Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

computer infection from hell


  • Please log in to reply
15 replies to this topic

#1 boman

boman

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 20 December 2008 - 06:38 PM

I have windows vista. Ever since I restored my system after the window update failed to install, I can not open the windows update anymore, not even in safe mode. Also I cannot open window defender, mcafee antivirus, system restore, network connection, and task manager in regular mode. Heck I even have trouble shuting down the computer. Both Mcafee and Systemetic online scan returns with no result.
Here is my HijackThis Log, hope it can solve my problem:
ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:55 PM, on 12/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\RunRetriever.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\Users\bo10029094\Downloads\mpas-fe.exe
d:\7124c8ec0c8162c2490c\mpsigstub.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\RacAgent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Windows\system32\wusa.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\EnergyCut\utilty.exe
O4 - HKLM\..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Windows\TEMP\E_SB747.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.1; .NET CLR 1.1.4322)" -"http://www.miniclip.com/games/snowmen-invaders/en/"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra 'Tools' menuitem: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} (IASRunner Class) - http://download.boulder.ibm.com/ibmdl/pub/...pc/acpirexe.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...327/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 12620 bytes

BC AdBot (Login to Remove)

 


#2 boman

boman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 20 December 2008 - 08:08 PM

Topic title was: This is madness, this is vista ~ OB

I have a Vista 32bp on a laptop from Lenovo ideapad series. On December 18th, the system informed me to restart for windows update. The update froze on "config update 3 out 3, 100%" completly for an hour, so I was forced to shut the program down and restore the system to right before the update. Back at the restored state, I tried to open up the windows update program. To may dismay, window's update freezes. I tried to call up the task manager, except it, too, won't show up. That's when I noticed the sorry conditionss of my task bar. The logo for my virus scan program dispeared and was replaced by the red cross from the window's security center. Eventhough I had perfect wireless connection the task manual indicates that I was not connected to the internet. I tried to open up my virus program with no luck. I decided to restart the system, but the computer frozed at logout state for an extremely long time, forcing me to manually shutting it off.
I booted my system up in safe mood. I finnally was able to access my mcafee virus scan. My virus scan informed me that I was not protected and an error occured when i tried to fix it. From what's left of my anti-virus, I learned that it observed and removed a Trojan, Fakealert-ab!htm, just five days before (i don't know if this is important or not). I tried to install a replacement for my anti-virus, but an error occured during installation. Online scaning from systemetic website discovered no virus.
I still could not open windows update even in the safe mode. Worse yet, when i tried to manually download the updates and install it, the system would freeze.
A view at my problem report indicates Nlasvc, SstpSvc, WinHttpAutoProxySvc all had multiple cases of service hang report in the past 2 days. Window Defender had MpTelemetry issues.

Edited by Orange Blossom, 20 December 2008 - 08:29 PM.
Merged topics. ~ OB


#3 ndmmxiaomayi

ndmmxiaomayi

    Ant


  • Malware Response Team
  • 266 posts
  • OFFLINE
  •  
  • Location:Everywhere
  • Local time:08:37 PM

Posted 28 December 2008 - 02:57 AM

Hi boman,

Step 1

Please download DDS from Tech Support Forum and save it to your desktop.

Double click on dds to run it.

When done, DDS.txt will open. Another file, Attach.txt will open after a short while. Please save these 2 files to your desktop as they will be deleted once you close them.

Please attach Attach.txt in your next reply by scrolling down to Attachments and clicking on Browse....

An image is below for your reference:

Posted Image

Step 2

Please download gmer.zip from Gmer and save it to your desktop.
  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.
If you receive no notice, click on the Scan button.
  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.
Note: Do not run any programs while Gmer is running.

In your next reply, please post:
  • DDS.txt
  • Attach.txt (attached to this topic)
  • Gmer.txt

Posted Image

Done your best? Really?


#4 boman

boman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 30 December 2008 - 02:11 AM

Thank you for your help.
Here is my DDS log:

DDS (Version 1.1.0) - NTFSx86
Run by bo10029094 at 0:04:18.66 on Tue 12/30/2008
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1078 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\RunRetriever.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\bo10029094\Desktop\dds.com
C:\Windows\ehome\ehmsas.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.lenovo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_SB747.tmp" /EF "HKCU"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.1; .NET CLR 1.1.4322)" -"http://www.miniclip.com/games/snowmen-invaders/en/"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EnergyUtility] c:\program files\lenovo\energycut\utilty.exe
mRun: [EnergyCut] c:\program files\lenovo\energycut\EnergyCut.exe
mRun: [PCMService] "c:\program files\lenovo\shuttlecenter\PCMService.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Skytel] Skytel.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\users\bo1002~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - c:\program files\lenovo\veriface\OpenWnd.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bo1002~1\appdata\roaming\mozilla\firefox\profiles\cg706s6j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\yahoo!\common\npyaxmpb.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-26 00:41 <DIR> --d----- c:\users\bo1002~1\appdata\roaming\McAfee
2008-12-20 16:55 <DIR> --d----- C:\6fa7c404b5a67a9bc59d36ddb5cc2d04
2008-12-20 15:24 0 a---h--t c:\windows\wusa.lock
2008-12-20 15:24 <DIR> --d----- C:\4eee0c844ec7cc4b7f031e927f9404
2008-12-19 00:06 39 a------- c:\windows\sfshell.tmp
2008-12-18 20:58 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2008-12-18 20:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-18 20:58 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2008-12-18 20:19 <DIR> --d----- C:\ae5bc420fc420ea24b0481d8119ad6
2008-12-18 19:04 <DIR> --d----- c:\program files\Trend Micro
2008-12-10 00:25 2,048 a------- c:\windows\system32\tzres.dll
2008-12-10 00:20 827,392 a------- c:\windows\system32\wininet.dll
2008-12-10 00:20 1,383,424 a------- c:\windows\system32\mshtml.tlb
2008-12-10 00:20 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-10 00:19 2,927,104 a------- c:\windows\explorer.exe
2008-12-10 00:19 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-10 00:19 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-10 00:17 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-10 00:17 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-10 00:17 94,720 a------- c:\windows\system32\logagent.exe
2008-12-04 10:30 <DIR> --d----- c:\program files\Hero Editor
2008-12-04 10:30 249,856 -------- c:\windows\Setup1.exe
2008-12-04 10:30 73,216 a------- c:\windows\ST6UNST.EXE

==================== Find3M ====================

2008-11-02 19:39 32,575 a------- c:\windows\DIIUnin.dat
2008-11-02 19:38 21,840 a------t c:\windows\system32\SIntfNT.dll
2008-11-02 19:38 17,212 a------t c:\windows\system32\SIntf32.dll
2008-11-02 19:38 12,067 a------t c:\windows\system32\SIntf16.dll
2008-11-02 19:15 94,208 a------- c:\windows\DIIUnin.exe
2008-11-02 19:15 2,829 a------- c:\windows\DIIUnin.pif
2008-11-02 18:12 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-10-31 21:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 21:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 21:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 21:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 21:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-26 01:16 86,016 a------- c:\windows\inf\infstrng.dat
2008-10-26 01:16 86,016 a------- c:\windows\inf\infstor.dat
2008-10-26 01:16 51,200 a------- c:\windows\inf\infpub.dat
2008-10-21 21:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-20 23:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 14:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 14:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-06-20 21:03 174 a--sh--- c:\program files\desktop.ini
2008-06-20 20:56 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat


============= FINISH: 0:06:21.37 ===============

Since Gmer.txt is way too long to fit on to this log I will attach it to the reply as well

Attached Files


Edited by boman, 30 December 2008 - 02:31 AM.


#5 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 01 January 2009 - 12:22 PM

Hello boman,

My name is Carolyn. mayi is having internet connection problems so I will pick up helping you where she left off.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file from one of the three below listed places :
    For information regarding this download, please visit this webpage:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Link1
    Link2
    Link3

    **Note: It is important that it is saved directly to your desktop**

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Then right click combofix.exe, select Run as administrator & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Please post the Combofix log and a fresh HijackThis log.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#6 boman

boman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 02 January 2009 - 01:29 AM

I had trouble running Combofix in regular mode. It gets stuck on the preparing to scan page. and since I can't get my task manager to load in normal mode, I was forced to scan in safe mode. I hope safe mode does not affect it too much. The following is the log

ComboFix 08-12-31.01 - bo10029094 2009-01-02 0:15:21.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1487 [GMT -6:00]
Running from: c:\users\bo10029094\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2008-12-30 00:23 . 2008-12-30 00:47 250 --a------ c:\windows\gmer.ini
2008-12-26 00:41 . 2008-12-26 00:41 <DIR> d-------- c:\users\bo10029094\AppData\Roaming\McAfee
2008-12-26 00:41 . 2008-12-26 00:41 <DIR> d-------- c:\users\BO1002~1\AppData\Roaming\McAfee
2008-12-26 00:29 . 2008-12-26 00:31 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-20 16:55 . 2008-12-20 16:55 <DIR> d-------- C:\6fa7c404b5a67a9bc59d36ddb5cc2d04
2008-12-20 15:24 . 2008-12-20 15:24 <DIR> d-------- C:\4eee0c844ec7cc4b7f031e927f9404
2008-12-20 15:24 . 2008-12-20 16:55 0 --ah---t- c:\windows\wusa.lock
2008-12-19 00:06 . 2008-12-19 00:06 39 --a------ c:\windows\sfshell.tmp
2008-12-18 20:58 . 2009-01-01 23:48 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-12-18 20:58 . 2008-12-27 00:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 20:58 . 2009-01-01 23:48 <DIR> d-------- c:\progra~2\Spybot - Search & Destroy
2008-12-18 20:19 . 2008-12-18 20:19 <DIR> d-------- C:\ae5bc420fc420ea24b0481d8119ad6
2008-12-18 19:04 . 2008-12-18 19:04 <DIR> d-------- c:\program files\Trend Micro
2008-12-10 20:48 . 2008-12-10 20:48 <DIR> d-------- c:\users\bo10029094\AppData\Roaming\Move Networks
2008-12-10 20:48 . 2008-12-10 20:48 <DIR> d-------- c:\users\BO1002~1\AppData\Roaming\Move Networks
2008-12-10 00:25 . 2008-10-21 19:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 00:20 . 2008-10-15 20:23 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-10 00:20 . 2008-10-15 22:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-10 00:20 . 2008-10-20 23:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 00:19 . 2008-10-31 19:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-10 00:19 . 2008-10-29 00:29 2,927,104 --a------ c:\windows\explorer.exe
2008-12-10 00:19 . 2008-10-31 21:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-10 00:17 . 2008-06-22 19:59 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-10 00:17 . 2008-06-22 19:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-10 00:17 . 2008-06-22 19:58 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-07 11:32 . 2008-12-07 11:32 <DIR> d-------- c:\program files\QuickTime
2008-12-04 10:30 . 2008-12-04 10:31 <DIR> d-------- c:\program files\Hero Editor
2008-12-04 10:30 . 2008-12-04 10:30 249,856 --------- c:\windows\Setup1.exe
2008-12-04 10:30 . 2008-12-04 10:30 73,216 --a------ c:\windows\ST6UNST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 06:14 --------- d---a-w c:\progra~2\TEMP
2009-01-02 05:36 --------- d-----w c:\progra~2\Google Updater
2009-01-01 06:25 --------- d-----w c:\program files\Spyware Doctor
2008-12-26 06:42 --------- d-----w c:\progra~2\McAfee
2008-12-24 21:30 --------- d-----w c:\program files\Warcraft III
2008-12-20 19:48 --------- d-----w c:\program files\Lenovo
2008-12-19 04:39 --------- d-----w c:\program files\CCleaner
2008-12-19 02:48 --------- d-----w c:\users\bo10029094\AppData\Roaming\Ruckus Network
2008-12-19 02:48 --------- d-----w c:\users\BO1002~1\AppData\Roaming\Ruckus Network
2008-12-13 08:12 --------- d-----w c:\program files\McAfee
2008-12-10 06:47 --------- d-----w c:\program files\Windows Mail
2008-11-11 05:34 --------- d-----w c:\program files\Common Files\Adobe
2008-11-06 05:21 --------- d-----w c:\users\bo10029094\AppData\Roaming\ArcSoft
2008-11-06 05:21 --------- d-----w c:\users\BO1002~1\AppData\Roaming\ArcSoft
2008-11-03 01:38 21,840 ----atw c:\windows\System32\SIntfNT.dll
2008-11-03 01:38 17,212 ----atw c:\windows\System32\SIntf32.dll
2008-11-03 01:38 12,067 ----atw c:\windows\System32\SIntf16.dll
2008-11-03 01:15 94,208 ----a-w c:\windows\DIIUnin.exe
2008-11-03 01:15 2,829 ----a-w c:\windows\DIIUnin.pif
2008-11-03 01:00 --------- d-----w c:\users\bo10029094\AppData\Roaming\DAEMON Tools
2008-11-03 01:00 --------- d-----w c:\users\BO1002~1\AppData\Roaming\DAEMON Tools
2008-11-03 01:00 --------- d-----w c:\program files\DAEMON Tools Toolbar
2008-11-03 01:00 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-03 00:12 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-02 23:47 --------- d-----w c:\progra~2\NCH Swift Sound
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 20:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 19:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-06-21 03:03 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2008-03-26 21:30 241752 --a------ c:\program files\Lenovo\VeriFace\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-07 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"EPSON Stylus CX7400 Series"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"EnergyUtility"="c:\program files\Lenovo\EnergyCut\utilty.exe" [2006-02-26 2502656]
"EnergyCut"="c:\program files\Lenovo\EnergyCut\EnergyCut.exe" [2007-08-27 1232896]
"PCMService"="c:\program files\Lenovo\ShuttleCenter\PCMService.exe" [2007-10-26 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-07 185896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-10-30 1168264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-24 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-10-10 c:\windows\SkyTel.exe]

c:\users\bo10029094\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\users\BO1002~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\Lenovo\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{593F9D6C-914F-4577-9719-612B442EDE0B}"= c:\program files\Lenovo\ShuttleCenter\PowerCinema.exe:CyberLink PowerCinema
"{01546A3F-189D-45A5-AFE4-2FB1531171D1}"= c:\program files\Lenovo\ShuttleCenter\PCMService.exe:CyberLink PowerCinema Resident Program
"{CE32602F-24CE-47AF-841E-6433D562AEB8}"= c:\program files\Lenovo\ShuttleCenter\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{B2C0DAA4-E49B-4174-A36B-3B1137F939A6}"= c:\program files\Lenovo\ShuttleCenter\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{D84C8460-4086-453B-BCD3-4C9E3E39D519}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{7D48A04A-891B-41C1-9141-3DB3205ACBDD}"= UDP:c:\program files\Sega\Gas Powered Games\Space Siege Demo\SpaceSiege.exe:Space Siege Demo
"{2367513E-B653-4BEC-AF8F-02EA0F18EB4F}"= TCP:c:\program files\Sega\Gas Powered Games\Space Siege Demo\SpaceSiege.exe:Space Siege Demo
"TCP Query User{355C5E9A-2EAF-485F-B6AE-F3A9E8572DA9}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{AEE1EAD3-D51B-493E-84E7-F0DE80BAC4C0}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{2B2C8FEB-C473-4E59-9553-697DCD9C754A}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{68A2FD87-43C6-4B53-A659-6F4C60F9FF73}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{6ED3D197-D5AD-4826-87F0-BCAE51B9B396}c:\\program files\\ruckus player\\ruckus.exe"= UDP:c:\program files\ruckus player\ruckus.exe:Ruckus Player
"UDP Query User{E61877F4-573D-430E-B730-DE121F13C1B4}c:\\program files\\ruckus player\\ruckus.exe"= TCP:c:\program files\ruckus player\ruckus.exe:Ruckus Player
"TCP Query User{A98D0323-43BA-46B2-8E53-70A99C7BDB18}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{B3F3B126-E797-4037-80E3-AF28D26AA361}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{9D30FE2E-BC26-4F66-BCB6-2F38AC96FF8F}d:\\diablo2\\diablo ii\\game.exe"= UDP:d:\diablo2\diablo ii\game.exe:Diablo II
"UDP Query User{6DDC2D5D-041D-4E48-8B7D-60710312FA0C}d:\\diablo2\\diablo ii\\game.exe"= TCP:d:\diablo2\diablo ii\game.exe:Diablo II
"TCP Query User{F86320B8-4A28-47D4-A623-2333BECF6411}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{58A41997-CE78-4189-952D-B120B5A156C6}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-30 356920]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2008-03-26 11776]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-05 206096]
S3 CapFilt;CapFilt;c:\windows\system32\drivers\CapFilt.sys [2008-03-26 18048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{758b86dc-a93d-11dd-9a08-001fc65775bf}]
\shell\AutoRun\command - F:\SETUP.EXE

*Newly Created Service* - ECACHE
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.1; .NET


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com

O16 -: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://download.boulder.ibm.com/ibmdl/pub/pc/pccbbs/bp_pc/acpirexe.cab
c:\windows\Downloaded Program Files\AcpIRExe.inf
FF - ProfilePath - c:\users\BO1002~1\AppData\Roaming\Mozilla\Firefox\Profiles\cg706s6j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 00:17:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1976)
c:\program files\Lenovo\VeriFace\IcnOvrly.dll
.
Completion time: 2009-01-02 0:18:20
ComboFix-quarantined-files.txt 2009-01-02 06:18:13

Pre-Run: 6,440,087,552 bytes free
Post-Run: 6,448,316,416 bytes free

205 --- E O F --- 2008-12-13 08:18:11


THe following is my hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:18 AM, on 1/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\Spyware Doctor\pctsTray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\EnergyCut\utilty.exe
O4 - HKLM\..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Windows\TEMP\E_SB747.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra 'Tools' menuitem: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} (IASRunner Class) - http://download.boulder.ibm.com/ibmdl/pub/...pc/acpirexe.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...474/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9160 bytes

Edited by boman, 02 January 2009 - 01:33 AM.


#7 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 02 January 2009 - 04:25 PM

Hi,

Please do not use Safe Mode with Networking unless you have absolutely no other way of accessing the internet. Your computer is more vulnerable to malware when you boot to Safe Mode with Networking .

Please run HijackThis in Normal Mode and post a fresh log.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#8 boman

boman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 03 January 2009 - 03:43 AM

Thank you for your tip. I ran HijackThis in Normal mode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:22 AM, on 1/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\RunRetriever.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Windows\System32\svchost.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\EnergyCut\utilty.exe
O4 - HKLM\..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Windows\TEMP\E_SB747.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra 'Tools' menuitem: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} (IASRunner Class) - http://download.boulder.ibm.com/ibmdl/pub/...pc/acpirexe.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...480/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 12180 bytes

#9 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 05 January 2009 - 11:37 AM

Hi,

Show All Files And Folders in Vista
Now you need to show all files and folders
  • Click Start.
  • Open "Computer".
  • Select the Organize menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
--------------------------------------------------------------------

End process: (if present)

1. Press the CTRL+ALT+DEL keys simultaneously to open the Task Manager.
2. Find C:\Windows\System32\RunRetriever.exe and click on it.
3. Click End Process.
4. If it gives a warning than click yes.
5. Close the Task Manager.

--------------------------------------------------------------------

Upload files for scanning
I'd like you to check a file/some files for malware.

C:\Windows\System32\RunRetriever.exe
C:\Windows\System32\Drivers\aawtllh9.SYS

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.
--------------------------------------------------------------------

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.

--------------------------------------------------------------------

Disable SPYWARE DOCTOR

* Click the Spyware Doctor icon in the System Tray.
* Click Settings.
* Click Startup Settings under Pick a Category.
* Uncheck "Run at Windows startup".
* Click Apply and Exit Spyware Doctor.
* From within Spyware Doctor, click the "OnGuard" button on the left side.
* Uncheck "Activate OnGuard".
* (You can reenable Spyware Doctor after your computer is clean)

--------------------------------------------------------------------

Disable MS Defender until the computer is clean

Microsoft Defender normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

- Open Windows Defender
- Select Tools and then General Settings
- Under Real Time Protection Options uncheck Turn on real-time protection
- Select Save
Don't forget to re-enable it, when your computer is clean.

--------------------------------------------------------------------

MCAFEE SECURITY CENTER
Please navigate to the system tray and double-click the taskbar icon to open Security Center.

* Click Advanced Menu (bottom mid-left).
* Click Configure (left).
* Click Computer & Files (top left).
* VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.

Do the same via Internet & Network for Firewall Plus.

--------------------------------------------------------------------

Run a custom CFScript

Please try to run this first in Normal Mode - if that fails, then try Safe Mode

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::
c:\program files\desktop.ini
C:\Windows\System32\RunRetriever.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------------

Please re-enable your McAfee Anti-virus

--------------------------------------------------------------------

Please post the following in your next reply:
  • The VirusTotal results
  • The ComboFix log
  • A fresh HijackThis log

Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#10 boman

boman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 06 January 2009 - 01:14 AM

Thankyou once again. I followed your instructions as best as the computer would allow me.
The following is my scan on runretriever.exe, but I can not find C:\Windows\System32\Drivers\aawtllh9.SYS

File RunRetriever.exe received on 01.06.2009 05:14:28 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/38 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 46 and 66 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.06 -
AhnLab-V3 2009.1.5.3 2009.01.05 -
AntiVir 7.9.0.45 2009.01.05 -
Authentium 5.1.0.4 2009.01.05 -
Avast 4.8.1281.0 2009.01.05 -
AVG 8.0.0.199 2009.01.05 -
BitDefender 7.2 2009.01.06 -
CAT-QuickHeal 10.00 2009.01.05 -
ClamAV 0.94.1 2009.01.06 -
Comodo 878 2009.01.05 -
DrWeb 4.44.0.09170 2009.01.06 -
eTrust-Vet 31.6.6289 2009.01.02 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.05 -
F-Secure 8.0.14470.0 2009.01.06 -
Fortinet 3.117.0.0 2009.01.06 -
GData 19 2009.01.06 -
Ikarus T3.1.1.45.0 2009.01.06 -
K7AntiVirus 7.10.576 2009.01.05 -
Kaspersky 7.0.0.125 2009.01.06 -
McAfee 5486 2009.01.05 -
McAfee+Artemis 5486 2009.01.05 -
Microsoft 1.4205 2009.01.06 -
NOD32 3741 2009.01.05 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.05 -
PCTools 4.4.2.0 2009.01.05 -
Prevx1 V2 2009.01.06 -
Rising 21.11.10.00 2009.01.06 -
SecureWeb-Gateway 6.7.6 2009.01.05 -
Sophos 4.37.0 2009.01.05 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.06 -
TheHacker 6.3.1.4.205 2009.01.05 -
TrendMicro 8.700.0.1004 2009.01.06 -
VBA32 3.12.8.10 2009.01.05 -
ViRobot 2009.1.6.1545 2009.01.06 -
VirusBuster 4.5.11.0 2009.01.05 -
Additional information
File size: 14336 bytes
MD5...: 4adbdc101f8bf99ccbbf02590adf0836
SHA1..: df4495f0015750c2b8388d22aec1c6eed09b3af1
SHA256: 596678f74e2b355916f903d6fb2fd68f65088ea7295f8bdbf3c8cf2c3b16b0f2
SHA512: 634cc11d86d79c57b07fd07b46e3600edbf177e22c9af93e7474028cf37b5836
56bbe350caab4f43ff32295672f92130c992c5fc30689d58c851c8df2212ba19

ssdeep: 384:b/K4DNk2jeG98pKQnAsfUxj5jkgNk1A5oMTJs6yE:b/lDNk2KGKZAssxlogN
i5kv

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402403
timedatestamp.....: 0x487e19d6 (Wed Jul 16 15:55:02 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1b2e 0x1c00 5.94 aae590b29b69eb96e7bf97f0848dd82e
.rdata 0x3000 0x139e 0x1400 5.10 6f702ea946b6a80e6d9497389d735490
.data 0x5000 0x3a4 0x200 0.50 a4ebfe6b103b4a7ef931821bb1963a04
.rsrc 0x6000 0x1ac 0x200 5.29 44c356767879ca79354af54d08a8717b

( 7 imports )
> PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameA
> KERNEL32.dll: CloseHandle, CopyFileA, OpenProcess, lstrlenA, LocalFree, GetProcAddress, GetTickCount, GetLastError, LoadLibraryA, CreateProcessA, GetCurrentProcessId, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, InterlockedCompareExchange, Sleep, InterlockedExchange, IsDebuggerPresent, SetUnhandledExceptionFilter, GetCurrentThreadId, QueryPerformanceCounter
> USER32.dll: MessageBeep
> ADVAPI32.dll: RegCloseKey, RegSetValueExA, RegCreateKeyExA
> MSVCP80.dll: __4_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV01@PBD@Z, __$_8DU_$char_traits@D@std@@V_$allocator@D@1@@std@@YA_NABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@PBD@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@PBD@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV01@@Z, _compare@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEHPBD@Z
> CRYPT32.dll: CryptProtectData
> MSVCR80.dll: _exit, _XcptFilter, exit, __initenv, _initterm, _initterm_e, _configthreadlocale, __setusermatherr, _adjust_fdiv, _cexit, __p__fmode, _encode_pointer, __set_app_type, _crt_debugger_hook, _terminate@@YAXXZ, _unlock, __dllonexit, _lock, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, memset, _amsg_exit, __2@YAPAXI@Z, ___V@YAXPAX@Z, __p__commode, _itoa, __CxxFrameHandler3, printf, __getmainargs

( 0 exports )

-----------------------------------------------------------------------
I ran the code on Combofix in Safe mode but I got the following error: "window cannot find 32788R22FWJFW\nircmd.com; permission denined." After it finished, the message remotely excuted program has failed appears and I had to reboot. But I think both got deleted

ComboFix 09-01-05.04 - bo10029094 2009-01-05 23:31:24.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1602 [GMT -6:00]
Running from: c:\users\bo10029094\Desktop\ComboFix.exe
Command switches used :: c:\users\bo10029094\Desktop\CFScript.txt

FILE ::
c:\program files\desktop.ini
c:\windows\System32\RunRetriever.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\desktop.ini
c:\windows\System32\RunRetriever.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2008-12-30 00:23 . 2008-12-30 00:47 250 --a------ c:\windows\gmer.ini
2008-12-26 00:41 . 2008-12-26 00:41 <DIR> d-------- c:\users\bo10029094\AppData\Roaming\McAfee
2008-12-26 00:29 . 2008-12-26 00:31 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-20 16:55 . 2008-12-20 16:55 <DIR> d-------- C:\6fa7c404b5a67a9bc59d36ddb5cc2d04
2008-12-20 15:24 . 2008-12-20 15:24 <DIR> d-------- C:\4eee0c844ec7cc4b7f031e927f9404
2008-12-20 15:24 . 2008-12-20 16:55 0 --ah---t- c:\windows\wusa.lock
2008-12-19 00:06 . 2008-12-19 00:06 39 --a------ c:\windows\sfshell.tmp
2008-12-18 20:58 . 2009-01-05 22:30 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-12-18 20:58 . 2008-12-27 00:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 20:58 . 2009-01-05 22:30 <DIR> d-------- c:\progra~2\Spybot - Search & Destroy
2008-12-18 20:19 . 2008-12-18 20:19 <DIR> d-------- C:\ae5bc420fc420ea24b0481d8119ad6
2008-12-18 19:04 . 2008-12-18 19:04 <DIR> d-------- c:\program files\Trend Micro
2008-12-10 20:48 . 2008-12-10 20:48 <DIR> d-------- c:\users\bo10029094\AppData\Roaming\Move Networks
2008-12-10 00:25 . 2008-10-21 19:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 00:20 . 2008-10-15 20:23 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-10 00:20 . 2008-10-15 22:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-10 00:20 . 2008-10-20 23:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 00:19 . 2008-10-31 19:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-10 00:19 . 2008-10-29 00:29 2,927,104 --a------ c:\windows\explorer.exe
2008-12-10 00:19 . 2008-10-31 21:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-10 00:17 . 2008-06-22 19:59 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-10 00:17 . 2008-06-22 19:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-10 00:17 . 2008-06-22 19:58 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-07 11:32 . 2008-12-07 11:32 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 05:14 --------- d---a-w c:\progra~2\TEMP
2009-01-06 04:21 --------- d-----w c:\program files\Spyware Doctor
2009-01-06 04:14 --------- d-----w c:\progra~2\Google Updater
2008-12-26 06:42 --------- d-----w c:\progra~2\McAfee
2008-12-24 21:30 --------- d-----w c:\program files\Warcraft III
2008-12-20 19:48 --------- d-----w c:\program files\Lenovo
2008-12-19 04:39 --------- d-----w c:\program files\CCleaner
2008-12-19 02:48 --------- d-----w c:\users\bo10029094\AppData\Roaming\Ruckus Network
2008-12-13 08:12 --------- d-----w c:\program files\McAfee
2008-12-10 06:47 --------- d-----w c:\program files\Windows Mail
2008-12-04 16:31 --------- d-----w c:\program files\Hero Editor
2008-12-04 16:30 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-12-04 16:30 249,856 ------w c:\windows\Setup1.exe
2008-11-11 05:34 --------- d-----w c:\program files\Common Files\Adobe
2008-11-06 05:21 --------- d-----w c:\users\bo10029094\AppData\Roaming\ArcSoft
2008-11-03 01:15 94,208 ----a-w c:\windows\DIIUnin.exe
2008-11-03 01:15 2,829 ----a-w c:\windows\DIIUnin.pif
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2008-03-26 21:30 241752 --a------ c:\program files\Lenovo\VeriFace\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-07 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"EPSON Stylus CX7400 Series"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"EnergyUtility"="c:\program files\Lenovo\EnergyCut\utilty.exe" [2006-02-26 2502656]
"EnergyCut"="c:\program files\Lenovo\EnergyCut\EnergyCut.exe" [2007-08-27 1232896]
"PCMService"="c:\program files\Lenovo\ShuttleCenter\PCMService.exe" [2007-10-26 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-07 185896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-24 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-10-10 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\bo10029094\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\Lenovo\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{593F9D6C-914F-4577-9719-612B442EDE0B}"= c:\program files\Lenovo\ShuttleCenter\PowerCinema.exe:CyberLink PowerCinema
"{01546A3F-189D-45A5-AFE4-2FB1531171D1}"= c:\program files\Lenovo\ShuttleCenter\PCMService.exe:CyberLink PowerCinema Resident Program
"{CE32602F-24CE-47AF-841E-6433D562AEB8}"= c:\program files\Lenovo\ShuttleCenter\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{B2C0DAA4-E49B-4174-A36B-3B1137F939A6}"= c:\program files\Lenovo\ShuttleCenter\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{D84C8460-4086-453B-BCD3-4C9E3E39D519}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{7D48A04A-891B-41C1-9141-3DB3205ACBDD}"= UDP:c:\program files\Sega\Gas Powered Games\Space Siege Demo\SpaceSiege.exe:Space Siege Demo
"{2367513E-B653-4BEC-AF8F-02EA0F18EB4F}"= TCP:c:\program files\Sega\Gas Powered Games\Space Siege Demo\SpaceSiege.exe:Space Siege Demo
"TCP Query User{355C5E9A-2EAF-485F-B6AE-F3A9E8572DA9}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{AEE1EAD3-D51B-493E-84E7-F0DE80BAC4C0}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{2B2C8FEB-C473-4E59-9553-697DCD9C754A}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{68A2FD87-43C6-4B53-A659-6F4C60F9FF73}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{6ED3D197-D5AD-4826-87F0-BCAE51B9B396}c:\\program files\\ruckus player\\ruckus.exe"= UDP:c:\program files\ruckus player\ruckus.exe:Ruckus Player
"UDP Query User{E61877F4-573D-430E-B730-DE121F13C1B4}c:\\program files\\ruckus player\\ruckus.exe"= TCP:c:\program files\ruckus player\ruckus.exe:Ruckus Player
"TCP Query User{A98D0323-43BA-46B2-8E53-70A99C7BDB18}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{B3F3B126-E797-4037-80E3-AF28D26AA361}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{9D30FE2E-BC26-4F66-BCB6-2F38AC96FF8F}d:\\diablo2\\diablo ii\\game.exe"= UDP:d:\diablo2\diablo ii\game.exe:Diablo II
"UDP Query User{6DDC2D5D-041D-4E48-8B7D-60710312FA0C}d:\\diablo2\\diablo ii\\game.exe"= TCP:d:\diablo2\diablo ii\game.exe:Diablo II
"TCP Query User{F86320B8-4A28-47D4-A623-2333BECF6411}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{58A41997-CE78-4189-952D-B120B5A156C6}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\System32\drivers\AcpiVpc.sys [2008-03-26 11776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-07-22 180736]
S3 CapFilt;CapFilt;c:\windows\System32\drivers\CapFilt.sys [2008-03-26 18048]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-30 356920]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-05 206096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE
*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{758b86dc-a93d-11dd-9a08-001fc65775bf}]
\shell\AutoRun\command - F:\SETUP.EXE
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com

O16 -: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://download.boulder.ibm.com/ibmdl/pub/pc/pccbbs/bp_pc/acpirexe.cab
c:\windows\Downloaded Program Files\AcpIRExe.inf
FF - ProfilePath - c:\users\BO1002~1\AppData\Roaming\Mozilla\Firefox\Profiles\cg706s6j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 23:35:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1932)
c:\program files\Lenovo\VeriFace\IcnOvrly.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\HelpPane.exe
.
**************************************************************************
.
Completion time: 2009-01-05 23:38:34 - machine was rebooted [bo10029094]
ComboFix-quarantined-files.txt 2009-01-06 05:38:25
ComboFix2.txt 2009-01-02 06:18:21

Pre-Run: 6,323,712,000 bytes free
Post-Run: 6,353,039,360 bytes free

216 --- E O F --- 2008-12-13 08:18:11

This is the hijathis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:30 AM, on 1/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\EnergyCut\utilty.exe
O4 - HKLM\..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Windows\TEMP\E_SB747.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra 'Tools' menuitem: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} (IASRunner Class) - http://download.boulder.ibm.com/ibmdl/pub/...pc/acpirexe.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...480/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9706 bytes

Edited by boman, 06 January 2009 - 01:29 AM.


#11 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 07 January 2009 - 08:12 AM

Hi,

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::
c:\windows\wusa.lock
c:\windows\sfshell.tmp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Please post the ComboFix log along with a fresh HijackThis log. Try Windows Update again and let me know what happens, including details of any error messages received.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#12 boman

boman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 07 January 2009 - 11:56 AM

Hi, Once again thank you.

I followed your steps. The window update still freezes when I try to open it. THere are no error messages, it is just the window update will not load. I still don't have control of task manager, network and sharing center, mcaffee in normal mode. I can do every thing in safemode except I can not open window update. Another interesting thing I noticed for the past weeks is that the system crashes frequently while starting up in normal mode, only a blank screen with a mouse arrow in the middle appears.

the following is the combofix log

ComboFix 09-01-05.04 - bo10029094 2009-01-07 9:33:29.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1610 [GMT -6:00]
Running from: c:\users\bo10029094\Desktop\ComboFix.exe
Command switches used :: c:\users\bo10029094\Desktop\CFScript.txt

FILE ::
c:\windows\sfshell.tmp
c:\windows\wusa.lock
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sfshell.tmp
c:\windows\wusa.lock

.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 05:14 --------- d-----w c:\progra~2\Google Updater
2009-01-06 15:09 --------- d-----w c:\progra~2\Spybot - Search & Destroy
2009-01-06 06:23 --------- d-----w c:\program files\CCleaner
2009-01-06 05:14 --------- d---a-w c:\progra~2\TEMP
2009-01-06 04:21 --------- d-----w c:\program files\Spyware Doctor
2008-12-27 06:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-26 06:42 --------- d-----w c:\progra~2\McAfee
2008-12-26 06:41 --------- d-----w c:\users\bo10029094\AppData\Roaming\McAfee
2008-12-26 06:31 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-24 21:30 --------- d-----w c:\program files\Warcraft III
2008-12-20 19:48 --------- d-----w c:\program files\Lenovo
2008-12-19 02:48 --------- d-----w c:\users\bo10029094\AppData\Roaming\Ruckus Network
2008-12-19 01:04 --------- d-----w c:\program files\Trend Micro
2008-12-13 08:12 --------- d-----w c:\program files\McAfee
2008-12-11 02:48 --------- d-----w c:\users\bo10029094\AppData\Roaming\Move Networks
2008-12-10 06:47 --------- d-----w c:\program files\Windows Mail
2008-12-07 17:32 --------- d-----w c:\program files\QuickTime
2008-12-04 16:31 --------- d-----w c:\program files\Hero Editor
2008-12-04 16:30 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-12-04 16:30 249,856 ------w c:\windows\Setup1.exe
2008-11-11 05:34 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 01:15 94,208 ----a-w c:\windows\DIIUnin.exe
2008-11-03 01:15 2,829 ----a-w c:\windows\DIIUnin.pif
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2008-03-26 21:30 241752 --a------ c:\program files\Lenovo\VeriFace\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-07 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"EPSON Stylus CX7400 Series"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"EnergyUtility"="c:\program files\Lenovo\EnergyCut\utilty.exe" [2006-02-26 2502656]
"EnergyCut"="c:\program files\Lenovo\EnergyCut\EnergyCut.exe" [2007-08-27 1232896]
"PCMService"="c:\program files\Lenovo\ShuttleCenter\PCMService.exe" [2007-10-26 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-07 185896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-24 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-10-10 c:\windows\SkyTel.exe]

c:\users\bo10029094\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\Lenovo\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{593F9D6C-914F-4577-9719-612B442EDE0B}"= c:\program files\Lenovo\ShuttleCenter\PowerCinema.exe:CyberLink PowerCinema
"{01546A3F-189D-45A5-AFE4-2FB1531171D1}"= c:\program files\Lenovo\ShuttleCenter\PCMService.exe:CyberLink PowerCinema Resident Program
"{CE32602F-24CE-47AF-841E-6433D562AEB8}"= c:\program files\Lenovo\ShuttleCenter\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{B2C0DAA4-E49B-4174-A36B-3B1137F939A6}"= c:\program files\Lenovo\ShuttleCenter\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{D84C8460-4086-453B-BCD3-4C9E3E39D519}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{7D48A04A-891B-41C1-9141-3DB3205ACBDD}"= UDP:c:\program files\Sega\Gas Powered Games\Space Siege Demo\SpaceSiege.exe:Space Siege Demo
"{2367513E-B653-4BEC-AF8F-02EA0F18EB4F}"= TCP:c:\program files\Sega\Gas Powered Games\Space Siege Demo\SpaceSiege.exe:Space Siege Demo
"TCP Query User{355C5E9A-2EAF-485F-B6AE-F3A9E8572DA9}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{AEE1EAD3-D51B-493E-84E7-F0DE80BAC4C0}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{2B2C8FEB-C473-4E59-9553-697DCD9C754A}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{68A2FD87-43C6-4B53-A659-6F4C60F9FF73}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{6ED3D197-D5AD-4826-87F0-BCAE51B9B396}c:\\program files\\ruckus player\\ruckus.exe"= UDP:c:\program files\ruckus player\ruckus.exe:Ruckus Player
"UDP Query User{E61877F4-573D-430E-B730-DE121F13C1B4}c:\\program files\\ruckus player\\ruckus.exe"= TCP:c:\program files\ruckus player\ruckus.exe:Ruckus Player
"TCP Query User{A98D0323-43BA-46B2-8E53-70A99C7BDB18}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{B3F3B126-E797-4037-80E3-AF28D26AA361}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{9D30FE2E-BC26-4F66-BCB6-2F38AC96FF8F}d:\\diablo2\\diablo ii\\game.exe"= UDP:d:\diablo2\diablo ii\game.exe:Diablo II
"UDP Query User{6DDC2D5D-041D-4E48-8B7D-60710312FA0C}d:\\diablo2\\diablo ii\\game.exe"= TCP:d:\diablo2\diablo ii\game.exe:Diablo II
"TCP Query User{F86320B8-4A28-47D4-A623-2333BECF6411}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{58A41997-CE78-4189-952D-B120B5A156C6}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\System32\drivers\AcpiVpc.sys [2008-03-26 11776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-07-22 180736]
S3 CapFilt;CapFilt;c:\windows\System32\drivers\CapFilt.sys [2008-03-26 18048]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-30 356920]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-05 206096]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{758b86dc-a93d-11dd-9a08-001fc65775bf}]
\shell\AutoRun\command - F:\SETUP.EXE
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com

O16 -: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://download.boulder.ibm.com/ibmdl/pub/pc/pccbbs/bp_pc/acpirexe.cab
c:\windows\Downloaded Program Files\AcpIRExe.inf
FF - ProfilePath - c:\users\BO1002~1\AppData\Roaming\Mozilla\Firefox\Profiles\cg706s6j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 09:37:56
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(752)
c:\program files\Lenovo\VeriFace\IcnOvrly.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\HelpPane.exe
.
**************************************************************************
.
Completion time: 2009-01-07 9:40:32 - machine was rebooted [bo10029094]
ComboFix-quarantined-files.txt 2009-01-07 15:40:23
ComboFix2.txt 2009-01-06 05:38:34
ComboFix3.txt 2009-01-02 06:18:21

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 6,353,608,704 bytes free

195 --- E O F --- 2008-12-13 08:18:11

-----------------------------------------------------------------------------------------------
this is my hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:51 AM, on 1/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\EnergyCut\utilty.exe
O4 - HKLM\..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Windows\TEMP\E_SB747.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra 'Tools' menuitem: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} (IASRunner Class) - http://download.boulder.ibm.com/ibmdl/pub/...pc/acpirexe.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...480/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9655 bytes

#13 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 07 January 2009 - 12:06 PM

What happens when you try to access task manager? Any error messages?
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image

#14 boman

boman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 07 January 2009 - 12:33 PM

There's no error message. A taskmanager icon appears on the system tray, and the task manager does not show up.

#15 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 07 January 2009 - 01:23 PM

Well the good news is that I am not seeing any signs of malware on your computer.

I think your best bet now is to post in the Vista support room for continued assistance. The helpers there are better equipped to handle general troubleshooting issues than I am.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users