burning COM Service service entered the stopped state. Record Number: 10649 Source Name: Service Control Manager Time Written: 20080805103708.000000-300 Event Type: information User: Application event log Computer Name: PII300MHZ Event Code: 5000 Message: McShield service started. Engine version : 5300.2777 DAT version : 5478.0000 Number of signatures in EXTRA.DAT : None Names of threats that EXTRA.DAT can detect : None Record Number: 6712 Source Name: McLogEvent Time Written: 20081229221153.000000-360 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: PII300MHZ Event Code: 1000 Message: Faulting application firefox.exe, version 1.9.0.3257, faulting module unknown, version 0.0.0.0, fault address 0x1000cea6. Record Number: 6711 Source Name: Application Error Time Written: 20081224194653.000000-360 Event Type: error User: Computer Name: PII300MHZ Event Code: 5000 Message: McShield service started. 
Engine version : 5300.2777 DAT version : 5474.0000 Number of signatures in EXTRA.DAT : None Names of threats that EXTRA.DAT can detect : None Record Number: 6710 Source Name: McLogEvent Time Written: 20081224194600.000000-360 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: PII300MHZ Event Code: 7 Message: Successful auto update retrieval of third-party root list sequence number from: Record Number: 6709 Source Name: crypt32 Time Written: 20081223211642.000000-360 Event Type: information User: Computer Name: PII300MHZ Event Code: 5000 Message: McShield service started. Engine version : 5300.2777 DAT version : 5473.0000 Number of signatures in EXTRA.DAT : None Names of threats that EXTRA.DAT can detect : None Record Number: 6708 Source Name: McLogEvent Time Written: 20081223173336.000000-360 Event Type: information User: NT AUTHORITY\SYSTEM ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;%SYSTEMROOT%\COMMAND;C:\Program Files\QuickTime\QTSystem\ "windir"=C:\WINDOWS "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel "PROCESSOR_REVISION"=0409 "NUMBER_OF_PROCESSORS"=1 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=C:\WINDOWS\TEMP "TMP"=C:\WINDOWS\TEMP "winbootdir"=C:\WINDOWS "PROMPT"=$p$g "BLASTER"=A220 I7 D1 H5 P330 T6 "CLASSPATH"=.;C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip -----------------EOF----------------- Open HijackThis and select Do a system scan only. 
Place a check mark next to the following entries: (if there)

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis
- BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
- O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
- O4 - HKCU\..\Run: [RegistryCleanerProMFCT] C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe <- This is a rogue tool.
- O4 - Global Startup: PowerReg Scheduler.exe
- O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll

Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis.

----------

Go to Add/Remove Programs and uninstall:

----------

Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista. Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs. If you are using Windows Vista, right-click on the LopSD.exe icon and select 'Run as administrator' to perform this scan.
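Added example, not from the thread and not part of HijackThis: a Python triage pass over HijackThis-style lines that flags the entry classes the helper ticked above (the start-page hijack, the Ask BHO and toolbar CLSIDs, the rogue cleaner's Run entry, the Startup-folder nagware and the AppInit_DLLs injection). The CLSID, folder, item and host reference sets are constructed from this thread's fix list only; the sample lines are the ones quoted above plus one benign Run entry taken from the posted log.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Reference data built from the helper's fix list in this thread (constructed
# for the example; a real triage would use a maintained, much larger list).
KNOWN_UNWANTED_CLSIDS = {
    "{201f27d4-3704-41d6-89c1-aa35e39143ed}": "AskBar BHO",
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}": "Ask Toolbar",
}
ROGUE_PRODUCT_DIRS = {"registrycleanerpro"}     # rogue "cleaner" named above
NAG_STARTUP_ITEMS = {"powerreg scheduler.exe"}   # registration nagware
HIJACK_PAGE_HOSTS = {"www.ask.com"}

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
HEAD_RE = re.compile(r"^(?:(?P<type>R\d|O\d+)\s*-\s*)?(?P<body>.+)$")
NAME_TAG_RE = re.compile(r"^\[[^\]]*\]\s*")

# Sample input: the lines the helper flagged, plus one benign Run entry.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis",
    r"BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll",
    r"O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll",
    r"O4 - HKCU\..\Run: [RegistryCleanerProMFCT] C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe",
    r"O4 - Global Startup: PowerReg Scheduler.exe",
    r"O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"',
]


@dataclass
class Finding:
    line: str
    severity: str  # "high" or "medium"
    reason: str


def parse_entry(line):
    """Return (entry_type, body) for one HijackThis line.

    'BHO:' lines are O2 entries; the 'O2 - ' prefix was lost in the quoted
    thread, so a bare 'BHO:' line is accepted as O2 here.
    """
    m = HEAD_RE.match(line.strip())
    if not m:
        return None, ""
    etype, body = m.group("type"), m.group("body").strip()
    if etype is None and body.startswith("BHO:"):
        etype = "O2"
    return etype, body


def check_entry(line):
    """Apply one rule per entry class; return a Finding or None."""
    etype, body = parse_entry(line)
    if etype in ("R0", "R1"):
        # "...\Main,Start Page = http://..." -> the URL follows the first '='
        url = body.partition("=")[2].strip()
        parts = urlsplit(url)
        if (parts.hostname or "").lower() in HIJACK_PAGE_HOSTS or parts.query:
            return Finding(line, "medium", f"browser page hijacked to {url}")
    elif etype in ("O2", "O3"):
        m = CLSID_RE.search(body)
        if m and m.group(0).lower() in KNOWN_UNWANTED_CLSIDS:
            name = KNOWN_UNWANTED_CLSIDS[m.group(0).lower()]
            return Finding(line, "medium", f"unwanted {name} ({etype})")
    elif etype == "O4":
        # "HKCU\..\Run: [Name] C:\path\prog.exe" or "Global Startup: item"
        target = NAME_TAG_RE.sub("", body.partition(":")[2].strip())
        low = target.lower()
        segments = low.replace("\\", "/").split("/")
        if any(d in segments for d in ROGUE_PRODUCT_DIRS):
            return Finding(line, "high", f"rogue tool autostart: {target}")
        if low in NAG_STARTUP_ITEMS:
            return Finding(line, "medium", f"nagware in Startup folder: {target}")
    elif etype == "O20" and body.lower().startswith("appinit_dlls:"):
        dlls = body.partition(":")[2].split()
        if dlls:
            # AppInit_DLLs are loaded into every process that links user32.dll;
            # a bare name (no directory) is resolved via the loader search path.
            bare = [d for d in dlls if "\\" not in d]
            return Finding(line, "high",
                           f"AppInit_DLLs injection: {len(dlls)} DLL(s), {len(bare)} without a path")
    return None


def triage(lines):
    """All findings, highest severity first, keeping HijackThis's order within a tier."""
    found = [f for f in (check_entry(ln) for ln in lines) if f]
    rank = {"high": 0, "medium": 1}
    return sorted(found, key=lambda f: rank[f.severity])


def fix_checklist(lines):
    """Raw lines to tick before 'Fix checked', as the helper's post asks."""
    return [f.line for f in triage(lines)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```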
I did not remove Spybot. I realize it is old. My question though is that it gave me a message about removing the program and having some issues with quarantined files. I will post that later since I didn't write it down exactly. Here is the result of the Lop S&D. Looks like my vundo isn't gone.

--------------------\\ Lop S&D 4.2.5-0 XP/Vista
Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel(R) Celeron(R) CPU 2.66GHz )
BIOS : Award Modular BIOS v6.00PG
USER : airhalling ( Administrator )
BOOT : Normal boot
Antivirus : McAfee VirusScan (Activated)
Firewall : McAfee Personal Firewall (Activated)
A:\ (USB)
C:\ (Local Disk) - FAT32 - Total:74 Go (Free:56 Go)
E:\ (CD or DVD)
"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Fri 02/06/2009|21:12 )
--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks
[02/05/2009 11:00 PM][--a------] C:\WINDOWS\tasks\odwguswb.job
[01/15/2009 02:18 AM][--a------] C:\WINDOWS\tasks\McDefragTask.job
[02/01/2009 01:00 AM][--a------] C:\WINDOWS\tasks\McQcTask.job
[02/06/2009 04:52 PM][--a------] C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
[02/04/2009 11:00 PM][--a------] C:\WINDOWS\tasks\Tune-up Application Start.job
[06/08/2000 05:00 PM][-r-h-----] C:\WINDOWS\tasks\DESKTOP.INI
[01/30/2009 08:22 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT

--------------------\\ Process ( 38 Processes ) ... OK !
--------------------\\ Searching with S_Lop
No Lop folder found !
--------------------\\ Searching for Lop Files - Folders
C:\DOCUME~1\AIRHAL~1\Cookies\[email protected][1].txt
--------------------\\ Searching within the Registry ..... OK !
--------------------\\ Checking the Hosts file
Hosts file CLEAN
--------------------\\ Searching for hidden files with Catchme
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 21:15:02
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0
--------------------\\ Searching for other infections
C:\WINDOWS\system32\mnVxayxx.ini
C:\WINDOWS\system32\mnVxayxx.ini2
C:\WINDOWS\system32\yJikmUvw.ini
C:\WINDOWS\system32\yJikmUvw.ini2
==> VUNDO <==
[F:241][D:20]-> C:\DOCUME~1\AIRHAL~1\LOCALS~1\Temp
[F:21][D:0]-> C:\DOCUME~1\AIRHAL~1\Cookies
[F:7150][D:9]-> C:\DOCUME~1\AIRHAL~1\LOCALS~1\TEMPOR~1\content.IE5
[F:2][D:0]-> C:\Recycled
1 - "C:\Lop SD\LopR_1.txt" - Fri 02/06/2009|21:16 - Option : [1]
--------------------\\ Scan completed at 21:16:00

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop. DO NOT run it yet!
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code BOX by highlighting all the text and pressing Ctrl+C

    KillAll::
    File::
    C:\WINDOWS\system32\mnVxayxx.ini
    C:\WINDOWS\system32\mnVxayxx.ini2
    C:\WINDOWS\system32\yJikmUvw.ini
    C:\WINDOWS\system32\yJikmUvw.ini2
    C:\DOCUME~1\AIRHAL~1\Cookies\[email protected][1].txt

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.
Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

The log is huge so here it comes in three parts:

ComboFix 09-02-06.01 - airhalling 2009-02-06 21:57:46.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.378 [GMT -6:00]
Running from: c:\documents and settings\airhalling\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\airhalling\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\docume~1\AIRHAL~1\Cookies\[email protected][1].txt
c:\windows\system32\mnVxayxx.ini
c:\windows\system32\mnVxayxx.ini2
c:\windows\system32\yJikmUvw.ini
c:\windows\system32\yJikmUvw.ini2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\AIRHAL~1\Cookies\[email protected][1].txt
c:\documents and settings\airhalling\Application Data\FunWebProducts
c:\documents and settings\airhalling\Application Data\FunWebProducts\Data\airhalling\avatar.dat
c:\documents and settings\airhalling\Application Data\Google\T-Scan
c:\documents and settings\airhalling\Application Data\Google\T-Scan\n.gif
c:\documents and settings\airhalling\Application Data\Google\T-Scan\t.gif
c:\documents and settings\airhalling\Application Data\Google\T-Scan\y.gif
c:\program files\A360
c:\program files\A360\av360.exe.tmp
c:\program files\Internet Explorer\msimg32.dll
c:\windows\start.exe
c:\windows\system32\mnVxayxx.ini
c:\windows\system32\mnVxayxx.ini2
c:\windows\system32\yJikmUvw.ini
c:\windows\system32\yJikmUvw.ini2
c:\windows\Tasks\odwguswb.job
c:\windows\Web\default.htt
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))
.
2009-02-06 21:11 . 2009-02-06 21:11 d-------- C:\Lop SD
2009-02-05 16:42 . 2009-02-05 16:42 d-------- C:\rsit
2009-02-04 00:52 . 2009-02-04 00:52 36,398 --a------ C:\EasyShare.dmp
2009-01-13 20:12 . 2009-01-13 20:12 d-------- c:\program files\NOS
2009-01-13 20:12 . 2009-01-13 20:12 d-------- c:\documents and settings\All Users\Application Data\NOS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 17:22 34 ----a-w c:\documents and settings\airhalling\jagex_runescape_preferences.dat 2008-12-13 06:40 3,593,216 ------w c:\windows\SYSTEM32\dllcache\mshtml.dll 2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys 2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\dllcache\srv.sys 2008-11-29 22:39 295,424 ----a-w c:\windows\SYSTEM32\termsrv.dll 2008-08-29 21:38 34,928 ----a-w c:\documents and settings\airhalling\Application Data\GDIPFONTCACHEV1.DAT 2008-07-12 03:11 61,224 ----a-w c:\documents and settings\airhalling\GoToAssistDownloadHelper.exe 2008-01-13 17:08 774,144 ----a-w c:\program files\RngInterstitial.dll 2006-03-22 01:04 75 ----a-w c:\documents and settings\airhalling\Application Data\fusioncache.dat 1998-01-01 07:01 271 --sh--w c:\program files\desktop.ini 1998-01-01 07:01 23,357 ---h--w c:\program files\folder.htt 2008-08-12 05:09 32,768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080812\index.dat . ------- Sigcheck -------------- Sigcheck ------- 2008-11-29 16:39 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\SYSTEM32\termsrv.dll 2006-02-28 12:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll 2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2005-06-14 6856704] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-24 185872] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968] c:\documents and settings\All Users\Start Menu\Programs\Startup\ America Online 8.0 Tray Icon.lnk - c:\program files\America Online 8.0\aoltray.exe [2002-11-05 36939] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 757760] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= c:\documents and settings\airhalling\My Documents\My Pictures\Yosemite.jpg FriendlyName= [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"= ctwdm32.dll "VIDC.VDOM"= vdowave.drv [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "IntelSMAPL"=IntelCdx.exe "PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s "RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER "FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" /s ""= "QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime "KodakCCS"=c:\windows\System32\Drivers\KodakCCS.exe "tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys] "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme "AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE "CTAVTray"=c:\program files\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE "POINTER"=point32.exe "Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" "LexStart"=lexstart.exe "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" "vptray"=c:\progra~1\SYMANT~1\SYMANT~2\VPTRAY.EXE "LoadQM"=loadqm.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-] ""= "StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "%windir%\\Network 
Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"= S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-13 33752] S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\SYSTEM32\DRIVERS\NtApm.sys [2001-08-17 9344] S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\SYSTEM32\DRIVERS\s3sav4m.sys [2007-07-20 77824] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] "c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] "c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install "c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}] "c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}] "c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install "c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}] c:\program files\PixiePack Codec Pack\InstallerHelper.exe . 
Contents of the 'Scheduled Tasks' folder 2009-02-06 c:\windows\Tasks\PCHealth Scheduler for Data Collection.job - c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE [] 2009-02-01 c:\windows\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] 2009-01-15 c:\windows\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] . - - - - ORPHANS REMOVED - - - -- - - - ORPHANS REMOVED - - - - ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file) . ------- Supplementary Scan ------- . uInternet Connection Wizard,ShellNext = iexplore IE: &Search IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe Trusted Zone: internet Trusted Zone: mcafee.com DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\airhalling\Application Data\Mozilla\Firefox\Profiles\rweu1nvh.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-offrhap&p= FF - prefs.js: browser.search.selectedEngine - Ask FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q= FF - prefs.js: network.proxy.ftp - :0 FF - prefs.js: network.proxy.gopher - :0 FF - prefs.js: network.proxy.http - :0 FF - prefs.js: network.proxy.socks - :0 FF - prefs.js: network.proxy.ssl - :0 FF - prefs.js: network.proxy.type - 1 FF - component: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\[email protected]\components\TB_WebRipFFPlugin.dll FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll FF - plugin: c:\program files\Mozilla 
Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\[email protected]\plugins\np_TB_OgloPlugin.dll FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-06 22:03:27 Windows 5.1.2600 Service Pack 3 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\windows\SYSTEM32\LEXBCES.EXE c:\windows\SYSTEM32\LEXPPS.EXE c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE c:\program files\MCAFEE\MSC\MCMSCSVC.EXE c:\program files\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE c:\program files\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE c:\program files\MCAFEE\VIRUSSCAN\MCSHIELD.EXE c:\program files\MCAFEE\MPF\MPFSRV.EXE c:\progra~1\mcafee\msc\mcuimgr.exe . ************************************************************************** . 
Completion time: 2009-02-06 22:05:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-07 04:05:44
Pre-Run: 61,045,899,264 bytes free
Post-Run: 61,254,008,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

233 --- E O F --- 2009-01-15 09:01:46