
Virtumonde infection


This topic is locked
26 replies to this topic

#1 srutherford024

Posted 22 December 2008 - 05:18 PM

Hi,

Yesterday while looking something up on the web, my virus scanner (McAfee w/latest updates) reported it had intercepted and removed a trojan. According to McAfee the trojan was named "A.exe". Much to my dismay, about 5 mins later my browser (Internet Explorer ver 7.0.5730.13) began acting strange - taking me to websites I hadn't asked for, popping up new browser windows with ads, etc. I immediately ran a Spybot Search and Destroy scan, and it reported back numerous trojans, most of them variants of virtumonde. I used Spybot S&D to remove them, rebooted and rescanned, and as you can no doubt guess, some of the entries were back. I did some reading, and downloaded Malwarebytes Anti-Malware and ran a scan and clean with it. Next, I rebooted and scanned again with the same results - some versions of virtumonde were able to persist. I have been a regular lurker here on BleepingComputer for quite a while now, and have been able to resolve several issues myself with the information I've discovered, but this one scares me a bit. Any help would be seriously appreciated. Please find below my Kaspersky log and my 2 RSIT logs. Big thanks in advance for the help here :thumbsup:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Scott Rutherford at 2008-12-22 16:53:29
Microsoft Windows XP Home Edition Service Pack 3
System drive D: has 96 GB (91%) free of 105 GB
Total RAM: 2047 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:03 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Creative\Shared Files\CTAudSvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
D:\WINDOWS\BCMSMMSG.exe
D:\Program Files\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Program Files\McAfee\SiteAdvisor\McSACore.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Scott Rutherford\Desktop\RSIT.exe
D:\Program Files\trend micro\Scott Rutherford.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: {47893aee-ee71-87eb-4344-5fec59079261} - {16297095-cef5-4434-be78-17eeeea39874} - D:\WINDOWS\system32\qtyrhj.dll
O2 - BHO: (no name) - {1E846A95-3E17-43C6-83B6-682FCB5D2A95} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {8187c523-8479-4151-b5e3-f2644a3ff492} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600 (Copy 1)] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P33 "EPSON Stylus Photo RX600 (Copy 1)" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [prunnet] "D:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: qtyrhj.dll,D:\WINDOWS\system32\vewalimu.dll
O20 - Winlogon Notify: qoMcBtqo - D:\WINDOWS\
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - D:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - D:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9087 bytes

======Scheduled tasks folder======

D:\WINDOWS\tasks\AppleSoftwareUpdate.job
D:\WINDOWS\tasks\McDefragTask.job
D:\WINDOWS\tasks\McQcTask.job
D:\WINDOWS\tasks\obsvlkll.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16297095-cef5-4434-be78-17eeeea39874}]
D:\WINDOWS\system32\qtyrhj.dll [2008-12-21 135680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E846A95-3E17-43C6-83B6-682FCB5D2A95}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - D:\Program Files\Java\jre6\bin\ssv.dll [2008-12-21 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8187c523-8479-4151-b5e3-f2644a3ff492}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-21 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-21 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]
{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - Winamp Toolbar - D:\Program Files\Winamp Toolbar\winamptb.dll [2008-07-16 1266992]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"=D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [2007-07-17 2094352]
"Launch LCDMon"=D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [2007-07-17 1687824]
"Kernel and Hardware Abstraction Layer"=D:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"NvCplDaemon"=D:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"UpdReg"=D:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"EPSON Stylus Photo RX600"=D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE [2003-09-09 99840]
"BCMSMMSG"=D:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"mcagent_exe"=D:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-03 582992]
"Adobe Reader Speed Launcher"=D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"CTHelper"=D:\WINDOWS\system32\CTHELPER.EXE [2008-02-20 19456]
"CTxfiHlp"=D:\WINDOWS\system32\CTXFIHLP.EXE [2008-07-11 19968]
"QuickTime Task"=D:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"NvMediaCenter"=D:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"NeroFilterCheck"=D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"EPSON Stylus Photo RX600 (Copy 1)"=D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE [2003-09-09 99840]
"WinampAgent"=D:\Program Files\Winamp\winampa.exe []
"prunnet"=D:\WINDOWS\system32\prunnet.exe []
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2008-12-21 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-10-09 139264]
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk - D:\Program Files\Logitech\SetPoint\SetPoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="qtyrhj.dll,D:\WINDOWS\system32\vewalimu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
d:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
D:\WINDOWS\system32\vewalimu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="D:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"D:\Program Files\Ventrilo\Ventrilo.exe"="D:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"D:\Program Files\Winamp Remote\bin\Orb.exe"="D:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"D:\Program Files\Winamp Remote\bin\OrbTray.exe"="D:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"D:\WINDOWS\system32\logonui.exe"="D:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"D:\WINDOWS\system32\winlogon.exe"="D:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-22 16:53:29 ----D---- D:\rsit
2008-12-22 16:53:29 ----D---- D:\Program Files\trend micro
2008-12-21 19:55:37 ----D---- D:\WINDOWS\Sun
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\javaws.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\javaw.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\java.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\deploytk.dll
2008-12-21 19:51:55 ----D---- D:\Program Files\Java
2008-12-21 19:51:18 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Sun
2008-12-21 19:10:13 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Malwarebytes
2008-12-21 19:10:00 ----D---- D:\Program Files\Malwarebytes' Anti-Malware
2008-12-21 19:10:00 ----D---- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-21 16:15:51 ----D---- D:\Program Files\Spybot - Search & Destroy
2008-12-21 16:15:51 ----D---- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 16:03:07 ----A---- D:\WINDOWS\system32\qtyrhj.dll
2008-12-21 16:03:04 ----A---- D:\WINDOWS\system32\pjdfamqp.dll
2008-12-21 15:55:35 ----N---- D:\WINDOWS\system32\qoakuwjg.dll
2008-12-21 15:53:07 ----A---- D:\WINDOWS\system32\1fafabb3-.txt
2008-12-10 03:01:11 ----HDC---- D:\WINDOWS\$NtUninstallKB955839$
2008-12-10 03:00:42 ----HDC---- D:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 03:00:37 ----HDC---- D:\WINDOWS\$NtUninstallKB954600$
2008-12-10 03:00:31 ----HDC---- D:\WINDOWS\$NtUninstallKB956802$
2008-11-26 22:07:46 ----D---- D:\Program Files\Winamp Toolbar
2008-11-26 22:07:46 ----D---- D:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\vxblock.dll
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\pxwave.dll
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\pxsfs.dll
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\pxmas.dll
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\pxinsa64.exe
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\pxhpinst.exe
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\pxdrv.dll
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\pxcpya64.exe
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\pxafs.dll
2008-11-26 22:06:49 ----N---- D:\WINDOWS\system32\px.dll
2008-11-26 20:45:13 ----A---- D:\WINDOWS\system32\ECBTEG.DLL
2008-11-26 20:45:13 ----A---- D:\WINDOWS\system32\EBPCHP.DLL
2008-11-26 20:43:28 ----A---- D:\WINDOWS\EPSTPLOG.TXT
2008-11-26 20:43:28 ----A---- D:\WINDOWS\EPSMTL32.TXT
2008-11-26 20:42:28 ----A---- D:\WINDOWS\system32\escimgd.dll
2008-11-26 20:42:28 ----A---- D:\WINDOWS\system32\esccmd.dll
2008-11-26 20:42:27 ----A---- D:\WINDOWS\system32\escwiad.dll

======List of files/folders modified in the last 1 months======

2008-12-22 16:53:46 ----D---- D:\WINDOWS\Temp
2008-12-22 16:53:36 ----D---- D:\WINDOWS\Prefetch
2008-12-22 16:53:29 ----RD---- D:\Program Files
2008-12-21 19:55:37 ----D---- D:\WINDOWS
2008-12-21 19:52:12 ----SHD---- D:\WINDOWS\Installer
2008-12-21 19:52:09 ----D---- D:\WINDOWS\system32
2008-12-21 19:17:59 ----D---- D:\WINDOWS\system32\drivers
2008-12-21 19:17:38 ----A---- D:\WINDOWS\SchedLgU.Txt
2008-12-21 16:57:39 ----HD---- D:\WINDOWS\inf
2008-12-21 16:57:37 ----D---- D:\WINDOWS\system32\CatRoot2
2008-12-21 15:47:24 ----SD---- D:\WINDOWS\Tasks
2008-12-21 10:10:05 ----RSD---- D:\WINDOWS\assembly
2008-12-21 10:10:05 ----D---- D:\WINDOWS\Microsoft.NET
2008-12-21 10:08:37 ----D---- D:\Program Files\McAfee
2008-12-18 07:52:47 ----RSHDC---- D:\WINDOWS\system32\dllcache
2008-12-18 07:52:23 ----HD---- D:\WINDOWS\$hf_mig$
2008-12-13 01:40:02 ----A---- D:\WINDOWS\system32\mshtml.dll
2008-12-10 03:01:14 ----A---- D:\WINDOWS\imsins.BAK
2008-12-10 03:00:59 ----D---- D:\Program Files\Internet Explorer
2008-12-04 17:04:01 ----A---- D:\WINDOWS\NeroDigital.ini
2008-12-03 20:45:04 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Ahead
2008-11-26 20:45:24 ----A---- D:\WINDOWS\EPSONRX600.ini
2008-11-26 20:43:53 ----D---- D:\Program Files\EPSON
2008-11-26 20:42:25 ----D---- D:\WINDOWS\twain_32
2008-11-26 20:06:58 ----HD---- D:\Program Files\InstallShield Installation Information
2008-11-26 20:06:58 ----D---- D:\Program Files\Smart Panel
2008-11-24 17:00:44 ----D---- D:\WINDOWS\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; D:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; D:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; D:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; D:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 OMCI;OMCI; D:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R3 BCMModem;BCM V.92 56K Modem; D:\WINDOWS\system32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CT20XUT.DLL;CT20XUT.DLL; D:\WINDOWS\system32\CT20XUT.DLL [2008-07-15 170520]
R3 ctac32k;Creative AC3 Software Decoder; D:\WINDOWS\system32\drivers\ctac32k.sys [2008-07-15 511000]
R3 ctaud2k;Creative Audio Driver (WDM); D:\WINDOWS\system32\drivers\ctaud2k.sys [2008-07-15 527384]
R3 CTEXFIFX.DLL;CTEXFIFX.DLL; D:\WINDOWS\system32\CTEXFIFX.DLL [2008-07-15 1323544]
R3 CTHWIUT.DLL;CTHWIUT.DLL; D:\WINDOWS\system32\CTHWIUT.DLL [2008-07-15 72728]
R3 ctprxy2k;Creative Proxy Driver; D:\WINDOWS\system32\drivers\ctprxy2k.sys [2008-07-15 14360]
R3 ctsfm2k;Creative SoundFont Management Device Driver; D:\WINDOWS\system32\drivers\ctsfm2k.sys [2008-07-15 157208]
R3 E100B;Intel® PRO Network Connection Driver; D:\WINDOWS\System32\DRIVERS\e100b325.sys [2007-11-16 165496]
R3 emupia;E-mu Plug-in Architecture Driver; D:\WINDOWS\system32\drivers\emupia2k.sys [2008-07-15 92696]
R3 ha20x2k;Creative 20X HAL Driver; D:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]
R3 HidBatt;HID UPS Battery Driver; D:\WINDOWS\System32\DRIVERS\HidBatt.sys [2008-04-13 20352]
R3 hidusb;Microsoft HID Class Driver; D:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; D:\WINDOWS\System32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; D:\WINDOWS\System32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 mfeavfk;McAfee Inc. mfeavfk; D:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; D:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mferkdk;McAfee Inc. mferkdk; D:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
R3 mfesmfk;McAfee Inc. mfesmfk; D:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 mouhid;Mouse HID Driver; D:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; D:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 ossrv;Creative OS Services Driver; D:\WINDOWS\system32\drivers\ctoss2k.sys [2008-07-15 127000]
R3 usbccgp;Microsoft USB Generic Parent Driver; D:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; D:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; D:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; D:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; D:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; D:\WINDOWS\System32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 COMMONFX.DLL;COMMONFX.DLL; D:\WINDOWS\system32\COMMONFX.DLL [2008-02-25 98328]
S3 CTAUDFX.DLL;CTAUDFX.DLL; D:\WINDOWS\system32\CTAUDFX.DLL [2008-02-25 551960]
S3 ctdvda2k;Creative DVD-Audio Device Driver; D:\WINDOWS\system32\drivers\ctdvda2k.sys [2008-07-15 347080]
S3 CTEAPSFX.DLL;CTEAPSFX.DLL; D:\WINDOWS\system32\CTEAPSFX.DLL [2008-02-25 174104]
S3 CTEDSPFX.DLL;CTEDSPFX.DLL; D:\WINDOWS\system32\CTEDSPFX.DLL [2008-02-25 286232]
S3 CTEDSPIO.DLL;CTEDSPIO.DLL; D:\WINDOWS\system32\CTEDSPIO.DLL [2008-02-25 134680]
S3 CTEDSPSY.DLL;CTEDSPSY.DLL; D:\WINDOWS\system32\CTEDSPSY.DLL [2008-02-25 329240]
S3 CTERFXFX.DLL;CTERFXFX.DLL; D:\WINDOWS\system32\CTERFXFX.DLL [2008-02-25 100888]
S3 CTSBLFX.DLL;CTSBLFX.DLL; D:\WINDOWS\system32\CTSBLFX.DLL [2008-02-25 566296]
S3 MODEMCSA;Unimodem Streaming Filter Device; D:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 usbprint;Microsoft USB PRINTER Class; D:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; D:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; D:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; D:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; D:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CTAudSvcService;Creative Audio Service; D:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-04-30 417792]
R2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; D:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-12-05 206096]
R2 mcmscsvc;McAfee Services; D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 NVSvc;NVIDIA Display Driver Service; D:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R3 McSysmon;McAfee SystemGuards; D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
R3 MpfService;McAfee Personal Firewall Service; D:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
S3 aspnet_state;ASP.NET State Service; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-09-13 79360]
S3 LBTServ;Logitech Bluetooth Service; D:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 McODS;McAfee Scanner; D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 NBService;NBService; D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-10-09 724992]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; D:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; D:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2008-12-22 16:54:06

======Uninstall list======

-->"D:\Program Files\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W
-->D:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->D:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->D:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->D:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->D:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->D:\WINDOWS\UNRecode.exe /UNINSTALL
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9 /remove
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9 /remove
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9 /remove
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9 /remove
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x9 /remove
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{CC3D3A93-C433-4329-AC3A-7EFC52A332C2}\setup.exe" -l0x9
-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{CC3D3A93-C433-4329-AC3A-7EFC52A332C2}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus-->MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Flash Player 10 ActiveX-->D:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Advertisement Service-->D:\WINDOWS\system32\prunnet.exe Uninstall
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft Software Suite-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{66C8BE35-8BBB-472B-96C7-C7C9A499F988}\Setup.exe" -l0x9
BCM V.92 56K Modem-->D:\WINDOWS\BCMSMU.exe quiet
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Comcast High-Speed Internet Install Wizard-->D:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Creative Audio Console-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
Creative System Information-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Dell ResourceCD-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Driver Detective-->D:\Program Files\InstallShield Installation Information\{621C02EA-AAFF-4026-A903-165D59529A16}\setup.exe -runfromtemp -l0x0409
EPSON CardMonitor-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON Copy Utility-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG
EPSON Photo Print-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0B53B71D-9E2F-42B8-9123-96354872D166}\setup.exe" -l0x9 MyUninstall
EPSON PhotoStarter3.2-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{AE704636-ECD0-426C-952E-05B8DABD1949}\Setup.exe" -l0x9 uninst
EPSON Printer Software-->D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0E0131B2-CF18-40D9-A331-60A3746C1204}\Setup.exe" -l0x9 UNINSTALL
HijackThis 2.0.2-->"D:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"D:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"D:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"D:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"D:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® Network Connections 13.0.42.0-->MsiExec.exe /i{2223FC2F-B862-4F83-BC9E-DDF2DADF2859} ARPREMOVE=1
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
Logitech GamePanel Software 2.00-->MsiExec.exe /X{948BE614-F37B-4A73-AD43-0245F23C110D}
Logitech SetPoint-->D:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware-->"D:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->D:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"D:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"D:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"D:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Nero 7 Ultra Edition-->MsiExec.exe /I{F14B8ECC-BDA0-4987-9201-D7B7DBE11033}
NVIDIA Drivers-->D:\WINDOWS\system32\nvuninst.exe UninstallGUI
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
ScanToWeb-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
Security Update for Windows Internet Explorer 7 (KB938127)-->"D:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"D:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"D:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"D:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"D:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"D:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"D:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"D:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"D:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"D:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"D:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"D:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"D:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"D:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"D:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"D:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"D:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"D:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"D:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"D:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"D:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"D:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"D:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"D:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"D:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"D:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"D:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"D:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"D:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"D:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"D:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"D:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"D:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"D:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"D:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"D:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sound Blaster X-Fi-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}\SETUP.EXE" -l0x9 /remove
Spybot - Search & Destroy-->"D:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows XP (KB951072-v2)-->"D:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"D:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"D:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Winamp Toolbar for Firefox-->"\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe"
Winamp Toolbar for Internet Explorer-->"D:\Program Files\Winamp Toolbar\uninstall.exe"
Windows Media Format 11 runtime-->"D:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"D:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"D:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"D:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
World of Warcraft-->D:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

System event log

Computer Name: SCOTT-LOFT
Event Code: 7036
Message: The SSDP Discovery Service service entered the running state.

Record Number: 4491
Source Name: Service Control Manager
Time Written: 20080819160940.000000-240
Event Type: information
User:

Computer Name: SCOTT-LOFT
Event Code: 7035
Message: The SSDP Discovery Service service was successfully sent a start control.

Record Number: 4490
Source Name: Service Control Manager
Time Written: 20080819160940.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SCOTT-LOFT
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the running state.

Record Number: 4489
Source Name: Service Control Manager
Time Written: 20080819160940.000000-240
Event Type: information
User:

Computer Name: SCOTT-LOFT
Event Code: 7035
Message: The IMAPI CD-Burning COM Service service was successfully sent a start control.

Record Number: 4488
Source Name: Service Control Manager
Time Written: 20080819160940.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SCOTT-LOFT
Event Code: 7036
Message: The Fast User Switching Compatibility service entered the running state.

Record Number: 4487
Source Name: Service Control Manager
Time Written: 20080819160940.000000-240
Event Type: information
User:

Application event log

Computer Name: SCOTT-LOFT
Event Code: 2
Message: Successful auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

Record Number: 886
Source Name: crypt32
Time Written: 20080725075721.000000-240
Event Type: information
User:

Computer Name: SCOTT-LOFT
Event Code: 7
Message: Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

Record Number: 885
Source Name: crypt32
Time Written: 20080725075721.000000-240
Event Type: information
User:

Computer Name: SCOTT-LOFT
Event Code: 5000
Message: McShield service started.

Engine version : 5200.2160

DAT version : 5346.0000



Number of signatures in EXTRA.DAT : None

Names of threats that EXTRA.DAT can detect : None

Record Number: 884
Source Name: McLogEvent
Time Written: 20080724201712.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SCOTT-LOFT
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 883
Source Name: SecurityCenter
Time Written: 20080724201707.000000-240
Event Type: information
User:

Computer Name: SCOTT-LOFT
Event Code: 1517
Message: Windows saved user SCOTT-LOFT\Scott Rutherford registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 882
Source Name: Userenv
Time Written: 20080724201549.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;D:\Program Files\Intel\DMIX;D:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;D:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=D:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 21, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 21, 2008 23:11:43
Records in database: 1497661


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 149367
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 02:33:40

File name Threat name Threats count
D:\Documents and Settings\Scott Rutherford\Local Settings\Temporary Internet Files\Content.IE5\LCSGEBJ3\apstpldr.dll[1].htm Infected: Trojan.Win32.Monder.aehd 1

The selected area was scanned.


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:59 PM

Posted 23 December 2008 - 05:29 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 srutherford024

srutherford024
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:United States, East Coast
  • Local time:11:59 PM

Posted 24 December 2008 - 03:15 PM

Hello Sam,

First off let me thank you for your attention - I know it's the holiday and you are busy. I really appreciate the assistance here :) I downloaded SDFix and extracted it as instructed. McAfee detected one of the extracted files as a Potentially Unwanted Program (lol - it detects the tool to help fix the problem, but allows the bad stuff to get through). I trusted it, and immediately McAfee detected and removed 2 instances of what it called "Trojan: Generic.dx". At this point I rebooted into safe mode, located the batch file RunThis.bat, and executed it. After it finished and I restarted, SDFix completed its scan, but when my desktop loaded, McAfee virus scan was disabled. I'm not sure if this was an intended function of SDFix, so I left it disabled. When I came back here to the forum to post the log, my firewall (also McAfee) detected "Java Platform SE Binary" wanting to access the internet. I had read that one of the ways these types of infections can propagate is through Java, so this time I blocked it. In case it matters, the path to this blocked file was D:\Program Files\Java\JReg\Bin\Jusched.exe. Could be that this is just the update program for Java wanting to run, and I'm being overly paranoid in light of recent events :thumbsup: I should also mention that I have been getting random full screen blank IE windows popping up while posting this and also the Windows "error" sound, but no error messages. Both of these things have been occurring since the infection started, and I don't think they are related to anything SDFix did at all. I have pasted in my log below for you to review, and once again I offer my thanks and appreciation for your help.


SDFix: Version 1.240
Run by Scott Rutherford on Wed 12/24/2008 at 02:31 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: D:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP1C.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP25.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP38.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP3B.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP43.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP8.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMPE.tmp - Deleted





Removing Temp Files

ADS Check :


Checking Files :

Trojan Files Found:

D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP1C.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP25.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP38.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP3B.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP43.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMP8.tmp - Deleted
D:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\TMPE.tmp - Deleted





Removing Temp Files

ADS Check :

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:59 PM

Posted 25 December 2008 - 06:42 PM

Well it looks like we made some progress with SDFix, but not as much as I would have hoped.

Let's update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Also post a new log from RSIT.


========================================================

#5 srutherford024

srutherford024
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:United States, East Coast
  • Local time:11:59 PM

Posted 26 December 2008 - 02:00 AM

Ok, I've updated MBAM, scanned all hard drives, and cleaned everything the scan picked up. MBAM did not request a restart on the completion of the clean. Still getting those full screen blank pop-ups, and sluggish performance from IE. Here is the requested log:

Malwarebytes' Anti-Malware 1.31
Database version: 1546
Windows 5.1.2600 Service Pack 3

12/26/2008 1:48:09 AM
mbam-log-2008-12-26 (01-48-09).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 192441
Time elapsed: 1 hour(s), 15 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
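The MBAM log above groups the Vundo entries by registry location, and the useful triage signal is which of those locations actually re-launch code (the Run value and the Browser Helper Objects key) versus which are just traces. As an added example that is not part of MBAM or of any post in this thread, the following Python script parses that log format into structured findings, labels the persistence mechanisms, groups entries that share a CLSID (the IE Ext\Stats record and the BHO key above point at the same add-on), and cross-checks the summary counts against the parsed entries so a truncated paste is noticed. The sample log is constructed from the entries posted above; the regexes and the persistence rules are my assumptions about the MBAM 1.x text layout, not something Malwarebytes documents.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and flag persistence entries.

Added example for this thread (not MBAM's own code). The log layout regexes
and the persistence rules below are assumptions based on the posted log.
"""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the MBAM 1.31 log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1546

Memory Processes Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 4" is a summary line; "Registry Keys Infected:" opens a section.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+Infected):\s*(?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+Infected):$")
# "<path> (<family>) -> <action>."
FINDING_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Registry locations that give a component a foothold across reboots or browser
# sessions. Assumed rule set for this example; extend it for your environment.
PERSISTENCE_RULES = [
    (re.compile(r"\\Explorer\\Browser Helper Objects\\", re.I),
     "BHO: DLL loaded into every Internet Explorer process"),
    (re.compile(r"\\CurrentVersion\\Run(?:Once|Services)?\\", re.I),
     "autostart: executed at every logon"),
    (re.compile(r"\\CurrentVersion\\Ext\\Stats\\", re.I),
     "IE add-on record: not a loader itself, ties to a BHO/ActiveX CLSID"),
]


def classify(path):
    """Return a persistence label for a registry path, or None if it is only a trace."""
    for rule, label in PERSISTENCE_RULES:
        if rule.search(path):
            return label
    return None


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'findings': [dict, ...]}."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("("):  # "(No malicious items detected)"
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        clsid = CLSID_RE.search(path)
        findings.append({
            "section": section,
            "path": path,
            "family": m.group("family"),
            "action": m.group("action"),
            "persistence": classify(path),
            "clsid": clsid.group(0).lower() if clsid else None,
        })
    return {"summary": summary, "findings": findings}


def check_counts(report):
    """Sections whose summary count disagrees with the parsed entries (truncated paste?)."""
    seen = defaultdict(int)
    for f in report["findings"]:
        seen[f["section"]] += 1
    return {s: (n, seen[s]) for s, n in report["summary"].items() if seen[s] != n}


def clsid_groups(report):
    """CLSIDs that appear in more than one entry, mapped to the paths sharing them."""
    groups = defaultdict(list)
    for f in report["findings"]:
        if f["clsid"]:
            groups[f["clsid"]].append(f["path"])
    return {c: p for c, p in groups.items() if len(p) > 1}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for f in rep["findings"]:
        print(f"{f['family']:<14} {f['persistence'] or 'trace only':<60} {f['path']}")
    print("count mismatches:", check_counts(rep))
    print("shared CLSIDs:", clsid_groups(rep))
```

Entries that classify as "trace only" (the MS Juan / MS Track System keys) are data the infection left behind; the Run value and the BHO key are what would bring it back after a reboot, which is why a clean MBAM pass that still leaves the browser misbehaving is worth a second look at those two locations.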

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:59 PM

Posted 26 December 2008 - 10:26 AM

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.


Also post a new log from RSIT.


========================================================

#7 srutherford024

srutherford024
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:United States, East Coast
  • Local time:11:59 PM

Posted 26 December 2008 - 06:34 PM

Alright Sam, I have the gmer log for you. One thing I want to mention to you here is that I had to reboot my computer earlier today, and when I did SpyBot S&D detected and blocked an attempted registry change by "prunnet". Don't know if that would have any bearing on the current phase of troubleshooting, but thought I would let you know just in case. Gmer ran fine, no crashes or need to use safe mode. Here is the log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-26 18:23:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB2B279B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB2B27A49]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2B2795D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB2B27976]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2B27A5D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2B27A89]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB2B27AF7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB2B27AE1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB2B279F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB2B27B23]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB2B27A35]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2B27930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2B27944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB2B279C6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2B27B5F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB2B27ACB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB2B27AB5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB2B27A73]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2B27B4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB2B27B37]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2B2799E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2B2798A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB2B27A9F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB2B27A21]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB2B27B0D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB2B27A08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB2B279DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP B2B279E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP B2B27A39 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 80573037 7 Bytes JMP B2B27AB9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057791D 5 Bytes JMP B2B27A4D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80578A14 7 Bytes JMP B2B27B63 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 7 Bytes JMP B2B27AFB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP B2B279B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP B2B2798E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP B2B27A0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP B2B279F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP B2B27934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP B2B279CA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 8058228C 7 Bytes JMP B2B27AA3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80587693 7 Bytes JMP B2B27AE5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP B2B2797A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP B2B27A25 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP B2B27A8D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP B2B27A61 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP B2B27961 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1939 5 Bytes JMP B2B27948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 805E218F 5 Bytes JMP B2B27B27 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635947 5 Bytes JMP B2B279A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 80654DB2 7 Bytes JMP B2B27B11 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 806556D8 7 Bytes JMP B2B27ACF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B56 7 Bytes JMP B2B27A77 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 80656049 5 Bytes JMP B2B27B3B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 806564B2 5 Bytes JMP B2B27B4F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070076
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F77
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F92
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007005B
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070040
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700B3
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700A2
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700E2
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F49
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F2E
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070FB9
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0007000A
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070091
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FCA
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070025
.text D:\WINDOWS\system32\services.exe[696] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070F5A
.text D:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FC3
.text D:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F72
.text D:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060014
.text D:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060FD4
.text D:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060F8D
.text D:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FE5
.text D:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006002F
.text D:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060FA8
.text D:\WINDOWS\system32\services.exe[696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FA0FEF
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FA0F66
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FA0051
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FA0F83
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FA0F94
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FA0025
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FA0087
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FA0076
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FA00C4
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FA00A9
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FA0F06
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FA0036
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FA0FDE
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FA0F55
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FA0FC3
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FA0014
.text D:\WINDOWS\system32\lsass.exe[708] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FA0098
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F90025
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F90F86
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F90FD4
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F90FE5
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F90F97
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F90000
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F90FA8
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 19, 89 ]
.text D:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F90FB9
.text D:\WINDOWS\system32\lsass.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F7000A
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20000
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F20093
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20F9E
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20078
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F20051
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F20FB9
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F200D5
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F20F83
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F20101
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F20F72
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F2011C
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F20040
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F20FE5
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F200A4
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F20FCA
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F20011
.text D:\WINDOWS\system32\svchost.exe[868] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F200F0
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F10F9E
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F10F6B
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F10FC3
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F10FDE
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F10028
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F10FEF
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F10F7C
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 11, 89 ]
.text D:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F10F8D
.text D:\WINDOWS\system32\svchost.exe[868] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FEF
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0FE5
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0051
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0F5C
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0F6D
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0F8A
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0FAF
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0F13
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F24
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB0EDD
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB0EF8
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CB0091
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CB002C
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CB0000
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CB0F41
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CB0FCA
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CB001B
.text D:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CB0080
.text D:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CA0FCA
.text D:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CA0FA5
.text D:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CA0025
.text D:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CA000A
.text D:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CA0062
.text D:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CA0FEF
.text D:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CA0051
.text D:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CA0040
.text D:\WINDOWS\system32\svchost.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C80FE5
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02DA0FEF
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02DA0F63
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02DA0F7E
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02DA0F9B
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02DA0FAC
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02DA0047
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02DA0F3C
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02DA0084
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02DA0F10
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02DA00B3
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02DA0EFF
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02DA0058
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02DA000A
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02DA0073
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02DA002C
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02DA001B
.text D:\WINDOWS\System32\svchost.exe[976] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02DA0F2B
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02D1001B
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02D10051
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02D10000
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02D10FD4
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02D10F94
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02D10FEF
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02D10FAF
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ F1, 8A ]
.text D:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02D10036
.text D:\WINDOWS\System32\svchost.exe[976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02CF0FEF
.text D:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02D20000
.text D:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02D2001B
.text D:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02D20036
.text D:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02D20051
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0000
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C0FA3
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0098
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C007D
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C006C
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0FCA
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C00BA
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C00A9
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C00ED
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C00DC
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007C0F39
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007C005B
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007C001B
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007C0F7E
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 007C0FDB
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 007C0036
.text D:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007C00CB
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007B0022
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007B0F5B
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007B0FD1
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007B0011
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007B0F80
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007B0000
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007B0F91
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9B, 88 ]
.text D:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007B0FB6
.text D:\WINDOWS\System32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FE5
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0000
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0F66
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC005B
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0F77
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0036
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0FA5
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F44
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F55
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC0F0E
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0F1F
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DC00C2
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DC0F94
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DC0FDB
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DC0076
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DC0011
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DC0FCA
.text D:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DC00A7
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DA0FD4
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DA0054
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DA0025
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DA0FE5
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DA0F8D
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DA0000
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00DA0FA8
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ FA, 88 ]
.text D:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DA0FB9
.text D:\WINDOWS\System32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80FEF
.text D:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00DB0FEF
.text D:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00DB0FD4
.text D:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00DB0FC3
.text D:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00DB0014
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03010FE5
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [ E9 ]
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!VirtualProtectEx + 2 7C801A63 3 Bytes [ E5, 80, 86 ]
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03010054
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03010F86
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03010043
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03010FB2
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0301008A
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03010F4E
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 030100BD
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 030100AC
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03010F09
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03010F97
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03010FD4
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 03010F5F
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03010014
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 03010FC3
.text D:\WINDOWS\Explorer.EXE[1596] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0301009B
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02770FA5
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0277002F
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02770FCA
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02770000
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02770F68
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02770FEF
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02770F79
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 97, 8A ]
.text D:\WINDOWS\Explorer.EXE[1596] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02770F8A
.text D:\WINDOWS\Explorer.EXE[1596] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02780FEF
.text D:\WINDOWS\Explorer.EXE[1596] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02780FD4
.text D:\WINDOWS\Explorer.EXE[1596] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02780FB9
.text D:\WINDOWS\Explorer.EXE[1596] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02780FA8
.text D:\WINDOWS\Explorer.EXE[1596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02750000
.text d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1772] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F3F
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0034
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F50
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F61
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0F8D
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F11
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F2E
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA008F
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA006A
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BA00A0
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BA0F7C
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BA0FD4
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BA004F
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BA0F9E
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BA0FB9
.text D:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BA0EF6
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B90FAF
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B90036
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B90000
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B90FD4
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B90025
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B90FE5
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B90F79
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ D9, 88 ]
.text D:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B90F9E
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F7E
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B007D
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B006C
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FB9
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FD4
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00A4
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F5C
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00BF
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F26
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B0F15
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B005B
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B0014
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F6D
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0040
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0025
.text D:\WINDOWS\system32\wuauclt.exe[3828] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B0F41
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0FA8
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0039
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FB9
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0FD4
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0F7C
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0FEF
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002B0F97
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4B, 88 ]
.text D:\WINDOWS\system32\wuauclt.exe[3828] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B001E
.text D:\WINDOWS\system32\wuauclt.exe[3828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003E0000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B149AD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:59 PM

Posted 27 December 2008 - 11:25 AM

You forgot to post the new RSIT log.


I'm concerned that Spybot is working against us here. Malwarebytes tried to remove that registry value in the last step. The file prunnet.exe is no longer present on your computer so I don't see it restoring itself. It's possible that Spybot is actually trying to undo the removal step. I'll know when I see the new RSIT log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 srutherford024
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:United States, East Coast
  • Local time:11:59 PM

Posted 27 December 2008 - 04:20 PM

Sorry about that, Sam - I missed the last line there where you asked for the RSIT log, my bad. Here it is:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Scott Rutherford at 2008-12-27 16:15:01
Microsoft Windows XP Home Edition Service Pack 3
System drive D: has 96 GB (91%) free of 105 GB
Total RAM: 2047 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:28 PM, on 12/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Creative\Shared Files\CTAudSvc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\McAfee\SiteAdvisor\McSACore.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
D:\WINDOWS\BCMSMMSG.exe
D:\Program Files\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\WINDOWS\system32\rundll32.exe
D:\Documents and Settings\Scott Rutherford\Desktop\RSIT.exe
D:\Program Files\trend micro\Scott Rutherford.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: {47893aee-ee71-87eb-4344-5fec59079261} - {16297095-cef5-4434-be78-17eeeea39874} - D:\WINDOWS\system32\qtyrhj.dll
O2 - BHO: (no name) - {1E846A95-3E17-43C6-83B6-682FCB5D2A95} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {8187c523-8479-4151-b5e3-f2644a3ff492} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600 (Copy 1)] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P33 "EPSON Stylus Photo RX600 (Copy 1)" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [prunnet] "D:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: qtyrhj.dll,D:\WINDOWS\system32\vewalimu.dll
O20 - Winlogon Notify: qoMcBtqo - D:\WINDOWS\
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - D:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - D:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9123 bytes

======Scheduled tasks folder======

D:\WINDOWS\tasks\AppleSoftwareUpdate.job
D:\WINDOWS\tasks\McDefragTask.job
D:\WINDOWS\tasks\McQcTask.job
D:\WINDOWS\tasks\obsvlkll.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16297095-cef5-4434-be78-17eeeea39874}]
D:\WINDOWS\system32\qtyrhj.dll [2008-12-21 135680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E846A95-3E17-43C6-83B6-682FCB5D2A95}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - D:\Program Files\Java\jre6\bin\ssv.dll [2008-12-21 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8187c523-8479-4151-b5e3-f2644a3ff492}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-21 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-21 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]
{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - Winamp Toolbar - D:\Program Files\Winamp Toolbar\winamptb.dll [2008-07-16 1266992]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"=D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [2007-07-17 2094352]
"Launch LCDMon"=D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [2007-07-17 1687824]
"Kernel and Hardware Abstraction Layer"=D:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"NvCplDaemon"=D:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"UpdReg"=D:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"EPSON Stylus Photo RX600"=D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE [2003-09-09 99840]
"BCMSMMSG"=D:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"mcagent_exe"=D:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-03 582992]
"Adobe Reader Speed Launcher"=D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"CTHelper"=D:\WINDOWS\system32\CTHELPER.EXE [2008-02-20 19456]
"CTxfiHlp"=D:\WINDOWS\system32\CTXFIHLP.EXE [2008-07-11 19968]
"QuickTime Task"=D:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"NvMediaCenter"=D:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"NeroFilterCheck"=D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"EPSON Stylus Photo RX600 (Copy 1)"=D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE [2003-09-09 99840]
"WinampAgent"=D:\Program Files\Winamp\winampa.exe []
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2008-12-21 136600]
"prunnet"=D:\WINDOWS\system32\prunnet.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-10-09 139264]
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk - D:\Program Files\Logitech\SetPoint\SetPoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="qtyrhj.dll,D:\WINDOWS\system32\vewalimu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
d:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
D:\WINDOWS\system32\vewalimu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="D:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"D:\Program Files\Ventrilo\Ventrilo.exe"="D:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"D:\Program Files\Winamp Remote\bin\Orb.exe"="D:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"D:\Program Files\Winamp Remote\bin\OrbTray.exe"="D:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"D:\WINDOWS\system32\logonui.exe"="D:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"D:\WINDOWS\system32\winlogon.exe"="D:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-26 18:03:44 ----A---- D:\WINDOWS\gmer.ini
2008-12-26 18:03:43 ----A---- D:\WINDOWS\gmer_uninstall.cmd
2008-12-26 18:03:42 ----A---- D:\WINDOWS\gmer.exe
2008-12-26 18:03:42 ----A---- D:\WINDOWS\gmer.dll
2008-12-24 14:26:42 ----D---- D:\WINDOWS\ERUNT
2008-12-24 14:25:03 ----A---- D:\WINDOWS\ntbtlog.txt
2008-12-24 14:16:09 ----D---- D:\SDFix
2008-12-22 16:53:29 ----D---- D:\rsit
2008-12-22 16:53:29 ----D---- D:\Program Files\trend micro
2008-12-21 19:55:37 ----D---- D:\WINDOWS\Sun
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\javaws.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\javaw.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\java.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\deploytk.dll
2008-12-21 19:51:55 ----D---- D:\Program Files\Java
2008-12-21 19:51:18 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Sun
2008-12-21 19:10:13 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Malwarebytes
2008-12-21 19:10:00 ----D---- D:\Program Files\Malwarebytes' Anti-Malware
2008-12-21 19:10:00 ----D---- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-21 16:15:51 ----D---- D:\Program Files\Spybot - Search & Destroy
2008-12-21 16:15:51 ----D---- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 16:03:07 ----A---- D:\WINDOWS\system32\qtyrhj.dll
2008-12-21 16:03:04 ----A---- D:\WINDOWS\system32\pjdfamqp.dll
2008-12-21 15:55:35 ----N---- D:\WINDOWS\system32\qoakuwjg.dll
2008-12-21 15:53:07 ----A---- D:\WINDOWS\system32\1fafabb3-.txt
2008-12-10 03:01:11 ----HDC---- D:\WINDOWS\$NtUninstallKB955839$
2008-12-10 03:00:42 ----HDC---- D:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 03:00:37 ----HDC---- D:\WINDOWS\$NtUninstallKB954600$
2008-12-10 03:00:31 ----HDC---- D:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 1 months======

2008-12-27 16:15:07 ----D---- D:\WINDOWS\Temp
2008-12-27 09:51:17 ----D---- D:\WINDOWS\Prefetch
2008-12-26 18:06:51 ----D---- D:\WINDOWS
2008-12-26 18:06:07 ----A---- D:\WINDOWS\SchedLgU.Txt
2008-12-26 18:03:43 ----D---- D:\WINDOWS\system32\drivers
2008-12-22 16:53:29 ----RD---- D:\Program Files
2008-12-21 19:52:12 ----SHD---- D:\WINDOWS\Installer
2008-12-21 19:52:09 ----D---- D:\WINDOWS\system32
2008-12-21 16:57:39 ----HD---- D:\WINDOWS\inf
2008-12-21 16:57:37 ----D---- D:\WINDOWS\system32\CatRoot2
2008-12-21 15:47:24 ----SD---- D:\WINDOWS\Tasks
2008-12-21 10:10:05 ----RSD---- D:\WINDOWS\assembly
2008-12-21 10:10:05 ----D---- D:\WINDOWS\Microsoft.NET
2008-12-21 10:08:37 ----D---- D:\Program Files\McAfee
2008-12-18 07:52:47 ----RSHDC---- D:\WINDOWS\system32\dllcache
2008-12-18 07:52:23 ----HD---- D:\WINDOWS\$hf_mig$
2008-12-13 01:40:02 ----A---- D:\WINDOWS\system32\mshtml.dll
2008-12-10 03:01:14 ----A---- D:\WINDOWS\imsins.BAK
2008-12-10 03:00:59 ----D---- D:\Program Files\Internet Explorer
2008-12-04 17:04:01 ----A---- D:\WINDOWS\NeroDigital.ini
2008-12-03 20:45:04 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Ahead

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 gmer;gmer; D:\WINDOWS\System32\DRIVERS\gmer.sys [2008-12-26 85969]
R1 intelppm;Intel Processor Driver; D:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; D:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; D:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; D:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 OMCI;OMCI; D:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R3 BCMModem;BCM V.92 56K Modem; D:\WINDOWS\system32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CT20XUT.DLL;CT20XUT.DLL; D:\WINDOWS\system32\CT20XUT.DLL [2008-07-15 170520]
R3 ctac32k;Creative AC3 Software Decoder; D:\WINDOWS\system32\drivers\ctac32k.sys [2008-07-15 511000]
R3 ctaud2k;Creative Audio Driver (WDM); D:\WINDOWS\system32\drivers\ctaud2k.sys [2008-07-15 527384]
R3 CTEXFIFX.DLL;CTEXFIFX.DLL; D:\WINDOWS\system32\CTEXFIFX.DLL [2008-07-15 1323544]
R3 CTHWIUT.DLL;CTHWIUT.DLL; D:\WINDOWS\system32\CTHWIUT.DLL [2008-07-15 72728]
R3 ctprxy2k;Creative Proxy Driver; D:\WINDOWS\system32\drivers\ctprxy2k.sys [2008-07-15 14360]
R3 ctsfm2k;Creative SoundFont Management Device Driver; D:\WINDOWS\system32\drivers\ctsfm2k.sys [2008-07-15 157208]
R3 E100B;Intel® PRO Network Connection Driver; D:\WINDOWS\System32\DRIVERS\e100b325.sys [2007-11-16 165496]
R3 emupia;E-mu Plug-in Architecture Driver; D:\WINDOWS\system32\drivers\emupia2k.sys [2008-07-15 92696]
R3 ha20x2k;Creative 20X HAL Driver; D:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]
R3 HidBatt;HID UPS Battery Driver; D:\WINDOWS\System32\DRIVERS\HidBatt.sys [2008-04-13 20352]
R3 hidusb;Microsoft HID Class Driver; D:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; D:\WINDOWS\System32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; D:\WINDOWS\System32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 mfeavfk;McAfee Inc. mfeavfk; D:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; D:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk; D:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 mouhid;Mouse HID Driver; D:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; D:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 ossrv;Creative OS Services Driver; D:\WINDOWS\system32\drivers\ctoss2k.sys [2008-07-15 127000]
R3 usbccgp;Microsoft USB Generic Parent Driver; D:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; D:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; D:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; D:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; D:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; D:\WINDOWS\System32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 COMMONFX.DLL;COMMONFX.DLL; D:\WINDOWS\system32\COMMONFX.DLL [2008-02-25 98328]
S3 CTAUDFX.DLL;CTAUDFX.DLL; D:\WINDOWS\system32\CTAUDFX.DLL [2008-02-25 551960]
S3 ctdvda2k;Creative DVD-Audio Device Driver; D:\WINDOWS\system32\drivers\ctdvda2k.sys [2008-07-15 347080]
S3 CTEAPSFX.DLL;CTEAPSFX.DLL; D:\WINDOWS\system32\CTEAPSFX.DLL [2008-02-25 174104]
S3 CTEDSPFX.DLL;CTEDSPFX.DLL; D:\WINDOWS\system32\CTEDSPFX.DLL [2008-02-25 286232]
S3 CTEDSPIO.DLL;CTEDSPIO.DLL; D:\WINDOWS\system32\CTEDSPIO.DLL [2008-02-25 134680]
S3 CTEDSPSY.DLL;CTEDSPSY.DLL; D:\WINDOWS\system32\CTEDSPSY.DLL [2008-02-25 329240]
S3 CTERFXFX.DLL;CTERFXFX.DLL; D:\WINDOWS\system32\CTERFXFX.DLL [2008-02-25 100888]
S3 CTSBLFX.DLL;CTSBLFX.DLL; D:\WINDOWS\system32\CTSBLFX.DLL [2008-02-25 566296]
S3 mferkdk;McAfee Inc. mferkdk; D:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 MODEMCSA;Unimodem Streaming Filter Device; D:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 usbprint;Microsoft USB PRINTER Class; D:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; D:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; D:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; D:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; D:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CTAudSvcService;Creative Audio Service; D:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-04-30 417792]
R2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; D:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-12-05 206096]
R2 mcmscsvc;McAfee Services; D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 NVSvc;NVIDIA Display Driver Service; D:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R3 McSysmon;McAfee SystemGuards; D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
R3 MpfService;McAfee Personal Firewall Service; D:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
S3 aspnet_state;ASP.NET State Service; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-09-13 79360]
S3 LBTServ;Logitech Bluetooth Service; D:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 McODS;McAfee Scanner; D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 NBService;NBService; D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-10-09 724992]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; D:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; D:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

#10 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 December 2008 - 05:34 AM

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    D:\WINDOWS\tasks\obsvlkll.job
    D:\WINDOWS\system32\qtyrhj.dll
    D:\WINDOWS\system32\pjdfamqp.dll
    D:\WINDOWS\system32\qoakuwjg.dll
    D:\WINDOWS\system32\1fafabb3-.txt
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16297095-cef5-4434-be78-17eeeea39874}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E846A95-3E17-43C6-83B6-682FCB5D2A95}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8187c523-8479-4151-b5e3-f2644a3ff492}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "prunnet"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):"msv1_0"
    
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Also post a new RSIT log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
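The fix above deletes a small set of persistence points rather than just files: BHO CLSIDs with no backing DLL (O2), Run entries (O4) and a Winlogon Notify handler whose DLL is already gone (O20). The script below, an added example that is not part of this thread nor code from OTMoveIt3, RSIT or HijackThis, parses HijackThis-style log lines and flags those same patterns so the entries the fix targets can be picked out of a log automatically; the sample lines are copied from the logs in this thread and mixed with benign entries, and the pattern checks are heuristics chosen for this example.

```python
"""Flag the HijackThis-style log entries that the OTMoveIt3 fix in this
thread removes: BHOs with no name or no backing file (O2), Run entries in
service-account hives or rundll32 loading a DLL through a one-letter export
(O4), and Winlogon Notify handlers with no DLL path (O20).

Added example for this thread; not code from OTMoveIt3, RSIT or HijackThis.
The checks are heuristics chosen for this example, not any tool's rules."""
import re
from dataclasses import dataclass
from typing import List, Optional

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# rundll32 launching a DLL through a single-character export, e.g. "...\x.dll",s
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<entry>\w)\b', re.IGNORECASE)
SERVICE_HIVE_RE = re.compile(r"\\S-1-5-(?:19|20)\b")  # LOCAL SERVICE / NETWORK SERVICE hives


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section: O2, O4 or O20
    name: str     # entry name, or the CLSID for a BHO
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when the line looks benign."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        # Vundo BHOs show up unnamed and, after partial cleaning, with no file behind the CLSID.
        if m["name"] == "(no name)" or "(no file)" in m["path"] or "(file missing)" in m["path"]:
            return Finding("O2", m["clsid"], "BHO with no display name or no backing file")
        return None
    m = O4_RE.match(line)
    if m:
        reasons = []
        # Autoruns for LOCAL SERVICE / NETWORK SERVICE are unusual for legitimate software.
        if SERVICE_HIVE_RE.search(m["hive"]):
            reasons.append("Run entry in a service-account hive (LOCAL SERVICE / NETWORK SERVICE)")
        r = RUNDLL_RE.search(m["cmd"])
        if r:
            reasons.append(f"rundll32 loads {r['dll']} through one-letter export {r['entry']!r}")
        return Finding("O4", m["name"], "; ".join(reasons)) if reasons else None
    m = O20_RE.match(line)
    if m and not m["path"].lower().endswith(".dll"):
        # A Notify handler must name a DLL; a bare directory means the file is gone
        # while the registry key survives (which is what the :reg part of the fix deletes).
        return Finding("O20", m["name"], "Winlogon Notify handler without a DLL path")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


# Constructed sample: entries copied from the logs in this thread, mixed with benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {16297095-cef5-4434-be78-17eeeea39874} - D:\WINDOWS\system32\qtyrhj.dll (file missing)
O2 - BHO: (no name) - {1E846A95-3E17-43C6-83B6-682FCB5D2A95} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'LOCAL SERVICE')
O20 - Winlogon Notify: qoMcBtqo - D:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.section:<4}{hit.name:<42}{hit.reason}")
```

The script only reads a log; whether a flagged file still exists on disk (the `[]` after prunnet.exe in the RSIT registry dump) has to be checked on the live system.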


========================================================

#11 srutherford024

  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:United States, East Coast

Posted 28 December 2008 - 10:10 AM

Sam, when OTMoveIt3 finished its initial clean, but before it asked for a reboot, McAfee gave me a message saying it had blocked/removed "Vundo (Trojan)". A split second later, Spybot S&D gave a second message "Denied value "prunnet" (new data: "") deleted in system startup global entry". I love how McAfee tries to take credit for your hard work here lol. I am so getting another security suite when this is over.
Here is the OTMoveIt3 log, with the new RSIT log below:

========== FILES ==========
D:\WINDOWS\tasks\obsvlkll.job moved successfully.
DllUnregisterServer procedure not found in D:\WINDOWS\system32\qtyrhj.dll
D:\WINDOWS\system32\qtyrhj.dll NOT unregistered.
D:\WINDOWS\system32\qtyrhj.dll moved successfully.
DllUnregisterServer procedure not found in D:\WINDOWS\system32\pjdfamqp.dll
D:\WINDOWS\system32\pjdfamqp.dll NOT unregistered.
D:\WINDOWS\system32\pjdfamqp.dll moved successfully.
LoadLibrary failed for D:\WINDOWS\system32\qoakuwjg.dll
D:\WINDOWS\system32\qoakuwjg.dll NOT unregistered.
File move failed. D:\WINDOWS\system32\qoakuwjg.dll scheduled to be moved on reboot.
D:\WINDOWS\system32\1fafabb3-.txt moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16297095-cef5-4434-be78-17eeeea39874}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E846A95-3E17-43C6-83B6-682FCB5D2A95}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8187c523-8479-4151-b5e3-f2644a3ff492}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\prunnet deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLS deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo\\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):"msv1_0" /E : value set successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. D:\WINDOWS\temp\mcmsc_HTzaN4XdbJFDPuH scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\mcmsc_oaW0bKVIDMbrAg8 scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\mcmsc_StZBkZKT2L0A3EA scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\Perflib_Perfdata_628.dat scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\sqlite_A7cXigWz9og0rM5 scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\sqlite_bGE2IsqntttLuh7 scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\sqlite_HzFf1EwtkAcvUz6 scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\WFVFB.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12282008_094751

Files moved on Reboot...
File D:\WINDOWS\system32\qoakuwjg.dll not found!
File move failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File D:\WINDOWS\temp\mcmsc_HTzaN4XdbJFDPuH not found!
File D:\WINDOWS\temp\mcmsc_oaW0bKVIDMbrAg8 not found!
File D:\WINDOWS\temp\mcmsc_StZBkZKT2L0A3EA not found!
File D:\WINDOWS\temp\Perflib_Perfdata_628.dat not found!
D:\WINDOWS\temp\sqlite_A7cXigWz9og0rM5 moved successfully.
D:\WINDOWS\temp\sqlite_bGE2IsqntttLuh7 moved successfully.
D:\WINDOWS\temp\sqlite_HzFf1EwtkAcvUz6 moved successfully.
File D:\WINDOWS\temp\WFVFB.tmp not found!



Logfile of random's system information tool 1.05 (written by random/random)
Run by Scott Rutherford at 2008-12-28 09:55:25
Microsoft Windows XP Home Edition Service Pack 3
System drive D: has 96 GB (91%) free of 105 GB
Total RAM: 2047 MB (77% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:53 AM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Creative\Shared Files\CTAudSvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\McAfee\SiteAdvisor\McSACore.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\notepad.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
D:\WINDOWS\BCMSMMSG.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\Documents and Settings\Scott Rutherford\Desktop\RSIT.exe
D:\Program Files\trend micro\Scott Rutherford.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {16297095-cef5-4434-be78-17eeeea39874} - D:\WINDOWS\system32\qtyrhj.dll (file missing)
O2 - BHO: (no name) - {1E846A95-3E17-43C6-83B6-682FCB5D2A95} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {8187c523-8479-4151-b5e3-f2644a3ff492} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600 (Copy 1)] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P33 "EPSON Stylus Photo RX600 (Copy 1)" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [prunnet] "D:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: qoMcBtqo - D:\WINDOWS\
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - D:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - D:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9062 bytes

======Scheduled tasks folder======

D:\WINDOWS\tasks\AppleSoftwareUpdate.job
D:\WINDOWS\tasks\McDefragTask.job
D:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16297095-cef5-4434-be78-17eeeea39874}]
D:\WINDOWS\system32\qtyrhj.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E846A95-3E17-43C6-83B6-682FCB5D2A95}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - D:\Program Files\Java\jre6\bin\ssv.dll [2008-12-21 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8187c523-8479-4151-b5e3-f2644a3ff492}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-21 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-21 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]
{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - Winamp Toolbar - D:\Program Files\Winamp Toolbar\winamptb.dll [2008-07-16 1266992]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"=D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [2007-07-17 2094352]
"Launch LCDMon"=D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [2007-07-17 1687824]
"Kernel and Hardware Abstraction Layer"=D:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"NvCplDaemon"=D:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"UpdReg"=D:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"EPSON Stylus Photo RX600"=D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE [2003-09-09 99840]
"BCMSMMSG"=D:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"mcagent_exe"=D:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-03 582992]
"Adobe Reader Speed Launcher"=D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"CTHelper"=D:\WINDOWS\system32\CTHELPER.EXE [2008-02-20 19456]
"CTxfiHlp"=D:\WINDOWS\system32\CTXFIHLP.EXE [2008-07-11 19968]
"QuickTime Task"=D:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"NvMediaCenter"=D:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"NeroFilterCheck"=D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"EPSON Stylus Photo RX600 (Copy 1)"=D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE [2003-09-09 99840]
"WinampAgent"=D:\Program Files\Winamp\winampa.exe []
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2008-12-21 136600]
"prunnet"=D:\WINDOWS\system32\prunnet.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-10-09 139264]
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk - D:\Program Files\Logitech\SetPoint\SetPoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
d:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
D:\WINDOWS\system32\vewalimu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="D:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"D:\Program Files\Ventrilo\Ventrilo.exe"="D:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"D:\Program Files\Winamp Remote\bin\Orb.exe"="D:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"D:\Program Files\Winamp Remote\bin\OrbTray.exe"="D:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"D:\WINDOWS\system32\logonui.exe"="D:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"D:\WINDOWS\system32\winlogon.exe"="D:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-28 09:47:51 ----D---- D:\_OTMoveIt
2008-12-26 18:03:44 ----A---- D:\WINDOWS\gmer.ini
2008-12-26 18:03:43 ----A---- D:\WINDOWS\gmer_uninstall.cmd
2008-12-26 18:03:42 ----A---- D:\WINDOWS\gmer.exe
2008-12-26 18:03:42 ----A---- D:\WINDOWS\gmer.dll
2008-12-24 14:26:42 ----D---- D:\WINDOWS\ERUNT
2008-12-24 14:25:03 ----A---- D:\WINDOWS\ntbtlog.txt
2008-12-24 14:16:09 ----D---- D:\SDFix
2008-12-22 16:53:29 ----D---- D:\rsit
2008-12-22 16:53:29 ----D---- D:\Program Files\trend micro
2008-12-21 19:55:37 ----D---- D:\WINDOWS\Sun
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\javaws.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\javaw.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\java.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\deploytk.dll
2008-12-21 19:51:55 ----D---- D:\Program Files\Java
2008-12-21 19:51:18 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Sun
2008-12-21 19:10:13 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Malwarebytes
2008-12-21 19:10:00 ----D---- D:\Program Files\Malwarebytes' Anti-Malware
2008-12-21 19:10:00 ----D---- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-21 16:15:51 ----D---- D:\Program Files\Spybot - Search & Destroy
2008-12-21 16:15:51 ----D---- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-10 03:01:11 ----HDC---- D:\WINDOWS\$NtUninstallKB955839$
2008-12-10 03:00:42 ----HDC---- D:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 03:00:37 ----HDC---- D:\WINDOWS\$NtUninstallKB954600$
2008-12-10 03:00:31 ----HDC---- D:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 1 months======

2008-12-28 09:55:31 ----D---- D:\WINDOWS\Temp
2008-12-28 09:54:37 ----D---- D:\WINDOWS\Prefetch
2008-12-28 09:51:56 ----A---- D:\WINDOWS\SchedLgU.Txt
2008-12-28 09:48:00 ----D---- D:\WINDOWS\system32
2008-12-28 09:47:51 ----SD---- D:\WINDOWS\Tasks
2008-12-26 18:06:51 ----D---- D:\WINDOWS
2008-12-26 18:03:43 ----D---- D:\WINDOWS\system32\drivers
2008-12-22 16:53:29 ----RD---- D:\Program Files
2008-12-21 19:52:12 ----SHD---- D:\WINDOWS\Installer
2008-12-21 16:57:39 ----HD---- D:\WINDOWS\inf
2008-12-21 16:57:37 ----D---- D:\WINDOWS\system32\CatRoot2
2008-12-21 10:10:05 ----RSD---- D:\WINDOWS\assembly
2008-12-21 10:10:05 ----D---- D:\WINDOWS\Microsoft.NET
2008-12-21 10:08:37 ----D---- D:\Program Files\McAfee
2008-12-18 07:52:47 ----RSHDC---- D:\WINDOWS\system32\dllcache
2008-12-18 07:52:23 ----HD---- D:\WINDOWS\$hf_mig$
2008-12-13 01:40:02 ----A---- D:\WINDOWS\system32\mshtml.dll
2008-12-10 03:01:14 ----A---- D:\WINDOWS\imsins.BAK
2008-12-10 03:00:59 ----D---- D:\Program Files\Internet Explorer
2008-12-04 17:04:01 ----A---- D:\WINDOWS\NeroDigital.ini
2008-12-03 20:45:04 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Ahead

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 gmer;gmer; D:\WINDOWS\System32\DRIVERS\gmer.sys [2008-12-26 85969]
R1 intelppm;Intel Processor Driver; D:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; D:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; D:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; D:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 OMCI;OMCI; D:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R3 BCMModem;BCM V.92 56K Modem; D:\WINDOWS\system32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CT20XUT.DLL;CT20XUT.DLL; D:\WINDOWS\system32\CT20XUT.DLL [2008-07-15 170520]
R3 ctac32k;Creative AC3 Software Decoder; D:\WINDOWS\system32\drivers\ctac32k.sys [2008-07-15 511000]
R3 ctaud2k;Creative Audio Driver (WDM); D:\WINDOWS\system32\drivers\ctaud2k.sys [2008-07-15 527384]
R3 CTEXFIFX.DLL;CTEXFIFX.DLL; D:\WINDOWS\system32\CTEXFIFX.DLL [2008-07-15 1323544]
R3 CTHWIUT.DLL;CTHWIUT.DLL; D:\WINDOWS\system32\CTHWIUT.DLL [2008-07-15 72728]
R3 ctprxy2k;Creative Proxy Driver; D:\WINDOWS\system32\drivers\ctprxy2k.sys [2008-07-15 14360]
R3 ctsfm2k;Creative SoundFont Management Device Driver; D:\WINDOWS\system32\drivers\ctsfm2k.sys [2008-07-15 157208]
R3 E100B;Intel® PRO Network Connection Driver; D:\WINDOWS\System32\DRIVERS\e100b325.sys [2007-11-16 165496]
R3 emupia;E-mu Plug-in Architecture Driver; D:\WINDOWS\system32\drivers\emupia2k.sys [2008-07-15 92696]
R3 ha20x2k;Creative 20X HAL Driver; D:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]
R3 HidBatt;HID UPS Battery Driver; D:\WINDOWS\System32\DRIVERS\HidBatt.sys [2008-04-13 20352]
R3 hidusb;Microsoft HID Class Driver; D:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; D:\WINDOWS\System32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; D:\WINDOWS\System32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 mfeavfk;McAfee Inc. mfeavfk; D:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; D:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk; D:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 mouhid;Mouse HID Driver; D:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; D:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 ossrv;Creative OS Services Driver; D:\WINDOWS\system32\drivers\ctoss2k.sys [2008-07-15 127000]
R3 usbccgp;Microsoft USB Generic Parent Driver; D:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; D:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; D:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; D:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; D:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; D:\WINDOWS\System32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 COMMONFX.DLL;COMMONFX.DLL; D:\WINDOWS\system32\COMMONFX.DLL [2008-02-25 98328]
S3 CTAUDFX.DLL;CTAUDFX.DLL; D:\WINDOWS\system32\CTAUDFX.DLL [2008-02-25 551960]
S3 ctdvda2k;Creative DVD-Audio Device Driver; D:\WINDOWS\system32\drivers\ctdvda2k.sys [2008-07-15 347080]
S3 CTEAPSFX.DLL;CTEAPSFX.DLL; D:\WINDOWS\system32\CTEAPSFX.DLL [2008-02-25 174104]
S3 CTEDSPFX.DLL;CTEDSPFX.DLL; D:\WINDOWS\system32\CTEDSPFX.DLL [2008-02-25 286232]
S3 CTEDSPIO.DLL;CTEDSPIO.DLL; D:\WINDOWS\system32\CTEDSPIO.DLL [2008-02-25 134680]
S3 CTEDSPSY.DLL;CTEDSPSY.DLL; D:\WINDOWS\system32\CTEDSPSY.DLL [2008-02-25 329240]
S3 CTERFXFX.DLL;CTERFXFX.DLL; D:\WINDOWS\system32\CTERFXFX.DLL [2008-02-25 100888]
S3 CTSBLFX.DLL;CTSBLFX.DLL; D:\WINDOWS\system32\CTSBLFX.DLL [2008-02-25 566296]
S3 mferkdk;McAfee Inc. mferkdk; D:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 MODEMCSA;Unimodem Streaming Filter Device; D:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 usbprint;Microsoft USB PRINTER Class; D:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; D:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; D:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; D:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; D:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CTAudSvcService;Creative Audio Service; D:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-04-30 417792]
R2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; D:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-12-05 206096]
R2 mcmscsvc;McAfee Services; D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 NVSvc;NVIDIA Display Driver Service; D:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R3 McSysmon;McAfee SystemGuards; D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
R3 MpfService;McAfee Personal Firewall Service; D:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
S3 aspnet_state;ASP.NET State Service; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-09-13 79360]
S3 LBTServ;Logitech Bluetooth Service; D:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 McODS;McAfee Scanner; D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 NBService;NBService; D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-10-09 724992]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; D:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; D:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

#12 Buckeye_Sam
Malware Expert

Posted 28 December 2008 - 10:41 AM

Spybot is causing us trouble here.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.



Copy the text below into OTMoveIt3 and click MoveIt just like you did before.

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16297095-cef5-4434-be78-17eeeea39874}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E846A95-3E17-43C6-83B6-682FCB5D2A95}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8187c523-8479-4151-b5e3-f2644a3ff492}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):"msv1_0"


:Commands
[EmptyTemp]
[Reboot]


After rebooting, please post a new log from RSIT.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
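
As an added example (not code from this thread, OTMoveIt3 or RSIT), the following Python script parses the ":reg" section of the fix above and then checks a HijackThis/RSIT log for the targets it was meant to remove, which is the check a helper does by eye when the next log comes back. It assumes the script grammar as it appears in the post ("[-key]" deletes a key, a bare "name"=- under a "[key]" header deletes a value, anything else under a header sets a value); the "does the key's last path component still appear in the log" test is a heuristic, and the BEFORE_LOG and AFTER_LOG lines are constructed samples modelled on the logs in this thread, not taken from a real machine.

```python
"""Parse an OTMoveIt3-style ':reg' script and report which of its delete
targets still appear in a later HijackThis/RSIT log.

Added example for this thread; not OTMoveIt3's or RSIT's own code.
Assumptions: script grammar inferred from the posted fix; the
"last path component still in the log" check is a heuristic; the
BEFORE_LOG / AFTER_LOG samples are constructed."""
import re
from dataclasses import dataclass

# The fix as posted in the thread (quoted, not constructed).
OTMOVEIT_SCRIPT = r"""
:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16297095-cef5-4434-be78-17eeeea39874}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E846A95-3E17-43C6-83B6-682FCB5D2A95}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8187c523-8479-4151-b5e3-f2644a3ff492}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):"msv1_0"

:Commands
[EmptyTemp]
[Reboot]
"""

KEY_DELETE = re.compile(r'^\[-(?P<key>.+)\]$')      # [-HKEY...]  -> delete key
KEY_OPEN = re.compile(r'^\[(?P<key>[^-].*)\]$')     # [HKEY...]   -> following values apply here
VALUE_DELETE = re.compile(r'^"(?P<name>[^"]+)"=-$')  # "name"=-    -> delete value
VALUE_SET = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')  # "name"=data -> set value


@dataclass(frozen=True)
class RegAction:
    kind: str            # 'delete_key', 'delete_value' or 'set_value'
    key: str
    name: str = ''
    data: str = ''


def parse_reg_script(text):
    """Return the RegActions in the ':reg' section, in script order."""
    actions, current_key, in_reg = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(':'):              # section header (:reg, :Commands, ...)
            in_reg = line.lower() == ':reg'
            continue
        if not in_reg:
            continue
        m = KEY_DELETE.match(line)
        if m:
            actions.append(RegAction('delete_key', m.group('key')))
            current_key = None
            continue
        m = KEY_OPEN.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = VALUE_DELETE.match(line)          # must be tried before VALUE_SET
        if m and current_key:
            actions.append(RegAction('delete_value', current_key, m.group('name')))
            continue
        m = VALUE_SET.match(line)
        if m and current_key:
            actions.append(RegAction('set_value', current_key, m.group('name'), m.group('data')))
    return actions


def target_token(action):
    """The name whose absence from a later log shows the delete took effect."""
    if action.kind == 'delete_key':
        return action.key.rsplit('\\', 1)[-1]   # e.g. the BHO CLSID or Notify subkey
    if action.kind == 'delete_value':
        return action.name
    return None                                  # set_value has no 'gone' signal


def leftover_targets(actions, log_text):
    """Delete actions whose target string still appears (case-insensitively) in log_text."""
    low = log_text.lower()
    return [a for a in actions if target_token(a) and target_token(a).lower() in low]


# Constructed sample of what a log might show before the fix (placeholder file names).
BEFORE_LOG = r"""
O2 - BHO: (no name) - {16297095-cef5-4434-be78-17eeeea39874} - D:\WINDOWS\system32\CONSTRUCTED_BHO.dll
O4 - HKLM\..\Run: [prunnet] D:\WINDOWS\system32\CONSTRUCTED.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo]
"""

# Constructed sample modelled on the post-fix log in the thread.
AFTER_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
"""

if __name__ == '__main__':
    acts = parse_reg_script(OTMOVEIT_SCRIPT)
    print('still present before fix:', [target_token(a) for a in leftover_targets(acts, BEFORE_LOG)])
    print('still present after fix :', [target_token(a) for a in leftover_targets(acts, AFTER_LOG)])
```

Run against the constructed BEFORE_LOG it reports the BHO CLSID, the prunnet Run value and the qoMcBtqo Notify key as still present; against the AFTER_LOG it reports nothing, which is the same conclusion the helper draws from the RSIT log in the next post. The "Authentication Packages" line is a set rather than a delete, so it is parsed but not checked for absence.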


========================================================

#13 srutherford024
Topic Starter

Posted 28 December 2008 - 04:08 PM

I've disabled Spybot S&D resident protection as instructed and run OTMoveIt again as well. The new RSIT log is pasted here first; after that I pasted in the log from OTMoveIt, just in case you needed that one too.
Logs as follows:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Scott Rutherford at 2008-12-28 16:01:16
Microsoft Windows XP Home Edition Service Pack 3
System drive D: has 96 GB (91%) free of 105 GB
Total RAM: 2047 MB (80% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:27 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Creative\Shared Files\CTAudSvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\McAfee\SiteAdvisor\McSACore.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\notepad.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
D:\WINDOWS\BCMSMMSG.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Scott Rutherford\Desktop\RSIT.exe
D:\Program Files\trend micro\Scott Rutherford.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600 (Copy 1)] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P33 "EPSON Stylus Photo RX600 (Copy 1)" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nuloharosa] Rundll32.exe "D:\WINDOWS\system32\vewalimu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - D:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - D:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8386 bytes

======Scheduled tasks folder======

D:\WINDOWS\tasks\AppleSoftwareUpdate.job
D:\WINDOWS\tasks\McDefragTask.job
D:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - D:\Program Files\Java\jre6\bin\ssv.dll [2008-12-21 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-21 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-21 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - d:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]
{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - Winamp Toolbar - D:\Program Files\Winamp Toolbar\winamptb.dll [2008-07-16 1266992]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"=D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [2007-07-17 2094352]
"Launch LCDMon"=D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [2007-07-17 1687824]
"Kernel and Hardware Abstraction Layer"=D:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"NvCplDaemon"=D:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"UpdReg"=D:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"EPSON Stylus Photo RX600"=D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE [2003-09-09 99840]
"BCMSMMSG"=D:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"mcagent_exe"=D:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-03 582992]
"Adobe Reader Speed Launcher"=D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"CTHelper"=D:\WINDOWS\system32\CTHELPER.EXE [2008-02-20 19456]
"CTxfiHlp"=D:\WINDOWS\system32\CTXFIHLP.EXE [2008-07-11 19968]
"QuickTime Task"=D:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"NvMediaCenter"=D:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"NeroFilterCheck"=D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"EPSON Stylus Photo RX600 (Copy 1)"=D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE [2003-09-09 99840]
"WinampAgent"=D:\Program Files\Winamp\winampa.exe []
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2008-12-21 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-10-09 139264]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk - D:\Program Files\Logitech\SetPoint\SetPoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
d:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
D:\WINDOWS\system32\vewalimu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="D:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"D:\Program Files\Ventrilo\Ventrilo.exe"="D:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"D:\Program Files\Winamp Remote\bin\Orb.exe"="D:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"D:\Program Files\Winamp Remote\bin\OrbTray.exe"="D:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"D:\WINDOWS\system32\logonui.exe"="D:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"D:\WINDOWS\system32\winlogon.exe"="D:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-28 09:47:51 ----D---- D:\_OTMoveIt
2008-12-26 18:03:44 ----A---- D:\WINDOWS\gmer.ini
2008-12-26 18:03:43 ----A---- D:\WINDOWS\gmer_uninstall.cmd
2008-12-26 18:03:42 ----A---- D:\WINDOWS\gmer.exe
2008-12-26 18:03:42 ----A---- D:\WINDOWS\gmer.dll
2008-12-24 14:26:42 ----D---- D:\WINDOWS\ERUNT
2008-12-24 14:25:03 ----A---- D:\WINDOWS\ntbtlog.txt
2008-12-24 14:16:09 ----D---- D:\SDFix
2008-12-22 16:53:29 ----D---- D:\rsit
2008-12-22 16:53:29 ----D---- D:\Program Files\trend micro
2008-12-21 19:55:37 ----D---- D:\WINDOWS\Sun
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\javaws.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\javaw.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\java.exe
2008-12-21 19:52:09 ----A---- D:\WINDOWS\system32\deploytk.dll
2008-12-21 19:51:55 ----D---- D:\Program Files\Java
2008-12-21 19:51:18 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Sun
2008-12-21 19:10:13 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Malwarebytes
2008-12-21 19:10:00 ----D---- D:\Program Files\Malwarebytes' Anti-Malware
2008-12-21 19:10:00 ----D---- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-21 16:15:51 ----D---- D:\Program Files\Spybot - Search & Destroy
2008-12-21 16:15:51 ----D---- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-10 03:01:11 ----HDC---- D:\WINDOWS\$NtUninstallKB955839$
2008-12-10 03:00:42 ----HDC---- D:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 03:00:37 ----HDC---- D:\WINDOWS\$NtUninstallKB954600$
2008-12-10 03:00:31 ----HDC---- D:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 1 months======

2008-12-28 16:01:21 ----D---- D:\WINDOWS\Prefetch
2008-12-28 16:00:38 ----D---- D:\WINDOWS\Temp
2008-12-28 15:58:44 ----A---- D:\WINDOWS\SchedLgU.Txt
2008-12-28 09:48:00 ----D---- D:\WINDOWS\system32
2008-12-28 09:47:51 ----SD---- D:\WINDOWS\Tasks
2008-12-26 18:06:51 ----D---- D:\WINDOWS
2008-12-26 18:03:43 ----D---- D:\WINDOWS\system32\drivers
2008-12-22 16:53:29 ----RD---- D:\Program Files
2008-12-21 19:52:12 ----SHD---- D:\WINDOWS\Installer
2008-12-21 16:57:39 ----HD---- D:\WINDOWS\inf
2008-12-21 16:57:37 ----D---- D:\WINDOWS\system32\CatRoot2
2008-12-21 10:10:05 ----RSD---- D:\WINDOWS\assembly
2008-12-21 10:10:05 ----D---- D:\WINDOWS\Microsoft.NET
2008-12-21 10:08:37 ----D---- D:\Program Files\McAfee
2008-12-18 07:52:47 ----RSHDC---- D:\WINDOWS\system32\dllcache
2008-12-18 07:52:23 ----HD---- D:\WINDOWS\$hf_mig$
2008-12-13 01:40:02 ----A---- D:\WINDOWS\system32\mshtml.dll
2008-12-10 03:01:14 ----A---- D:\WINDOWS\imsins.BAK
2008-12-10 03:00:59 ----D---- D:\Program Files\Internet Explorer
2008-12-04 17:04:01 ----A---- D:\WINDOWS\NeroDigital.ini
2008-12-03 20:45:04 ----D---- D:\Documents and Settings\Scott Rutherford\Application Data\Ahead

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 gmer;gmer; D:\WINDOWS\System32\DRIVERS\gmer.sys [2008-12-26 85969]
R1 intelppm;Intel Processor Driver; D:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; D:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; D:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; D:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 OMCI;OMCI; D:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R3 BCMModem;BCM V.92 56K Modem; D:\WINDOWS\system32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CT20XUT.DLL;CT20XUT.DLL; D:\WINDOWS\system32\CT20XUT.DLL [2008-07-15 170520]
R3 ctac32k;Creative AC3 Software Decoder; D:\WINDOWS\system32\drivers\ctac32k.sys [2008-07-15 511000]
R3 ctaud2k;Creative Audio Driver (WDM); D:\WINDOWS\system32\drivers\ctaud2k.sys [2008-07-15 527384]
R3 CTEXFIFX.DLL;CTEXFIFX.DLL; D:\WINDOWS\system32\CTEXFIFX.DLL [2008-07-15 1323544]
R3 CTHWIUT.DLL;CTHWIUT.DLL; D:\WINDOWS\system32\CTHWIUT.DLL [2008-07-15 72728]
R3 ctprxy2k;Creative Proxy Driver; D:\WINDOWS\system32\drivers\ctprxy2k.sys [2008-07-15 14360]
R3 ctsfm2k;Creative SoundFont Management Device Driver; D:\WINDOWS\system32\drivers\ctsfm2k.sys [2008-07-15 157208]
R3 E100B;Intel® PRO Network Connection Driver; D:\WINDOWS\System32\DRIVERS\e100b325.sys [2007-11-16 165496]
R3 emupia;E-mu Plug-in Architecture Driver; D:\WINDOWS\system32\drivers\emupia2k.sys [2008-07-15 92696]
R3 ha20x2k;Creative 20X HAL Driver; D:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]
R3 HidBatt;HID UPS Battery Driver; D:\WINDOWS\System32\DRIVERS\HidBatt.sys [2008-04-13 20352]
R3 hidusb;Microsoft HID Class Driver; D:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; D:\WINDOWS\System32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; D:\WINDOWS\System32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 mfeavfk;McAfee Inc. mfeavfk; D:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; D:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mouhid;Mouse HID Driver; D:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; D:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 ossrv;Creative OS Services Driver; D:\WINDOWS\system32\drivers\ctoss2k.sys [2008-07-15 127000]
R3 usbccgp;Microsoft USB Generic Parent Driver; D:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; D:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; D:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; D:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; D:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; D:\WINDOWS\System32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 COMMONFX.DLL;COMMONFX.DLL; D:\WINDOWS\system32\COMMONFX.DLL [2008-02-25 98328]
S3 CTAUDFX.DLL;CTAUDFX.DLL; D:\WINDOWS\system32\CTAUDFX.DLL [2008-02-25 551960]
S3 ctdvda2k;Creative DVD-Audio Device Driver; D:\WINDOWS\system32\drivers\ctdvda2k.sys [2008-07-15 347080]
S3 CTEAPSFX.DLL;CTEAPSFX.DLL; D:\WINDOWS\system32\CTEAPSFX.DLL [2008-02-25 174104]
S3 CTEDSPFX.DLL;CTEDSPFX.DLL; D:\WINDOWS\system32\CTEDSPFX.DLL [2008-02-25 286232]
S3 CTEDSPIO.DLL;CTEDSPIO.DLL; D:\WINDOWS\system32\CTEDSPIO.DLL [2008-02-25 134680]
S3 CTEDSPSY.DLL;CTEDSPSY.DLL; D:\WINDOWS\system32\CTEDSPSY.DLL [2008-02-25 329240]
S3 CTERFXFX.DLL;CTERFXFX.DLL; D:\WINDOWS\system32\CTERFXFX.DLL [2008-02-25 100888]
S3 CTSBLFX.DLL;CTSBLFX.DLL; D:\WINDOWS\system32\CTSBLFX.DLL [2008-02-25 566296]
S3 mferkdk;McAfee Inc. mferkdk; D:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 mfesmfk;McAfee Inc. mfesmfk; D:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
S3 MODEMCSA;Unimodem Streaming Filter Device; D:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 usbprint;Microsoft USB PRINTER Class; D:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; D:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; D:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; D:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; D:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CTAudSvcService;Creative Audio Service; D:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-04-30 417792]
R2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; D:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-12-05 206096]
R2 mcmscsvc;McAfee Services; D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; d:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 NVSvc;NVIDIA Display Driver Service; D:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
S3 aspnet_state;ASP.NET State Service; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-09-13 79360]
S3 LBTServ;Logitech Bluetooth Service; D:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 McODS;McAfee Scanner; D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 McSysmon;McAfee SystemGuards; D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S3 MpfService;McAfee Personal Firewall Service; D:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
S3 NBService;NBService; D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-10-09 724992]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; D:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; D:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16297095-cef5-4434-be78-17eeeea39874}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E846A95-3E17-43C6-83B6-682FCB5D2A95}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8187c523-8479-4151-b5e3-f2644a3ff492}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\prunnet deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLS not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMcBtqo\\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):"msv1_0" /E : value set successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. D:\WINDOWS\temp\mcmsc_YgQdCRaCgNyBWY7 scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\Perflib_Perfdata_714.dat scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\sqlite_wbyhRf34YvNO0GV scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\sqlite_wmJIqlhUZY0unTy scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\sqlite_z61vStVLA5m9Deq scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\WFV1.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12282008_155802

Files moved on Reboot...
File move failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File D:\WINDOWS\temp\mcmsc_YgQdCRaCgNyBWY7 not found!
File D:\WINDOWS\temp\Perflib_Perfdata_714.dat not found!
D:\WINDOWS\temp\sqlite_wbyhRf34YvNO0GV moved successfully.
D:\WINDOWS\temp\sqlite_wmJIqlhUZY0unTy moved successfully.
D:\WINDOWS\temp\sqlite_z61vStVLA5m9Deq moved successfully.
File move failed. D:\WINDOWS\temp\WFV1.tmp scheduled to be moved on reboot.

#14 Buckeye_Sam
Malware Expert

Posted 29 December 2008 - 09:30 AM

Looks much better. How are things working on your end? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 srutherford024
Topic Starter

Posted 31 December 2008 - 08:34 AM

Apologies for the delay in getting back to you, Sam. I had to go back to work this week and I haven't had a lot of time to test IE out. It definitely seems to be working better. I have not noticed any pop-ups, either :thumbsup: Thanks so much for all your help; it was a learning experience for me, and I am glad I had the opportunity. Happy New Year!


