Requesting Directions To Cure Infection


  • This topic is locked
11 replies to this topic

#1 Captain__Al

Posted 20 July 2008 - 06:45 PM

Hello,

I encountered a system bug last week and am seeking advice on its removal. The computer is a Gateway Model GM5424, about 1 year old, equipped with an Intel Core 2 CPU 6400 @ 2.13 GHz and 2 GB of memory. The operating system is Vista Ultimate. Also installed is McAfee AV; all items are configured active except for the firewall, which defaults to the active Microsoft OS firewall. The subscription to McAfee expired this weekend. Also active is Windows Defender, which continuously delivers error messages requesting that I accept or deny changes.

The problem, from analyzing the Windows Defender history, is attempts to modify Auto Start Run keys, identified as the registry key entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\e48f2143

This is followed by numerous different *.dll files, with a new one (a different file name) generated every time permission is denied in Windows Defender. All the *.dll files are located in the System32 directory.

The infection does not allow me to install Panda ActiveScan, nor install HijackThis. I have been able to execute a stand-alone Hijackthis.exe file. I cannot access this web site (I am using a second computer to write this), nor Trendsecure.com. DSS runs a HijackThis clone, but Notepad fails to run.

The following is the best I could hack from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:42 PM, on 7/20/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\WindowsMobile\wmdc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\Explorer.exe
C:\Users\Alan\Desktop\Tech Support\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {1E19AEDD-F402-4343-A251-EFF3C234B521} - C:\Windows\system32\wvUMggDw.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {43FCD2CF-5569-4208-97D2-52748E0EF6A0} - C:\Windows\system32\ljJCuUoP.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJCuUoP.dll,#1
O4 - HKLM\..\Run: [e48f2143] rundll32.exe "C:\Windows\system32\lcvmfbgr.dll",b
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3191100265-1004868845-1035269041-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O13 - Gopher Prefix:
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14714 bytes
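One way to sort the O2 (BHO) and O4 (Run key) lines in a log like the one above, as an added example that is not part of the original post, of HijackThis, or of the helper's advice. It runs over a handful of lines copied from the log (two vendor entries included for contrast) and scores each on signals the log shows together: a 6-8 letter DLL name that is vowel-poor or has a long consonant run, a rundll32 entry point that is an ordinal (#1) or a single letter, a BHO registered with no name, and a Run value named with a bare hex token. The scoring threshold and the letter-count range are assumptions tuned to this log, not a general classifier; an abbreviation such as NvCpl earns at most one point and is deliberately not flagged on that alone.

```python
"""Triage of HijackThis O2 (BHO) and O4 (Run key) lines.

Added example for this thread; not code from the original post, from
HijackThis or from any other tool named here.  Each entry is scored on a
few weak signals and reported when it collects `threshold` of them:

  * the DLL's base name is 6-8 ASCII letters with few vowels or a 4+
    consonant run (most DLLs in the later ComboFix deletion list have
    that shape),
  * rundll32 calls the DLL by an ordinal (#1) or a one-letter export,
  * a BHO registered with no name,
  * a Run value whose name is a bare hex token such as e48f2143.

Thresholds and the letter range are assumptions, not a general classifier.
"""
import re

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+?)\s*$")
RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S+))?')
HEX_NAME_RE = re.compile(r"(?=.*\d)[0-9a-f]{6,}")   # at least one digit, only hex chars
VOWELS = "aeiouy"

# Sample lines copied from the HijackThis log in the post above: two vendor
# entries for contrast and the four with random-looking DLL names.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E19AEDD-F402-4343-A251-EFF3C234B521} - C:\Windows\system32\wvUMggDw.dll
O2 - BHO: (no name) - {43FCD2CF-5569-4208-97D2-52748E0EF6A0} - C:\Windows\system32\ljJCuUoP.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJCuUoP.dll,#1
O4 - HKLM\..\Run: [e48f2143] rundll32.exe "C:\Windows\system32\lcvmfbgr.dll",b
"""


def basename(path):
    """Last path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_generated(dll_path):
    """Heuristic: 6-8 letter stem that is vowel-poor or has a 4+ consonant run."""
    stem = basename(dll_path).rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 8 and stem.isascii() and stem.isalpha()):
        return False
    lower = stem.lower()
    vowel_ratio = sum(c in VOWELS for c in lower) / len(lower)
    longest_consonant_run = max(len(run) for run in re.split(f"[{VOWELS}]+", lower))
    return vowel_ratio < 0.25 or longest_consonant_run >= 4


def suspicious_export(export):
    """Ordinal (#n) or single-letter entry points; vendors export real names."""
    return export is not None and (export.startswith("#") or len(export) == 1)


def triage(log_text, threshold=2):
    """Return one finding dict per O2/O4 line with at least `threshold` signals."""
    findings = []
    for line in log_text.splitlines():
        reasons, dll = [], None
        if m := O2_RE.match(line):
            dll = m["path"]
            if m["name"].strip() == "(no name)":
                reasons.append("BHO registered with no name")
        elif m := O4_RE.match(line):
            if HEX_NAME_RE.fullmatch(m["value"].lower()):
                reasons.append(f"Run value name {m['value']!r} is a bare hex token")
            if r := RUNDLL_RE.search(m["cmd"]):
                dll = r["dll"]
                if suspicious_export(r["export"]):
                    reasons.append(f"rundll32 entry point {r['export']!r} is an ordinal or single letter")
        else:
            continue
        if dll and looks_generated(dll):
            reasons.append(f"DLL name {basename(dll)!r} looks machine-generated")
        if len(reasons) >= threshold:
            findings.append({"line": line, "dll": basename(dll) if dll else None,
                             "score": len(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['dll']}")
        for why in f["reasons"]:
            print("      -", why)
```

Running it over the sample reports the two unnamed BHOs, the MSServer entry and the e48f2143 entry, and stays quiet on the Adobe and NVIDIA lines. The entry-point check is the one signal that generalises well beyond this log: a rundll32 autorun that calls an ordinal or a one-letter export almost never belongs to a vendor product.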

#2 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • Location: Wills Point, Texas

Posted 20 July 2008 - 06:51 PM

Hello Captain__Al,

Welcome to Bleeping Computer :thumbsup:

If the subscription to McAfee is already up, then I suggest you go ahead and uninstall it and get another going; same with the firewall. AVG, Avira or Avast are good free antivirus programs. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.
Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!

Disable Defender before you run this tool, as it interferes and may not run at all.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Captain__Al

  • Topic Starter

Posted 21 July 2008 - 09:12 PM

Thank you Teacup.

I am grateful that you responded.


1) I downloaded ComboFix on my good computer, executed the file, and it ran fine. I then copied it by flash drive over to the infected Vista machine, where it failed to execute.

2) Just as a reminder, HijackThis and many other similar security-based programs fail to execute on the infected computer. As a matter of fact, it cannot execute Notepad as a stand-alone command. Many security web sites are also prohibited from opening, including Bleeping Computer.

3) On inspection of the Startup tab in MSConfig there is a repeating "Startup item: MSSServer, Manufacturer: unknown, command: rundll32.exe c:\windows\system32\tuvUKCuu.dll,#1, Location: HKLM Software\Microsoft\Windows\Current Version\ run".

AND......

"Startup item: e48f2143, Manufacturer: unknown, command: rundll32.exe c:\windows\system32\qlrptmin.dll*,b, Location: HKLM Software\Microsoft\Windows\Current Version\ run".

I have verified their existence in the registry. Deleting them, either in MSConfig or directly in the registry, causes them to reappear on the next boot.

4) At any given time, a look at the active running processes shows between 3 and 12 occurrences of Rundll32.exe with the description "Windows Host Process (rundll32)".

5) My McAfee is running just fine. The subscription ran out Sunday, so all that means is I had my last update and get no further updates until I renew. A newer version is on my desk and ready to install. I intend to keep the existing one in place and running until the problem is cured. If needed, we can temporarily disable it.

6) I am very familiar with firewalls, and yes, I run only one. I prefer to use the Microsoft OS firewall based on security issues of Vista Ultimate and XP, together with a number of other issues with my numerous computers, my other home networks and corporate VPNs.

Thank you again for your response and I look forward to your next comment.

Captain__Al
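The startup entries quoted in the first and third posts keep their value names (MSServer, e48f2143) while the DLL behind each changes between reboots (ljJCuUoP.dll to tuvUKCuu.dll, lcvmfbgr.dll to qlrptmin.dll). The script below, an added example that is not part of the original thread or of any tool it names, compares two Run-key snapshots constructed from those quoted values and classifies every value name as unchanged, changed, added, removed, or rotated (same name and entry point, different DLL). It assumes the post's "MSSServer" is the same MSServer value shown in the HijackThis log and drops the stray asterisk from "qlrptmin.dll*".

```python
"""Comparing HKLM Run entries across two reboots.

Added example for this thread, not from the original post or from any tool
named in it.  Both snapshots are constructed from values quoted in the
thread: the first from the HijackThis O4 lines in the opening post, the
second from the MSConfig Startup tab described two days later.  The value
names stay fixed while the DLL each loads is re-randomised, so matching on
file name alone never catches up; the value name plus the rundll32 pattern
is the stable thing to key on.
"""
import re

RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S+))?')

# Snapshot 1: HijackThis log, 20 July (quoted in the first post).
SNAPSHOT_1 = {
    "NvCplDaemon": r"RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    "MSServer": r"rundll32.exe C:\Windows\system32\ljJCuUoP.dll,#1",
    "e48f2143": r'rundll32.exe "C:\Windows\system32\lcvmfbgr.dll",b',
}
# Snapshot 2: MSConfig, 21 July (third post; "MSSServer" assumed to be the
# same MSServer value, asterisk after qlrptmin.dll dropped).
SNAPSHOT_2 = {
    "NvCplDaemon": r"RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    "MSServer": r"rundll32.exe c:\windows\system32\tuvUKCuu.dll,#1",
    "e48f2143": r"rundll32.exe c:\windows\system32\qlrptmin.dll,b",
}


def payload(cmd):
    """(lower-cased DLL base name, export) for a rundll32 command, else (None, None)."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return None, None
    dll = m["dll"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return dll, m["export"]


def diff_autoruns(before, after):
    """Classify each Run value name seen in either snapshot.

    Returns {name: (status, old_dll, new_dll)} where status is one of
    added, removed, rotated, changed, unchanged.
    """
    report = {}
    for name in sorted(set(before) | set(after), key=str.lower):
        if name not in before:
            report[name] = ("added", None, payload(after[name])[0])
        elif name not in after:
            report[name] = ("removed", payload(before[name])[0], None)
        else:
            old, new = payload(before[name]), payload(after[name])
            if old[0] and new[0] and old[0] != new[0] and old[1] == new[1]:
                # Same value name, same entry point, different DLL: the payload
                # is being regenerated under a stable autorun name.
                report[name] = ("rotated", old[0], new[0])
            elif before[name].lower() != after[name].lower():
                report[name] = ("changed", old[0], new[0])
            else:
                report[name] = ("unchanged", old[0], new[0])
    return report


if __name__ == "__main__":
    for name, (status, old, new) in diff_autoruns(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{status:>9}  {name:<12} {old} -> {new}")
```

The "rotated" class is the one to act on: a value whose name survives deletion and whose DLL changes every boot is being rewritten by something already running, which is why removing the entry in MSConfig or regedit alone does not stick.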

#4 teacup61

Posted 23 July 2008 - 02:48 PM

Hello,

I understand, and it's okay. I was just hoping, but there are other things to do. :thumbsup:

See if you can get this. It just scans, but it gives me a starting point, and we can do some things manually until we can get some tools to run. :)

Please download Deckard's System Scanner (DSS)
http://www.techsupportforum.com/sectools/Deckard/dss.exe
and save it to your Desktop.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
* When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Thanks,
tea

#5 Captain__Al

  • Topic Starter

Posted 23 July 2008 - 10:37 PM

Attached file: hijackthis_7_23_08_11_25pm.log (14.13 KB)


Hi Tea, thank you again for your quick response.

I am sorry, Tea, but I had loaded DSS.exe prior to writing my first post. It will execute, but after running HijackThis and searching the registry, it fails to produce a *.txt file.

Remember, I cannot even execute Notepad as a stand-alone program (from Start - Programs - Accessories - Notepad).

I even went so far as to change the default program for opening *.txt and *.log files to WordPad instead of Notepad.

Still nothing.

Perhaps change the default opening program to Microsoft Word? I have not done that yet, but I believe the virus disallows the creation of any *.txt file.

I am attaching the HijackThis log that I just ran tonight. HijackThis is not an installed program; it is simply a stand-alone executable loaded on the desktop of the infected computer.

Thanks again for all your help, Tea. Hope you have a plan "B".

Alan

#6 teacup61

Posted 23 July 2008 - 11:13 PM

Hi there......are you kidding? I've got plans B through Z. :thumbsup:

You got HijackThis.......how did it render if you don't have Notepad? :)

Try something for me, please. Rename ComboFix.exe to something else, like Captain.exe, and try to run it that way on the infected machine. Before you do, be sure you're offline and disable any protection programs that might be running. They interfere sometimes, and we don't need any more of that than there already is. :)

Thanks,
tea

#7 Captain__Al

  • Topic Starter

Posted 25 July 2008 - 06:02 AM

Tea - YOU DA MAN!

Renaming the file worked. The answer to your question, I believe, is that when one executes HijackThis as a stand-alone executable, it produces a *.log file and not a *.txt file.

Help me understand what you meant by "I've got plans B through Z."

Anyway, here is the ComboFix log and the HijackThis log:

I have also attached them if that is easier.

As always, Thanks a whole bunch!

Alan

ComboFix 08-07-21.1 - Alan 2008-07-24 22:56:29.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.979 [GMT -4:00]
Running from: C:\Users\Alan\Desktop\Tech Support\Captain.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Alan\g2mdlhlpx.exe
C:\Windows\system32\ahwqhysw.dll
C:\Windows\System32\aoerjkfg.ini
C:\Windows\system32\bdghttbb.dll
C:\Windows\system32\bjgwhhba.dll
C:\Windows\system32\bmoruf.dll
C:\Windows\system32\bxvwkywn.ini
C:\Windows\system32\bywzah.dll
C:\Windows\System32\caddooqm.ini
C:\Windows\System32\cbpadisn.ini
C:\Windows\system32\cdbkgi.dll
C:\Windows\system32\cduvhfjv.ini
C:\Windows\system32\cehweoxe.dll
C:\Windows\system32\cfkiww.dll
C:\Windows\system32\cjsphkyv.dll
C:\Windows\system32\ckplxx.dll
C:\Windows\system32\clbdll.dll
C:\Windows\system32\clbdll.old
C:\Windows\system32\clbinit.dll
C:\Windows\system32\cldakv.dll
C:\Windows\system32\cmubgasy.dll
C:\Windows\system32\cxoxrblq.dll
C:\Windows\system32\dmiexiye.dll
C:\Windows\system32\drivers\beep.sys
C:\Windows\system32\drivers\clbdriver.sys
C:\Windows\system32\dxkpby.dll
C:\Windows\system32\dztvos.dll
C:\Windows\system32\eacnddph.dll
C:\Windows\system32\efcCtuVn.dll
C:\Windows\system32\efcDSKCt.dll
C:\Windows\system32\egsgtlhg.ini
C:\Windows\system32\eindun.dll
C:\Windows\system32\elmpuitc.dll
C:\Windows\system32\etcklght.dll
C:\Windows\system32\etpfgf.dll
C:\Windows\system32\eyehlewx.ini
C:\Windows\system32\faoqrd.dll
C:\Windows\system32\fdflnlek.ini
C:\Windows\system32\fiiipu.dll
C:\Windows\system32\fnxriomq.dll
C:\Windows\system32\fwoeqidx.dll
C:\Windows\system32\gjydkk.dll
C:\Windows\system32\gmqsns.dll
C:\WINDOWS\System32\GOWFNqru.ini
C:\WINDOWS\System32\GOWFNqru.ini2
C:\Windows\system32\hgGyvstQ.dll
C:\Windows\system32\hgGyxWoM.dll
C:\Windows\system32\hjwdgnla.dll
C:\Windows\system32\hlrwelyh.dll
C:\Windows\system32\hoxticrg.ini
C:\Windows\system32\hvbzzl.dll
C:\Windows\system32\ightnaao.dll
C:\Windows\system32\ihnclkqd.dll
C:\Windows\system32\ioxphicn.ini
C:\Windows\system32\iyowbnvr.dll
C:\Windows\system32\jeerpf.dll
C:\Windows\system32\jggruqas.dll
C:\Windows\system32\jgmqfblv.ini
C:\Windows\system32\jkkJbBTK.dll
C:\Windows\system32\jkkKEUkl.dll
C:\Windows\system32\jldmda.dll
C:\Windows\system32\jvmyjxkw.dll
C:\Windows\system32\kelnlfdf.dll
C:\Windows\system32\kfevzr.dll
C:\Windows\system32\khntmvdf.ini
C:\Windows\System32\kkmnnnpo.ini
C:\WINDOWS\System32\kkmnnnpo.ini2
C:\Windows\system32\kqwgdnmh.ini
C:\Windows\system32\krxydjga.dll
C:\Windows\system32\kvmpmxag.dll
C:\Windows\system32\kwqlsiuv.ini
C:\Windows\system32\kxtunayd.ini
C:\Windows\system32\lautjf.dll
C:\Windows\system32\leircftb.dll
C:\Windows\system32\lgsoinqn.dll
C:\WINDOWS\System32\liavdkqq.ini
C:\Windows\system32\ljnxoj.dll
C:\WINDOWS\System32\lkUEKkkj.ini
C:\WINDOWS\System32\lkUEKkkj.ini2
C:\Windows\system32\lkuyhuwc.dll
C:\Windows\System32\lshpweao.ini
C:\Windows\system32\lxounhrn.dll
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\museticx.ini
C:\Windows\system32\naqjtttd.dll
C:\Windows\system32\ncihpxoi.dll
C:\Windows\system32\ngjwuirc.ini
C:\Windows\system32\nmesstaj.dll
C:\Windows\system32\nnnnLdeF.dll
C:\Windows\system32\nqhqnvgg.dll
C:\WINDOWS\System32\nVutCcfe.ini
C:\WINDOWS\System32\nVutCcfe.ini2
C:\WINDOWS\System32\NWDceMoq.ini
C:\WINDOWS\System32\NWDceMoq.ini2
C:\Windows\system32\nwknuf.dll
C:\Windows\system32\ogccspmh.dll
C:\Windows\system32\omxosv.dll
C:\Windows\system32\oojkrmiq.ini
C:\Windows\system32\opnnnmkk.dll
C:\Windows\system32\pnuylnrs.dll
C:\Windows\System32\poubsupc.ini
C:\Windows\system32\ptissxfc.dll
C:\Windows\system32\qcigvb.dll
C:\Windows\system32\qfmrsfem.dll
C:\Windows\system32\qnitcoye.dll
C:\Windows\system32\qoehmjpi.dll
C:\Windows\system32\qoMecDWN.dll
C:\Windows\system32\qqkdvail.dll
C:\Windows\system32\qteireft.dll
C:\Windows\system32\qzbbeg.dll
C:\Windows\system32\repvdi.dll
C:\Windows\System32\rgbfmvcl.ini
C:\Windows\system32\rkkimayu.ini
C:\Windows\system32\rmsxut.dll
C:\WINDOWS\System32\saqurggj.ini
C:\Windows\system32\sbkdyiha.dll
C:\Windows\system32\slswfehg.dll
C:\Windows\system32\stteye.dll
C:\WINDOWS\System32\tCKSDcfe.ini
C:\WINDOWS\System32\tCKSDcfe.ini2
C:\Windows\System32\thglkcte.ini
C:\Windows\system32\tkywbqvk.dll
C:\Windows\system32\tmwqar.dll
C:\WINDOWS\System32\ttDdLlRu.ini
C:\WINDOWS\System32\ttDdLlRu.ini2
C:\Windows\system32\txdwbrmu.dll
C:\Windows\System32\ulsxvldf.ini
C:\Windows\system32\urjvhr.dll
C:\Windows\system32\uRlLdDtt.dll
C:\Windows\system32\utimqp.dll
C:\Windows\system32\utlcmb.dll
C:\Windows\system32\uwlwfipo.ini
C:\Windows\system32\uxtfahav.dll
C:\Windows\system32\vahaftxu.ini
C:\Windows\system32\vkcqmlwp.dll
C:\Windows\system32\vkpvlfpi.dll
C:\WINDOWS\System32\wDggMUvw.ini
C:\WINDOWS\System32\wDggMUvw.ini2
C:\Windows\system32\wdjxdf.dll
C:\Windows\system32\wnycnsak.ini
C:\Windows\system32\wsegay.dll
C:\Windows\system32\wsyhqwha.ini
C:\Windows\system32\wvUMggDw.dll
C:\Windows\system32\wvwhjjtj.dll
C:\Windows\system32\wwwtduwa.ini
C:\Windows\system32\wzxbgh.dll
C:\Windows\system32\xgaejscx.ini
C:\Windows\system32\xvthbd.dll
C:\Windows\system32\yblokbga.ini
C:\Windows\system32\ykontfph.ini
C:\Windows\system32\ykoukamk.dll
C:\Windows\system32\zdifpx.dll
C:\Windows\system32\zltdbn.dll
C:\Windows\system32\zmezoe.dll
C:\Windows\system32\ztdfbv.dll
C:\Windows\system32\zvkedp.dll
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-23 17:41 . 2008-07-23 17:41 <DIR> d-------- C:\Temp\T1
2008-07-23 17:41 . 2008-07-23 17:41 <DIR> d-------- C:\Temp\Needs Reload
2008-07-23 17:41 . 2008-07-23 17:41 <DIR> d-------- C:\Temp\Checked Out
2008-07-23 07:18 . 2008-07-23 07:18 323,072 --a------ C:\WINDOWS\System32\urqNFWOG.dll
2008-07-22 21:09 . 2008-07-23 07:13 44,001 ---hs---- C:\WINDOWS\System32\jhgkiwgq.ini
2008-07-22 20:47 . 2008-07-22 20:47 43,821 ---hs---- C:\WINDOWS\System32\befrxnfr.ini
2008-07-22 12:21 . 2008-07-22 20:36 43,761 ---hs---- C:\WINDOWS\System32\vasgpwua.ini
2008-07-22 09:26 . 2008-07-22 12:21 43,581 ---hs---- C:\WINDOWS\System32\uaunlbbs.ini
2008-07-21 21:31 . 2008-07-21 21:31 43,521 ---hs---- C:\WINDOWS\System32\nimtprlq.ini
2008-07-20 17:52 . 2008-07-20 17:52 <DIR> d-------- C:\Deckard
2008-07-20 08:38 . 2008-07-21 20:59 <DIR> d-a------ C:\Users\All Users\TEMP
2008-07-20 08:38 . 2008-07-21 20:59 <DIR> d-a------ C:\ProgramData\TEMP
2008-07-20 08:38 . 2008-07-20 13:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-20 08:30 . 2008-07-20 08:30 <DIR> d-------- C:\ie-spyad_zo
2008-07-17 16:40 . 2008-07-17 16:41 <DIR> d-------- C:\Users\Alan\AppData\Roaming\Perfect Design
2008-07-16 08:32 . 2008-07-16 08:32 294 ---hs---- C:\WINDOWS\System32\lxwpbmmf.ini
2008-07-13 08:49 . 2006-11-02 04:51 6,144 --a------ C:\WINDOWS\System32\beep.sys
2008-07-12 19:37 . 2008-07-12 19:37 0 --ah----- C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-07-12 19:37 . 2008-07-12 19:37 0 --ah----- C:\WINDOWS\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-07-12 16:35 . 2008-07-16 13:57 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-07-11 19:17 . 2008-07-11 19:17 1,772,950 ---hs---- C:\WINDOWS\System32\jgmqfblv.tmp
2008-07-07 13:28 . 2008-07-16 12:57 <DIR> d-------- C:\Users\All Users\Autodesk
2008-07-07 13:28 . 2008-07-16 12:57 <DIR> d-------- C:\Users\Alan\AppData\Roaming\Autodesk
2008-07-07 13:28 . 2008-07-16 12:57 <DIR> d-------- C:\ProgramData\Autodesk
2008-07-07 13:28 . 2008-07-07 13:33 <DIR> d-------- C:\Program Files\AutoCAD LT 2008
2008-07-07 13:27 . 2008-07-07 13:33 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-07 13:27 . 2008-07-07 13:54 <DIR> d-------- C:\Program Files\Autodesk
2008-07-06 19:35 . 2008-07-06 19:51 <DIR> d-------- C:\Program Files\Snapshot Viewer
2008-07-06 19:31 . 2008-07-06 19:31 <DIR> d-------- C:\Program Files\MsgFilter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 11:38 --------- d-----w C:\Program Files\Paint Shop Pro 6
2008-07-17 20:50 --------- d-----w C:\Program Files\CityMultiDesignTool
2008-07-16 18:02 --------- d-----w C:\Program Files\Logitech
2008-07-16 17:57 --------- d-----w C:\ProgramData\Logitech
2008-07-13 00:00 --------- d-----w C:\ProgramData\SiteAdvisor
2008-07-12 20:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 16:28 174 --sha-w C:\Program Files\desktop.ini
2008-07-11 16:12 --------- d-----w C:\Program Files\Windows Mail
2008-07-08 11:34 --------- d-----w C:\Users\Alan\AppData\Roaming\GARMIN
2008-06-30 11:00 --------- d-----w C:\Users\Alan\AppData\Roaming\Image Zone Express
2008-06-25 20:57 --------- d-----w C:\ProgramData\HPSSUPPLY
2008-06-20 22:14 --------- d-----w C:\Users\Alan\AppData\Roaming\Download Manager
2008-06-15 16:27 --------- d-----w C:\Users\Alan\AppData\Roaming\Microsoft Office Mobile
2008-06-08 12:36 --------- d-----w C:\Program Files\HP
2008-06-08 11:30 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-05-30 15:25 --------- d-----w C:\Program Files\Palm
2008-05-28 12:39 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-07-06 00:45 7 ----a-w C:\Users\Alan\AppData\Roaming\Kigamger.dat
2007-05-30 02:29 262,144 ----a-w C:\ProgramData\ntuser.dat
2007-05-27 11:43 0 ----a-w C:\Users\Alan\AppData\Roaming\wklnhst.dat
.
<pre>
----a-w			78,848 2007-04-13 00:35:21  C:\Archive\Programs\Utilities - General\Vista Boot Pro\regmagik (no work) .exe
----a-w		 2,068,627 2007-03-03 09:24:51  C:\Archive\Programs\Utilities - General\Vista Boot Pro\VistaBootPRO_3.1.0 (works must register) .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:34 125440]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-23 14:46 249856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 08:33 201728]
"Power2GoExpress"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"MSServer"="C:\Windows\system32\nnnnLdeF.dll" [N/A]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 10:56 423424]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 19:04 2348584]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 16:58 151552]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-28 10:43 1831936]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-02-08 22:39 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-23 14:46 81920]
"BMe7bc12df"="C:\Windows\system32\naqjtttd.dll" [N/A]
"e48f2143"="C:\Windows\system32\uyamikkr.dll" [N/A]
"NWEReboot"="" [N/A]
"SigmatelSysTrayApp"="sttray.exe" [2007-03-29 11:17 303104 C:\WINDOWS\sttray.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

C:\Users\Alan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-04-10 18:35:18 267784]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\Windows\pss\HotSync Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e48f2143]
C:\Windows\system32\criuwjgn.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-10-25 17:33 563984 C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Windows\system32\cbXNGwwv.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-11 18:06 81920 C:\WINDOWS\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3191100265-1004868845-1035269041-1001]
"EnableNotificationsRef"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3191100265-1004868845-1035269041-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C583A8A1-CBCE-4D38-993B-A337337262FC}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{0EA1273E-E2EB-4748-AD8E-DB89E8477E18}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{7793D825-1587-410B-99A0-252EAF365AA8}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{56D9723A-BA69-4EA7-A517-A2B81D97F31A}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{BA602AB7-7ADF-4CA5-91BC-9EC68E6B4C02}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{91FC8FDC-BD13-424A-8670-1D22944599D7}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9436A2E1-CCC3-4610-ACBC-7FA916894B11}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{89FD3257-E2DF-4BA1-8989-CE9D12D9053F}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{7CBD5380-6AD4-48AC-B53C-1A3195521AF9}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FA12C86A-59B0-41A3-A152-A152D84D10A5}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C02DBDA3-E9A2-46F8-9512-94DA07298657}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{B20CE8E1-D048-40ED-B469-F690FAD1EE0B}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{7D001AD0-7224-4221-AF80-45FAF247FD57}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8E83C7CC-516F-4257-A077-C08F8246921D}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FA3AB691-0C09-4BBD-BA8D-3376142FC4CE}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{7A861417-1106-4A78-9E57-8A8F68D42888}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{5F1AD9DD-2956-4C7D-9AAE-5807D24EC19E}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{42F9D561-B7FA-42AE-952D-A4448245BD89}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{4FAF6754-6657-424C-AD3A-3857F1B1FB50}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{AACC7DE5-751E-41B8-A7F4-52EB9B4A9232}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9A8361DC-EF82-4435-8E8E-CAA8E9771FC0}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{80C311C8-FA34-4684-A0E7-7BCF6E53C741}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{E03196D2-CF83-44D9-9AB8-398BD434A16A}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{EDAB8BB9-6258-4AE3-B364-F9DA51263979}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DE86C441-56E0-4479-B408-A84DDE0A49AF}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3674D638-C492-4724-B8C4-8BC30E7B2DF2}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{53E3DC0C-86C6-489B-936F-B9FA28C14ACB}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{9ED5A08B-9BDA-4BC7-AD25-1EC1D84E4B38}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{B24E02F1-687B-4C49-8E4F-9EE28A138283}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zS7B63.tmp\setup\HPZnui01.exe:hpznui01.exe
"{91F398B0-9BB3-4098-9898-8BF9AD553F92}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zS7B63.tmp\setup\HPZnui01.exe:hpznui01.exe
"{F5056A39-E891-4CE1-A534-FD41BD116F42}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zS89CF.tmp\setup\HPZnui01.exe:hpznui01.exe
"{DBDF288B-C57B-4B3D-A1EE-F629915F0BA2}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zS89CF.tmp\setup\HPZnui01.exe:hpznui01.exe
"{73146E3F-E8C1-4F13-885F-1A6696B2AD25}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSFDBA.tmp\setup\HPZnui01.exe:hpznui01.exe
"{505DE8DB-28CF-4311-A0FA-835B645C92D0}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSFDBA.tmp\setup\HPZnui01.exe:hpznui01.exe
"{3FECBA1D-AD73-4782-8B51-09444EBB7CEF}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{6CC53E7B-B77F-4C05-8D33-5A8F7D290A23}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{69E35DBB-49F0-4726-B9AE-0A10F949F44E}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSC8DA.tmp\setup\HPZnui01.exe:hpznui01.exe
"{D63E8A8F-97C4-4F9C-B576-8248C7BC9991}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSC8DA.tmp\setup\HPZnui01.exe:hpznui01.exe
"{43FDE473-9C50-4D9C-8B4E-404EE9074E7B}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B8EA9CB1-BC79-46D8-98BB-157ABA0C9C20}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4253646C-E868-4E51-B6C9-AA2A37C4F7A5}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSD891.tmp\setup\HPZnui01.exe:hpznui01.exe
"{390066AF-E0B5-458B-B1F8-2014BE447DF2}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSD891.tmp\setup\HPZnui01.exe:hpznui01.exe
"{E28A24D9-CDFD-4E36-B07C-1A5F93CC99BE}"= Disabled:UDP:F:\setup\HPZNUI01.EXE:hpznui01.exe
"{A7D63DBE-4441-4BB0-9C0C-F2668FC2A9AF}"= Disabled:TCP:F:\setup\HPZNUI01.EXE:hpznui01.exe
"{3D89462C-165E-428F-8039-53D7197B6AF3}"= Disabled:UDP:F:\setup\HPONICIFS01.EXE:hponicifs01.exe
"{49B3A538-6C90-4258-AA05-741783AD108B}"= Disabled:TCP:F:\setup\HPONICIFS01.EXE:hponicifs01.exe
"{DBEEDC90-26D3-41D9-9836-32E11BD214CE}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSB6AD.tmp\setup\HPZnui01.exe:hpznui01.exe
"{07AEA6BC-62B9-4910-A356-656DDE416BB2}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSB6AD.tmp\setup\HPZnui01.exe:hpznui01.exe
"{835F138C-4FE5-47FA-B4BF-9E5BE3042643}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSB6AD.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{4CF2FA7E-D193-4C8F-917D-7F3E6F4BA96E}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSB6AD.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{52399E39-3646-4C07-9531-B3FCC7BFF00C}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{C653DFFB-6428-4593-B098-3EB009885400}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{B04C6441-CA54-450C-ADC8-7D921B579012}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{7D150DD7-951E-4270-9EC2-9A1C273770AD}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{FC10A70D-11EC-46F0-A03D-0757DD226F09}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{ACB54A81-F6BB-4616-B9DE-B99E3CC2A9B1}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{56095D63-CD36-47EC-84D9-916D34894C74}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{48315E9C-6A4E-41B7-999F-A5458E5FF87E}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{B749CD86-F6CE-4370-85BC-E45B251F225E}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{20CBEDE7-23A3-4787-9A49-652F65B5303D}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{59C37048-8492-4A48-B6AB-569EEDBAD51C}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{3D8D0CB6-55E1-4A66-878C-5FD879C33566}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{6642268B-4E08-42BF-9B38-7AEA52CFAF08}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{9C962E41-3C1D-4A66-8BB0-F10F07AAF012}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{6D2F6537-F40F-44AC-B409-D2DAF59B2B3A}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{6AC3B53C-229F-4903-AE77-A6025F829550}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{9B85CC4C-D877-471A-8F92-EA3A35964302}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{27B433EB-1830-4A71-8CFA-2F03F45F442C}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{6862A757-D429-45ED-B92C-E7E92FEE31A4}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{05A472A0-0BBF-4485-BE87-2C753D0193A3}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 DQLWinService;DQLWinService;C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 09:03]
R2 nmsgopro;GoProto Protocol Driver for NMS;C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 19:37]
R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 15:49]
R3 AVMNgBasM780;AVerMedia M780 Base Driver;C:\Windows\system32\DRIVERS\AVerBas.sys [2008-04-14 11:42]
R3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;C:\Windows\system32\DRIVERS\AVerCap.sys [2008-04-14 11:42]
R3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;C:\Windows\system32\DRIVERS\AVerTun.sys [2008-04-14 11:42]
R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2007-04-08 13:58]
R3 NmPar;MosChip PCI Parallel Port;C:\Windows\system32\DRIVERS\NmPar.sys [2006-12-19 06:22]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 03:30]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-07-25 09:44:00 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-15 07:52:18 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-01 06:00:11 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-07-07 13:06:58 C:\Windows\Tasks\NewSweep_07072007090646-Default-610.job"
- C:\Program Files\Fungusware\LojiklSweep\LojiklSweepRunner.exe@
"2008-07-25 10:20:18 C:\Windows\Tasks\User_Feed_Synchronization-{33F04D1A-4304-4EF3-A8EA-27890FDBDAE6}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-07-25 10:20:00 C:\Windows\Tasks\User_Feed_Synchronization-{7775C84B-E667-4621-AA57-0D75477C8BEE}.job"
- C:\Windows\system32\msfeedssync.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
C:\Windows\Downloaded Program Files\DownloadManagerV2.inf
C:\WINDOWS\Downloaded Program Files\Manager.exe
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 06:18:56
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\Alan\AppData\Local\Temp\FXSAPIDebugLogFile.txt 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\audiodg.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\WINDOWS\System32\drivers\XAudio.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\System32\WUDFHost.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
C:\WINDOWS\ehome\ehsched.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\WindowsMobile\wmdc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2008-07-25 6:22:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-25 10:22:15

Pre-Run: 286,096,146,432 bytes free
Post-Run: 283,947,442,176 bytes free

508 --- E O F --- 2008-07-11 16:14:13

Here is the HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:27 AM, on 7/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\WindowsMobile\wmdc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Users\Alan\Desktop\Tech Support\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nnnnLdeF.dll,#1
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BMe7bc12df] Rundll32.exe "C:\Windows\system32\naqjtttd.dll",s
O4 - HKLM\..\Run: [e48f2143] rundll32.exe "C:\Windows\system32\uyamikkr.dll",b
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3191100265-1004868845-1035269041-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13339 bytes
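The O4 lines above show the pattern described in the first post: two Run values with hex-looking names (BMe7bc12df, e48f2143) that use rundll32 to load eight-letter lowercase DLLs out of System32 and call a single-letter export, sitting next to legitimate rundll32 entries (NVIDIA, Welcome Center) that must not be confused with them. The triage helper below is an added example, not part of this thread or of HijackThis; its function names (`parse_o4`, `assess`, `suspicious_entries`) and the constructed sample lines are mine, and a hit is a reason to look at an entry, not proof of infection.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape HijackThis prints O4 lines. The two
# randomly named entries mirror the ones in this thread's log; the rest
# are legitimate vendor/OS entries that also use rundll32 and must not fire.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BMe7bc12df] Rundll32.exe "C:\Windows\system32\naqjtttd.dll",s
O4 - HKLM\..\Run: [e48f2143] rundll32.exe "C:\Windows\system32\uyamikkr.dll",b
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Heuristics drawn from the pattern in this thread: rundll32 loading a DLL
# with an eight-letter lowercase name out of System32, registered under a
# hex-looking Run value name, calling a single-letter export.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+', re.IGNORECASE)
# Case-sensitive on purpose: vendor DLLs such as NvCpl.dll are mixed-case.
RANDOM_DLL_RE = re.compile(r"[Ss]ystem32\\[a-z]{8}\.dll")
HEX_NAME_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8,}$")
ONE_LETTER_EXPORT_RE = re.compile(r'\.dll"?,[A-Za-z]$')


@dataclass
class RunEntry:
    hive: str
    name: str
    cmd: str
    reasons: list = field(default_factory=list)


def parse_o4(line: str):
    """Return a RunEntry for a HijackThis O4 Run line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    return RunEntry(m["hive"], m["name"], m["cmd"])


def assess(entry: RunEntry) -> RunEntry:
    """Attach the list of heuristics the entry trips; an empty list means nothing notable."""
    reasons = []
    if RUNDLL_RE.match(entry.cmd):
        reasons.append("launched via rundll32")
    if RANDOM_DLL_RE.search(entry.cmd):
        reasons.append("eight-letter lowercase DLL name in System32")
    if HEX_NAME_RE.match(entry.name):
        reasons.append("hex-looking Run value name")
    if ONE_LETTER_EXPORT_RE.search(entry.cmd):
        reasons.append("single-letter export name")
    entry.reasons = reasons
    return entry


def hit_count(line: str) -> int:
    """Number of heuristics a single O4 line trips (0 for non-O4 lines)."""
    entry = parse_o4(line)
    return 0 if entry is None else len(assess(entry).reasons)


def suspicious_entries(log_text: str, min_hits: int = 3):
    """Return O4 Run entries tripping at least min_hits heuristics, in log order.

    rundll32 on its own is normal (NVIDIA tray, Welcome Center), so the
    threshold requires the combination before an entry is surfaced for review.
    """
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and len(assess(entry).reasons) >= min_hits:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_O4):
        print(f"{e.hive}\\..\\Run [{e.name}] -> {e.cmd}")
        for r in e.reasons:
            print(f"    - {r}")
```

Lowering `min_hits` to 2 widens the net at the cost of more legitimate entries to wade through; the reasons list tells you which heuristic fired so each hit can be checked against the file on disk.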




#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:56 AM

Posted 25 July 2008 - 12:00 PM

Hello,

YAY! Glad it worked. :thumbsup: Heh, you said you hope I have a plan B, and my reply was that I have plans B through Z. :)

How is it running now please?

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\System32\urqNFWOG.dll
C:\WINDOWS\System32\jhgkiwgq.ini
C:\WINDOWS\System32\befrxnfr.ini
C:\WINDOWS\System32\vasgpwua.ini
C:\WINDOWS\System32\uaunlbbs.ini
C:\WINDOWS\System32\nimtprlq.ini
C:\WINDOWS\System32\jgmqfblv.tmp

RenV::
----a-w 78,848 2007-04-13 00:35:21 C:\Archive\Programs\Utilities - General\Vista Boot Pro\regmagik (no work) .exe
----a-w 2,068,627 2007-03-03 09:24:51 C:\Archive\Programs\Utilities - General\Vista Boot Pro\VistaBootPRO_3.1.0 (works must register) .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e48f2143]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#9 Captain__Al

Captain__Al
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 25 July 2008 - 09:55 PM

Looking Better - Every Boot!

Here ya go Tea,

ComboFix 08-07-21.1 - Alan 2008-07-25 22:33:19.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.945 [GMT -4:00]
Running from: C:\Users\Alan\Desktop\ComboFix.exe
.
/wow section - STAGE 45
SED: can't read MWindows.dat: No such file or directory
Access is denied.


((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 06:55 . 2008-07-25 06:55 510 --a------ C:\WINDOWS\WORDPAD.INI
2008-07-25 06:45 . 2008-06-25 20:33 11,722,752 --a------ C:\WINDOWS\System32\NlsLexicons0001.dll
2008-07-23 17:41 . 2008-07-23 17:41 <DIR> d-------- C:\Temp\T1
2008-07-23 17:41 . 2008-07-23 17:41 <DIR> d-------- C:\Temp\Needs Reload
2008-07-23 17:41 . 2008-07-23 17:41 <DIR> d-------- C:\Temp\Checked Out
2008-07-20 17:52 . 2008-07-20 17:52 <DIR> d-------- C:\Deckard
2008-07-20 08:38 . 2008-07-25 07:05 <DIR> d-a------ C:\Users\All Users\TEMP
2008-07-20 08:38 . 2008-07-25 07:05 <DIR> d-a------ C:\ProgramData\TEMP
2008-07-20 08:38 . 2008-07-20 13:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-20 08:30 . 2008-07-20 08:30 <DIR> d-------- C:\ie-spyad_zo
2008-07-17 16:40 . 2008-07-17 16:41 <DIR> d-------- C:\Users\Alan\AppData\Roaming\Perfect Design
2008-07-16 08:32 . 2008-07-16 08:32 294 ---hs---- C:\WINDOWS\System32\lxwpbmmf.ini
2008-07-13 08:49 . 2006-11-02 04:51 6,144 --a------ C:\WINDOWS\System32\beep.sys
2008-07-12 19:37 . 2008-07-12 19:37 0 --ah----- C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-07-12 19:37 . 2008-07-12 19:37 0 --ah----- C:\WINDOWS\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-07-12 16:35 . 2008-07-16 13:57 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-07-07 13:28 . 2008-07-16 12:57 <DIR> d-------- C:\Users\All Users\Autodesk
2008-07-07 13:28 . 2008-07-16 12:57 <DIR> d-------- C:\Users\Alan\AppData\Roaming\Autodesk
2008-07-07 13:28 . 2008-07-16 12:57 <DIR> d-------- C:\ProgramData\Autodesk
2008-07-07 13:28 . 2008-07-07 13:33 <DIR> d-------- C:\Program Files\AutoCAD LT 2008
2008-07-07 13:27 . 2008-07-07 13:33 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-07 13:27 . 2008-07-07 13:54 <DIR> d-------- C:\Program Files\Autodesk
2008-07-06 19:35 . 2008-07-06 19:51 <DIR> d-------- C:\Program Files\Snapshot Viewer
2008-07-06 19:31 . 2008-07-06 19:31 <DIR> d-------- C:\Program Files\MsgFilter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 00:00 --------- d-----w C:\ProgramData\SiteAdvisor
2008-07-23 11:38 --------- d-----w C:\Program Files\Paint Shop Pro 6
2008-07-17 20:50 --------- d-----w C:\Program Files\CityMultiDesignTool
2008-07-16 18:02 --------- d-----w C:\Program Files\Logitech
2008-07-16 17:57 --------- d-----w C:\ProgramData\Logitech
2008-07-12 20:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 16:28 174 --sha-w C:\Program Files\desktop.ini
2008-07-11 16:12 --------- d-----w C:\Program Files\Windows Mail
2008-07-08 11:34 --------- d-----w C:\Users\Alan\AppData\Roaming\GARMIN
2008-06-30 11:00 --------- d-----w C:\Users\Alan\AppData\Roaming\Image Zone Express
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-25 20:57 --------- d-----w C:\ProgramData\HPSSUPPLY
2008-06-20 22:14 --------- d-----w C:\Users\Alan\AppData\Roaming\Download Manager
2008-06-15 16:27 --------- d-----w C:\Users\Alan\AppData\Roaming\Microsoft Office Mobile
2008-06-08 12:36 --------- d-----w C:\Program Files\HP
2008-06-08 11:30 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-05-30 15:25 --------- d-----w C:\Program Files\Palm
2008-05-28 12:39 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-07-06 00:45 7 ----a-w C:\Users\Alan\AppData\Roaming\Kigamger.dat
2007-05-30 02:29 262,144 ----a-w C:\ProgramData\ntuser.dat
2007-05-27 11:43 0 ----a-w C:\Users\Alan\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot_2008-07-25_22.08.32.33 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-26 01:57:32 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-26 02:27:35 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-07-26 01:57:32 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-07-26 02:27:35 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-07-26 01:59:16 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-26 02:30:14 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-26 02:30:14 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-07-26 02:07:23 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-26 02:36:47 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-26 02:36:47 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-07-25 22:05:58 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-26 02:22:57 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-25 22:05:58 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-26 02:22:57 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-25 22:05:58 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-26 02:22:57 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-26 02:00:05 16,414 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3191100265-1004868845-1035269041-1001_UserData.bin
+ 2008-07-26 02:30:59 16,414 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3191100265-1004868845-1035269041-1001_UserData.bin
- 2008-07-26 02:00:04 91,358 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-26 02:30:57 91,374 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-26 01:59:58 79,834 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-26 02:30:55 79,972 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:34 125440]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-23 14:46 249856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 08:33 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 10:56 423424]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 19:04 2348584]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 16:58 151552]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-28 10:43 1831936]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-02-08 22:39 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-23 14:46 81920]
"SigmatelSysTrayApp"="sttray.exe" [2007-03-29 11:17 303104 C:\WINDOWS\sttray.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

C:\Users\Alan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-04-10 18:35:18 267784]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\Windows\pss\HotSync Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-10-25 17:33 563984 C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-11 18:06 81920 C:\WINDOWS\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3191100265-1004868845-1035269041-1001]
"EnableNotificationsRef"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3191100265-1004868845-1035269041-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C583A8A1-CBCE-4D38-993B-A337337262FC}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{0EA1273E-E2EB-4748-AD8E-DB89E8477E18}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{7793D825-1587-410B-99A0-252EAF365AA8}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{56D9723A-BA69-4EA7-A517-A2B81D97F31A}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{BA602AB7-7ADF-4CA5-91BC-9EC68E6B4C02}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{91FC8FDC-BD13-424A-8670-1D22944599D7}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9436A2E1-CCC3-4610-ACBC-7FA916894B11}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{89FD3257-E2DF-4BA1-8989-CE9D12D9053F}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{7CBD5380-6AD4-48AC-B53C-1A3195521AF9}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FA12C86A-59B0-41A3-A152-A152D84D10A5}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C02DBDA3-E9A2-46F8-9512-94DA07298657}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{B20CE8E1-D048-40ED-B469-F690FAD1EE0B}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{7D001AD0-7224-4221-AF80-45FAF247FD57}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8E83C7CC-516F-4257-A077-C08F8246921D}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FA3AB691-0C09-4BBD-BA8D-3376142FC4CE}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{7A861417-1106-4A78-9E57-8A8F68D42888}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{5F1AD9DD-2956-4C7D-9AAE-5807D24EC19E}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{42F9D561-B7FA-42AE-952D-A4448245BD89}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{4FAF6754-6657-424C-AD3A-3857F1B1FB50}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{AACC7DE5-751E-41B8-A7F4-52EB9B4A9232}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9A8361DC-EF82-4435-8E8E-CAA8E9771FC0}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{80C311C8-FA34-4684-A0E7-7BCF6E53C741}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{E03196D2-CF83-44D9-9AB8-398BD434A16A}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{EDAB8BB9-6258-4AE3-B364-F9DA51263979}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DE86C441-56E0-4479-B408-A84DDE0A49AF}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3674D638-C492-4724-B8C4-8BC30E7B2DF2}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{53E3DC0C-86C6-489B-936F-B9FA28C14ACB}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{9ED5A08B-9BDA-4BC7-AD25-1EC1D84E4B38}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{B24E02F1-687B-4C49-8E4F-9EE28A138283}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zS7B63.tmp\setup\HPZnui01.exe:hpznui01.exe
"{91F398B0-9BB3-4098-9898-8BF9AD553F92}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zS7B63.tmp\setup\HPZnui01.exe:hpznui01.exe
"{F5056A39-E891-4CE1-A534-FD41BD116F42}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zS89CF.tmp\setup\HPZnui01.exe:hpznui01.exe
"{DBDF288B-C57B-4B3D-A1EE-F629915F0BA2}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zS89CF.tmp\setup\HPZnui01.exe:hpznui01.exe
"{73146E3F-E8C1-4F13-885F-1A6696B2AD25}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSFDBA.tmp\setup\HPZnui01.exe:hpznui01.exe
"{505DE8DB-28CF-4311-A0FA-835B645C92D0}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSFDBA.tmp\setup\HPZnui01.exe:hpznui01.exe
"{3FECBA1D-AD73-4782-8B51-09444EBB7CEF}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{6CC53E7B-B77F-4C05-8D33-5A8F7D290A23}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{69E35DBB-49F0-4726-B9AE-0A10F949F44E}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSC8DA.tmp\setup\HPZnui01.exe:hpznui01.exe
"{D63E8A8F-97C4-4F9C-B576-8248C7BC9991}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSC8DA.tmp\setup\HPZnui01.exe:hpznui01.exe
"{43FDE473-9C50-4D9C-8B4E-404EE9074E7B}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B8EA9CB1-BC79-46D8-98BB-157ABA0C9C20}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4253646C-E868-4E51-B6C9-AA2A37C4F7A5}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSD891.tmp\setup\HPZnui01.exe:hpznui01.exe
"{390066AF-E0B5-458B-B1F8-2014BE447DF2}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSD891.tmp\setup\HPZnui01.exe:hpznui01.exe
"{E28A24D9-CDFD-4E36-B07C-1A5F93CC99BE}"= Disabled:UDP:F:\setup\HPZNUI01.EXE:hpznui01.exe
"{A7D63DBE-4441-4BB0-9C0C-F2668FC2A9AF}"= Disabled:TCP:F:\setup\HPZNUI01.EXE:hpznui01.exe
"{3D89462C-165E-428F-8039-53D7197B6AF3}"= Disabled:UDP:F:\setup\HPONICIFS01.EXE:hponicifs01.exe
"{49B3A538-6C90-4258-AA05-741783AD108B}"= Disabled:TCP:F:\setup\HPONICIFS01.EXE:hponicifs01.exe
"{DBEEDC90-26D3-41D9-9836-32E11BD214CE}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSB6AD.tmp\setup\HPZnui01.exe:hpznui01.exe
"{07AEA6BC-62B9-4910-A356-656DDE416BB2}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSB6AD.tmp\setup\HPZnui01.exe:hpznui01.exe
"{835F138C-4FE5-47FA-B4BF-9E5BE3042643}"= Disabled:UDP:C:\Users\Alan\AppData\Local\Temp\7zSB6AD.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{4CF2FA7E-D193-4C8F-917D-7F3E6F4BA96E}"= Disabled:TCP:C:\Users\Alan\AppData\Local\Temp\7zSB6AD.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{52399E39-3646-4C07-9531-B3FCC7BFF00C}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{C653DFFB-6428-4593-B098-3EB009885400}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{B04C6441-CA54-450C-ADC8-7D921B579012}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{7D150DD7-951E-4270-9EC2-9A1C273770AD}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{FC10A70D-11EC-46F0-A03D-0757DD226F09}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{ACB54A81-F6BB-4616-B9DE-B99E3CC2A9B1}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{56095D63-CD36-47EC-84D9-916D34894C74}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{48315E9C-6A4E-41B7-999F-A5458E5FF87E}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{B749CD86-F6CE-4370-85BC-E45B251F225E}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{20CBEDE7-23A3-4787-9A49-652F65B5303D}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{59C37048-8492-4A48-B6AB-569EEDBAD51C}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{3D8D0CB6-55E1-4A66-878C-5FD879C33566}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{6642268B-4E08-42BF-9B38-7AEA52CFAF08}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{9C962E41-3C1D-4A66-8BB0-F10F07AAF012}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{6D2F6537-F40F-44AC-B409-D2DAF59B2B3A}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{6AC3B53C-229F-4903-AE77-A6025F829550}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{9B85CC4C-D877-471A-8F92-EA3A35964302}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{27B433EB-1830-4A71-8CFA-2F03F45F442C}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{6862A757-D429-45ED-B92C-E7E92FEE31A4}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{05A472A0-0BBF-4485-BE87-2C753D0193A3}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 DQLWinService;DQLWinService;C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 09:03]
R2 nmsgopro;GoProto Protocol Driver for NMS;C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 19:37]
R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 15:49]
R3 AVMNgBasM780;AVerMedia M780 Base Driver;C:\Windows\system32\DRIVERS\AVerBas.sys [2008-04-14 11:42]
R3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;C:\Windows\system32\DRIVERS\AVerCap.sys [2008-04-14 11:42]
R3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;C:\Windows\system32\DRIVERS\AVerTun.sys [2008-04-14 11:42]
R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2007-04-08 13:58]
R3 NmPar;MosChip PCI Parallel Port;C:\Windows\system32\DRIVERS\NmPar.sys [2006-12-19 06:22]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 03:30]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-07-26 01:44:00 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-15 07:52:18 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-01 06:00:11 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-07-07 13:06:58 C:\Windows\Tasks\NewSweep_07072007090646-Default-610.job"
- C:\Program Files\Fungusware\LojiklSweep\LojiklSweepRunner.exe@
"2008-07-26 02:35:07 C:\Windows\Tasks\User_Feed_Synchronization-{33F04D1A-4304-4EF3-A8EA-27890FDBDAE6}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-07-26 02:35:00 C:\Windows\Tasks\User_Feed_Synchronization-{7775C84B-E667-4621-AA57-0D75477C8BEE}.job"
- C:\Windows\system32\msfeedssync.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
C:\Windows\Downloaded Program Files\DownloadManagerV2.inf
C:\WINDOWS\Downloaded Program Files\Manager.exe
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 22:36:53
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-07-25 22:38:55
ComboFix-quarantined-files.txt 2008-07-26 02:38:24
ComboFix2.txt 2008-07-26 02:09:55
ComboFix3.txt 2008-07-25 10:22:24

Pre-Run: 277,393,084,416 bytes free
Post-Run: 277,354,504,192 bytes free

298 --- E O F --- 2008-07-25 22:07:46




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:05 PM, on 7/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\WindowsMobile\wmdc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Users\Alan\Desktop\Tech Support\HiJackThis.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3191100265-1004868845-1035269041-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12983 bytes





As always, I am most grateful for your assistance. Thanks a bunch,

Alan


#10 Captain__Al

Captain__Al
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 26 July 2008 - 09:52 PM

Hi Tea, not sure if you're still out there, but I do believe I am cured.


Thank you Thank you Thank you !!!!!

Just as a follow-up, could you please look over my last post and confirm that for me? The 'Puter's running GREAT.

Just a few follow-up questions if you have the answers.

1) Do you know the name / strain of the infection?

2) Can I delete the QooBox Directory?

3) Any thoughts why McAfee did not catch this? It was fully updated and all systems were configured on.

4) Is there a web site I can go to for learning more about ComboFix. I believe the URL comes up as you execute the program initially, but since it appears to be fixed, that option no longer comes up.

Thanks again for all your help.

Alan

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:56 AM

Posted 16 August 2008 - 12:20 AM

Hello Sir Captain Alan! :thumbsup: Yes, I'm still out here.....somewhere. ;)

To answer your questions :

1) Vundo/Virtumonde was a huge part of it.

2) Yes you can, and please do, along with ComboFix.

3) Nothing is perfect, and McAfee is not a super strong AV anyway, comparatively speaking. Now that opinion is formed on experience. I don't tend to listen to statistical reports, as sometimes they are biased. The nasty stuff is really nasty these days, and it's only going to get worse. We fight every day just to keep up. :)

4) You won't find any authorized tutorials on ComboFix outside of the private classrooms we have to teach malware fighting as a whole. We don't need the bad guys getting to our tools! :)

You're most welcome, and please let me know if you have any further questions. :)

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
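The reply above names Vundo/Virtumonde. Its hallmark, which the ComboFix and HijackThis logs in this thread were being read for, is a DLL with a random-looking name dropped under System32 and hooked in through a Run value, a Browser Helper Object (O2) or AppInit_DLLs (O20), with the file name changing each time a copy is removed. The script below is an added example, not something posted in this thread and not one of the BleepingComputer team's tools: it parses HijackThis-style O2/O4/O20 lines and flags entries that fit that pattern. The sample log is constructed for the example (the Vundo-style file names, value name and CLSID in it are hypothetical), and the "random name" heuristic (an 8-character stem that is pure hex or has at most one vowel) is an assumption chosen to match what Vundo-era droppers produced; a hit is a reason to look at the file, not a verdict.

```python
import re

# Constructed sample in HijackThis format (not the thread's own log).
# Mixes benign vendor entries with hypothetical Vundo-style ones.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {A1B2C3D4-1111-2222-3333-444455556666} - C:\\Windows\\system32\\ssqpomkj.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\Windows\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [e48f2143] rundll32.exe "C:\\Windows\\system32\\yayvVmLC.dll",b
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL
O20 - AppInit_DLLs: C:\\Windows\\system32\\pmnlmkkh.dll
"""

# Any drive-letter path ending in .dll (stops at a quote or comma, as in rundll32 command lines).
DLL_PATH = re.compile(r'([A-Za-z]:\\[^",]*?\.dll)', re.I)
O2_LINE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O4_LINE = re.compile(r'^O4 - (?P<hive>HK\w+\\\.\.\\Run): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$')
O20_LINE = re.compile(r'^O20 - AppInit_DLLs: (?P<path>.*)$')

VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): an 8-char stem that is pure hex, or letters with at most one vowel."""
    if len(stem) != 8:
        return False
    if re.fullmatch(r"[0-9a-fA-F]{8}", stem):
        return True
    return stem.isalpha() and sum(ch in VOWELS for ch in stem.lower()) <= 1


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def stem_of(path: str) -> str:
    """File name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def suspicious_dlls(text: str) -> list:
    """All .dll paths in text that live under System32 and have a random-looking stem."""
    return [p for p in DLL_PATH.findall(text) if in_system32(p) and looks_random(stem_of(p))]


def scan(log_text: str) -> list:
    """Return [(line, [reasons])] for every O2/O4/O20 line that fits the Vundo pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O2_LINE.match(line)
        if m:
            if suspicious_dlls(m["path"]):
                reasons.append("random-named BHO DLL under System32")
            if m["name"] == "(no name)" and in_system32(m["path"]):
                reasons.append("unnamed BHO loaded from System32")
        m = O4_LINE.match(line)
        if m:
            if looks_random(m["value"]):
                reasons.append(f"random Run value name [{m['value']}]")
            if suspicious_dlls(m["cmd"]):
                reasons.append("Run entry loads random-named DLL from System32")
        m = O20_LINE.match(line)
        if m and suspicious_dlls(m["path"]):
            reasons.append("random-named AppInit_DLLs entry under System32")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

On the constructed sample this flags the unnamed BHO, the hex-named Run value and its DLL, and the System32 AppInit_DLLs entry, and leaves the Adobe, NVIDIA and Google entries alone. Legitimate 8-letter vendor DLLs will occasionally trip the vowel rule, which is why the output is a list of things to inspect rather than a cleaning script.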

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:56 AM

Posted 11 September 2008 - 05:18 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



