
Trojan.Zlob.G infection?


1 reply to this topic

#1 UncleChuck

UncleChuck

  • Members
  • 1 posts

Posted 10 December 2008 - 07:04 PM

Our company president's laptop appears to have the Trojan.Zlob.G Trojan. I am not well versed in virus removal, so would appreciate any help you can give.
Below is the RSIT report. I did run Kaspersky and McAfee on the computer with much difficulty, but that was before I read the instructions on this site about posting the Kaspersky report. I don't have access to the laptop at this time, but will for a few minutes at a time in the future. By shutting down many of the services and startup settings in MSCONFIG I was able to get the computer to run fast enough for the boss to use it.

Earlier there was a message that I don't have a copy of, that indicated that the computer was infected with Trojan.Zlob.G. I went to websites that had detailed instructions for manual removal of that kind of infection, but the laptop didn't have any of the files or registry entries that were listed, so I didn't remove anything.

Currently the following message is the only one that pops up from time to time, which seems to be unrelated to the Zlob:

The page at <hxxp://advancedscanner.com> says:
ATTENTION If your computer is struck by the spyware, you could suffer data loss, erratic PC
behaviour, PC freezes and creahes.

Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a 100% FREE and quick scan of your computer for Viruses, Spyware
and Adware.

Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)

[OK] [Cancel]

Below is the RSIT file:

Logfile of random's system information tool 1.04 (written by random/random)
Run by chuck.paulien at 2008-12-10 13:03:36
Microsoft® Windows Vista™ Ultimate Service Pack 1
System drive C: has 192 GB (50%) free of 382 GB
Total RAM: 1534 MB (14% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:26 PM, on 12/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\palmOne\Palm.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\palmOne\AlarmApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\chuck.paulien\Downloads\RandomSystemInformationTool.exe
C:\Program Files\Trend Micro\HijackThis\chuck.paulien.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://www.update.microsoft.com/microsoftu...b?1201718598453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222718408812
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1224777061951&h=eecbdbd9b993928aaf2a4dc3d2da2761/&filename=jinstall-6u10-windows-i586-jc.cab
O16 - DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} (CLVistaGenie Control) - http://www.cyberlink.com/vista/prog/CLVistaGenie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dell.webex.com/client/T25L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDMFortCollins.local
O17 - HKLM\Software\..\Telephony: DomainName = EDMFortCollins.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDMFortCollins.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = EDMFortCollins.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apricorn Scheduler Service (AcrSch2Svc) - Apricorn - C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe

--
End of file - 8288 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
C:\Program Files\SiteAdvisor\6173\SiteAdv.dll [2007-08-28 910624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-10-23 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-10-23 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0} - McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll [2007-08-28 910624]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2008-10-09 333120]
"MVS Splash"=C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe [2008-01-22 468288]
"McAfee Managed Services Tray"=C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe [2008-01-22 87360]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6173\SiteAdv.exe [2007-08-28 36640]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-10-23 136600]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe [2006-09-14 61440]
"bcmwltry"=C:\Windows\system32\bcmwltry.exe [2003-07-25 462848]
"removecpl"=RemoveCpl.exe []
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 1406024]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apricorn Scheduler Service]
C:\Program Files\Common Files\Apricorn\Schedule2\schedhlp.exe [2007-10-09 148712]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\Windows\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\Windows\system32\wpdshserviceobj.dll [2008-01-19 131584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll [2007-07-19 233888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"legalnoticecaption"=
"legalnoticetext"=
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Windows\system32\msiexec.exe"="C:\Windows\system32\msiexec.exe:*:Enabled:Windows® installer"
"D:\Assist.exe"="D:\Assist.exe:*:Enabled:Assist"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-10 13:03:36 ----D---- C:\rsit
2008-12-09 11:43:46 ----D---- C:\Program Files\Trend Micro
2008-12-09 08:07:02 ----D---- C:\Program Files\Citrix
2008-12-08 13:34:11 ----D---- C:\Program Files\Remove on Reboot
2008-11-25 16:06:07 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2008-11-25 16:06:07 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2008-11-25 16:06:06 ----A---- C:\Windows\system32\WindowsCodecs.dll
2008-11-25 16:06:00 ----A---- C:\Windows\system32\connect.dll
2008-11-25 12:19:34 ----A---- C:\Windows\ntbtlog.txt
2008-11-20 09:44:59 ----D---- C:\Users\chuck.paulien\AppData\Roaming\FileZilla
2008-11-20 09:44:39 ----D---- C:\Program Files\FileZilla FTP Client
2008-11-17 08:10:15 ----D---- C:\Program Files\palmOne - Copy
2008-11-14 10:27:58 ----D---- C:\Program Files\HOYA CORPORATION
2008-11-14 09:59:24 ----A---- C:\AdobeDebug.txt
2008-11-14 08:57:15 ----D---- C:\Users\chuck.paulien\AppData\Roaming\Opera
2008-11-13 20:05:23 ----A---- C:\Windows\system32\wups2.dll
2008-11-13 20:05:23 ----A---- C:\Windows\system32\wucltux.dll
2008-11-13 20:05:23 ----A---- C:\Windows\system32\wuaueng.dll
2008-11-13 20:05:23 ----A---- C:\Windows\system32\wuauclt.exe
2008-11-13 20:04:30 ----A---- C:\Windows\system32\wups.dll
2008-11-13 20:04:30 ----A---- C:\Windows\system32\wudriver.dll
2008-11-13 20:04:30 ----A---- C:\Windows\system32\wuapi.dll
2008-11-13 20:04:11 ----A---- C:\Windows\system32\wuwebv.dll
2008-11-13 20:04:10 ----A---- C:\Windows\system32\wuapp.exe
2008-11-12 08:26:56 ----A---- C:\Windows\system32\DreamScene.dll
2008-11-12 08:02:14 ----A---- C:\Windows\system32\msxml6.dll
2008-11-11 14:25:05 ----D---- C:\Users\chuck.paulien\AppData\Roaming\Canneverbe_Limited
2008-11-11 14:24:48 ----D---- C:\Program Files\CDBurnerXP

======List of files/folders modified in the last 1 months======

2008-12-10 13:03:48 ----D---- C:\Windows\Prefetch
2008-12-10 12:48:34 ----D---- C:\Windows\Temp
2008-12-10 12:42:17 ----D---- C:\Windows\tracing
2008-12-10 09:36:14 ----D---- C:\Windows\System32
2008-12-10 09:36:13 ----D---- C:\Windows\inf
2008-12-10 09:36:13 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-12-10 09:28:00 ----A---- C:\Windows\SchedLgU.Txt
2008-12-10 01:52:52 ----SHD---- C:\System Volume Information
2008-12-09 16:41:46 ----A---- C:\Windows\win.ini
2008-12-09 11:43:46 ----RD---- C:\Program Files
2008-12-08 13:40:38 ----D---- C:\Users\chuck.paulien\AppData\Roaming\SiteAdvisor
2008-12-05 14:33:41 ----SD---- C:\Users\chuck.paulien\AppData\Roaming\Microsoft
2008-12-02 16:40:01 ----SD---- C:\ProgramData\Microsoft
2008-12-02 09:08:41 ----D---- C:\Windows\Downloaded Installations
2008-11-25 16:16:16 ----SHD---- C:\Windows\Installer
2008-11-25 16:16:16 ----D---- C:\ProgramData\Microsoft Help
2008-11-25 16:16:01 ----D---- C:\Windows\winsxs
2008-11-25 16:05:53 ----D---- C:\Windows\system32\catroot
2008-11-25 16:05:52 ----D---- C:\Windows\system32\catroot2
2008-11-25 12:19:34 ----D---- C:\Windows
2008-11-14 10:28:10 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-14 09:59:24 ----D---- C:\ProgramData\Adobe
2008-11-14 09:59:23 ----D---- C:\Users\chuck.paulien\AppData\Roaming\Adobe
2008-11-14 09:30:08 ----D---- C:\Users\chuck.paulien\AppData\Roaming\ZipGenius
2008-11-14 08:14:06 ----D---- C:\Windows\rescache
2008-11-14 07:56:25 ----D---- C:\Windows\system32\en-US
2008-11-13 20:06:50 ----D---- C:\Windows\PolicyDefinitions
2008-11-13 16:41:56 ----D---- C:\Users\chuck.paulien\AppData\Roaming\gtk-2.0
2008-11-13 07:06:05 ----D---- C:\Windows\system32\WDI
2008-11-12 08:32:49 ----D---- C:\Windows\Web
2008-11-12 08:32:47 ----D---- C:\Windows\system32\drivers
2008-11-12 08:22:40 ----D---- C:\Windows\system32\zh-TW
2008-11-12 08:22:40 ----D---- C:\Windows\system32\zh-CN
2008-11-12 08:22:40 ----D---- C:\Windows\system32\uk-UA
2008-11-12 08:22:40 ----D---- C:\Windows\system32\tr-TR
2008-11-12 08:22:40 ----D---- C:\Windows\system32\th-TH
2008-11-12 08:22:39 ----D---- C:\Windows\system32\sv-SE
2008-11-12 08:22:39 ----D---- C:\Windows\system32\sr-Latn-CS
2008-11-12 08:22:39 ----D---- C:\Windows\system32\sl-SI
2008-11-12 08:22:39 ----D---- C:\Windows\system32\sk-SK
2008-11-12 08:22:39 ----D---- C:\Windows\system32\ru-RU
2008-11-12 08:22:38 ----D---- C:\Windows\system32\ro-RO
2008-11-12 08:22:38 ----D---- C:\Windows\system32\pt-PT
2008-11-12 08:22:38 ----D---- C:\Windows\system32\pt-BR
2008-11-12 08:22:38 ----D---- C:\Windows\system32\pl-PL
2008-11-12 08:22:38 ----D---- C:\Windows\system32\nl-NL
2008-11-12 08:22:38 ----D---- C:\Windows\system32\nb-NO
2008-11-12 08:22:38 ----D---- C:\Windows\system32\lv-LV
2008-11-12 08:22:37 ----D---- C:\Windows\system32\lt-LT
2008-11-12 08:22:37 ----D---- C:\Windows\system32\ko-KR
2008-11-12 08:22:37 ----D---- C:\Windows\system32\ja-JP
2008-11-12 08:22:37 ----D---- C:\Windows\system32\it-IT
2008-11-12 08:22:37 ----D---- C:\Windows\system32\hu-HU
2008-11-12 08:22:37 ----D---- C:\Windows\system32\hr-HR
2008-11-12 08:22:37 ----D---- C:\Windows\system32\he-IL
2008-11-12 08:22:36 ----D---- C:\Windows\system32\fr-FR
2008-11-12 08:22:36 ----D---- C:\Windows\system32\fi-FI
2008-11-12 08:22:36 ----D---- C:\Windows\system32\et-EE
2008-11-12 08:22:36 ----D---- C:\Windows\system32\es-ES
2008-11-12 08:22:36 ----D---- C:\Windows\system32\el-GR
2008-11-12 08:22:36 ----D---- C:\Windows\system32\de-DE
2008-11-12 08:22:35 ----D---- C:\Windows\system32\da-DK
2008-11-12 08:22:35 ----D---- C:\Windows\system32\cs-CZ
2008-11-12 08:22:35 ----D---- C:\Windows\system32\bg-BG
2008-11-12 08:22:35 ----D---- C:\Windows\system32\ar-SA
2008-11-12 08:22:26 ----RSD---- C:\Windows\Media

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\Windows\system32\drivers\Cdr4_xp.sys [2008-06-05 61424]
R1 Cdralw2k;Cdralw2k; C:\Windows\system32\drivers\Cdralw2k.sys [2008-06-05 23420]
R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-18 350720]
R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2007-12-01 201320]
R1 mfetdik;McAfee Inc. mfetdik; C:\Windows\system32\drivers\mfetdik.sys [2007-12-01 55016]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2007-03-02 120360]
R1 OMCI;OMCI; C:\Windows\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R3 aeaudio;aeaudio; C:\Windows\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-09-23 3976192]
R3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
R3 E100B;Intel® PRO Adapter Driver; C:\Windows\system32\DRIVERS\e100b325.sys [2008-01-18 159744]
R3 MfeAVFK;McAfee Inc. MfeAVFK; C:\Windows\system32\drivers\MfeAVFK.sys [2007-12-01 79304]
R3 MfeBOPK;McAfee Inc. MfeBOPK; C:\Windows\system32\drivers\MfeBOPK.sys [2007-12-01 35240]
R3 MfeRKDK;McAfee Inc. MfeRKDK; C:\Windows\system32\drivers\MfeRKDK.sys [2007-12-01 33832]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point32k.sys [2008-06-10 33352]
R3 smwdm;smwdm; C:\Windows\system32\drivers\smwdm.sys [2002-08-05 545208]
R3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\Windows\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]
S3 CVirtA;Cisco Systems VPN Adapter; C:\Windows\system32\DRIVERS\CVirtA.sys [2007-01-18 5275]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 MTK;Media Technology Kernel Driver; C:\Windows\System32\Drivers\mtk.sys [2008-06-06 16896]
S3 PalmUSBD;PalmUSBD; C:\Windows\system32\drivers\PalmUSBD.sys [2008-10-17 16694]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\Windows\system32\DRIVERS\WudfPf.sys [2008-01-18 51200]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Apricorn Scheduler Service; C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe [2007-10-09 410856]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-09-23 704512]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 EngineServer;EngineServer; C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 14144]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service; C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe [2007-02-13 540776]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-05-23 841256]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service; C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-01-22 169280]
R2 NMSAccessU;NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-10-20 71096]
R2 SiteAdvisor Service;SiteAdvisor Service; C:\Program Files\SiteAdvisor\6173\SAService.exe [2008-10-16 341280]
R3 McShield;McShield; C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe [2007-12-01 144704]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-19 523776]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\HPZipm12.exe [2004-09-29 69632]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-19 917504]
S4 TlntSvr;@%SystemRoot%\system32\tlntsvr.exe,-119; C:\Windows\System32\tlntsvr.exe [2008-01-19 75776]

-----------------EOF-----------------

Edited by Orange Blossom, 11 February 2013 - 02:56 AM.
Deactivate link. ~ OB
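A first triage pass over a log of the kind posted above, as an added example that is not part of this thread and not code from the HijackThis or RSIT tools: a Python script that parses the O4, O16 and O23 entries plus the registry-dump lines and flags the ones a responder would verify by hand before touching anything. The rules are assumptions of this example (the trusted-host list, the rule names, which paths count as "system"), and a hit means "go and check this file or setting", not "infected". The sample lines are constructed to match the format of the log above, with wrapped lines re-joined and the Flash download path filled in only for illustration.

```python
"""Triage helper for HijackThis / RSIT text logs.

Flags entries that deserve a second look. Heuristics only: a hit means
"verify this file or setting", not "this is malicious".
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in HijackThis 2.0.2 layout, modelled on the log above
# (wrapped lines re-joined; the Flash cab path is illustrative). Not a capture.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
"EnableLUA"=0
"NoDriveTypeAutoRun"=145
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Assist.exe"="D:\Assist.exe:*:Enabled:Assist"
'''

RUN_RE = re.compile(r'^O4 - (\S+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
SVC_RE = re.compile(r'^O23 - Service: (.*?) - (.*?) - (.*)$')
DPF_RE = re.compile(r'^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (\S+)$')
REG_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Assumed: hosts from which an ActiveX (O16) download is expected on this box.
TRUSTED_DPF_SUFFIXES = ('microsoft.com', 'windowsupdate.com')
SYSTEM_PATH_RE = re.compile(r'^(%windir%|%systemroot%|c:\\windows)\\', re.I)
AUTORUN_REMOVABLE, AUTORUN_CDROM = 0x04, 0x20   # NoDriveTypeAutoRun drive-type bits


def image_of(command: str) -> str:
    """Executable part of a Run-value command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)', command, re.I)
    return m.group(1) if m else command.split()[0]


def _host_trusted(host: str) -> bool:
    return any(host == s or host.endswith('.' + s) for s in TRUSTED_DPF_SUFFIXES)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per entry that needs manual verification."""
    findings: List[Dict[str, str]] = []

    def add(code: str, item: str, detail: str) -> None:
        findings.append({"code": code, "item": item, "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            image = image_of(command)
            # A bare file name is resolved at logon by path search, so the log
            # does not tell you which file actually runs: locate and hash it.
            if '\\' not in image and not image.startswith('%'):
                add("BARE_RUN", name, f"{hive} Run value loads '{image}' without a path")
            continue
        m = SVC_RE.match(line)
        if m:
            name, owner, path = m.groups()
            if owner.lower() == 'unknown owner':
                add("UNKNOWN_OWNER", name, f"service binary {path} has no vendor string; check its signature")
            continue
        m = DPF_RE.match(line)
        if m:
            host = urlsplit(m.group(1)).hostname or ''
            if not _host_trusted(host):
                add("FOREIGN_DPF", host, "ActiveX control fetched from a non-Microsoft host; confirm the vendor")
            continue
        m = REG_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value.startswith('"') and ':*:' in value:
            # Firewall authorizedapplications entry: "<path>"="<path>:*:Enabled:<label>"
            if not SYSTEM_PATH_RE.match(name):
                add("FIREWALL_EXCEPTION", name, "inbound exception for a binary outside the Windows directory")
        elif name == 'EnableLUA' and value.strip() == '0':
            add("UAC_DISABLED", name, "UAC is off; an admin user's processes run fully elevated")
        elif name == 'NoDriveTypeAutoRun':
            bits = int(value.strip(), 0)
            if not (bits & AUTORUN_REMOVABLE and bits & AUTORUN_CDROM):
                add("AUTORUN_PARTIAL", name, f"mask {bits:#x} still allows AutoRun on removable or CD-ROM drives (0xFF disables all)")
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:<19} {f['item']}: {f['detail']}")
```

Run it against a saved log with `triage(open('log.txt').read())`. Two caveats when reading the output: a bare image name such as bcmwltry.exe is often a legitimate vendor tray applet, and the script only tells you to confirm which file the name resolves to; and a dialog served by a web page, like the "Antivirus 2009" prompt quoted in the post, leaves no trace in this kind of log by itself, since the log records only what is installed and set to start.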



#2 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 17 December 2008 - 12:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-




