
Infected by something, but don't know what.


  • This topic is locked
12 replies to this topic

#1 mattdh666

mattdh666

  • Members
  • 6 posts

Posted 19 May 2009 - 10:59 AM

Hi, my computer is definitely infected by something. I cannot update my McAfee DAT files. When I try, I get a message saying, "An error occurred while updating. Please reinstall these programs: McAfee VirusScan Plus".

I also cannot go to www.mcafee.com using any browser (FireFox, Chrome, IE). I get a message saying, "The specified method is not supported."

I'm also not able to run certain programs, like regedit.exe. For example, when I try to run regedit from the Run dialog, it never appears. If I use Explorer and navigate to C:\Windows and try to run regedit.exe, not only does regedit not open, but the Explorer window also disappears.

I also tried to run a copy of Ad-Aware I have on my PC, but I wasn't able to update the Ad-Aware definitions. Got a message "Error retrieving update."

I've been following your instructions on how to post to this forum, but I'm not able to run the DDS script either. DDS starts up just like in your instructions, but it never finishes. I've waited for more than 15 minutes. Maybe the virus is blocking DDS, too?

I was able to run HijackThis. I have attached that log file.

Can you please help?

thanks,
matt

Edited by mattdh666, 19 May 2009 - 11:15 AM.



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 May 2009 - 01:19 PM

Hi mattdh666,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please download OTListIt2 by OldTimer.
  • Save it to your desktop.
  • Double click on the OTListIt2 icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Type or copy and paste in the Custom Scans/Fixes section: drivers32
  • Click Run Scan button.
  • Two reports will open, copy and paste them to your reply:
  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


#3 mattdh666

mattdh666
  • Topic Starter

  • Members
  • 6 posts

Posted 19 May 2009 - 01:36 PM

Hi farbar,

Thanks for the quick reply. I ran the scan. The results are below.

cheers,
matt


OTListIt logfile created on: 5/19/2009 11:32:03 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Matt\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.17 Mb Total Physical Memory | 381.60 Mb Available Physical Memory | 37.30% Memory free
2.40 Gb Paging File | 1.67 Gb Available in Paging File | 69.27% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 182.81 Gb Free Space | 78.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 111.81 Gb Total Space | 82.81 Gb Free Space | 74.06% Space Free | Partition Type: NTFS

Computer Name: MATT-DD28991DDD
Current User Name: Matt
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [1999/12/12 18:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTsvcCDA.exe
PRC - [2002/09/03 15:46:36 | 01,282,112 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Kaiser\VPN Client\cvpnd.exe
PRC - [2002/07/01 07:36:04 | 00,057,344 | R--- | M] (Fiberlink Communications Corporation) -- C:\Program Files\1208_Fiberlink\Fgrd.exe
PRC - [2008/12/05 09:31:54 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\mcafee\mna\mcnasvc.exe
PRC - [2005/04/25 23:16:14 | 14,370,816 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2005/04/11 10:10:22 | 00,065,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCMTR.EXE
PRC - [2005/12/04 17:38:57 | 00,437,008 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2005/12/04 17:39:19 | 00,461,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2005/01/12 03:01:32 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2008/12/05 09:31:54 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/11/04 12:09:58 | 00,615,696 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2009/04/02 16:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/09/02 12:40:10 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
PRC - [2007/08/30 10:50:42 | 00,205,480 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2002/04/29 13:33:44 | 00,040,960 | ---- | M] (Plantronics) -- C:\Program Files\PerSono\perstray.exe
PRC - [2003/03/19 19:08:14 | 00,299,008 | ---- | M] (Palm, Inc.) -- C:\Program Files\Palm\HOTSYNC.EXE
PRC - [2003/09/17 16:03:45 | 03,424,256 | ---- | M] (Skyscape, Inc.) -- C:\Program Files\Common Files\Skyscape\smARTupdate.exe
PRC - [2008/03/18 17:31:20 | 04,742,184 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
PRC - [2009/01/09 08:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2001/06/21 15:54:22 | 00,270,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PRC - [2007/02/10 06:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2005/10/10 21:49:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/03/18 17:31:20 | 04,742,184 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
PRC - [2008/03/18 17:31:20 | 04,742,184 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
PRC - [2008/03/18 17:31:20 | 04,742,184 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
PRC - [2008/03/18 17:31:20 | 04,742,184 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
PRC - [2008/04/24 13:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2009/01/07 18:21:00 | 00,026,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spupdsvc.exe
PRC - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/04/13 17:12:32 | 00,050,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\reg.exe
PRC - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/05/07 11:33:21 | 00,766,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/05/07 11:33:21 | 00,766,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/05/07 11:33:21 | 00,766,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/05/07 11:33:21 | 00,766,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2004/04/16 06:03:00 | 00,757,796 | ---- | M] (C. Ghisler & Co.) -- C:\totalcmd\TOTALCMD.EXE
PRC - [2009/05/07 11:33:21 | 00,766,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/20 09:52:00 | 01,568,768 | ---- | M] (Griffin Technology) -- C:\Program Files\Griffin Technology\radioSHARK\radioSHARK.exe
PRC - [2008/04/13 17:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\taskmgr.exe
PRC - [2009/05/07 11:33:21 | 00,766,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/05/19 11:31:15 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Matt\My Documents\Downloads\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [1999/12/12 18:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Auto | Running])
SRV - [2002/09/03 15:46:36 | 01,282,112 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Kaiser\VPN Client\cvpnd.exe -- (CVPND [Auto | Running])
SRV - [2002/07/01 07:36:04 | 00,057,344 | R--- | M] (Fiberlink Communications Corporation) -- C:\Program Files\1208_Fiberlink\Fgrd.exe -- (FGR Service [Auto | Running])
SRV - [2008/12/03 14:01:58 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2008/12/05 09:31:54 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc [Auto | Running])
SRV - [2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2009/01/09 08:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
SRV - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
SRV - [2001/06/21 15:54:22 | 00,270,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe -- (MDM [Auto | Running])
SRV - [2007/02/10 06:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS [Auto | Running])
SRV - [2005/10/14 03:50:19 | 00,045,272 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2008/07/29 14:10:46 | 03,201,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90 [Disabled | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2005/10/10 21:49:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/12/06 23:20:56 | 00,088,560 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9 [On_Demand | Stopped])
SRV - [2007/12/06 23:20:52 | 00,362,992 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9 [Auto | Stopped])
SRV - [2008/09/19 10:38:02 | 00,313,840 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9 [Auto | Stopped])
SRV - [2008/09/19 10:37:36 | 01,108,464 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
SRV - [2008/09/19 10:37:58 | 00,170,480 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Stopped])
SRV - [2008/04/24 13:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2 [Auto | Running])
SRV - [2009/01/07 18:21:00 | 00,026,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spupdsvc.exe -- (spupdsvc [Auto | Running])
SRV - [2007/02/10 06:29:47 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [On_Demand | Stopped])
SRV - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/08/14 08:57:42 | 00,074,720 | ---- | M] (Adobe Systems, Inc.) -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs [Auto | Running])
DRV - [2002/09/03 15:48:00 | 00,263,751 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\Drivers\CVPNDRV.sys -- (CVPNDRV [Auto | Running])
DRV - [2002/01/09 17:10:30 | 00,128,380 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINDOWS\system32\DRIVERS\dne2000.sys -- (DNE [On_Demand | Running])
DRV - [2001/05/08 19:11:24 | 00,015,872 | ---- | M] (HMSA) -- C:\WINDOWS\System32\Drivers\DPPSUSB.sys -- (DPPSUSB [Auto | Stopped])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2003/09/23 07:42:34 | 00,007,296 | ---- | M] (GARMIN Corp.) -- C:\WINDOWS\system32\drivers\grmnusb.sys -- (grmnusb [On_Demand | Stopped])
DRV - [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/04/25 01:34:52 | 02,937,344 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2005/04/25 05:30:19 | 00,025,424 | R--- | M] (Integrated Technology Express, Inc.) -- C:\WINDOWS\system32\DRIVERS\iteatapi.sys -- (iteatapi [Boot | Running])
DRV - [2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
DRV - [2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
DRV - [2008/10/23 13:08:54 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2004/08/12 19:56:20 | 00,005,810 | R--- | M] () -- C:\WINDOWS\system32\DRIVERS\ASACPI.sys -- (MTsensor [On_Demand | Running])
DRV - [2005/10/10 21:49:00 | 03,530,432 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2003/03/19 19:08:38 | 00,016,509 | ---- | M] (Palm, Inc.) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD [On_Demand | Stopped])
DRV - File not found -- -- (phooks [Unknown | Running])
DRV - [2005/12/01 16:57:56 | 00,021,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\point32.sys -- (Point32 [On_Demand | Running])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/05/01 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2008/05/20 19:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])
DRV - [2007/01/18 10:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) -- C:\WINDOWS\system32\DRIVERS\RimSerial.sys -- (RimVSerPort [On_Demand | Running])
DRV - [2004/08/04 05:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2001/11/13 16:11:44 | 00,020,296 | ---- | M] (Micronas GmbH) -- C:\WINDOWS\system32\DRIVERS\uacflt.sys -- (uacFlt [Auto | Running])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])
DRV - [2002/07/12 19:40:06 | 00,141,752 | ---- | M] (Zone Labs Inc.) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant [On_Demand | Stopped])
DRV - [2003/11/28 10:18:46 | 00,337,216 | ---- | M] (NETGEAR, Inc.) -- C:\WINDOWS\system32\DRIVERS\wg121nd5.sys -- (wg121 [On_Demand | Stopped])
DRV - [2005/02/01 08:20:00 | 00,229,888 | ---- | M] (Marvell) -- C:\WINDOWS\system32\DRIVERS\yk51x86.sys -- (yukonwxp [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-484763869-823518204-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-484763869-823518204-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-484763869-823518204-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-484763869-823518204-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-484763869-823518204-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKU\S-1-5-21-484763869-823518204-725345543-1004\S-1-5-21-484763869-823518204-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.3.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}:5.0.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}:0.14
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: yslow@yahoo-inc.com:2.0.0b3
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2008/11/04 17:17:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2008/12/05 09:31:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/05/02 17:33:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/02 17:33:31 | 00,000,000 | ---D | M]

[2008/06/09 10:47:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\mozilla\Extensions
[2008/06/09 10:47:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/18 15:18:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\mozilla\Firefox\Profiles\ho1x2gyf.default\extensions
[2007/10/21 07:31:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\mozilla\Firefox\Profiles\ho1x2gyf.default\extensions\{0cdfdd5e-eea6-45ff-b035-81243cf02efb}
[2008/06/11 17:03:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\mozilla\Firefox\Profiles\ho1x2gyf.default\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
[2009/02/23 23:10:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\mozilla\Firefox\Profiles\ho1x2gyf.default\extensions\firebug@software.joehewitt.com
[2009/05/05 22:37:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\mozilla\Firefox\Profiles\ho1x2gyf.default\extensions\yslow@yahoo-inc.com
[2006/07/15 17:08:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\mozilla\Sunbird\Profiles\vbs6k87d.default\extensions
[2009/05/18 15:18:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/05/02 17:33:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/11/21 22:16:50 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}
[2007/11/26 20:44:57 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/03/10 23:00:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/08/04 15:17:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/12/05 09:32:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/05/02 17:33:23 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/05/02 17:33:23 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/09/24 17:12:44 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/09/24 17:12:44 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/09/24 17:12:44 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/14 12:16:09 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/09/24 17:12:44 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/09/24 17:12:44 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/09/24 17:12:44 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (887 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (IE Developer Toolbar BHO) - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background (Research In Motion Limited)
O4 - HKLM..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2 (SupportSoft, Inc.)
O4 - HKLM..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" (Sonic Solutions)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-484763869-823518204-725345543-1004..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKU\S-1-5-21-484763869-823518204-725345543-1004..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (Macrovision Corporation)
O4 - HKU\S-1-5-21-484763869-823518204-725345543-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kaiser VPN Client.lnk = C:\Program Files\Kaiser\VPN Client\ipsecdialer.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Perstray.lnk = C:\Program Files\PerSono\perstray.exe (Plantronics)
O4 - Startup: C:\Documents and Settings\Matt\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (Palm, Inc.)
O4 - Startup: C:\Documents and Settings\Matt\Start Menu\Programs\Startup\Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe (Skyscape, Inc.)
O4 - Startup: C:\Documents and Settings\Matt\Start Menu\Programs\Startup\Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe (Yahoo! Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-823518204-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O9 - Extra Button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - C:\Program Files\Fiddler2\Fiddler.exe (Eric Lawrence)
O9 - Extra 'Tools' menuitem : Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - C:\Program Files\Fiddler2\Fiddler.exe (Eric Lawrence)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 87 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 87 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-484763869-823518204-725345543-1004\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (McAfee.com Operating System Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1242702036875 (MUWebControl Class)
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://amdocs.webex.com/client/T26L/webex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://vpn.ucsf.edu/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupControlXP Class)
O16 - DPF: {F6A553B1-4B5F-4974-866F-98C1D1EBD3DE} https://usportal.amdocs.com/prx/000/http/ww...CPubAppsTCS.cab (CitrixTCSX Control)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/12 02:32:36 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/05/19 11:31:18 | 00,000,000 | ---D | M]
Drivers32: aux - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux1 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux2 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux3 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux4 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux5 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux6 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux7 - C:\WINDOWS\system32\..\kmsx.sue ()
Drivers32: midi - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi2 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi3 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi4 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi5 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi6 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\system32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer2 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer3 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer4 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer5 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer6 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\system32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\system32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\system32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\system32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\system32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\system32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\system32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\system32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\system32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\system32\DivX.dll (DivX, Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\system32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\system32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\system32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\system32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\system32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\system32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\system32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\system32\msh263.drv (Microsoft Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\system32\mpg4c32.dll (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\system32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\system32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\system32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\system32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\system32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\system32\DivX.dll (DivX, Inc.)
Drivers32: vidc.yvu9 - C:\WINDOWS\system32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\system32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave2 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave3 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave4 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave5 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave6 - C:\WINDOWS\system32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\system32\msacm32.drv (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/05/18 20:30:07 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos
[2009/05/18 20:12:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/05/18 20:12:30 | 00,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/05/18 20:12:25 | 00,000,873 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/05/18 20:10:01 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/05/12 06:59:01 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/05/12 06:58:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comcast
[2009/05/06 22:04:31 | 00,015,086 | ---- | C] () -- C:\WINDOWS\ComcastEmail.ico
[2009/05/06 22:04:31 | 00,007,982 | ---- | C] () -- C:\WINDOWS\ComcastSecurity.ico
[2009/05/06 22:04:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/05/06 22:03:49 | 00,000,000 | ---D | C] -- C:\Program Files\Comcast
[2009/05/06 21:47:52 | 00,001,000 | ---- | C] () -- C:\net_save.dna
[2009/05/06 21:47:39 | 00,000,000 | ---D | C] -- C:\Program Files\support.com
[2009/05/06 21:47:10 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\SupportSoft
[2009/05/02 18:55:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\Application Data\com.amdocs.Dashboard.4B305DE8AB82210B14C1320C59C9079DB22166E1.1
[2009/05/02 18:55:49 | 00,000,640 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Dashboard.lnk
[2009/05/02 18:55:48 | 00,000,000 | ---D | C] -- C:\Program Files\Dashboard
[2009/05/02 18:45:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\Application Data\com.amdocs.Dashboard
[2009/05/02 12:22:11 | 00,000,000 | ---D | C] -- C:\Program Files\TourDeFlex
[2009/04/25 11:01:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\My Documents\Nolo Documents Backup
[2009/04/25 10:57:29 | 00,000,000 | ---D | C] -- C:\Program Files\Educated Investor
[2009/04/25 10:56:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\Application Data\Quicken WillMaker
[2009/04/25 10:56:15 | 00,000,000 | ---D | C] -- C:\Program Files\Quicken WillMaker Plus 2009
[2009/04/25 09:08:00 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AnswerWorks 5.0
[2009/04/25 09:07:38 | 01,848,608 | ---- | C] (Apache Software Foundation) -- C:\WINDOWS\System32\acXMLParser.dll
[2009/04/25 09:07:37 | 03,523,872 | ---- | C] (Amyuni Technologies http://www.amyuni.com) -- C:\WINDOWS\System32\cdintf300.dll
[2009/04/25 09:06:33 | 00,000,000 | ---D | C] -- C:\Program Files\Quicken
[2008/04/29 18:00:11 | 00,000,164 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/06/26 13:47:11 | 00,017,553 | ---- | C] () -- C:\WINDOWS\uedit32.INI
[2007/06/25 07:55:54 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2007/06/25 07:53:22 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2007/06/25 07:53:22 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/06/22 07:55:29 | 00,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/21 09:03:14 | 00,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2006/12/18 20:32:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2006/12/12 09:24:42 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/12/11 23:11:16 | 00,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2006/11/05 10:30:25 | 00,122,946 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/08/16 08:35:48 | 00,000,520 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/26 19:05:58 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/07/16 17:26:35 | 00,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/07/16 10:39:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/15 17:27:31 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2006/07/15 16:57:00 | 00,000,461 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2006/07/15 16:10:06 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/07/15 16:09:51 | 00,004,514 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2006/07/12 02:53:34 | 00,024,826 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/07/12 02:53:34 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/07/12 02:53:31 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/07/11 12:09:08 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/11 12:09:08 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/11 12:09:08 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/11 12:09:08 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/11 12:08:57 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/07/11 12:08:56 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/07/11 12:08:52 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/07/11 11:55:23 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/08/04 05:00:00 | 00,000,618 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 05:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1996/04/03 12:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/05/19 11:11:53 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-484763869-823518204-725345543-1004.job
[2009/05/19 08:25:48 | 00,017,553 | ---- | M] () -- C:\WINDOWS\uedit32.INI
[2009/05/19 08:11:19 | 00,004,514 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2009/05/19 07:40:43 | 00,000,618 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/19 07:29:40 | 00,587,750 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/19 07:29:40 | 00,487,832 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/19 07:29:40 | 00,088,702 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/19 07:24:59 | 00,039,291 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/05/19 07:24:49 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Matt\Local Settings\desktop.ini
[2009/05/19 07:24:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/19 07:24:47 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/18 20:21:38 | 00,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/18 20:16:17 | 00,000,075 | -HS- | M] () -- C:\Documents and Settings\Matt\My Documents\desktop.ini
[2009/05/18 20:12:28 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/05/18 20:12:25 | 00,000,873 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/05/18 17:30:11 | 00,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/05/18 17:13:13 | 00,000,887 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/05/18 07:15:36 | 00,306,250 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.virus2
[2009/05/14 09:46:24 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/05/11 09:44:32 | 00,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/05/07 00:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/06 21:47:52 | 00,001,000 | ---- | M] () -- C:\net_save.dna
[2009/05/02 18:55:49 | 00,000,640 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dashboard.lnk
[2009/05/01 09:50:53 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/25 09:40:58 | 00,000,165 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2009/04/24 22:30:39 | 00,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
< End of report >



OTListIt Extras logfile created on: 5/19/2009 11:32:03 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Matt\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.17 Mb Total Physical Memory | 381.60 Mb Available Physical Memory | 37.30% Memory free
2.40 Gb Paging File | 1.67 Gb Available in Paging File | 69.27% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 182.81 Gb Free Space | 78.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 111.81 Gb Total Space | 82.81 Gb Free Space | 74.06% Space Free | Partition Type: NTFS

Computer Name: MATT-DD28991DDD
Current User Name: Matt
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.js [@ = UltraEdit.js] -- C:\Program Files\UltraEdit\uedit32.exe (IDM Computer Solutions, Inc.)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"2078:TCP" = 2078:TCP:*:Disabled:WebDisk SSL (2078)
"2077:TCP" = 2077:TCP:*:Disabled:WebDisk (2077)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2009/03/08 14:09:26 | 00,638,816 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer
[2003/03/19 19:08:14 | 00,299,008 | ---- | M] (Palm, Inc.) -- C:\Program Files\Palm\HOTSYNC.EXE:*:Enabled:HotSync® Manager Application
[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2004/04/16 06:03:00 | 00,757,796 | ---- | M] (C. Ghisler & Co.) -- C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows
[2008/10/08 11:34:44 | 00,053,346 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Adobe\Flex Builder 3\jre\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary
[2006/08/14 18:39:46 | 20,066,856 | ---- | M] () -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
[2008/08/14 08:58:34 | 00,611,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4
[2008/09/09 20:32:14 | 20,276,584 | ---- | M] (Adobe Systems Incorporated.) -- C:\Program Files\Adobe\Adobe Flash CS4\Flash.exe:*:Enabled:Adobe Flash CS4
[2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
[2009/04/02 16:10:58 | 13,646,632 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour
[2004/07/13 14:42:20 | 00,110,592 | ---- | M] () -- C:\Program Files\BitTornado\btdownloadgui.exe:*:Disabled:btdownloadgui
[2008/04/13 17:12:18 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test
[2008/08/14 15:52:32 | 00,098,816 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe:*:Disabled:Opera Internet Browser

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{034E061B-B3A3-4123-842E-10C1B6B3C8C7}" = BlackBerry Desktop Software 4.7
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools - enu
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0DF3AE91-E533-3960-8516-B23737F8B7A2}" = Visual C++ 2008 x64 Runtime - (v9.0.30729)
"{0DF3AE91-E533-3960-8516-B23737F8B7A2}.vc_x64runtime_30729_01" = Visual C++ 2008 x64 Runtime - v9.0.30729.01
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{2168245A-B5AD-40D8-A641-48E3E070B5B6}" = Adobe Flash CS4 STI-en
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{21CBB462-7D6C-472A-88EA-A82AC3600980}" = Membership_CS
"{22E23C71-C27A-3F30-8849-BB6129E50679}" = Visual C++ 2008 IA64 Runtime - (v9.0.30729)
"{22E23C71-C27A-3F30-8849-BB6129E50679}.vc_i64runtime_30729_01" = Visual C++ 2008 IA64 Runtime - v9.0.30729.01
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{309172B9-7B5C-4A1C-A0AB-C145D46CB781}" = Fiberlink Global Remote
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150140}" = J2SE Runtime Environment 5.0 Update 14
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0150140}" = J2SE Development Kit 5.0 Update 14
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{395131D0-71C3-4411-8DDD-84E7A4EC8754}" = Intellisync® for Yahoo!
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3A6829EF-0791-4FDD-9382-C690DD0821B9}" = Adobe Flash Player 10 ActiveX
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4B27715E-43C5-42E7-9DFD-0DE6ED8A99AB}" = Masterpages_CS
"{51BA0AFE-6AA5-4B8C-8BA9-FA6AE5B1EEE0}" = Roxio Media Manager
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5414086B-AE06-4332-8A59-26FF0F630D1B}" = Garmin Trip and Waypoint Manager v3
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{63B8997E-EB2D-41D3-984C-C44D6D67A571}" = ArcSoft PhotoStudio 5.5
"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{686BB230-DE5B-44F4-8DB0-4F9BEE7310F7}" = OpenOffice.org 2.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{6DA9102E-199F-43A0-A36B-6EF48081A658}" = MobileMe Control Panel
"{72A819E7-4146-B9EA-1292-C4A77F657B4E}" = eBay Desktop
"{735142BA-454F-4ADC-B7DD-566061909C2E}" = Educated Investor WealthBuilder
"{775EA80D-E368-4310-97B6-3D47EB9BB3F1}" = Opera 9.52
"{793D1D88-6141-43DE-BE58-59BCE31B4090}" = Adobe Flash CS4 Extension - Flash Lite STI en
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7CF30945-CAC6-4FD6-2453-668DE9EAC65A}" = De MonsterDebugger
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{8704D51E-25B7-4F23-81E7-AA4F54790230}" = Microsoft MapPoint North America 2004
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
"{922B9F30-EC5A-43EF-8F36-5C7929D54D9E}" = The Sanford Guide to Antimicrobial Therapy 2006 - Palm Edition
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-0052-0409-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.3
"{A12F2268-CE7A-31F8-F1BD-AD4F0AA8CCD3}" = Dashboard
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A57E473A-6FF4-426A-B742-08DF968F84F6}" = Palm Desktop
"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008
"{AAF817C5-9B99-4025-A5C1-8D0DB5717F2C}" = Jing
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AD4203ED-7683-435E-B436-C299773A9936}" = MapSource - US Topo v3.02
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B268E9A1-04A9-40D0-9866-846BE2B74BA7}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Win32 Tools
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B32E7732-B2FB-3FD0-81AC-6025B1104C66}" = Microsoft Device Emulator version 3.0 - ENU
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}" = EVGA Display Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2A5E894-7494-CA12-CC24-2C7BB1CAD51D}" = TourDeFlex
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Tools
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3D95F2B-4704-4693-DB80-EBCCDA3AC30D}" = StokeReportWidget
"{D63F2860-678D-11D4-B355-0010A4F75374}" = PerSono
"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}" = Safari
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{DFAA3D2B-7087-464E-823B-738A23C29C27}" = Microsoft Visual J# 2.0 Redistributable Package - SE
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E5FCED12-3E77-4C0E-A305-5AEB38A52A70}" = AdobeColorCommonSetCMYK
"{E7081891-BC7F-43F9-9CE6-B5DD2F497156}" = Internet Explorer Developer Toolbar
"{E7F56612-69F7-4F85-AD0B-B04B1C5BC3BD}" = Creative ZEN V Series (R2)
"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{EBC91840-41E1-4CC3-AC11-0B889546223C}" = Microsoft IntelliPoint 5.5
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{EED50C97-C79E-4149-BD82-7C5A22437708}" = Adobe Setup
"{F02CF4B0-05EC-4938-A8D2-F739AF3B4363}" = Microsoft IntelliType Pro 5.5
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F445476A-42DE-11D4-80D0-00C04F2750A6}" = Epocrates Essentials
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F6E99614-F042-4459-82B7-8B38B2601356}" = Adobe Flash CS4
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"101 Law Forms for Personal Use" = 101 Law Forms for Personal Use
"ActiveTouchMeetingClient" = WebEx
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Flex Builder 3" = Adobe Flex Builder 3
"Adobe_a68eec966ce913ddaa63251dc82ed31" = Adobe Flash CS4 Professional
"BC2_is1" = Beyond Compare Version 2.0.3
"BitTornado" = BitTornado 0.3.7
"BlackBerry_{034E061B-B3A3-4123-842E-10C1B6B3C8C7}" = BlackBerry Desktop Software 4.7
"Bzip2-1.0.5_is1" = GnuWin32: Bzip2-1.0.5
"CCleaner" = CCleaner (remove only)
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.ebay.sandimas.public-beta.AA1EEF5552BF52051F68E7EAF27E23FA6449A65C.1" = eBay Desktop
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Core FTP LE 2.1" = Core FTP LE 2.1
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"CSS Wizard" = CSS Wizard
"DivX Content Uploader" = DivX Content Uploader
"DxPreg_6.0.1" = DxPreg (Palm) v 6.0.1 by Skyscape
"Fiddler2" = Fiddler2
"Flickr Uploadr" = Flickr Uploadr 2.3
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ILOG Elixir 1.0" = ILOG Elixir 1.0
"ILOG Elixir 2.0 2.0.0" = ILOG Elixir 2.0
"Johns Hopkins ABX Guide" = Johns Hopkins ABX Guide
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual J# 2.0 Redistributable Package - SE" = Microsoft Visual J# 2.0 Redistributable Package - SE
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSMONEYV70" = Microsoft Money 99
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nolo’s Guide to California Law" = Nolo’s Guide to California Law
"Nolo's Encyclopedia of Everyday Law" = Nolo's Encyclopedia of Everyday Law
"Pdf995" = Pdf995
"PhotoStitch" = Canon Utilities PhotoStitch
"Quicken WillMaker Plus 2009" = Quicken WillMaker Plus 2009
"radioSHARK" = radioSHARK 2.1
"RealPlayer 6.0" = RealPlayer
"Rosetta Stone 2.1.3.0A" = Rosetta Stone 2.1.3.0A
"Skype_is1" = Skype 2.5
"smARTupdate" = smARTupdate
"Sony DPP-SV55" = Sony DPP-SV55
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.3.1
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Stellarium_is1" = Stellarium 0.9.0
"SysInfo" = Creative System Information
"Totalcmd" = Total Commander (Remove or Repair)
"UltraEdit 10.10a" = UltraEdit 10.10a
"UnixUtils for Yahoo! Widgets" = Unix Utilities for Yahoo! Widgets
"VindigoLink" = VindigoLink
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinUHA_is1" = WinUHA 2.0 RC1 (2005.02.27)
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Widget Engine" = Yahoo! Widgets
"YInstHelper" = Yahoo! Install Manager
"ZENcast Organizer" = ZENcast Organizer

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Sun Download Manager 2.0 (web)" = Sun Download Manager 2.0 (web)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-484763869-823518204-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Sun Download Manager 2.0 (web)" = Sun Download Manager 2.0 (web)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/16/2009 2:35:24 PM | Computer Name = MATT-DD28991DDD | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/16/2009 2:35:24 PM | Computer Name = MATT-DD28991DDD | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/16/2009 2:35:24 PM | Computer Name = MATT-DD28991DDD | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/16/2009 2:35:24 PM | Computer Name = MATT-DD28991DDD | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/18/2009 11:04:13 PM | Computer Name = MATT-DD28991DDD | Source = MSSQL$SQLEXPRESS | ID = 17207
Description = FCB::Open: Operating system error 32(The process cannot access the
file because it is being used by another process.) occurred while creating or opening
file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\tempdb.mdf'. Diagnose
and correct the operating system error, and retry the operation.

Error - 5/18/2009 11:04:13 PM | Computer Name = MATT-DD28991DDD | Source = MSSQL$SQLEXPRESS | ID = 17204
Description = FCB::Open failed: Could not open file c:\Program Files\Microsoft SQL
Server\MSSQL.1\MSSQL\DATA\tempdb.mdf for file number 1. OS error: 32(The process
cannot access the file because it is being used by another process.).

Error - 5/18/2009 11:12:06 PM | Computer Name = MATT-DD28991DDD | Source = MsiInstaller | ID = 11722
Description = Product: Java™ 6 Update 13 -- Error 1722.There is a problem with
this Windows Installer package. A program run as part of the setup did not finish
as expected. Contact your support personnel or package vendor. Action FilesInUseDialog,
location: C:\DOCUME~1\Matt\LOCALS~1\Temp\MSIFA.tmp, command: C:\Program Files\Java\jre6\


Error - 5/18/2009 11:26:15 PM | Computer Name = MATT-DD28991DDD | Source = Application Error | ID = 1000
Description = Faulting application install.exe, version 3.9.110.0, faulting module
mshtml.dll, version 8.0.6001.18702, fault address 0x000fae36.

Error - 5/19/2009 1:00:43 PM | Computer Name = MATT-DD28991DDD | Source = Application Hang | ID = 1002
Description = Hanging application opera.exe, version 9.52.10108.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2009 1:51:34 PM | Computer Name = MATT-DD28991DDD | Source = Application Hang | ID = 1002
Description = Hanging application opera.exe, version 9.52.10108.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/19/2009 2:28:37 PM | Computer Name = MATT-DD28991DDD | Source = DCOM | ID = 10010

Edited by mattdh666, 19 May 2009 - 01:40 PM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 May 2009 - 01:48 PM

Hi again,
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, right-click the link and choose "Save Link As".)
      • Double-click ResetTeaTimer.exe and let it run.
    Note: TeaTimer should be kept disabled until I give you the clean sign.


  • Please open OTListIt2.
    • Copy the text in code box and paste it to Custom Scans/Fixes section:

      :Processes
      explorer.exe
      :otli
      O4 - HKLM..\Run: [] File not found
      O4 - HKLM..\Run: [nwiz] nwiz.exe /install File not found
      Drivers32: aux7 - C:\WINDOWS\system32\..\kmsx.sue ()
      :commands
      [start explorer]
      [emptytemp]
      [Reboot]
    • Click Run Fix button.
    • If the fix needs a reboot, please do it.
    • After it finishes, a log will open. Copy and paste the log into your reply. Also tell me how your computer is running.

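What the fix script above is actually aimed at, as an added example (Python, written for this page; it is not part of Farbar's post, OTListIt or any BleepingComputer tool): the Drivers32 key maps multimedia aliases such as aux7 to modules that winmm.dll loads into any process that initialises multimedia, so a value planted there keeps a module loaded even when the usual Run keys look clean. The script parses a constructed .reg-style export of that key (the benign alias values are assumed typical Windows XP entries; the aux7 value reproduces the one removed by the fix), resolves each value the way the loader will, and flags '..' traversal components, modules that land outside the system directory and extensions no real multimedia driver carries. It also shows why system32\..\kmsx.sue was really C:\WINDOWS\kmsx.sue, the path MBAM reports later in this thread. On a live system the input comes from reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg (reg.exe writes UTF-16, so decode it before feeding it in).

```python
r"""Flag suspicious Drivers32 entries in a .reg export (added example).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 maps multimedia
driver aliases (wave, midi, aux, mixer, msacm.*, vidc.*) to modules that
winmm.dll loads into any process that initialises multimedia. That makes the
key a persistence point: a value such as aux7 -> system32\..\kmsx.sue gets
loaded into many processes without any Run key entry.
"""
import ntpath
import re

SYSTEM_DIR = r"C:\WINDOWS\system32"
# Extensions that multimedia drivers registered here normally carry
# (heuristic assumption; tune for your environment).
DRIVER_EXTS = {".dll", ".drv", ".acm", ".ax"}

# Constructed sample in .reg export format (backslashes doubled as reg.exe
# writes them). The aux7 value reproduces the entry removed by the fix script
# on this page; the other values are assumed-typical benign Windows XP entries.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"vidc.cvid"="iccvid.dll"
"wavemapper"="msacm32.drv"
"aux7"="C:\\WINDOWS\\system32\\..\\kmsx.sue"
"""

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$', re.M)


def parse_reg_values(text):
    """Yield (name, value) pairs from a .reg export, un-doubling backslashes."""
    for m in VALUE_RE.finditer(text):
        yield m.group(1), m.group(2).replace("\\\\", "\\")


def resolve(value, system_dir=SYSTEM_DIR):
    """Resolve a Drivers32 value the way the loader will see it: a bare module
    name comes from the system directory, and '..' components collapse."""
    path = value if ntpath.isabs(value) else ntpath.join(system_dir, value)
    return ntpath.normpath(path)


def assess(value, system_dir=SYSTEM_DIR):
    """Return the reasons an entry looks suspicious; an empty list means clean."""
    reasons = []
    resolved = resolve(value, system_dir)
    if ".." in value.split("\\"):
        reasons.append("value contains a '..' traversal component")
    if ntpath.dirname(resolved).lower() != system_dir.lower():
        reasons.append(f"module resolves outside the system directory: {resolved}")
    ext = ntpath.splitext(resolved)[1].lower()
    if ext not in DRIVER_EXTS:
        reasons.append(f"unusual extension for a multimedia driver: {ext!r}")
    return reasons


def scan(text, system_dir=SYSTEM_DIR):
    """Map each flagged value name to (resolved_path, reasons)."""
    findings = {}
    for name, value in parse_reg_values(text):
        reasons = assess(value, system_dir)
        if reasons:
            findings[name] = (resolve(value, system_dir), reasons)
    return findings


if __name__ == "__main__":
    for name, (path, reasons) in scan(SAMPLE_REG).items():
        print(f"{name} -> {path}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against the sample, only aux7 is flagged, with all three reasons, and its resolved path is C:\WINDOWS\kmsx.sue. The traversal check is deliberately separate from the location check: a value like C:\WINDOWS\evil.dll has no '..' but still lands outside system32, while a value such as system32\..\system32\x.dll resolves back inside and would only trip the traversal check, which is still worth a look because no installer writes paths that way.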

#5 mattdh666

mattdh666
  • Topic Starter

  • Members
  • 6 posts

Posted 19 May 2009 - 02:21 PM

Hi,

I disabled TeaTimer as you explained and then ran the Fix. The log file is below. The computer seems to be running okay. I can also get to www.mcafee.com now.

matt


========== PROCESSES ==========
Process explorer.exe killed successfully!
========== OTLISTIT ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\nwiz deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\\aux7 deleted successfully.
C:\WINDOWS\system32\..\kmsx.sue moved successfully.
========== COMMANDS ==========
Explorer started successfully
File delete failed. C:\Documents and Settings\Matt\Local Settings\Temp\etilqs_FJXeRLQ26kqcOs7 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_474.dat scheduled to be deleted on reboot.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcmsc_1Wm36lFiJdtY02b scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_Rk9pBSmhOdcaojJ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_150.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.15.8 log created on 05192009_121040

Files moved on Reboot...
File C:\Documents and Settings\Matt\Local Settings\Temp\etilqs_FJXeRLQ26kqcOs7 not found!
File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_474.dat not found!
File C:\WINDOWS\temp\mcmsc_1Wm36lFiJdtY02b not found!
File C:\WINDOWS\temp\mcmsc_Rk9pBSmhOdcaojJ not found!
File C:\WINDOWS\temp\Perflib_Perfdata_150.dat not found!

Registry entries deleted on Reboot...

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 May 2009 - 02:27 PM

The trojan is removed. We will do a final check with an updated MBAM and update Java. Make sure all the old Java versions are uninstalled.
  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let it reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


#7 mattdh666

mattdh666
  • Topic Starter

  • Members
  • 6 posts

Posted 19 May 2009 - 03:00 PM

Okay farbar,

I have completed both of those steps. The Malwarebytes' log is below.

cheers,
matt


Malwarebytes' Anti-Malware 1.36
Database version: 2155
Windows 5.1.2600 Service Pack 3

5/19/2009 12:37:03 PM
mbam-log-2009-05-19 (12-37-03).txt

Scan type: Quick Scan
Objects scanned: 87551
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\kmsx.sue (Trojan.Gumblar) -> Quarantined and deleted successfully.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 May 2009 - 03:35 PM

The trojan we first removed was detected again by MBAM. We have to make sure there is nothing on the system regenerating it. It'll take a while but it is better to be safe than sorry.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 mattdh666

mattdh666
  • Topic Starter

  • Members
  • 6 posts

Posted 19 May 2009 - 04:04 PM

Thanks for sticking with me, farbar. Ran ComboFix.exe. Here is the log:


ComboFix 09-05-19.04 - Matt 05/19/2009 13:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.492 [GMT -7:00]
Running from: c:\documents and settings\Matt\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-19 19:10 . 2009-05-19 19:10 -------- d-----w C:\_OTListIt
2009-05-19 03:30 . 2009-05-19 03:30 -------- d-----w c:\program files\Sophos
2009-05-19 03:22 . 2009-05-19 03:22 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-19 03:22 . 2009-05-19 03:22 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-19 03:18 . 2009-05-19 03:18 -------- d-sh--w c:\documents and settings\Matt\PrivacIE
2009-05-19 03:16 . 2009-05-19 03:16 -------- d-sh--w c:\documents and settings\Matt\IETldCache
2009-05-19 03:12 . 2009-05-19 03:12 -------- d-----w c:\windows\ie8updates
2009-05-19 03:12 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-19 03:10 . 2009-05-19 03:11 -------- dc-h--w c:\windows\ie8
2009-05-19 00:30 . 2009-05-19 03:01 -------- d-----w c:\documents and settings\Matt\.housecall6.6
2009-05-12 13:58 . 2009-05-12 13:58 -------- d-----w c:\documents and settings\All Users\Application Data\Comcast
2009-05-07 05:04 . 2009-05-07 05:04 -------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2009-05-07 05:03 . 2009-05-07 05:03 -------- d-----w c:\program files\Comcast
2009-05-07 04:47 . 2009-05-07 04:47 -------- d-----w c:\program files\support.com
2009-05-07 04:47 . 2009-05-07 04:47 -------- d-----w c:\documents and settings\Matt\Local Settings\Application Data\SupportSoft
2009-05-07 04:47 . 2009-05-07 05:03 -------- d-----w c:\program files\Common Files\SupportSoft
2009-05-03 01:55 . 2009-05-03 01:55 -------- d-----w c:\documents and settings\Matt\Application Data\com.amdocs.Dashboard.4B305DE8AB82210B14C1320C59C9079DB22166E1.1
2009-05-03 01:55 . 2009-05-03 01:55 -------- d-----w c:\program files\Dashboard
2009-05-03 01:45 . 2009-05-03 01:45 -------- d-----w c:\documents and settings\Matt\Application Data\com.amdocs.Dashboard
2009-05-02 19:22 . 2009-05-02 19:22 -------- d-----w c:\program files\TourDeFlex
2009-04-25 17:57 . 2009-04-25 17:57 -------- d-----w c:\program files\Educated Investor
2009-04-25 17:56 . 2009-04-25 17:58 -------- d-----w c:\documents and settings\Matt\Local Settings\Application Data\Quicken WillMaker
2009-04-25 17:56 . 2009-04-25 17:56 -------- d-----w c:\documents and settings\Matt\Application Data\Quicken WillMaker
2009-04-25 17:56 . 2009-04-25 17:58 -------- d-----w c:\program files\Quicken WillMaker Plus 2009
2009-04-25 16:08 . 2009-04-25 16:08 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-04-25 16:07 . 2009-01-09 21:33 1848608 ----a-w c:\windows\system32\acXMLParser.dll
2009-04-25 16:07 . 2009-01-09 21:33 3523872 ----a-w c:\windows\system32\cdintf300.dll
2009-04-25 16:06 . 2009-04-25 16:40 -------- d-----w c:\program files\Quicken

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 19:57 . 2008-12-05 16:32 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-19 19:51 . 2006-08-11 21:03 -------- d-----w c:\program files\Java
2009-05-19 19:30 . 2009-01-21 15:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 00:30 . 2008-08-09 00:32 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-02 19:23 . 2008-11-18 18:15 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-02 16:50 . 2008-11-19 03:00 -------- d-----w c:\program files\ILOG
2009-04-25 17:57 . 2006-07-11 18:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 21:43 . 2006-07-31 22:54 -------- d-----w c:\program files\McAfee
2009-04-16 17:01 . 2009-04-16 17:01 -------- d-----w c:\program files\iTunes
2009-04-16 17:01 . 2009-04-16 17:01 -------- d-----w c:\program files\iPod
2009-04-16 17:01 . 2007-09-23 18:18 -------- d-----w c:\program files\Common Files\Apple
2009-04-16 16:59 . 2009-04-16 16:59 -------- d-----w c:\program files\Bonjour
2009-04-16 16:58 . 2009-04-16 16:58 -------- d-----w c:\program files\QuickTime
2009-04-16 16:51 . 2008-02-25 16:10 -------- d-----w c:\program files\Safari
2009-04-15 00:56 . 2008-06-09 21:40 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-15 00:54 . 2009-02-22 19:41 261976 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-06 22:32 . 2009-01-21 15:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-01-21 15:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 18:06 . 2006-07-31 22:54 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2006-07-31 22:54 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2006-07-31 22:54 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2006-07-31 22:54 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2006-07-31 22:54 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-23 21:31 . 2009-03-23 21:31 24 ---ha-r c:\windows\wcpx_.dat
2009-03-23 21:30 . 2009-03-23 21:30 -------- d-----w c:\program files\EngAdven
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-12 01:16 . 2009-03-11 14:53 256 ----a-w c:\documents and settings\Matt\pool.bin
2009-03-11 14:51 . 2006-07-15 22:43 42640 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-08 11:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2007-02-21 16:02 . 2007-02-21 16:02 13386 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-02-21 16:03 . 2007-02-21 16:03 92746 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-02-08 04:46 . 2008-02-08 04:46 13624 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 04:46 . 2008-02-08 04:46 87360 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 04:46 . 2008-02-08 04:46 91448 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 04:46 . 2008-02-08 04:46 21824 ----a-w c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 04:46 . 2008-02-08 04:46 206136 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 04:46 . 2008-02-08 04:46 31544 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 04:46 . 2008-02-08 04:46 40248 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 00:27 . 2007-03-17 00:27 479232 ----a-w c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 00:27 . 2007-03-17 00:27 548864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 00:27 . 2007-03-17 00:27 626688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 19:47 . 2007-07-20 19:47 981170 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 04:46 . 2008-02-08 04:46 24384 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-11 7286784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-11 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-04 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-19 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-04-26 14370816]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-3-19 299008]
Skyscape smARTupdate.lnk - c:\program files\Common Files\Skyscape\smARTupdate.exe [2003-9-17 3424256]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Kaiser VPN Client.lnk - c:\program files\Kaiser\VPN Client\ipsecdialer.exe [2006-11-5 1269836]
Perstray.lnk - c:\program files\PerSono\perstray.exe [2006-8-20 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"2078:TCP"= 2078:TCP:*:Disabled:WebDisk SSL (2078)
"2077:TCP"= 2077:TCP:*:Disabled:WebDisk (2077)

R2 CVPNDRV;Kaiser IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [11/5/2006 10:30 AM 263751]
R2 FGR Service;FGR Service;c:\program files\1208_Fiberlink\Fgrd.exe [7/1/2002 7:36 AM 57344]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [8/20/2006 8:48 PM 20296]
S2 DPPSUSB;DPPSUSB.Sys Sony DPP-SV55 USB Digital Photo Printer Driver;c:\windows\system32\drivers\DPPSUSB.sys [9/11/2006 8:07 PM 15872]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\A9.tmp --> c:\windows\system32\A9.tmp [?]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys [5/25/2007 7:23 AM 337216]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2009-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-823518204-725345543-1004.job
- c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:40]

2008-03-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-07-31 17:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {F6A553B1-4B5F-4974-866F-98C1D1EBD3DE} - hxxps://usportal.amdocs.com/prx/000/http/wwwstl2/tc/CPubAppsTCS.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\ho1x2gyf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 13:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(172)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Kaiser\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\taskmgr.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-05-19 14:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-19 21:02

Pre-Run: 197,031,751,680 bytes free
Post-Run: 196,890,898,432 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

250 --- E O F --- 2009-05-14 05:41
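As an added example (not a tool from this thread), a small Python parser for the "Reg Loading Points" section of a ComboFix log like the one above, with the checks a helper applies while reading it: autoruns launched from a user profile directory, a service whose image is a .tmp file, and Security Center monitoring switched off for a product. The sample lines are copied from the log above; a hit means "look closer", not "infected".

```python
import re

# Constructed sample: lines copied from the "Reg Loading Points" section of the
# ComboFix log posted above, in the three shapes that section uses.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

R2 CVPNDRV;Kaiser IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [11/5/2006 10:30 AM 263751]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\A9.tmp --> c:\windows\system32\A9.tmp [?]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')  # a [HKEY_...] header line
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]$')


def parse_loading_points(text):
    """Return one dict per recognised line, tagged with the registry key in force."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif m := RUN_RE.match(line):
            entries.append({"kind": "run", "key": key, **m.groupdict()})
        elif m := DWORD_RE.match(line):
            entries.append({"kind": "dword", "key": key, "name": m.group("name"),
                            "value": int(m.group("hex"), 16)})
        elif m := SVC_RE.match(line):
            entries.append({"kind": "service", "key": key, **m.groupdict()})
    return entries


def findings(entries):
    """Checks a helper applies while reading this section. Each hit is a
    (rule, detail) pair meaning 'look closer', not 'malware': legitimate
    per-user updaters and some AV suites trip the first two rules."""
    hits = []
    for e in entries:
        if e["kind"] == "run" and "\\documents and settings\\" in e["path"].lower():
            hits.append(("autorun-from-user-profile", f'{e["name"]}: {e["path"]}'))
        elif (e["kind"] == "dword" and e["name"] == "DisableMonitoring" and e["value"] == 1
              and e["key"] and "security center\\monitoring" in e["key"].lower()):
            hits.append(("security-center-monitoring-off", e["key"].rsplit("\\", 1)[-1]))
        elif e["kind"] == "service" and (e["path"].lower().endswith(".tmp") or e["info"] == "?"):
            hits.append(("service-temp-image", f'{e["name"]}: {e["path"]}'))
    return hits

if __name__ == "__main__":
    for rule, detail in findings(parse_loading_points(SAMPLE_LOG)):
        print(f"{rule:32} {detail}")
```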

#10 Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 May 2009 - 04:20 PM

Well done. :thumbup2:

The log looks good matt. Please play with the computer a few minutes. Open and close a couple of programs, especially the internet browser. Then reboot and run a quick scan of MBAM again. If the log is clean, tell me; otherwise post the log it creates.

#11 mattdh666

  • Topic Starter

  • Members
  • 6 posts

Posted 19 May 2009 - 05:41 PM

I'm clean! Thanks a lot for your help, farbar. You were great.

cheers,
matt

#12 Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 May 2009 - 05:48 PM

You are most welcome matt.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

    Note: The startup entry pointing at ALCMTR.EXE is a "Spyware" entry related to Realtek, used silently to monitor one's actions. It is not a sinister one and you can remove the startup entry without affecting the function of Realtek software. We have just removed the startup entry but not the file itself. Notice that you should not remove the file itself because it is needed for the subsequent updating of the software.

  • Go to start > run and copy and paste or type next command in the field then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore.

    The first reboot might be a little slow, the next one will be faster.

  • Please run OTListIt2.
  • Click Clean Up button.
  • Accept any prompts.
  • This will remove any tools we used, including OTListIt2, and will require a reboot.
Optional Recommendations:
  • I strongly recommend updating your Adobe Reader.

  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • Install Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. What you need to do is update it once every 2-3 weeks and enable the restriction. You can find more information and a download link.

  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.
Happy Surfing!

#13 Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 May 2009 - 06:12 PM

This thread will now be closed as the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.
