
Computer is infected with???


This topic is locked
17 replies to this topic

#1 sippingt3

sippingt3

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Female
  • Location:Boston, MA
  • Local time:03:54 AM

Posted 04 May 2009 - 12:16 AM

Here are a couple of things that I have noticed and might assist.

1. At the start-up of the computer, the following message displays (error loading c:\WINDOWS\system 23\j3241139.dll The specified module could not be found). The message in the parentheses has been displaying for the past year.
2. I use the Comcast high-speed internet connection with McAfee downloaded and updated regularly. McAfee, however, has not resolved the issue in the parentheses.
3. Every time I turn on my computer I run the Comcast spyware scan, and as of today, 5/4/09, I was unable to run the program.
4. Every time I turn on my computer I delete the temporary internet files and offline content.
5. Within the past 2 weeks I have noticed the following 2 icons on my desktop and 1 installed program and have no idea how they were downloaded or which program they snuck in the back of. The programs are > Registry Mechanic and PC Tools Spyware Doctor - those are the icons, and the 1 program is "System Restore". I receive constant pop-ups related to all.
6. Over the past 2 weeks my computer crashes for about 30 seconds with the following message and then begins a countdown before it restores. Here is the message: "Explorer.exe triggered the fatal error at address 0xAFFA0000, 0xAFFA5600, 0xAFFA5800". I hope I copied it down correctly; I'm only given a 30-second window to copy it before the system restores.
7. I have tried to uninstall all 3 programs, using "uninstall" and "add or remove programs"; however, all 3 have connected themselves to another program and a message indicates they are unable to be uninstalled because they are simultaneously being used by another program.
8. I noticed today that I am unable to access "Task Manager" due to a message displaying "Task manager has been disabled by your administrator". I do not know how to turn it back on.
9. I also noticed today that my "Windows firewall" was disabled, I do not know how, and I enabled it again.
10. Today, 5/4/09, I ran a full McAfee scan which detected nothing unusual.

Thanks for your assistance -- see below

Below is the DDS.txt file

DDS (Ver_09-03-16.01) - NTFSx86
Run by Helena at 0:31:16.25 on Mon 05/04/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.70 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Helena\Application Data\lsascs.exe
C:\Spyware Doctor\pctsTray.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Helena\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/?cid=toolbar_button&attr=comcast
uSearch Page = hxxp://www.live.com/
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uSearchMigratedDefaultURL =
uDefault_Search_URL =
mDefault_Search_URL = hxxp://windowsisearch.com
mSearch Page = hxxp://windowsisearch.com
mSearch Bar =
mSearchMigratedDefaultURL =
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = <local>;127.0.0.1;fws.municode.com;localhost
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB1.dll
mWinlogon: SFCDisable=4 (0x4)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {893fc28c-3e85-4eee-aeb0-f286192f2319} - c:\windows\system32\geedd.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB1.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [RecordNow!]
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BackupNotify] "c:\program files\hp\digital imaging\bin\backupnotify.exe"
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [A00FF9A741.exe] c:\docume~1\helena\locals~1\temp\_A00FF9A741.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [j3241139] rundll32 c:\windows\system32\j3241139.dll sook
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Umeyovuviyakid] rundll32.exe "c:\windows\otudoqevoy.dll",e
mRun: [System Protector] c:\documents and settings\helena\application data\lsascs.exe
mRun: [ISTray] "c:\spyware doctor\pctsTray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: 5c15cd7c579 - c:\windows\system32\dpnwsock32.dll
Notify: awtqn - awtqn.dll
Notify: igfxcui - igfxsrvc.dll
Notify: xxyvwvw - xxyvwvw.dll
Notify: __c008FF56 - c:\windows\system32\__c008FF56.dat
AppInit_DLLs: c:\windows\system32\dpnwsock32.dll
LSA: Notification Packages = scecli omgntro.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-01 21:13 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-01 20:25 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-01 20:25 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-01 20:24 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-01 20:24 <DIR> --d----- C:\Spyware Doctor
2009-05-01 20:24 <DIR> --d----- c:\docume~1\helena\applic~1\PC Tools
2009-05-01 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-01 19:38 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-01 19:38 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-29 16:47 <DIR> --d----- c:\docume~1\helena\applic~1\SpyProtector
2009-04-29 16:47 <DIR> --d----- c:\program files\System Protector
2009-04-25 10:12 55 a------- C:\xcrashdump.dat
2009-04-23 08:51 0 a------- c:\windows\Emasucuyafupey.bin
2009-04-23 08:51 300 a------- c:\windows\Lfelitobab.dat
2009-04-22 15:53 159,744 a------- c:\docume~1\helena\applic~1\shellex.dll
2009-04-22 15:53 1,943,040 a------- c:\docume~1\helena\applic~1\lsascs.exe
2009-04-22 13:33 25,600 a------- c:\windows\system32\__c008FF56.dat
2009-04-22 12:48 25,581 a------- c:\windows\GnuHashes.ini
2009-04-22 12:40 1,462 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-04-22 12:40 <DIR> --dsh--- c:\windows\system32\NetworkService32
2009-04-22 12:38 615 a------- c:\windows\system32\TzUyiqc.vbs
2009-04-17 18:48 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 18:48 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 18:48 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-17 18:48 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 18:48 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 18:48 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 18:48 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 18:48 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 18:48 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-17 18:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-17 18:26 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 18:25 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 14:58 42,496 a------- c:\windows\system32\spyprotector.cpl

==================== Find3M ====================

2009-05-04 00:16 4,002 a------- c:\windows\viassary-hp.reg
2009-05-04 00:06 178,870 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-04-26 16:27 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-09-03 20:57 61,224 a------- c:\documents and settings\helena\GoToAssistDownloadHelper.exe
2007-08-29 18:23 7,052 ---sh--- c:\windows\system32\ddeeg.bak2

============= FINISH: 0:36:10.12 ===============
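Added example (not from the thread and not part of the DDS tool): a Python triage pass over the Pseudo HJT Report section of a DDS log like the one above, flagging the entries a helper looks at first (policy lockouts, disabled file protection, a loopback proxy, AppInit_DLLs, Winlogon Notify and LSA packages, and autoruns via rundll32 or from user-writable folders). The allow-lists are constructed for this example, and the sample lines are taken from this log.

```python
import re
from dataclasses import dataclass

# Winlogon Notify packages a stock Windows XP install registers; any other
# name deserves a look. Constructed allow-list for this example only.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "igfxcui", "scecli",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "schedule"}
# The only LSA notification package present on a clean XP system.
STOCK_LSA_PACKAGES = {"scecli"}
# Path fragments (8.3 and long form) that mark user-writable locations.
USER_WRITABLE = ("application data", "applic~1", "\\temp\\", "locals~1")


@dataclass(frozen=True)
class Finding:
    line: str    # the report line exactly as DDS printed it
    reason: str  # why a helper should look at it


def triage(report: str) -> list[Finding]:
    """Return the Pseudo HJT Report lines that deserve attention, in order."""
    findings: list[Finding] = []

    for raw in report.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        if low.startswith(("upolicies-", "mpolicies-")):
            # Policies that hide the tools a user would reach for first.
            if "disabletaskmgr = 1" in low:
                findings.append(Finding(line, "Task Manager disabled by policy"))
            elif "disableregistrytools = 1" in low:
                findings.append(Finding(line, "Registry Editor disabled by policy"))
        elif low.startswith("mwinlogon:") and "sfcdisable=" in low:
            # Any non-zero SFCDisable switches off Windows File Protection.
            if "sfcdisable=0" not in low:
                findings.append(Finding(line, "Windows File Protection disabled"))
        elif "internet settings,proxyserver" in low:
            # A proxy on the loopback interface means something local sits
            # between the browser and the network.
            m = re.search(r"(?:127\.0\.0\.1|localhost):(\d+)", low)
            if m:
                findings.append(Finding(line, f"browser proxied through local port {m.group(1)}"))
        elif low.startswith("appinit_dlls:"):
            if line.split(":", 1)[1].strip():
                findings.append(Finding(line, "AppInit_DLLs injects a DLL into every GUI process"))
        elif low.startswith("notify:"):
            # Format: "Notify: <name> - <dll>"
            name = line.split(":", 1)[1].split("-", 1)[0].strip().lower()
            if name not in STOCK_NOTIFY:
                findings.append(Finding(line, "non-stock Winlogon Notify package"))
        elif low.startswith("lsa: notification packages"):
            packages = low.split("=", 1)[1].split()
            extra = [p for p in packages if p.split(".")[0] not in STOCK_LSA_PACKAGES]
            if extra:
                findings.append(Finding(line, "extra LSA notification package(s): " + ", ".join(extra)))
        elif re.match(r"[umd]run(once)?:", low):
            # Autorun entries: the command follows the [name] tag.
            command = low.split("]", 1)[1] if "]" in low else low
            if "rundll32" in command and ".dll" in command:
                findings.append(Finding(line, "autorun via rundll32 loading a DLL"))
            elif any(marker in command for marker in USER_WRITABLE):
                findings.append(Finding(line, "autorun from a user-writable directory"))
    return findings


# Sample input, constructed from the Pseudo HJT Report lines in this thread.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = <local>;127.0.0.1;fws.municode.com;localhost
mWinlogon: SFCDisable=4 (0x4)
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [A00FF9A741.exe] c:\docume~1\helena\locals~1\temp\_A00FF9A741.exe
mRun: [j3241139] rundll32 c:\windows\system32\j3241139.dll sook
mRun: [Umeyovuviyakid] rundll32.exe "c:\windows\otudoqevoy.dll",e
mRun: [System Protector] c:\documents and settings\helena\application data\lsascs.exe
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: 5c15cd7c579 - c:\windows\system32\dpnwsock32.dll
Notify: igfxcui - igfxsrvc.dll
Notify: __c008FF56 - c:\windows\system32\__c008FF56.dat
AppInit_DLLs: c:\windows\system32\dpnwsock32.dll
LSA: Notification Packages = scecli omgntro.dll
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(f"{finding.reason:50} <- {finding.line}")
```

The entries it flags are the ones that explain the reported symptoms (the "disabled by your administrator" message maps to DisableTaskMgr, and the rundll32 autorun is the j3241139.dll error seen at boot); benign lines such as the Skype autorun and the igfxcui Notify package pass through unflagged.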


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:54 AM

Posted 17 May 2009 - 04:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 sippingt3

sippingt3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Female
  • Location:Boston, MA
  • Local time:03:54 AM

Posted 17 May 2009 - 09:12 PM

Hello Orangeblossom,

No apologies required for the delay. I am very grateful for your assistance and appreciate the info you offered on the "turn-around time" from my other post.

In addition to my previous post, here is the latest of what's happening with my system. Also below is my new dds log

1. My 17-year-old, having received instructions not to download or make any changes to the computer, ignored my request and has done the following: deleted LimeWire and downloaded FrostWire.
2. I was receiving a virtuomundo memory warning and ignored it. However, once again my lovely 17-year-old went ahead and looked up something online and says she fixed it. I've since passworded her out of usage for NONCOMPLIANCE.
3. I've also been getting the following message when I turn the computer on: when I turned on my computer, the following message appeared: "Isass.exe - System Error Object name not found". This message appeared before the password login screen. I tried to click "OK" but the computer did not respond. I had to resort to manually shutting off the computer and turning it back on again. This time the computer proceeded to the password login screen.
4. I've also experienced this a couple of times at the turn-on point: "this computer will shut down in 30, 40 or 50 seconds due to some problem". Unfortunately, it happens so fast I don't have enough time to write down what it's saying the problem is before it shuts down. This doesn't happen all the time, but it is happening frequently.
5. For some reason "Registry Mechanic" and "SpyDoctor" are downloaded to my system and I wasn't able to delete them. Prior to my first posting to this site, I tried to do this with no success. I have McAfee through Comcast and do not need them. As for a direct, technologically literate diagnosis of what the problem is, that is way above my technological intelligence.

Here are my new dds logs
DDS (Ver_09-05-14.01) - NTFSx86
Run by Helena at 21:47:24.00 on Sun 05/17/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.110 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Spyware Doctor\pctsTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Helena\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/?cid=toolbar_button&attr=comcast
uSearch Page = hxxp://www.live.com/
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uSearchMigratedDefaultURL =
uDefault_Search_URL =
mDefault_Search_URL = hxxp://windowsisearch.com
mSearch Page = hxxp://windowsisearch.com
mSearch Bar =
mSearchMigratedDefaultURL =
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = <local>;127.0.0.1;fws.municode.com;localhost
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
mWinlogon: SFCDisable=4 (0x4)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {893FC28C-3E85-4EEE-AEB0-F286192F2319} - No File
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BackupNotify] "c:\program files\hp\digital imaging\bin\backupnotify.exe"
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [A00FF9A741.exe] c:\docume~1\helena\locals~1\temp\_A00FF9A741.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [j3241139] rundll32 c:\windows\system32\j3241139.dll sook
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Umeyovuviyakid] rundll32.exe "c:\windows\otudoqevoy.dll",e
mRun: [ISTray] "c:\spyware doctor\pctsTray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\helena\startm~1\programs\startup\organize.lnk - c:\program files\hewlett-packard\hp organize\bin\displayAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: 5c15cd7c579 - c:\windows\system32\dpnwsock32.dll
Notify: awtqn - awtqn.dll
Notify: igfxcui - igfxsrvc.dll
Notify: xxyvwvw - xxyvwvw.dll
Notify: __c008FF56 - c:\windows\system32\__c008FF56.dat
AppInit_DLLs: c:\windows\system32\dpnwsock32.dll
LSA: Notification Packages = scecli omgntro.dll

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2006-6-25 16855]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-12 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-12 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-5-12 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2006-6-25 21808]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-5-12 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-12 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-12 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-12 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-12 33832]

=============== Created Last 30 ================

2009-05-15 16:14 <DIR> --d----- c:\docume~1\helena\applic~1\FrostWire
2009-05-15 16:11 <DIR> --d----- c:\program files\FrostWire
2009-05-15 16:10 <DIR> --d----- c:\program files\AskBarDis
2009-05-01 21:13 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-01 20:24 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-01 20:24 <DIR> --d----- C:\Spyware Doctor
2009-05-01 20:24 <DIR> --d----- c:\docume~1\helena\applic~1\PC Tools
2009-05-01 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-01 19:38 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-01 19:38 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-25 10:12 324 a------- C:\xcrashdump.dat
2009-04-23 08:51 0 a------- c:\windows\Emasucuyafupey.bin
2009-04-23 08:51 300 a------- c:\windows\Lfelitobab.dat
2009-04-22 13:33 25,600 a------- c:\windows\system32\__c008FF56.dat
2009-04-22 12:48 25,581 a------- c:\windows\GnuHashes.ini
2009-04-22 12:40 1,462 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-04-22 12:40 <DIR> --dsh--- c:\windows\system32\NetworkService32
2009-04-22 12:38 615 a------- c:\windows\system32\TzUyiqc.vbs

==================== Find3M ====================

2009-05-17 20:16 4,002 a------- c:\windows\viassary-hp.reg
2009-05-04 00:06 178,870 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-04-26 16:27 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2008-09-03 20:57 61,224 a------- c:\documents and settings\helena\GoToAssistDownloadHelper.exe
2007-08-29 18:23 7,052 ---sh--- c:\windows\system32\ddeeg.bak2

============= FINISH: 21:48:33.62 ===============




#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:54 AM

Posted 18 May 2009 - 09:46 PM

Hi sippingt3,


Welcome to BleepingComputer HijackThis Logs and Malware Removal, :thumbup2:
My name is sundavis, I will be helping you to deal with your Malware problems today.


Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar


I also notice there are some unwanted programs installed in your system. Those unwanted programs are sometimes malware-related or a potential hazard to your security. You're well advised to remove them.

Click Start > Settings > Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight

Ask Toolbar
System Protector
FrostWire 4.18.0


and click on Change/Remove to remove it.

If you want to remove Registry Mechanic 8.0 and Spyware Doctor 6.0, Please remove them as well.


Step1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:


Posted Image


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:


Posted Image

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


Step2
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.


In your next reply, please post back:

1. ComboFix log
2. RSIT log.txt and info.txt. Thanks

#5 sippingt3

sippingt3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Female
  • Location:Boston, MA
  • Local time:03:54 AM

Posted 19 May 2009 - 12:11 AM

Hello Sundavis,

Thank you for your assistance. Greatly appreciated.

Here is the latest.

I,
1. Removed Viewpoint Manager & Viewpoint Media Player successfully. Viewpoint Task Manager was not in the "Add/Remove Programs" listing.
2. Removed Ask Toolbar successfully
3. Removed Registry Mechanic successfully
4. Removed Frostwire 4.18.0 successfully
5. Could not remove Spyware Doctor from "Add/Remove Programs" listing. Said it was running with another program. I then went to Start>Programs>Spyware Doctor>Uninstall Spyware Doctor option which ended up opening up Spyware Doctor in another browser requesting me to keep/buy additional features. When I tried again to remove it using the same steps the following message appeared, "Runtime error (at 269:582): could not call proc."
6. Could not download ComboFix.exe as McAfee keeps blocking the download and has identified the file as a Trojan. Here is the message that pops up - see below in quotes

"McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Artemis!BBF5A44CCEE0 (Trojan), Artemis!BBF5A44CCEE0 (Trojan)
Location: C:\Documents and Settings\Helena\Local Settings\Temporary Internet Files\Content.IE5\3Q0FB149\ComboFix[1].exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer."

I do not know how to disable McAfee from recognizing this as a Trojan file to continue with your next requested steps.

Sorry for my delay... kind of ironic.
Thanks again
sipptingt

Edited by sippingt3, 19 May 2009 - 12:13 AM.


#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:54 AM

Posted 19 May 2009 - 06:58 AM

Hi sippingt3,


Disable McAfee before downloading Combofix.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

How to uninstall Spyware Doctor:

http://www.uninstalltips.com/category/unin...spyware-doctor/

Have you uninstalled System Protector? This one is a rogue program.

http://www.bleepingcomputer.com/startups/S...ctor-24714.html

#7 sippingt3

sippingt3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Female
  • Location:Boston, MA
  • Local time:03:54 AM

Posted 19 May 2009 - 09:21 PM

Hi Sundavis,

Thanks once again for the assistance and guidance.

Here's the latest.
1. Yes, I did remove System Protector successfully and forgot to note this on my last reply on (5/18/09).
2. Spyware Doctor is my new baby. I wasn't readily prepared to pay $34.95 for the uninstall program and will deal with Spyware Doctor later unless you think putting this off would not be in my best interest.
3. Below are the Combofix and the RSIT log.txt and info.txt logs

Combofix log (below)
ComboFix 09-05-19.08 - Helena 05/19/2009 21:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.152 [GMT -4:00]
Running from: c:\documents and settings\Helena\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Helena\Application Data\02000000357f2872579C.manifest
c:\documents and settings\Helena\Application Data\02000000357f2872579O.manifest
c:\documents and settings\Helena\Application Data\02000000357f2872579P.manifest
c:\documents and settings\Helena\Application Data\02000000357f2872579S.manifest
c:\program files\FunWebProducts
c:\windows\cookies.ini
c:\windows\GnuHashes.ini
c:\windows\IE4 Error Log.txt
c:\windows\MailSwitch.ocx
c:\windows\system32\__c008FF56.dat
c:\windows\system32\awtss.dll
c:\windows\system32\bgqpghju.ini
c:\windows\system32\bhcjhxah.ini
c:\windows\system32\ddeeg.bak2
c:\windows\system32\ddeeg.ini
c:\windows\system32\dktflcgy.ini
c:\windows\system32\dswjpuvk.ini
c:\windows\system32\eydliyky.ini
c:\windows\system32\fnlogupe.ini
c:\windows\system32\fryckaop.ini
c:\windows\system32\gpieapli.ini
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\gtpexwdx.ini
c:\windows\system32\gtvticqc.ini
c:\windows\system32\ilvmjhcp.ini
c:\windows\system32\jthlvsad.ini
c:\windows\system32\kjtxigna.ini
c:\windows\system32\krekteyv.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mtjixvih.ini
c:\windows\system32\ngmgkiuqm.dat
c:\windows\system32\ngmgkiuqm_nav.dat
c:\windows\system32\ngmgkiuqm_navps.dat
c:\windows\system32\noqfjjdk.ini
c:\windows\system32\nvs2.inf
c:\windows\system32\orevnofy.ini
c:\windows\system32\ppdxyxcm.ini
c:\windows\system32\pwavuwwg.ini
c:\windows\system32\qlcvcanj.ini
c:\windows\system32\rmdyklfd.ini
c:\windows\system32\rvbrndma.ini
c:\windows\system32\sgrdhvrr.ini
c:\windows\system32\srykbgnr.ini
c:\windows\system32\uuwgjfbv.ini
c:\windows\system32\vcwloddf.ini
c:\windows\system32\wxfcmcov.ini
c:\windows\system32\xbenujiy.ini
c:\windows\system32\xmikcnbk.ini
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-15 20:14 . 2009-05-19 03:17 -------- d-----w c:\documents and settings\Helena\Application Data\FrostWire
2009-05-15 20:11 . 2009-05-19 03:11 -------- d-----w c:\program files\FrostWire
2009-05-15 20:10 . 2009-05-19 03:07 -------- d-----w c:\program files\AskBarDis
2009-05-09 04:06 . 2009-05-09 04:06 -------- d-----w c:\documents and settings\LocalService\Application Data\McAfee
2009-05-02 01:13 . 2009-05-02 01:13 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-02 00:24 . 2008-12-10 15:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-02 00:24 . 2009-05-02 01:13 -------- d-----w C:\Spyware Doctor
2009-05-02 00:24 . 2009-05-02 00:24 -------- d-----w c:\documents and settings\Helena\Application Data\PC Tools
2009-05-02 00:24 . 2009-05-02 00:24 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-01 23:40 . 2009-05-20 01:51 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-01 23:38 . 2009-05-02 00:29 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-01 23:38 . 2009-05-01 23:47 -------- d-----w c:\program files\Spyware Doctor
2009-04-23 12:51 . 2009-05-19 04:03 0 ----a-w c:\windows\Emasucuyafupey.bin
2009-04-23 12:51 . 2009-04-23 12:51 -------- d-----w c:\documents and settings\Helena\Local Settings\Application Data\{832E2B97-AA38-4228-A2AB-F717681D6547}
2009-04-23 12:51 . 2009-04-23 12:51 300 ----a-w c:\windows\Lfelitobab.dat
2009-04-22 16:40 . 2009-04-22 20:40 -------- d-sh--w c:\windows\system32\NetworkService32
2009-04-22 16:38 . 2009-04-22 16:38 615 ----a-w c:\windows\system32\TzUyiqc.vbs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 01:50 . 2004-04-07 21:59 4002 ----a-w c:\windows\viassary-hp.reg
2009-05-19 03:05 . 2004-04-09 01:07 -------- d-----w c:\program files\Viewpoint
2009-05-17 04:31 . 2009-03-29 21:31 -------- d-----w c:\program files\myBabylon_English
2009-05-07 01:37 . 2004-01-21 03:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-06 21:36 . 2004-04-14 05:11 40552 ----a-w c:\documents and settings\Helena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 00:39 . 2009-02-13 22:06 -------- d-----w c:\program files\LimeWire
2009-05-04 04:10 . 2008-03-20 01:17 -------- d-----w c:\program files\Common Files\Scanner
2009-04-26 20:27 . 2009-01-14 22:02 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-04-18 16:41 . 2008-05-12 05:56 -------- d-----w c:\program files\McAfee
2009-03-29 21:31 . 2009-03-29 21:31 -------- d-----w c:\program files\Conduit
2009-03-29 17:35 . 2009-03-29 17:29 -------- d-----w c:\program files\QuickTime
2009-03-29 17:32 . 2009-03-29 17:32 -------- d-----w c:\program files\Apple Software Update
2009-03-29 17:23 . 2004-01-21 03:25 -------- d-----w c:\program files\WildTangent
2009-03-29 17:22 . 2004-01-21 03:22 -------- d-----w c:\program files\Common Files\Real
2009-03-29 17:19 . 2004-01-21 03:23 -------- d-----w c:\program files\MUSICMATCH
2009-03-21 12:41 . 2009-03-21 12:40 -------- d-----w c:\program files\Common Files\ArcSoft
2009-03-21 12:40 . 2009-01-14 21:58 -------- d-----w c:\program files\ArcSoft
2009-03-06 14:22 . 2004-02-16 18:46 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-24 01:32 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
2006-11-29 04:51 . 2006-11-29 04:51 935602 -csha-w c:\windows\ServicePackFiles\cbodddv.tmp
2007-08-20 00:45 . 2007-08-20 00:44 2441622 --sha-w c:\windows\system32\gtvticqc.tmp
2005-12-29 18:45 . 2005-12-29 17:58 340818 --sha-w c:\windows\system32\oqtwa.tmp
2007-04-27 04:01 . 2007-04-27 04:01 1380276 --sh--w c:\windows\system32\CatRoot\ldlddv.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 200704]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-10-04 50528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-16 24095528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-04 221184]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-12-06 3022848]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-05-04 278528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-29 413696]
"Umeyovuviyakid"="c:\windows\otudoqevoy.dll" [2008-04-14 143872]
"ISTray"="c:\spyware doctor\pctsTray.exe" [2008-12-08 1173384]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Helena\Start Menu\Programs\Startup\
Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-1-20 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [6/25/2006 7:19 PM 16855]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [6/25/2006 7:19 PM 21808]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-12 17:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-12 17:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{893FC28C-3E85-4EEE-AEB0-F286192F2319} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-j3241139 - c:\windows\system32\j3241139.dll
Notify-5c15cd7c579 - c:\windows\System32\dpnwsock32.dll
Notify-__c008FF56 - c:\windows\system32\__c008FF56.dat
Notify-awtqn - awtqn.dll
Notify-xxyvwvw - xxyvwvw.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/?cid=toolbar_button&attr=comcast
uSearchMigratedDefaultURL =
uDefault_Search_URL =
mSearch Bar =
mSearchMigratedDefaultURL =
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = <local>;127.0.0.1;fws.municode.com;localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 21:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-05-20 21:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 01:59

Pre-Run: 119,959,416,832 bytes free
Post-Run: 120,080,924,672 bytes free

237 --- E O F --- 2009-05-19 22:02


RSIT Info.txt log (below)
info.txt logfile of random's system information tool 1.06 2009-05-19 22:07:52

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
-->C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BB529C7-855D-11D7-8444-0050BA1D384D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AIM 6-->C:\Program Files\AIM6\uninst.exe
America Online (Choose which version to remove)-->C:\Program Files\Common Files\aolshare\Aolunins_us.exe
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft Panorama Maker 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D45E8C45-B601-4A80-AFD8-E16338744DE1}\Setup.exe" -l0x9
ArcSoft WebCam Companion 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6392127-1223-4C7F-BBC8-87CCB449F96C}\setup.exe" -l0x9
Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Comcast Toolbar-->C:\Program Files\ComcastToolbar\uninstall.exe
DXG Digital Camera V 2.0M-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C140E041-CE7E-4947-87ED-630A2FEF6921}\Setup.exe"
FirstClass® Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B35C417-2649-11D6-83D1-0050FC01225C}\setup.exe" -l0x9 -uninst
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
hp deskjet 5100-->msiexec /x{FEDA56C4-82F3-46DD-8B50-FC592BBE1C0D}
HP Deskjet Preloaded Printer Drivers-->MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 3.5-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Plus 3.5-->C:\Program Files\HP\Digital Imaging\{C6C44651-7C66-4b11-92E8-17565D3D22DD}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Instant Support-->C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Organize-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photo & Imaging 3.5 - HP Devices-->C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 3.0-->"C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update-->MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
HPIZ350-->MsiExec.exe /X{F247869D-3643-4A9F-821B-3534145928E3}
Intel® Integrated Performance Primitives RTI 4.0-->MsiExec.exe /X{51C91B84-7B46-4FE7-8999-8228CFA75F89}
IntelliMover Data Transfer Demo-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Creator 2-->"C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Player-->"C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2005-03-23-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iTunes-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{523E6F2A-2D59-4D91-90E8-6C49931C9F50}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KBD-->C:\HP\KBD\KBD.EXE uninstalled
Learn On-Demand-->C:\WINDOWS\UNWISE.EXE C:\WINDOWS\INSTWNG.LOG
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Memories Disc Creator 2.0-->MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook Connector for MSN-->MsiExec.exe /X{3A97084F-A6B7-478B-8D5E-57A6BFA8C35B}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Web Components-->MsiExec.exe /I{90260409-6000-11D3-8CFE-0150048383C9}
Microsoft Picture It! Express 7.0-->MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE130}
Microsoft Picture It! Express 9-->C:\WINDOWS\System32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0900}
Microsoft Picture It! Library 9-->C:\WINDOWS\System32\msiexec.exe /i {9F7FC79B-3059-4264-9450-39EB368E3220}
Microsoft Plus! Digital Media Edition-->MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MSN Encarta Plus Support Files-->MsiExec.exe /I{00000000-785F-478A-BAA2-87F1A136068C}
MSN Toolbar(01.02.5000.1021)-->C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
MSN Toolbar-->MsiExec.exe /I{10C69612-017B-45F5-B986-7D113D5A2EA3}
MSN-->C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multimedia Card Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF9967D8-1999-4260-ACC2-86901AA36650}
Nikon Message Center-->MsiExec.exe /X{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}
Nikon Transfer-->MsiExec.exe /X{E9757890-7EC5-46C8-99AB-B00F07B6525C}
NVIDIA Display Driver-->C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Drivers-->C:\WINDOWS\system32\nvuaudio.exe UninstallGUI
NVIDIA Ethernet Driver-->C:\WINDOWS\System32\nvuenet.exe Uninstall C:\WINDOWS\System32\Nvenet.nvu,NVIDIA Ethernet Driver
NVIDIA GART Driver-->C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART Driver
Ocean Discovery™-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ocean\Uninst.isu"
PC-Doctor for Windows-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
Photosmart 140,240,7200,7600,7700,7900 Series-->C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Presto! VideoWorks 6 (VCD Version)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B0C0F5E6-10B1-11D6-9296-0050BA073EEC}\SETUP.EXE" -l0x9
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions-->C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spyware Doctor 6.0-->C:\Spyware Doctor\unins000.exe /LOG
Toolkit View(HP)-->c:\Windows\HPTK\unhptkit.exe
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Updates from HP-->C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
WildTangent Web Driver-->C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Zone Deluxe Games-->MsiExec.exe /I{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}

======Security center information======

AV: McAfee VirusScan (disabled)
FW: McAfee Personal Firewall

======System event log======

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 11
Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 83231
Source Name: Disk
Time Written: 20090503172034.000000-240
Event Type: error
User:

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 11
Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 83230
Source Name: Disk
Time Written: 20090503172033.000000-240
Event Type: error
User:

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 11
Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 83229
Source Name: Disk
Time Written: 20090503172032.000000-240
Event Type: error
User:

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 11
Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 83228
Source Name: Disk
Time Written: 20090503172031.000000-240
Event Type: error
User:

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 11
Message: The driver detected a controller error on \Device\Harddisk1\D.

Record Number: 83227
Source Name: Disk
Time Written: 20090503172030.000000-240
Event Type: error
User:

=====Application event log=====

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 1002
Message: Hanging application aim6.exe, version 1.4.9.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 46
Source Name: Application Hang
Time Written: 20090215204327.000000-300
Event Type: error
User:

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 1002
Message: Hanging application LimeWire.exe, version 1.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 35
Source Name: Application Hang
Time Written: 20090215131000.000000-300
Event Type: error
User:

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2900.5512, faulting module mshtml.dll, version 6.0.2900.5726, fault address 0x0006a9d7.

Record Number: 31
Source Name: Application Error
Time Written: 20090214223830.000000-300
Event Type: error
User:

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 5051
Message: A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 844 (0x34c)

Thread address : 0x7C90E4F4

Thread message :

Build VSCORE.14.0.0.349 / 5300.2777
Object being scanned = \Device\HarddiskVolume2\Documents and Settings\Helena\Local Settings\Temporary Internet Files\Content.IE5\OLY7WPY3\toolbaryhm[1].xml
by C:\Program Files\Internet Explorer\iexplore.exe
4(1937)(0)
4(1843)(0)
7200(1234)(0)
7595(1234)(0)
7005(968)(0)
7004(968)(0)
5006(828)(0)
5004(828)(0)


Record Number: 21
Source Name: McLogEvent
Time Written: 20090214144442.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-AT5QGAAC3Z
Event Code: 5051
Message: A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1952 (0x7a0)

Thread address : 0x7C90E4F4

Thread message :

Build VSCORE.14.0.0.349 / 5300.2777
Object being scanned = \Device\HarddiskVolume2\Documents and Settings\Helena\Cookies\helena@turn[2].txt
by C:\Program Files\Internet Explorer\iexplore.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)


Record Number: 16
Source Name: McLogEvent
Time Written: 20090213204415.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------


RSIT log.txt (below)
Logfile of random's system information tool 1.06 (written by random/random)
Run by Helena at 2009-05-19 22:07:25
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 115 GB (77%) free of 148 GB
Total RAM: 447 MB (16% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:47 PM, on 5/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Spyware Doctor\pctsTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Helena\Local Settings\Temporary Internet Files\Content.IE5\4FUNQXW7\RSIT[1].exe
C:\Program Files\trend micro\Helena.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/?cid=toolbar_button&attr=comcast
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Umeyovuviyakid] rundll32.exe "C:\WINDOWS\otudoqevoy.dll",e
O4 - HKLM\..\Run: [ISTray] "C:\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [BackupNotify] "c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9694 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-01-29 1088296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}]
Comcast Toolbar - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL [2006-11-07 1821184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-10 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
ST - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll [2008-12-04 83800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-10 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-10 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP View - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll [2003-09-03 98304]

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 282624]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - Comcast Toolbar - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL [2006-11-07 1821184]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll [2008-12-04 83800]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"KBD"=C:\HP\KBD\KBD.EXE [2003-02-11 61440]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2003-11-03 221184]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-12-05 3022848]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2003-09-13 50688]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2005-05-04 278528]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-10 136600]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2009-04-29 188728]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-03-29 413696]
"Umeyovuviyakid"=C:\WINDOWS\otudoqevoy.dll [2008-04-13 143872]
"ISTray"=C:\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
"MBkLogOnHook"=C:\Program Files\McAfee\MBK\LogOnHook.exe [2007-01-08 20480]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"=c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe [2004-01-09 32768]
"MoneyAgent"=C:\Program Files\Microsoft Money\System\mnyexpr.exe [2003-06-18 200704]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2007-10-04 50528]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-03-16 24095528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe [2003-03-27 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe [2003-08-21 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [2003-08-21 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2005-05-04 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\System32\NvCpl.dll [2003-12-05 3022848]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe [2002-10-16 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe [2003-12-18 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe [2004-01-20 32881]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe [2003-10-29 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll [2004-05-21 64512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
C:\PROGRA~1\AMERIC~1.0\aoltray.exe [2003-09-10 36953]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2003-09-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Documents and Settings\Helena\Start Menu\Programs\Startup
Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-11-18 323584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\rtcshare.exe"="C:\WINDOWS\system32\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2009-05-19 22:07:26 ----D---- C:\Program Files\trend micro
2009-05-19 22:07:25 ----D---- C:\rsit
2009-05-19 21:59:56 ----A---- C:\ComboFix.txt
2009-05-19 21:39:14 ----A---- C:\WINDOWS\zip.exe
2009-05-19 21:39:14 ----A---- C:\WINDOWS\vFind.exe
2009-05-19 21:39:14 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-19 21:39:14 ----A---- C:\WINDOWS\SWSC.exe
2009-05-19 21:39:14 ----A---- C:\WINDOWS\SWREG.exe
2009-05-19 21:39:14 ----A---- C:\WINDOWS\sed.exe
2009-05-19 21:39:14 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-19 21:39:14 ----A---- C:\WINDOWS\grep.exe
2009-05-19 21:39:08 ----A---- C:\WINDOWS\system32\MPFServiceFailureCount.txt
2009-05-19 21:39:06 ----D---- C:\WINDOWS\ERDNT
2009-05-19 21:38:56 ----D---- C:\Qoobox
2009-05-15 16:14:28 ----D---- C:\Documents and Settings\Helena\Application Data\FrostWire
2009-05-15 16:11:17 ----D---- C:\Program Files\FrostWire
2009-05-15 16:10:27 ----D---- C:\Program Files\AskBarDis
2009-05-01 23:29:28 ----D---- C:\WINDOWS\Minidump
2009-05-01 20:24:06 ----D---- C:\Spyware Doctor
2009-05-01 20:24:06 ----D---- C:\Documents and Settings\Helena\Application Data\PC Tools
2009-05-01 20:24:06 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-05-01 20:23:45 ----A---- C:\WINDOWS\system32\STKIT432.DLL
2009-05-01 19:40:31 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-01 19:38:36 ----D---- C:\Program Files\Common Files\PC Tools
2009-05-01 19:38:18 ----D---- C:\Program Files\Spyware Doctor
2009-04-22 12:40:07 ----SHD---- C:\WINDOWS\system32\NetworkService32
2009-04-22 12:38:23 ----A---- C:\WINDOWS\system32\TzUyiqc.vbs

======List of files/folders modified in the last 1 months======

2009-05-19 22:07:42 ----D---- C:\WINDOWS\Temp
2009-05-19 22:07:26 ----D---- C:\Program Files
2009-05-19 22:02:44 ----D---- C:\Documents and Settings\Helena\Application Data\ComcastToolbar
2009-05-19 22:00:24 ----D---- C:\WINDOWS\system32
2009-05-19 21:57:55 ----D---- C:\WINDOWS\Prefetch
2009-05-19 21:57:20 ----SD---- C:\WINDOWS\Tasks
2009-05-19 21:56:48 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-19 21:55:14 ----D---- C:\Documents and Settings\Helena\Application Data\Skype
2009-05-19 21:54:17 ----D---- C:\Documents and Settings\Helena\Application Data\skypePM
2009-05-19 21:50:48 ----D---- C:\WINDOWS
2009-05-19 21:50:48 ----A---- C:\WINDOWS\system.ini
2009-05-19 21:48:24 ----D---- C:\WINDOWS\system32\drivers
2009-05-19 21:46:33 ----D---- C:\WINDOWS\system32\config
2009-05-19 21:43:56 ----D---- C:\WINDOWS\AppPatch
2009-05-19 21:43:54 ----D---- C:\Program Files\Common Files
2009-05-19 21:40:36 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-19 18:11:54 ----HD---- C:\WINDOWS\inf
2009-05-19 16:48:25 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-18 23:05:48 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-05-18 23:05:45 ----D---- C:\Program Files\Viewpoint
2009-05-17 00:31:45 ----D---- C:\Program Files\myBabylon_English
2009-05-17 00:29:42 ----SHD---- C:\WINDOWS\Installer
2009-05-17 00:29:42 ----SHD---- C:\Config.Msi
2009-05-08 15:33:23 ----SD---- C:\Documents and Settings\Helena\Application Data\Microsoft
2009-05-07 03:16:29 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-06 21:37:32 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-06 20:50:26 ----D---- C:\WINDOWS\system32\wbem
2009-05-06 00:03:28 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-05 20:39:22 ----D---- C:\Program Files\LimeWire
2009-05-05 19:57:25 ----D---- C:\Documents and Settings\Helena\Application Data\LimeWire
2009-05-04 00:10:23 ----D---- C:\Program Files\Common Files\Scanner
2009-05-03 22:56:04 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-05-03 22:56:03 ----D---- C:\Documents and Settings\Helena\Application Data\McAfee

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2003-12-05 11392]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R3 Aldebaran;Aldebaran - SCSI Command Filters; C:\WINDOWS\System32\Drivers\Aldebaran.sys [2004-02-11 21808]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2005-03-07 14408]
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-07-02 652497]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-12-05 1619243]
R3 nvax;Service for NVIDIA® nForce™ Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2004-10-22 53376]
R3 NVENET;NVIDIA nForce MCP Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENET.sys [2003-04-22 54784]
R3 nvnforce;Service for NVIDIA® nForce™ Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2004-10-22 413824]
R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R4 catchme;catchme; \??\C:\DOCUME~1\Helena\LOCALS~1\Temp\catchme.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-11-20 122110]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-11-20 99002]
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-12 391424]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-11-20 95579]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2003-12-06 429440]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2003-10-17 117760]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2009-02-06 109056]
R2 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe [2003-08-12 1376360]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-10 152984]
R2 MBackMonitor;MBackMonitor; C:\Program Files\McAfee\MBK\MBackMonitor.exe [2007-01-16 71208]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2003-12-05 77824]
R2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINDOWS\wanmpsvc.exe [2003-01-10 65536]
R3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2005-05-04 327680]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-11 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------


Take Care...Have a Good Evening
sippingt3
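An added triage helper for the RSIT log above; it is not part of this thread and is not RSIT or ComboFix code. It parses the two line shapes RSIT prints (the dated entries with attribute flags such as ----SHD----, and the driver entries of the form "R4 name;description; path [date size]") and applies three explicit rules: a hidden+system directory created directly under system32, a script file created directly under system32, and a kernel driver whose image sits in a Temp or user-profile path. The sample lines are copied from the log above; the rules themselves are the example's own assumptions, and a hit is a prompt to look closer, not a verdict.

```python
r"""Triage RSIT log lines for a few analyst red flags.

Added example; not part of this thread and not RSIT or ComboFix code.
Two RSIT line shapes are understood:
  created/modified entries:  2009-04-22 12:40:07 ----SHD---- C:\path
  driver/service entries:    R4 name;description; C:\path\file.sys [date size]
The rules below are this example's own assumptions, not RSIT's.
"""
import re

# Constructed sample: lines copied from the RSIT log posted in this thread.
SAMPLE_LOG = r"""
2009-05-01 20:23:45 ----A---- C:\WINDOWS\system32\STKIT432.DLL
2009-05-01 19:38:18 ----D---- C:\Program Files\Spyware Doctor
2009-04-22 12:40:07 ----SHD---- C:\WINDOWS\system32\NetworkService32
2009-04-22 12:38:23 ----A---- C:\WINDOWS\system32\TzUyiqc.vbs
2009-05-19 21:57:20 ----SD---- C:\WINDOWS\Tasks
2009-05-17 00:29:42 ----SHD---- C:\WINDOWS\Installer
2009-05-07 03:16:29 ----A---- C:\WINDOWS\system32\MRT.exe
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R4 catchme;catchme; \??\C:\DOCUME~1\Helena\LOCALS~1\Temp\catchme.sys []
S3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
"""

FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -+(?P<flags>[A-Z]*)-+ (?P<path>.+?)\s*$"
)
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);\s*"
    r"(?P<image>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

SYSTEM32 = "c:\\windows\\system32\\"
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
# Path fragments a kernel driver should not normally be loaded from.
USERLAND_PATHS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")


def _directly_under_system32(path_lower):
    # True for system32\<name>, False for anything deeper (drivers\, CatRoot\ ...).
    return path_lower.startswith(SYSTEM32) and "\\" not in path_lower[len(SYSTEM32):]


def triage(log_text):
    """Return a list of (path, reason) tuples for lines that trip a rule."""
    findings = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            flags, path = m.group("flags"), m.group("path")
            low = path.lower()
            if _directly_under_system32(low):
                # Rule 1: a hidden+system directory dropped straight into system32.
                if {"S", "H", "D"} <= set(flags):
                    findings.append((path, "hidden+system directory created directly under system32"))
                # Rule 2: a script file dropped straight into system32.
                elif low.endswith(SCRIPT_EXT):
                    findings.append((path, "script file created directly under system32"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            image = m.group("image")
            low = image.lower().replace("\\??\\", "")
            # Rule 3: a kernel driver whose image lives in a temp or user-profile path.
            if any(frag in low for frag in USERLAND_PATHS):
                findings.append((image, f"kernel driver '{m.group('name')}' loaded from a temp or user-profile path"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

On the sample above the script reports NetworkService32, TzUyiqc.vbs and catchme.sys. The catchme hit is expected on this machine: catchme is the rootkit-scanner driver that ComboFix loads from the user's Temp folder while it runs, so it trips the path rule without being something to remove. The other two are exactly the items the helper's CFScript later targets.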

#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 20 May 2009 - 02:14 AM

Hi sippingt3,



Spyware Doctor is my new baby....

It's OK to keep it since it's a paid version.

Step1
  • Close any open browsers
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See here for reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
c:\windows\Emasucuyafupey.bin
c:\windows\Lfelitobab.dat
c:\windows\system32\NetworkService32
c:\windows\system32\TzUyiqc.vbs
c:\windows\ServicePackFiles\cbodddv.tmp
c:\windows\system32\gtvticqc.tmp
c:\windows\system32\oqtwa.tmp
c:\windows\system32\CatRoot\ldlddv.tmp
c:\windows\otudoqevoy.dll

Folder::
c:\program files\FrostWire
c:\program files\AskBarDis
c:\program files\LimeWire

Driver::
Viewpoint Manager Service

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Umeyovuviyakid"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2

Please download Malwarebytes' Anti-Malware from Here or Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Step3


Older versions of Java have vulnerabilities that malicious sites can exploit to infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any entry with Java Runtime Environment (JRE or J2SE) in the name, including the following:
    • Java 2 Runtime Environment, SE v1.4.2_03
    • Java™ 6 Update 11
    • Java™ 6 Update 4
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.


Step4


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step5


Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application?" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When the database update has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.


1.Combofix log
2.MBAM log
3.KAS Scan Report
4.Fresh HJT log

Tell me how your pc is running now.
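An added parser for the CFScript format used in Step 1 above; it is not ComboFix's code and not part of this thread. It reads the four section headers the script uses (File::, Folder::, Driver::, Registry::) and the .reg-style syntax inside Registry::, and turns every line into an explicit (action, target, data) tuple so a reviewer can see what the script asks ComboFix to do before handing it to a user. The .reg conventions it relies on are standard: "name"=- deletes a value (here the Umeyovuviyakid Run entry and the firewall exceptions granted to StubInstaller.exe and LimeWire), [-key] deletes the whole key (the BHO CLSID), and dword:00000000 writes 0. The Security Center values the script rewrites are the ones XP's Security Center reads: AntiVirusDisableNotify=1 suppresses the "no antivirus" notification and DisableMonitoring=1 under Monitoring\<vendor> tells Security Center to stop watching that product, which is why malware sets them and why the script resets them to 0. The sample is a subset of the posted script; the action names are the example's own, and the HKLM\~\... shorthand is left as written because ComboFix expands it itself.

```python
r"""Parse a ComboFix CFScript into an explicit action plan.

Added example; not ComboFix's code and not from this thread. Section
meanings follow the script posted above and standard .reg conventions;
the action names are this example's own. Multi-line hex values
(continuation lines ending in a backslash) are not handled.
"""
import re

# Constructed sample: a subset of the CFScript posted above.
SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\NetworkService32
c:\windows\system32\TzUyiqc.vbs

Folder::
c:\program files\LimeWire

Driver::
Viewpoint Manager Service

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Umeyovuviyakid"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")                      # [key] selects, [-key] deletes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=data or @=data
# HKLM\~\... is ComboFix shorthand that ComboFix expands itself; it is left as written.


def _unescape(s):
    # Undo .reg escaping: doubled backslash -> backslash, backslash-quote -> quote.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _parse_data(raw):
    """Classify the right-hand side of a value line."""
    raw = raw.strip()
    if raw == "-":
        return ("delete", None)
    if raw.lower().startswith("dword:"):
        return ("dword", int(raw[6:], 16))
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return ("string", _unescape(raw[1:-1]))
    if raw == "":
        return ("string", "")
    return ("raw", raw)  # hex:, hex(2): and friends are passed through untouched


def parse_cfscript(text):
    """Return [(action, target, data), ...] in script order."""
    actions = []
    section = None
    key = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        if section is None:
            raise ValueError(f"line {lineno}: content before any section header")
        if section == "file":
            actions.append(("delete_file", line, None))
        elif section == "folder":
            actions.append(("delete_folder", line, None))
        elif section == "driver":
            actions.append(("delete_service", line, None))
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                key = m.group(2)
                if m.group(1) == "-":
                    actions.append(("delete_key", key, None))
                    key = None  # values may not follow a deleted key
                continue
            m = VALUE_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: unrecognised registry line: {line}")
            if key is None:
                raise ValueError(f"line {lineno}: value outside a [key] block")
            name = "(default)" if m.group(2) else _unescape(m.group(1))
            kind, data = _parse_data(m.group(3))
            target = f"{key}\\{name}"
            if kind == "delete":
                actions.append(("delete_value", target, None))
            else:
                actions.append(("set_value", target, data))
        else:
            actions.append(("unhandled", f"{section}::{line}", None))
    return actions


if __name__ == "__main__":
    for action, target, data in parse_cfscript(SAMPLE_SCRIPT):
        print(action, target, "" if data is None else repr(data))
```

Running it on the sample prints eight actions: two file deletions, one folder deletion, one service removal, two value deletions, one DWORD write and one key deletion. Reviewing a script this way before sending it is worth the minute it takes, because a stray "-" in the wrong place turns a "reset this value" into "delete this value".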

#9 sippingt3

sippingt3
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Boston, MA

Posted 21 May 2009 - 01:21 PM

Hi Sundavis,

Thanks once again for your assistance.

Here's the latest

1. Completed Step1 successfully. Log is below.
2. Completed Step2 successfully. Log is below.
3. Completed Step3 successfully.
4. Completed Step4 successfully.
5. Completed Step5 (steps 1-5). When I reached step 6, "Make sure all boxes are checked, then click on the Save button", all the boxes were checked; however, the top box was checked but wasn't accessible for change. The other 3 boxes were accessible for change. Also, I could not access the SAVE button. At this point, the CPU usage was running at a constant 90-100%. The fan, I guess that's the noise I hear, was running non-stop. I've always noticed in the past that when the fan is running like that, the computer is normally in a frozen state and the CPU usage is running high. I wasn't able to get past this point because I couldn't access the SAVE button. I did a full shutdown of the computer and started again and still got stuck at #5.
6. I did not complete a new HJT log as I thought you might want me to resolve this problem before doing that.

As an added note, the CPU usage as I described above was intermittently running high from the beginning at Step1, but I was able to continue on until I got stopped/stuck.

I work late Thurs and Fri evenings, so I won't be able to do any computer repair homework tonight or tomorrow and will be back on duty Saturday, but I look forward to your reply.

I've seen a noticeable improvement in my computer.
..It launches to the internet quicker
..Navigates from browser page to the next quicker
..All the "start-up" DLLs are gone (Yeah!..They were a nuisance)
..The color on the monitor (web pages) no longer fades to grey/black&white anymore...Yeah. In the past, this would happen once the computer had been on for a while. It would start to flicker and then proceed to grey.

I've posted the logs below...Take Care..Thanks again

ComboFix log
ComboFix 09-05-20.07 - Helena 05/20/2009 19:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.245 [GMT -4:00]
Running from: c:\documents and settings\Helena\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Helena\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
c:\windows\Emasucuyafupey.bin
c:\windows\Lfelitobab.dat
c:\windows\otudoqevoy.dll
c:\windows\ServicePackFiles\cbodddv.tmp
c:\windows\system32\CatRoot\ldlddv.tmp
c:\windows\system32\gtvticqc.tmp
c:\windows\system32\NetworkService32
c:\windows\system32\oqtwa.tmp
c:\windows\system32\TzUyiqc.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\FrostWire
c:\program files\FrostWire\aopalliance.jar
c:\program files\FrostWire\clink.jar
c:\program files\FrostWire\commons-codec-1.3.jar
c:\program files\FrostWire\commons-logging.jar
c:\program files\FrostWire\daap.jar
c:\program files\FrostWire\forms.jar
c:\program files\FrostWire\foxtrot.jar
c:\program files\FrostWire\FrostWire.exe
c:\program files\FrostWire\FrostWire.jar
c:\program files\FrostWire\gettext-commons.jar
c:\program files\FrostWire\guice-1.0.jar
c:\program files\FrostWire\httpclient-4.0-alpha3.jar
c:\program files\FrostWire\httpcore-4.0-beta2.jar
c:\program files\FrostWire\httpcore-nio-4.0-beta2.jar
c:\program files\FrostWire\httpcore-niossl-4.0-alpha7.jar
c:\program files\FrostWire\icu4j.jar
c:\program files\FrostWire\jaudiotagger.jar
c:\program files\FrostWire\jcraft.jar
c:\program files\FrostWire\jdic.dll
c:\program files\FrostWire\jdic.jar
c:\program files\FrostWire\jdic_stub.jar
c:\program files\FrostWire\jflac.jar
c:\program files\FrostWire\jl.jar
c:\program files\FrostWire\jmdns.jar
c:\program files\FrostWire\jogg.jar
c:\program files\FrostWire\jorbis.jar
c:\program files\FrostWire\jython.jar
c:\program files\FrostWire\log.txt
c:\program files\FrostWire\log4j.jar
c:\program files\FrostWire\looks.jar
c:\program files\FrostWire\lw-all.jar
c:\program files\FrostWire\messages.jar
c:\program files\FrostWire\mp3spi.jar
c:\program files\FrostWire\onion-common.jar
c:\program files\FrostWire\onion-fec.jar
c:\program files\FrostWire\ProgressTabs.jar
c:\program files\FrostWire\SystemUtilities.dll
c:\program files\FrostWire\themes.jar
c:\program files\FrostWire\tray.dll
c:\program files\FrostWire\tritonus.jar
c:\program files\FrostWire\vorbisspi.jar
c:\program files\LimeWire
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-alpha5-20080522.192134-5.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire.exe
c:\windows\Emasucuyafupey.bin
c:\windows\Lfelitobab.dat
c:\windows\ServicePackFiles\cbodddv.tmp
c:\windows\system32\CatRoot\ldlddv.tmp
c:\windows\system32\djbosflo.dll
c:\windows\system32\gtvticqc.tmp
c:\windows\system32\oqtwa.tmp
c:\windows\system32\twvdjhlc.dll
c:\windows\system32\TzUyiqc.vbs
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 02:07 . 2009-05-20 02:07 -------- d-----w c:\program files\trend micro
2009-05-20 02:07 . 2009-05-20 02:07 -------- d-----w C:\rsit
2009-05-15 20:14 . 2009-05-19 03:17 -------- d-----w c:\documents and settings\Helena\Application Data\FrostWire
2009-05-09 04:06 . 2009-05-09 04:06 -------- d-----w c:\documents and settings\LocalService\Application Data\McAfee
2009-05-02 01:13 . 2009-05-02 01:13 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-02 00:24 . 2008-12-10 15:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-02 00:24 . 2009-05-02 01:13 -------- d-----w C:\Spyware Doctor
2009-05-02 00:24 . 2009-05-02 00:24 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-02 00:24 . 2009-05-02 00:24 -------- d-----w c:\documents and settings\Helena\Application Data\PC Tools
2009-05-01 23:40 . 2009-05-20 23:22 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-01 23:38 . 2009-05-02 00:29 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-01 23:38 . 2009-05-01 23:47 -------- d-----w c:\program files\Spyware Doctor
2009-04-23 12:51 . 2009-04-23 12:51 -------- d-----w c:\documents and settings\Helena\Local Settings\Application Data\{832E2B97-AA38-4228-A2AB-F717681D6547}
2009-04-22 16:40 . 2009-04-22 20:40 -------- d-sh--w c:\windows\system32\NetworkService32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 23:22 . 2004-04-07 21:59 4002 ----a-w c:\windows\viassary-hp.reg
2009-05-19 03:05 . 2004-04-09 01:07 -------- d-----w c:\program files\Viewpoint
2009-05-17 04:31 . 2009-03-29 21:31 -------- d-----w c:\program files\myBabylon_English
2009-05-07 01:37 . 2004-01-21 03:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-06 21:36 . 2004-04-14 05:11 40552 ----a-w c:\documents and settings\Helena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 04:10 . 2008-03-20 01:17 -------- d-----w c:\program files\Common Files\Scanner
2009-05-04 04:06 . 2009-05-04 01:55 178870 ----a-w c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2009-04-26 20:27 . 2009-01-14 22:02 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-04-18 16:41 . 2008-05-12 05:56 -------- d-----w c:\program files\McAfee
2009-03-29 21:31 . 2009-03-29 21:31 -------- d-----w c:\program files\Conduit
2009-03-29 17:35 . 2009-03-29 17:29 -------- d-----w c:\program files\QuickTime
2009-03-29 17:32 . 2009-03-29 17:32 -------- d-----w c:\program files\Apple Software Update
2009-03-29 17:23 . 2004-01-21 03:25 -------- d-----w c:\program files\WildTangent
2009-03-29 17:22 . 2004-01-21 03:22 -------- d-----w c:\program files\Common Files\Real
2009-03-29 17:19 . 2004-01-21 03:23 -------- d-----w c:\program files\MUSICMATCH
2009-03-06 14:22 . 2004-02-16 18:46 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-24 01:32 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-20_01.50.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 23:21 . 2009-05-20 23:21 16384 c:\windows\Temp\Perflib_Perfdata_648.dat
+ 2009-05-20 22:05 . 2009-05-20 22:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-01-21 01:18 . 2009-05-20 22:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-01-21 01:18 . 2009-05-20 01:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-01-21 01:18 . 2009-05-20 22:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-01-21 01:18 . 2009-05-20 01:18 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 200704]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-10-04 50528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-16 24095528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-04 221184]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-12-06 3022848]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-05-04 278528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-29 413696]
"ISTray"="c:\spyware doctor\pctsTray.exe" [2008-12-08 1173384]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Helena\Start Menu\Programs\Startup\
Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-1-20 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [6/25/2006 7:19 PM 16855]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [6/25/2006 7:19 PM 21808]
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-12 17:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-12 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/?cid=toolbar_button&attr=comcast
uSearchMigratedDefaultURL =
uDefault_Search_URL =
mSearch Bar =
mSearchMigratedDefaultURL =
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = <local>;127.0.0.1;fws.municode.com;localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 19:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(472)
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-05-20 19:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 23:31
ComboFix2.txt 2009-05-20 01:59

Pre-Run: 120,075,010,048 bytes free
Post-Run: 120,068,083,712 bytes free

288 --- E O F --- 2009-05-19 22:02

MBAM log

Malwarebytes' Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 3

5/20/2009 8:36:07 PM
mbam-log-2009-05-20 (20-36-07).txt

Scan type: Quick Scan
Objects scanned: 113462
Time elapsed: 31 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\829275 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\NetworkService32\113.music.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\114.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\115.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\116.video.wmv (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\117.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\117.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\118.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\118.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\119.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\119.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\120.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\120.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\121.music.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\121.music.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\122.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\122.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\123.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\123.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\124.video.wmv (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\124.video.wmv.kwd (Worm.Archive) -> Quarantined and deleted successfully.

Edited by sippingt3, 21 May 2009 - 01:25 PM.


#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:02:54 AM

Posted 21 May 2009 - 04:48 PM

Hi sippingt3,




still got stuck at #5...

That's ok. We can try another instead.


Step1

Let's try the following instead.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.

I will give you another one, just in case. :thumbup2:


Please go to F-Secure Online Scanner Next Generation
  • Click on the link "Start your scan".
  • You may receive an alert on the address bar at this point to install the ActiveX control.
  • Read the license agreement and click "Accept".
  • Click "Full System Scan" to download the scanning components and begin scan and cleaning.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • When done click "Show report" and copy/paste its contents into your next reply.

In your next reply, please post back:


1.ESET online scan report
2.New HJT log

Tell me how things went.

#11 sippingt3

sippingt3
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Boston, MA
  • Local time:03:54 AM

Posted 24 May 2009 - 01:24 AM

Hi Sundavis,

I'm back. I started my homework late Saturday evening and am just now finishing at 1:44 am. So here it goes:

1. I ran the Eset Online Scan and all went well until (step 8). I could not access the log.txt file anywhere and this was not offered as an option. What was offered at the completion of the scan was the following options:
..List of found files - which listed the files that were found/infected. The first scan showed 95 files, the second showed 4. I was able to copy the 4 infected files from the list, which I didn't do the first time around. They are listed below. I wish I had done this on the 1st scan to have been able to offer you more details.
..Manage quarantine - which gave an extensive list of files; however, it didn't allow me to export or copy them
..Uninstall application at close - which takes the user to the next page offering the user a paid or 30-day free trial version
..Delete quarantined files - wasn't sure if I should have done this, so I did nothing.

The page with the paid or 30-day free trial version had no indication of a log.txt report at all. It just showed a variety of tabs to navigate. I then proceeded with another route. I still hadn't closed the Eset browser window, and it didn't allow the user to go back to the previous page. I clicked on Start > Run, typed in the path from your instructions, and Windows could not find the txt file. I then typed in C:\Program Files to locate the program. I found the Eset program, but it only contained a quarantine folder with the list of files that had been placed in quarantine, and it also contained an uninstall Eset Online option.

I tried again to run the scan a second time and, you guessed it, got stuck at (step 8) again with the same navigation option process.

I was unable to copy the quarantined files from the Eset Online off-line folder.

2. I then chose your second option of running the F-Secure Online scan, which was a success. I posted this report below.
F-Secure located 5 infected files and cleaned them. It also found 1 infected file that was not cleaned. I listed that file below.

3. Below is the F-Secure report, and the new HJT log, plus other mentions. Thanks again for your support


Logs

4 files found by the 2nd scan of Eset Online Scan
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP730\A0177843.cpl Win32/Adware.SpyProtector.L application cleaned by deleting - quarantined
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP746\A0190416.dll Win32/Adware.BHO.V application cleaned by deleting - quarantined
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP746\A0190417.dll a variant of Win32/Adware.BHO.V application cleaned by deleting - quarantined
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP746\A0190418.dll a variant of Win32/Adware.BHO.V application cleaned by deleting - quarantined

the 1 infected file found by the F-Secure scan that was not cleaned
File: A10188555.DLL

F-Secure Scan Report
Sunday, May 24, 2009 00:20:02 - 01:22:16
Computer name: YOUR-AT5QGAAC3Z
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

6 malware found
TrackingCookie.Advertising (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Atwola (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)
Vundo.gen99 (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP740\A0188555.DLL (Not cleaned & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 57398
System: 3845
Not scanned: 7
Actions:
Disinfected: 5
Renamed: 0
Deleted: 0
Not cleaned: 1
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCMSC_NKK5RDU8UJW1GQ9
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.8.9080, 2009-05-23
F-Secure AVP: 7.0.171, 2009-05-22
F-Secure Pegasus: 1.20.0
F-Secure Blacklight
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2009 Product support | Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name. This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

New HJT log

DDS (Ver_09-05-14.01) - NTFSx86
Run by Helena at 1:36:30.98 on Sun 05/24/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.110 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Helena\Local Settings\Temporary Internet Files\Content.IE5\4FUNQXW7\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/?cid=toolbar_button&attr=comcast
uSearchMigratedDefaultURL =
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
mSearch Bar =
mSearchMigratedDefaultURL =
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = <local>;127.0.0.1;fws.municode.com;localhost
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [BackupNotify] "c:\program files\hp\digital imaging\bin\backupnotify.exe"
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISTray] "c:\spyware doctor\pctsTray.exe"
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\helena\startm~1\programs\startup\organize.lnk - c:\program files\hewlett-packard\hp organize\bin\displayAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2006-6-25 16855]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-12 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-12 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-5-12 144704]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2006-6-25 21808]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-5-12 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-12 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-12 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-12 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-12 33832]

=============== Created Last 30 ================

2009-05-23 22:07 <DIR> --d----- c:\program files\ESET
2009-05-20 21:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-20 20:00 <DIR> --d----- c:\docume~1\helena\applic~1\Malwarebytes
2009-05-20 20:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-20 20:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 20:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-20 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-20 19:13 130,048 a------- c:\windows\PEV.exe
2009-05-19 22:07 <DIR> --d----- c:\program files\trend micro
2009-05-19 21:39 161,792 a------- c:\windows\SWREG.exe
2009-05-19 21:39 98,816 a------- c:\windows\sed.exe
2009-05-19 20:08 42 a------- c:\windows\system32\AK083E209605E394C.lie
2009-05-15 16:14 <DIR> --d----- c:\docume~1\helena\applic~1\FrostWire
2009-05-01 21:13 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-01 20:24 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-01 20:24 <DIR> --d----- C:\Spyware Doctor
2009-05-01 20:24 <DIR> --d----- c:\docume~1\helena\applic~1\PC Tools
2009-05-01 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-01 19:38 <DIR> --d----- c:\program files\common files\PC Tools

==================== Find3M ====================

2009-05-23 21:02 4,002 a------- c:\windows\viassary-hp.reg
2009-05-20 21:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-04 00:06 178,870 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-04-26 16:27 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2008-09-03 20:57 61,224 a------- c:\documents and settings\helena\GoToAssistDownloadHelper.exe

============= FINISH: 1:37:57.65 ===============


That's all I have for now...Thank You


Edited by sippingt3, 24 May 2009 - 01:34 AM.
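The ESET, F-Secure and Malwarebytes reports above flag objects in two very different places: live paths such as C:\WINDOWS\system32\NetworkService32, and copies inside System Volume Information\_restore{GUID}\RPnnn, which are System Restore snapshots that do nothing unless that restore point is applied. The script below is an added example, not part of this thread or of any scanner vendor's tooling; it parses the three report formats pasted above and separates restore-point copies from live detections so the reader can see at a glance which ones still need work. The sample lines are copied from the reports above or constructed in the same shape, and the bucket names and recommendation wording are this example's own.

```python
r"""Triage anti-malware report lines by where each flagged object lives.

Added example (not from the thread or any vendor). Parses Malwarebytes,
ESET Online Scanner and F-Secure Online Scanner report lines and splits
detections into restore-point copies (System Volume Information, RPnnn),
F-Secure's "System" placeholder objects, and live paths.
"""
import re
from dataclasses import dataclass

# Restore-point copies: <drive>:\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)
# Malwarebytes: "<file or registry path> (<family>) -> <action>."
MBAM_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:\\|HKEY_)\S.*?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# ESET: "<path> [a variant of ]<Platform/Family> <action>"; the threat name has a slash, the path never does
ESET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<name>(?:a variant of )?[A-Za-z0-9_]+/\S+) (?P<action>.+)$")
# F-Secure: two lines, "<name> (<kind>)" followed by "<path or System> (<Action>)"
FSECURE_NAME_RE = re.compile(r"^(?P<name>\S+) \((?P<kind>spyware|virus|trojan|worm|riskware|adware|backdoor)\)$")
FSECURE_TARGET_RE = re.compile(r"^(?P<path>\S.*?) \((?P<action>[A-Z][^()]*)\)$")


@dataclass(frozen=True)
class Detection:
    scanner: str
    name: str
    path: str
    action: str


def parse_mbam(text):
    return [Detection("mbam", m["name"], m["path"], m["action"])
            for m in map(MBAM_RE.match, map(str.strip, text.splitlines())) if m]


def parse_eset(text):
    return [Detection("eset", m["name"], m["path"], m["action"])
            for m in map(ESET_RE.match, map(str.strip, text.splitlines())) if m]


def parse_fsecure(text):
    lines = [l.strip() for l in text.splitlines()]
    out = []
    for head, tail in zip(lines, lines[1:]):       # name line followed by its target line
        h, t = FSECURE_NAME_RE.match(head), FSECURE_TARGET_RE.match(tail)
        if h and t:
            out.append(Detection("f-secure", h["name"], t["path"], t["action"]))
    return out


def classify(det):
    """Return (bucket, restore point number or None)."""
    m = RESTORE_POINT_RE.match(det.path)
    if m:
        return "restore_point", int(m["rp"])
    if det.path.lower() == "system":               # F-Secure's placeholder for cookies / in-memory items
        return "system_object", None
    return "live", None


def is_unresolved(det):
    a = det.action.lower()
    return a.startswith("not cleaned") or "unable" in a or a.startswith("error")


def triage(detections):
    report = {"restore_point": [], "system_object": [], "live": []}
    for d in detections:
        bucket, rp = classify(d)
        report[bucket].append((d, rp))
    return report


def restore_points_hit(detections):
    return sorted({classify(d)[1] for d in detections if classify(d)[0] == "restore_point"})


def recommendations(report):
    notes = []
    rps = sorted({rp for _, rp in report["restore_point"]})
    if rps:
        notes.append(f"{len(report['restore_point'])} detection(s) are restore-point copies (RP {', '.join(map(str, rps))}): "
                     "inert until that point is restored; purge old restore points rather than treating them as active.")
    pending = [d for d, _ in report["live"] if is_unresolved(d)]
    if pending:
        notes.append(f"{len(pending)} live detection(s) were not cleaned and need follow-up: " + "; ".join(d.path for d in pending))
    return notes


# Sample report fragments: lines copied from the thread's reports or constructed in the same shape.
MBAM_SAMPLE = r"""
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\117.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
"""
ESET_SAMPLE = r"""
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP730\A0177843.cpl Win32/Adware.SpyProtector.L application cleaned by deleting - quarantined
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP746\A0190417.dll a variant of Win32/Adware.BHO.V application cleaned by deleting - quarantined
"""
FSECURE_SAMPLE = r"""
6 malware found
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
Vundo.gen99 (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP740\A0188555.DLL (Not cleaned & Submitted)
"""


def sample_detections():
    return parse_mbam(MBAM_SAMPLE) + parse_eset(ESET_SAMPLE) + parse_fsecure(FSECURE_SAMPLE)


if __name__ == "__main__":
    rep = triage(sample_detections())
    for bucket, items in rep.items():
        print(bucket, [d.path for d, _ in items])
    print("\n".join(recommendations(rep)))
```

Run it on the full pasted reports and every System Volume Information hit collapses into one note about restore points; anything left in the live bucket with a "Not cleaned" action is what actually warrants a follow-up scan.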


#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:02:54 AM

Posted 24 May 2009 - 06:18 AM

Hi sippingt3,


got stuck at (step 8) again

The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the desktop. Since we have the F-Secure log instead, you may ignore this. :)

The 1 infected file found by the F-Secure scan was removed by being Submitted, and it was located in SYSTEM VOLUME INFORMATION. That does no harm to your system and can be terminated by flushing System Restore, which will be addressed by uninstalling Combofix in the following.

Other than that, your logs look good. Now, you are all clean. :thumbup2: If you have no remaining issues on your pc, let's do some tidy up.


Step1

Click START then RUN
Now copy/paste Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step2
  • Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Remember to delete tools and all the logs we have used.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Make your Internet Explorer more secure
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Install a-squared Free - a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. If you have a dial-up internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium-rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!
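The Internet Explorer hardening steps above are clicked through the Custom Level dialog, which makes them hard to verify or to repeat on another machine. The script below is an added example, not part of this thread; it audits the same six settings by reading the registry values IE stores them in for the Internet zone (zone 3 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, with 0 = Enable, 1 = Prompt, 3 = Disable, per Microsoft's documented zone settings) and prints reg.exe commands for whatever is still wrong. The reg query dump it parses here is constructed for illustration; on the real machine you would paste in the output of the `reg query` command shown in the docstring. One caveat the example assumes away: if the Security_HKLM_only policy is set, the per-machine key under HKLM overrides these per-user values.

```python
r"""Audit Internet Explorer's Internet-zone (zone 3) ActiveX and IFRAME settings.

Added example, not from the thread. Checks the six Custom Level settings
recommended above against the REG_DWORD values IE stores under the zone key.
Feed it the output of:
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
Value names follow Microsoft's documented zone settings; the sample dump is constructed.
"""
import re

ZONE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (UI label, required level): the six settings from the post above
REQUIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# "    1004    REG_DWORD    0x1" (reg.exe prints DWORDs as hex)
REG_LINE_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_DWORD\s+(?P<value>0x[0-9A-Fa-f]+|\d+)\s*$")


def parse_reg_query(output):
    """Return {value_name: int} for the REG_DWORD lines of a `reg query` dump."""
    settings = {}
    for line in output.splitlines():
        m = REG_LINE_RE.match(line)
        if m:
            settings[m["name"]] = int(m["value"], 0)   # base 0 accepts both 0x.. and decimal
    return settings


def audit(output):
    """Return (name, label, current, required) for each setting that is not as recommended.

    current is None when the value is not stored per-user; IE then applies
    the zone template default, so treat it as unverified rather than compliant.
    """
    settings = parse_reg_query(output)
    findings = []
    for name, (label, required) in REQUIRED.items():
        current = settings.get(name)
        if current != required:
            findings.append((name, label, current, required))
    return findings


def remediation_commands(findings):
    """reg.exe commands that set each failing value explicitly (run from an admin cmd prompt)."""
    return [f'reg add "{ZONE_KEY}" /v {name} /t REG_DWORD /d {required} /f'
            for name, _label, _current, required in findings]


def describe(findings):
    lines = []
    for name, label, current, required in findings:
        cur = LEVEL_NAME.get(current, "not set" if current is None else str(current))
        lines.append(f"{name} {label}: is {cur}, should be {LEVEL_NAME[required]}")
    return lines


# Constructed sample dump: unsigned ActiveX download still at Prompt, IFRAME
# launch still Enabled, and 1607 not stored per-user at all.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    DisplayName    REG_SZ    Internet
    CurrentLevel    REG_DWORD    0x11000
    1001    REG_DWORD    0x1
    1004    REG_DWORD    0x1
    1201    REG_DWORD    0x3
    1800    REG_DWORD    0x1
    1804    REG_DWORD    0x0
"""

if __name__ == "__main__":
    found = audit(SAMPLE_REG_QUERY)
    print("\n".join(describe(found)) or "all six settings are as recommended")
    print("\n".join(remediation_commands(found)))
```

After applying the generated `reg add` lines, re-run `reg query` and feed the new dump back through `audit`; an empty result means the dialog and the registry agree. Changing these values while IE is open is fine, but a running instance only picks them up for new navigations.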

#13 sippingt3

sippingt3
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Boston, MA
  • Local time:03:54 AM

Posted 26 May 2009 - 05:09 PM

Hi Sundavis,

Thanks so much for your grand assistance. I will perform the steps in your last reply and HOPEFULLY send you my last post, so that you can move on to assisting others.

Thanks again...I should have a post ready by tomorrow (Wed 5/27)

sippingt3

#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:02:54 AM

Posted 26 May 2009 - 07:39 PM

:thumbup2:

#15 sippingt3

sippingt3
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Boston, MA
  • Local time:03:54 AM

Posted 28 May 2009 - 01:07 AM

Hello Sundavis,

Started my homework late; nonetheless, here's the latest.

I'm a bit concerned that in the process of doing your tidying up steps I might have infected my computer again. Let me explain.

1. Per the steps you indicated, I uninstalled ComboFix successfully.
2. I also deleted Malwarebytes. Not sure if it was successfully deleted.

3.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check


As part of being a Comcast high-speed internet customer, McAfee Antivirus protection is part of this package and is installed on my system; it updates automatically, and I have the full scan function preset for periodic scans. Do I need more protection than this?

I performed the Secunia Software Inspector scan and it listed a few software programs on my computer that need to be updated.
  • Adobe
  • Itunes
  • Adobe Flash Player
I followed the links that Secunia provided for each of the above and updated the software with the latest versions. With each of these changes came license agreements and notifications from McAfee that the registry was being changed. This is where my concern comes in, with new adware/malware being downloaded from these updates. Not sure, but I think so. On my computer I had Adobe version 7.0. I followed the link provided and downloaded the updated exe setup file, but for some reason the exe file could not locate the 7.0 version, so I deleted the exe setup file, deleted Adobe 7.0 and downloaded Adobe 9.0, which I think might be the new culprit behind the malware.

4.

Make your Internet Explorer more secure

- I completed this step successfully

5. I installed Spyware Blaster successfully and set it up according to the instructions in the guidelines.
6.

Install a-squared Free

- I installed this successfully and performed a "Deep Scan", which found over 145 items of infected files/cookies. This was quite puzzling. I've listed the log below.

7. Today (Wed 5/27) when I turned on the computer I received an "old" returning message, something like "virtumond memory is low and windows was creating memory space." This is not the exact wording, but something like it. This message pops up on the bottom right side of the start-up toolbar.

I seriously hope I have not undone all of our hard work. I've listed the a-squared log below and also a new HJT log. Should I run a McAfee scan as well? I haven't run one since we started our sessions.
Thanks once again... and my apologies if I goofed up. :thumbup2:

a-squared log
a-squared Free - Version 4.5
Last update: 5/26/2009 11:38:32 PM

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 5/26/2009 11:39:29 PM

c:\program files\imesh applications\imesh detected: Trace.Directory.iMesh!A2
c:\documents and settings\helena\application data\weatherbug detected: Trace.Directory.WeatherBug!A2
c:\program files\aws\weatherbug detected: Trace.Directory.WeatherBug!A2
c:\program files\freshgames detected: Trace.Directory.Cubis Gold 2!A2
c:\windows\button0.gif detected: Trace.File.iePlugin!A2
c:\windows\button1.gif detected: Trace.File.iePlugin!A2
c:\windows\button2.gif detected: Trace.File.iePlugin!A2
c:\windows\button3.gif detected: Trace.File.iePlugin!A2
c:\program files\imesh applications\imesh\install.log detected: Trace.File.iMesh!A2
c:\documents and settings\helena\application data\weatherbug\topnav_generic2005_121505.jpg detected: Trace.File.WeatherBug!A2
c:\program files\aws\weatherbug\remove.exe detected: Trace.File.WeatherBug!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Warning --> TVNetwork detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Warning --> WarningInterval detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> AllDownloaded detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> File0Done detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileFlag0 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileLoc0 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileSize0 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileToRun detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileUrl0 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> RunMode detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> TotalBytes detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> TotalFileNum detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Reg --> GetDataURL detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Reg --> GetFileInfoURL detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Reg --> RegNum detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Setup --> BugStartup detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Setup --> DownloadID detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Setup --> ZCode detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> AdDormantFreshInterval detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> AdFreshInterval detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> AffiliateClick detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> AffiliateLogo detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ArrowB detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ArrowG detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ArrowR detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionB detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionG detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionR detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionShadowB detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionShadowDepth detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionShadowG detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionShadowR detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataB detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataG detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataR detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataShadownB detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataShadownDepth detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataShadownG detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataShadownR detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DesignInterval detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> FillerB detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> FillerG detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> FillerR detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> LA detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> LastPopupID detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> PMClicks detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> TdInterval detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> TimeToDormant detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Forecast --> Interval detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName0 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName1 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName2 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName3 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName4 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL0 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL1 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL2 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL3 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL4 detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CustomLinkNum detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Options --> CheckInstance detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Options --> path detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Setup --> x detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Setup --> y detected: Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Setup --> ZIPCode detected: Trace.Registry.WeatherBug!A2
C:\Documents and Settings\Helena\Cookies\helena@247realmedia[1].txt detected: Trace.TrackingCookie.247realmedia!A2
C:\Documents and Settings\Helena\Cookies\helena@adserver.adtechus[1].txt detected: Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Helena\Cookies\helena@advertising[2].txt detected: Trace.TrackingCookie.advertising!A2
C:\Documents and Settings\Helena\Cookies\helena@atdmt[1].txt detected: Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\Helena\Cookies\helena@bs.serving-sys[2].txt detected: Trace.TrackingCookie.bs.serving-sys!A2
C:\Documents and Settings\Helena\Cookies\helena@comcast[1].txt detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Helena\Cookies\helena@com[1].txt detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Helena\Cookies\helena@data.coremetrics[1].txt detected: Trace.TrackingCookie.data.coremetrics!A2
C:\Documents and Settings\Helena\Cookies\helena@doubleclick[2].txt detected: Trace.TrackingCookie.doubleclick!A2
C:\Documents and Settings\Helena\Cookies\helena@fastclick[2].txt detected: Trace.TrackingCookie.fastclick!A2
C:\Documents and Settings\Helena\Cookies\helena@hitbox[2].txt detected: Trace.TrackingCookie.hitbox!A2
C:\Documents and Settings\Helena\Cookies\helena@media.adrevolver[1].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Helena\Cookies\helena@media6degrees[2].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Helena\Cookies\helena@mediaplex[1].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Helena\Cookies\helena@phg.hitbox[1].txt detected: Trace.TrackingCookie.phg.hitbox!A2
C:\Documents and Settings\Helena\Cookies\helena@questionmarket[2].txt detected: Trace.TrackingCookie.questionmarket!A2
C:\Documents and Settings\Helena\Cookies\helena@realmedia[1].txt detected: Trace.TrackingCookie.realmedia!A2
C:\Documents and Settings\Helena\Cookies\helena@serving-sys[1].txt detected: Trace.TrackingCookie.serving-sys!A2
C:\Documents and Settings\Helena\Cookies\helena@specificclick[2].txt detected: Trace.TrackingCookie.specificclick!A2
C:\Documents and Settings\Helena\Cookies\helena@trafficmp[1].txt detected: Trace.TrackingCookie.trafficmp!A2
C:\Documents and Settings\Helena\Cookies\helena@tribalfusion[1].txt detected: Trace.TrackingCookie.tribalfusion!A2
C:\Documents and Settings\Helena\Cookies\helena@www.comcast[2].txt detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\Helena\Cookies\helena@zedo[2].txt detected: Trace.TrackingCookie.zedo!A2
C:\Documents and Settings\Helena\My Documents\LimeWire\Saved\drake josh theme song.mp3 detected: Trojan-Downloader.ASX.Wimad!IK
C:\Documents and Settings\Helena\My Documents\LimeWire\Saved\neff u sobelieve.zip/setup.exe detected: AdWare.Vundo!IK
C:\Documents and Settings\Helena\My Documents\LimeWire\Saved\Nightwish - Burning Flames.MP3 detected: Trojan.Wimad!IK
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TISYVLXG\enter[1].htm detected: Trojan-Downloader.JS.IstBar.AI!IK
C:\Documents and Settings\Owner\My Documents\E-mail documents\Install_AIM.exe detected: AdWare.Win32.VirtualBouncer!IK
C:\Documents and Settings\Owner\My Documents\E-mail documents\ZangoInstaller.exe/ClientAX.dll detected: Riskware.AdWare.Win32.180Solutions.b!IK
C:\hp\recovery\wizard\SWR_Wizard.exe detected: Win32.SuspectCrc!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt1.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt10.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt11.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt12.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt13.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt14.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt15.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt16.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt17.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt18.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt19.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt20.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt21.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt22.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt23.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt24.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt25.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt26.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt27.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt28.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt29.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt3.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt30.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt4.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt5.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt6.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt7.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt8.htm detected: Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt9.htm detected: Worm.Win32.Fujack.az!IK
C:\WINDOWS\wt\webdriver\wthost.exe detected: Virus.Win32.Spyware!IK
C:\WINDOWS\wt\webdriver\wthostctl.dll detected: Spy.WildTangent!IK
C:\WINDOWS\wt\webdriver\wtmulti.dll detected: Riskware.AdWare.WildTangent!IK
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wthost.exe detected: Virus.Win32.Spyware!IK
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wthostctl.dll detected: Spy.WildTangent!IK
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtmulti.dll detected: Riskware.AdWare.WildTangent!IK

Scanned

Files: 227709
Traces: 697481
Cookies: 167
Processes: 44

Found

Files: 42
Traces: 80
Cookies: 25
Processes: 0
Registry keys: 0

Scan end: 5/27/2009 1:28:16 AM
Scan time: 1:48:47

C:\WINDOWS\wt\webdriver\wthostctl.dll Deleted Spy.WildTangent!IK
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wthostctl.dll Deleted Spy.WildTangent!IK
C:\WINDOWS\wt\webdriver\wthost.exe Deleted Virus.Win32.Spyware!IK
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wthost.exe Deleted Virus.Win32.Spyware!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt1.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt10.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt11.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt12.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt13.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt14.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt15.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt16.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt17.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt18.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt19.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt20.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt21.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt22.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt23.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt24.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt25.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt26.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt27.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt28.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt29.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt3.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt30.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt4.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt5.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt6.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt7.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt8.htm Deleted Worm.Win32.Fujack.az!IK
C:\Program Files\NewSoft\Presto! VideoWorks 6\Help\whgdata\whlstt9.htm Deleted Worm.Win32.Fujack.az!IK
C:\hp\recovery\wizard\SWR_Wizard.exe Deleted Win32.SuspectCrc!IK
C:\Documents and Settings\Owner\My Documents\E-mail documents\Install_AIM.exe Deleted AdWare.Win32.VirtualBouncer!IK
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TISYVLXG\enter[1].htm Deleted Trojan-Downloader.JS.IstBar.AI!IK
C:\Documents and Settings\Helena\My Documents\LimeWire\Saved\Nightwish - Burning Flames.MP3 Deleted Trojan.Wimad!IK
C:\Documents and Settings\Helena\My Documents\LimeWire\Saved\neff u sobelieve.zip/setup.exe Deleted AdWare.Vundo!IK
C:\Documents and Settings\Helena\My Documents\LimeWire\Saved\drake josh theme song.mp3 Deleted Trojan-Downloader.ASX.Wimad!IK
C:\WINDOWS\wt\webdriver\wtmulti.dll Deleted Riskware.AdWare.WildTangent!IK
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtmulti.dll Deleted Riskware.AdWare.WildTangent!IK
C:\Documents and Settings\Owner\My Documents\E-mail documents\ZangoInstaller.exe/ClientAX.dll Deleted Riskware.AdWare.Win32.180Solutions.b!IK
C:\Documents and Settings\Helena\Cookies\helena@zedo[2].txt Deleted Trace.TrackingCookie.zedo!A2
C:\Documents and Settings\Helena\Cookies\helena@www.comcast[2].txt Deleted Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\Helena\Cookies\helena@tribalfusion[1].txt Deleted Trace.TrackingCookie.tribalfusion!A2
C:\Documents and Settings\Helena\Cookies\helena@trafficmp[1].txt Deleted Trace.TrackingCookie.trafficmp!A2
C:\Documents and Settings\Helena\Cookies\helena@specificclick[2].txt Deleted Trace.TrackingCookie.specificclick!A2
C:\Documents and Settings\Helena\Cookies\helena@serving-sys[1].txt Deleted Trace.TrackingCookie.serving-sys!A2
C:\Documents and Settings\Helena\Cookies\helena@realmedia[1].txt Deleted Trace.TrackingCookie.realmedia!A2
C:\Documents and Settings\Helena\Cookies\helena@questionmarket[2].txt Deleted Trace.TrackingCookie.questionmarket!A2
C:\Documents and Settings\Helena\Cookies\helena@phg.hitbox[1].txt Deleted Trace.TrackingCookie.phg.hitbox!A2
C:\Documents and Settings\Helena\Cookies\helena@media.adrevolver[1].txt Deleted Trace.TrackingCookie.media!A2
C:\Documents and Settings\Helena\Cookies\helena@media6degrees[2].txt Deleted Trace.TrackingCookie.media!A2
C:\Documents and Settings\Helena\Cookies\helena@mediaplex[1].txt Deleted Trace.TrackingCookie.media!A2
C:\Documents and Settings\Helena\Cookies\helena@hitbox[2].txt Deleted Trace.TrackingCookie.hitbox!A2
C:\Documents and Settings\Helena\Cookies\helena@fastclick[2].txt Deleted Trace.TrackingCookie.fastclick!A2
C:\Documents and Settings\Helena\Cookies\helena@doubleclick[2].txt Deleted Trace.TrackingCookie.doubleclick!A2
C:\Documents and Settings\Helena\Cookies\helena@data.coremetrics[1].txt Deleted Trace.TrackingCookie.data.coremetrics!A2
C:\Documents and Settings\Helena\Cookies\helena@comcast[1].txt Deleted Trace.TrackingCookie.com!A2
C:\Documents and Settings\Helena\Cookies\helena@com[1].txt Deleted Trace.TrackingCookie.com!A2
C:\Documents and Settings\Helena\Cookies\helena@bs.serving-sys[2].txt Deleted Trace.TrackingCookie.bs.serving-sys!A2
C:\Documents and Settings\Helena\Cookies\helena@atdmt[1].txt Deleted Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\Helena\Cookies\helena@advertising[2].txt Deleted Trace.TrackingCookie.advertising!A2
C:\Documents and Settings\Helena\Cookies\helena@adserver.adtechus[1].txt Deleted Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Helena\Cookies\helena@247realmedia[1].txt Deleted Trace.TrackingCookie.247realmedia!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Warning --> TVNetwork Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Warning --> WarningInterval Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> AllDownloaded Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> File0Done Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileFlag0 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileLoc0 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileSize0 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileToRun Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> FileUrl0 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> RunMode Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> TotalBytes Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\DownLoad --> TotalFileNum Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Reg --> GetDataURL Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Reg --> GetFileInfoURL Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Reg --> RegNum Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Setup --> BugStartup Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Setup --> DownloadID Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\MINIBUG\Setup --> ZCode Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> AdDormantFreshInterval Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> AdFreshInterval Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> AffiliateClick Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> AffiliateLogo Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ArrowB Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ArrowG Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ArrowR Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionB Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionG Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionR Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionShadowB Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionShadowDepth Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionShadowG Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> ConditionShadowR Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataB Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataG Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataR Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataShadownB Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataShadownDepth Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataShadownG Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DataShadownR Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> DesignInterval Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> FillerB Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> FillerG Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> FillerR Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> LA Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> LastPopupID Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> PMClicks Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> TdInterval Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Design --> TimeToDormant Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Forecast --> Interval Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName0 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName1 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName2 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName3 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkName4 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL0 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL1 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL2 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL3 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CLinkURL4 Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Links --> CustomLinkNum Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Options --> CheckInstance Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Options --> path Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Setup --> x Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Setup --> y Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\AWS\Weather\Setup --> ZIPCode Deleted Trace.Registry.WeatherBug!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewpoint Manager Deleted Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\Viewpoint\Content Debugger --> Viewpoint Manager Deleted Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewpoint Manager Deleted Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-4075770808-2995516413-367360236-1007\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer Deleted Trace.Registry.Viewpoint Media Toolbar!A2
c:\documents and settings\helena\application data\weatherbug\topnav_generic2005_121505.jpg Deleted Trace.File.WeatherBug!A2
c:\program files\aws\weatherbug\remove.exe Deleted Trace.File.WeatherBug!A2
c:\program files\imesh applications\imesh\install.log Deleted Trace.File.iMesh!A2
c:\windows\button0.gif Deleted Trace.File.iePlugin!A2
c:\windows\button1.gif Deleted Trace.File.iePlugin!A2
c:\windows\button2.gif Deleted Trace.File.iePlugin!A2
c:\windows\button3.gif Deleted Trace.File.iePlugin!A2
c:\program files\freshgames Deleted Trace.Directory.Cubis Gold 2!A2
c:\documents and settings\helena\application data\weatherbug Deleted Trace.Directory.WeatherBug!A2
c:\program files\aws\weatherbug Deleted Trace.Directory.WeatherBug!A2
c:\program files\imesh applications\imesh Deleted Trace.Directory.iMesh!A2

Deleted

Files: 42
Traces: 80
Cookies: 23


HJT DDS log

DDS (Ver_09-05-14.01) - NTFSx86
Run by Helena at 1:24:56.46 on Thu 05/28/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.106 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Helena\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/?cid=toolbar_button&attr=comcast
uSearchMigratedDefaultURL =
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
mSearch Bar =
mSearchMigratedDefaultURL =
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = <local>;127.0.0.1;fws.municode.com;localhost;*.local
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [BackupNotify] "c:\program files\hp\digital imaging\bin\backupnotify.exe"
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISTray] "c:\spyware doctor\pctsTray.exe"
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\helena\startm~1\programs\startup\organize.lnk - c:\program files\hewlett-packard\hp organize\bin\displayAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2006-6-25 16855]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-12 201320]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-5-26 717320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-12 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-5-12 144704]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2006-6-25 21808]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-5-12 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-12 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-12 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-12 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-12 33832]

=============== Created Last 30 ================

2009-05-26 23:35 <DIR> --d----- c:\program files\a-squared Free
2009-05-26 23:07 <DIR> --d----- c:\docume~1\helena\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-26 22:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-26 22:00 <DIR> --d----- c:\program files\Bonjour
2009-05-26 20:11 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-23 22:07 <DIR> --d----- c:\program files\ESET
2009-05-20 21:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-20 20:00 <DIR> --d----- c:\docume~1\helena\applic~1\Malwarebytes
2009-05-20 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-19 22:07 <DIR> --d----- c:\program files\trend micro
2009-05-19 20:08 42 a------- c:\windows\system32\AK083E209605E394C.lie
2009-05-15 16:14 <DIR> --d----- c:\docume~1\helena\applic~1\FrostWire
2009-05-01 21:13 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-01 20:24 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-01 20:24 <DIR> --d----- C:\Spyware Doctor
2009-05-01 20:24 <DIR> --d----- c:\docume~1\helena\applic~1\PC Tools
2009-05-01 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-01 19:38 <DIR> --d----- c:\program files\common files\PC Tools

==================== Find3M ====================

2009-05-28 01:07 4,002 a------- c:\windows\viassary-hp.reg
2009-05-20 21:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-04 00:06 178,870 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-04-26 16:27 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2008-09-03 20:57 61,224 a------- c:\documents and settings\helena\GoToAssistDownloadHelper.exe

============= FINISH: 1:26:01.37 ===============

Edited by sippingt3, 28 May 2009 - 01:15 AM.
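Added example, not part of sippingt3's post or of the DDS tool: a small triage pass a responder might run over a DDS-style log before reading it line by line. It pulls out four things a reviewer of the log above would want confirmed: a `ProxyServer` entry pointing at loopback (here `http=127.0.0.1:9022`; local filtering products install such proxies legitimately, so this is a prompt to match the port to an installed program, not a verdict), autostart entries whose executable is a bare file name rather than a full path (`ALCXMNTR.EXE`, `Narrator.exe`), files with the hidden attribute, and files created under `c:\windows` whose name looks generated or whose extension is unexpected (`AK083E209605E394C.lie`). The category names, the `RANDOM_STEM` and `EXPECTED_EXT` heuristics and the sample input are this example's own; the sample is built from lines copied out of the log above so the script runs offline.

```python
import re

# Added example, not from the original post. SAMPLE_LOG is constructed from
# lines of the DDS log in the thread so the heuristics below can be exercised
# offline; it is test input, not a new log.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = <local>;127.0.0.1;fws.municode.com;localhost;*.local
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
dRunOnce: [RunNarrator] Narrator.exe

=============== Created Last 30 ================

2009-05-26 23:35 <DIR> --d----- c:\program files\a-squared Free
2009-05-20 21:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-19 20:08 42 a------- c:\windows\system32\AK083E209605E394C.lie
2009-05-01 21:13 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys

==================== Find3M ====================

2009-04-26 16:27 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
"""

# DDS prefixes pseudo-HJT lines by hive: u = current user, m = machine,
# d = default user.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
PROXY_RE = re.compile(r"^(?P<hive>[umd])Internet Settings,ProxyServer = (?P<val>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+))\s+"
    r"(?P<attr>[a-z-]{8})\s+"
    r"(?P<path>.+)$"
)
# Long alphanumeric stem with at least one digit: the shape of a generated
# file name rather than a product's. Heuristic chosen for this example.
RANDOM_STEM = re.compile(r"^(?=.*\d)[a-z0-9]{12,}$")
# Extensions one expects to see created under c:\windows; anything else in
# that tree gets flagged. Example list, not an authoritative one.
EXPECTED_EXT = {"dll", "exe", "sys", "cpl", "ocx", "drv", "ax", "dat",
                "ini", "log", "txt", "scr", "reg", "gif", "jpg", "bmp"}


def first_token(cmd):
    """Return the executable part of an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_loopback(hostport):
    """True for host:port values that point back at this machine."""
    host = hostport.rsplit(":", 1)[0].strip().lower()
    return host == "localhost" or host.startswith("127.")


def triage(log_text):
    """Return (category, context, detail) tuples for lines worth checking."""
    findings = []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = PROXY_RE.match(line)
        if m:
            # Value is "host:port" or "proto=host:port;proto=host:port".
            for entry in m.group("val").split(";"):
                if is_loopback(entry.split("=", 1)[-1]):
                    findings.append(("loopback-proxy", HIVE[m.group("hive")], entry))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            # A bare file name is resolved through the loader's search path
            # at logon instead of being pinned to one location on disk.
            if "\\" not in exe and not exe.startswith("%"):
                findings.append(("unqualified-autostart", m.group("name"), exe))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path").lower()
            attr = m.group("attr")
            # The attribute column in this log shows "h" for hidden.
            if "h" in attr:
                findings.append(("hidden-file", section, path))
            if m.group("dir"):
                continue  # name heuristics below are for files only
            name = path.rsplit("\\", 1)[-1]
            stem, sep, ext = name.rpartition(".")
            if not sep:
                stem, ext = name, ""
            if path.startswith("c:\\windows\\") and (
                    RANDOM_STEM.match(stem) or ext not in EXPECTED_EXT):
                findings.append(("odd-windows-file", section, path))
    return findings


if __name__ == "__main__":
    for category, context, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {context!s:18} {detail}")
```

Run against the sample it reports five lines: the loopback proxy in the HKCU hive, the two bare-name Run entries, the generated-looking `.lie` file in system32, and the hidden `PKP_DLdu.DAT`. Each is a question to answer against the machine (which program owns port 9022, where `ALCXMNTR.EXE` actually resolves, who wrote the `.lie` file), not a detection in itself.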