Computer infected with Vundo!h and others...


  • This topic is locked
20 replies to this topic

#1 jabroy

  • Members
  • 23 posts
  • Gender:Male
  • Location:Southern Cal

Posted 02 June 2009 - 10:27 PM

I got infected with Vundo!h, FakeAlert-DA, Generic Packed, Generic Downloader,x!ce, Generic Downloader,x!cfc Downloader-BPH and New Malware.j

I found the BleepingComputer site and downloaded the ComboFix program and ran it on my machine. It found the offensive files and deleted them but did not reverse all the changes these programs had installed. I still have the following problems from what I can tell:

Regedit can't be run from any user account other than the administrator account.

The Local Settings directory and all the temp files in it have been hidden except on the administrator account.

McAfee now seems to search out any ComboFix files that are on the machine from my USB drive or if I download another copy from BleepingComputer, and says it detects the Artemis!C87B91C798AD trojan and proceeds to quarantine it.

I tried to load and run ComboFix on another laptop which also has McAfee installed, and it too quarantines the ComboFix file. I did load it with a USB drive that had been attached to this infected computer though. The laptop now won't load the USB drive so it can be seen in My Computer. I can see it from a DOS prompt but not in My Computer.

I used RootRepeal and ComboFix prior to getting any advice from anyone here, which was probably a mistake. I do have the logs created from them that show the files that were deleted and can upload them if needed.

Attached are the DDS and Attach files for my machine. I hope I haven't messed my machine up so badly that it can't be recovered.

Thanks for any help you can give me.....James


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 19:14:11.35 on Tue 06/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2942.2052 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\regedit.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SandIcon] "c:\imagemate compactflash usb\SandIcon.Exe"
mRun: [PinnacleDriverCheck] "c:\windows\system32\PSDrvCheck.exe" -CheckReg
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [CRBroadCasting] "c:\program files\cardreader2.0\CRBroadCasting.exe"
mRun: [SoundMan] "c:\windows\SOUNDMAN.EXE"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] "c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE"
mRun: [WD Button Manager] "c:\windows\system32\WDBtnMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [UserFaultCheck] "c:\windows\system32\dumprep.exe" 0 -u
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hypers~2.lnk - c:\program files\hypersnap 6\HprSnap6.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - hxxp://www.webshots.com/samplers/WSDownloader.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192802961734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - hxxps://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [2008-3-21 10112]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2008-3-20 5543]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-10 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-10 144704]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2004-9-4 203264]
R3 ham50;Intel HaM Data Fax Voice;c:\windows\system32\drivers\ham50.sys [2001-11-27 366525]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40552]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2006-9-7 10112]
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\LStone2k.sys [2008-3-20 256113]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\james\locals~1\temp\{9b94b~1\atiicdxx.sys --> c:\docume~1\james\locals~1\temp\{9b94b~1\atiicdxx.sys [?]
S3 DQPA4AV;USB2.0 DQPA4 Premier;c:\windows\system32\drivers\DQPA4AV.SYS [2006-1-5 121728]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 34216]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-9-1 36928]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

=============== Created Last 30 ================

2009-06-02 19:09 <DIR> --d----- c:\program files\Trend Micro
2009-06-01 04:33 <DIR> a-dshr-- C:\cmdcons
2009-06-01 04:29 161,792 a------- c:\windows\SWREG.exe
2009-06-01 04:29 154,624 a------- c:\windows\PEV.exe
2009-06-01 04:29 98,816 a------- c:\windows\sed.exe
2009-06-01 04:20 <DIR> --d----- c:\docume~1\admini~1\applic~1\Avanquest
2009-06-01 04:02 <DIR> --d----- c:\docume~1\admini~1\applic~1\Zeon
2009-05-31 18:40 <DIR> --d----- c:\docume~1\admini~1\applic~1\Research In Motion
2009-05-30 11:00 36,090 a------- c:\windows\system32\fkas
2009-05-30 02:35 67,072 a------- c:\windows\system32\drivers\ximqevxvksvbupyx.sys
2009-05-27 03:15 <DIR> --d----- c:\program files\DVDFab 6
2009-05-03 22:30 <DIR> --d----- c:\program files\uTorrent

==================== Find3M ====================

2009-06-01 04:23 269,610 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:44 283,648 a------- c:\windows\system32\pdh.dll
2007-03-15 06:14 952 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:15:14.35 ===============


#2 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 June 2009 - 06:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



#3 jabroy

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:Southern Cal

Posted 14 June 2009 - 11:11 AM

Hello Fireman4it,

Thank you for responding and helping me with my problems. I have been lurking and viewing your team's other posts that have helped other members, and I think you guys do an excellent job with the sheer number of requests for help. I have run the new DDS file as you requested and have attached it here. The only other things I have done since my original post were to uninstall some unused programs, install and run Panda Software's ActiveScan, try to install Trend Micro HouseCall (but could not get it to run), and install and run Spybot. These cleared up an issue that would not let me run Regedit and also re-enabled my Local Settings directory so I can see the contents in that directory. I await you or your team's response, and again thanks for the assistance.
James


DDS (Ver_09-05-14.01) - NTFSx86
Run by James at 8:31:32.89 on Sun 06/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2942.2208 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Brother\Brmfl05c\FAXRX.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SandIcon] "c:\imagemate compactflash usb\SandIcon.Exe"
mRun: [PinnacleDriverCheck] "c:\windows\system32\PSDrvCheck.exe" -CheckReg
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [CRBroadCasting] "c:\program files\cardreader2.0\CRBroadCasting.exe"
mRun: [SoundMan] "c:\windows\SOUNDMAN.EXE"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] "c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE"
mRun: [WD Button Manager] "c:\windows\system32\WDBtnMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [UserFaultCheck] "c:\windows\system32\dumprep.exe" 0 -u
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
StartupFolder: c:\docume~1\james\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\james\startm~1\programs\startup\faxrx.lnk - c:\program files\brother\brmfl05c\FAXRX.exe
StartupFolder: c:\docume~1\james\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hypers~2.lnk - c:\program files\hypersnap 6\HprSnap6.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - hxxp://www.webshots.com/samplers/WSDownloader.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192802961734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - hxxps://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\zdjgsuxp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/?.intl=us
FF - component: c:\documents and settings\james\application data\mozilla\firefox\profiles\zdjgsuxp.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.2.1273.1045\npCIDetect12.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [2008-3-21 10112]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-10 28544]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2008-3-20 5543]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-10 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-10 144704]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2004-9-4 203264]
R3 ham50;Intel HaM Data Fax Voice;c:\windows\system32\drivers\ham50.sys [2001-11-27 366525]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40552]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2006-9-7 10112]
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\LStone2k.sys [2008-3-20 256113]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\james\locals~1\temp\{9b94b~1\atiicdxx.sys --> c:\docume~1\james\locals~1\temp\{9b94b~1\atiicdxx.sys [?]
S3 DQPA4AV;USB2.0 DQPA4 Premier;c:\windows\system32\drivers\DQPA4AV.SYS [2006-1-5 121728]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 34216]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-9-1 36928]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

=============== Created Last 30 ================

2009-06-10 18:52 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-10 18:52 <DIR> --d----- c:\program files\Panda Security
2009-06-10 18:44 <DIR> --d----- c:\documents and settings\james\.housecall6.6
2009-06-02 19:09 <DIR> --d----- c:\program files\Trend Micro
2009-06-01 04:33 <DIR> --dshr-- C:\cmdcons
2009-06-01 04:29 161,792 -------- c:\windows\SWREG.exe
2009-06-01 04:29 154,624 -------- c:\windows\PEV.exe
2009-06-01 04:29 98,816 -------- c:\windows\sed.exe
2009-05-30 11:00 36,090 -------- c:\windows\system32\fkas
2009-05-27 03:15 <DIR> --d----- c:\program files\DVDFab 6

==================== Find3M ====================

2009-06-01 04:23 269,610 -------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 08:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-03-09 23:23 256 a------- c:\documents and settings\james\pool.bin
2008-01-13 16:48 87,608 a------- c:\docume~1\james\applic~1\inst.exe
2008-01-13 16:48 47,360 a------- c:\docume~1\james\applic~1\pcouffin.sys
2007-04-07 22:26 25,600 a------- c:\documents and settings\james\usbsermptxp.sys
2007-04-07 22:26 22,768 a------- c:\documents and settings\james\usbsermpt.sys
2007-03-15 06:14 952 ---sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 8:32:42.81 ===============


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:01 AM

Posted 16 June 2009 - 11:45 AM

Hello Jabroy.

Your logs look clean of malware.

Let's see what we can find.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please also take a new DDS.txt log.

With Regards,
The Panda

#5 jabroy

jabroy
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Location:Southern Cal
  • Local time:09:01 PM

Posted 17 June 2009 - 11:38 PM

**
Good evening Panda,

Just like you suspected, the F-Secure Online scanner did not find any malware or viruses. I ran both programs as you suggested and the scan results and latest DDS scan are attached here. But I do have some additional concerns about my machine; would you please read on below the DDS and F-Secure scan logs?

I labelled each new section of this post with double asterisks ** to make it easier to jump between sections if you would like to search on them.




**
DDS (Ver_09-05-14.01) - NTFSx86
Run by James at 4:44:03.37 on Wed 06/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2942.2236 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Brother\Brmfl05c\FAXRX.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SandIcon] "c:\imagemate compactflash usb\SandIcon.Exe"
mRun: [PinnacleDriverCheck] "c:\windows\system32\PSDrvCheck.exe" -CheckReg
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [CRBroadCasting] "c:\program files\cardreader2.0\CRBroadCasting.exe"
mRun: [SoundMan] "c:\windows\SOUNDMAN.EXE"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] "c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE"
mRun: [WD Button Manager] "c:\windows\system32\WDBtnMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [UserFaultCheck] "c:\windows\system32\dumprep.exe" 0 -u
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\james\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\james\startm~1\programs\startup\faxrx.lnk - c:\program files\brother\brmfl05c\FAXRX.exe
StartupFolder: c:\docume~1\james\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hypers~2.lnk - c:\program files\hypersnap 6\HprSnap6.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - hxxp://www.webshots.com/samplers/WSDownloader.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192802961734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - hxxps://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\zdjgsuxp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/?.intl=us
FF - component: c:\documents and settings\james\application data\mozilla\firefox\profiles\zdjgsuxp.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.2.1273.1045\npCIDetect12.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [2008-3-21 10112]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-10 28544]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2008-3-20 5543]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-10 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-10 144704]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2004-9-4 203264]
R3 ham50;Intel HaM Data Fax Voice;c:\windows\system32\drivers\ham50.sys [2001-11-27 366525]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35272]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2006-9-7 10112]
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\LStone2k.sys [2008-3-20 256113]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\james\locals~1\temp\{9b94b~1\atiicdxx.sys --> c:\docume~1\james\locals~1\temp\{9b94b~1\atiicdxx.sys [?]
S3 DQPA4AV;USB2.0 DQPA4 Premier;c:\windows\system32\drivers\DQPA4AV.SYS [2006-1-5 121728]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40552]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-9-1 36928]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SS;SS;c:\docume~1\james\locals~1\temp\ss.exe --> c:\docume~1\james\locals~1\temp\SS.exe [?]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-10 606736]

=============== Created Last 30 ================

2009-06-15 19:46 <DIR> --d----- c:\program files\iPod
2009-06-15 19:46 <DIR> --d----- c:\program files\iTunes
2009-06-15 19:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-15 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Research In Motion
2009-06-15 19:37 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-15 19:37 1,409 a------- c:\windows\QTFont.for
2009-06-14 22:57 0 a------- c:\windows\system32\iphist.dat
2009-06-14 21:09 3,255 a------- c:\windows\system32\wbem\Outlook_01c9ed6f2103b094.mof
2009-06-14 20:06 0 a------- c:\windows\system32\MDNIUQC
2009-06-10 18:52 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-10 18:52 <DIR> --d----- c:\program files\Panda Security
2009-06-10 18:44 <DIR> --d----- c:\documents and settings\james\.housecall6.6
2009-06-02 19:09 <DIR> --d----- c:\program files\Trend Micro
2009-06-01 04:33 <DIR> --dshr-- C:\cmdcons
2009-06-01 04:29 161,792 -------- c:\windows\SWREG.exe
2009-06-01 04:29 154,624 -------- c:\windows\PEV.exe
2009-06-01 04:29 98,816 -------- c:\windows\sed.exe
2009-05-30 11:00 36,090 -------- c:\windows\system32\fkas
2009-05-27 03:15 <DIR> --d----- c:\program files\DVDFab 6
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 08:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-03-09 23:23 256 a------- c:\documents and settings\james\pool.bin
2008-01-13 16:48 87,608 a------- c:\docume~1\james\applic~1\inst.exe
2008-01-13 16:48 47,360 a------- c:\docume~1\james\applic~1\pcouffin.sys
2007-04-07 22:26 25,600 a------- c:\documents and settings\james\usbsermptxp.sys
2007-04-07 22:26 22,768 a------- c:\documents and settings\james\usbsermpt.sys
2007-03-15 06:14 952 ---sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 4:45:07.31 ===============



**
F-Secure Online Scan Results:


Scanning Report
Tuesday, June 16, 2009 17:56:34 - 21:48:02
Computer name: JC-MONSTER-DSKT
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ H:\ J:\


--------------------------------------------------------------------------------

No malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 127446
System: 4998
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCMSC_RRA6SP52NV14PP5
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------





**
Panda,

When I posted my topic, I had already used Root Repeal to identify and ComboFix to rid my machine of a whole slew of malware, trojans and viruses. McAfee had quarantined a number of files after Combofix had found and quarantined the main problem files in a directory called Qoobox on my C drive. These files are still on my machine. Some were still present in my original DDS log. But running Panda scan and Spybot cleaned my machine before my second DDS scan log post. My concerns are these:

1. I still have the combofix quarantined files on my machine and I'm hoping you can help me remove them safely. But why didn't F-Secure, Spybot or McAfee find these files now and note them as infected?

2. I am attaching portions of my original root repeal log, combofix logs (3), Hijack log and all the files that McAfee found during my infestation. Would you review the below lists and give me your opinion whether some of my personal and critical information could have been compromised? When the infection occurred, I got a large number of internet connection requests which I denied access to as they popped up. I then disconnected my ethernet cable to ensure nothing else could get out. I didn't reconnect until after I ran Combofix but I wasn't completely sure that I got everything. Then I created my post on June 2nd.



**
From Root Repeal log:

Name: kungsfyhmtqrsa.sys
Image Path: C:\WINDOWS\system32\drivers\kungsfyhmtqrsa.sys
Address: 0xA9CDF000 Size: 163840 File Visible: -
Status: Hidden from Windows API!



**
1st Combofix log:


ComboFix 09-05-31.05 - Administrator 06/01/2009 4:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2942.2302 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\INSTALL.LOG
c:\windows\hosts
c:\windows\system32\drivers\kungsfyhmtqrsa.sys
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\kungsfewupqdeg.dll
c:\windows\system32\kungsfgxspkfaw.dat
c:\windows\system32\kungsfivmwoudq.dat
c:\windows\system32\kungsfudbqkayp.dll
c:\windows\system32\regsvr.exe
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://binuser.fileave.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kungsfjitioclk


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 11:20 . 2009-06-01 11:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avanquest
2009-06-01 11:02 . 2009-06-01 11:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Zeon
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Research In Motion
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-06-01 01:39 . 2009-06-01 01:39 95792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 09:35 . 2009-05-30 09:35 67072 ----a-w- c:\windows\system32\drivers\ximqevxvksvbupyx.sys
2009-05-27 10:15 . 2009-05-28 12:46 -------- d-----w- c:\program files\DVDFab 6
2009-05-04 05:30 . 2009-05-04 05:30 -------- d-----w- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 10:56 . 2004-08-28 03:42 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-01 10:55 . 2009-03-08 07:57 256 ----a-w- c:\windows\system32\pool.bin
2009-05-31 09:31 . 2008-07-08 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-30 17:23 . 2008-02-29 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-26 04:56 . 2004-09-04 18:52 -------- d-----w- c:\program files\Winamp
2009-04-17 12:14 . 2009-02-11 06:23 -------- d-----w- c:\program files\McAfee
2009-04-17 12:01 . 2008-08-23 00:33 -------- d-----w- c:\program files\Java
2009-04-05 22:19 . 2008-02-26 03:45 89 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-03-25 18:06 . 2009-02-11 06:24 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2009-02-11 06:24 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2009-02-11 06:24 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2009-01-09 20:03 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2009-02-11 06:16 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-03-09 12:19 . 2008-12-14 00:24 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2002-08-29 03:41 283648 ----a-w- c:\windows\system32\pdh.dll
2009-03-05 08:08 . 2009-03-05 08:08 65 ----a-w- c:\windows\system32\BD8860DN.DAT
2008-01-15 02:49 . 2007-12-24 07:40 72 --sh--w- c:\windows\SBA76E11F.tmp
2007-03-15 13:14 . 2006-10-29 01:59 952 --sha-w- c:\windows\system32\KGyGaAvL.sys





**
2nd Combofix log:


ComboFix 09-05-31.05 - Administrator 06/01/2009 17:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2942.2442 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-01 11:20 . 2009-06-01 11:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avanquest
2009-06-01 11:02 . 2009-06-01 11:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Zeon
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Research In Motion
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-06-01 01:39 . 2009-06-01 01:39 95792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 09:35 . 2009-05-30 09:35 67072 ----a-w- c:\windows\system32\drivers\ximqevxvksvbupyx.sys
2009-05-27 10:15 . 2009-05-28 12:46 -------- d-----w- c:\program files\DVDFab 6
2009-05-04 05:30 . 2009-05-04 05:30 -------- d-----w- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 12:14 . 2008-07-08 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-01 10:56 . 2004-08-28 03:42 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-01 10:55 . 2009-03-08 07:57 256 ----a-w- c:\windows\system32\pool.bin
2009-05-30 17:23 . 2008-02-29 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-26 04:56 . 2004-09-04 18:52 -------- d-----w- c:\program files\Winamp
2009-04-17 12:14 . 2009-02-11 06:23 -------- d-----w- c:\program files\McAfee
2009-04-17 12:01 . 2008-08-23 00:33 -------- d-----w- c:\program files\Java
2009-04-05 22:19 . 2008-02-26 03:45 89 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-03-25 18:06 . 2009-02-11 06:24 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2009-02-11 06:24 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2009-02-11 06:24 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2009-01-09 20:03 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2009-02-11 06:16 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-03-09 12:19 . 2008-12-14 00:24 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2002-08-29 03:41 283648 ----a-w- c:\windows\system32\pdh.dll
2009-03-05 08:08 . 2009-03-05 08:08 65 ----a-w- c:\windows\system32\BD8860DN.DAT
2008-01-15 02:49 . 2007-12-24 07:40 72 --sh--w- c:\windows\SBA76E11F.tmp
2007-03-15 13:14 . 2006-10-29 01:59 952 --sha-w- c:\windows\system32\KGyGaAvL.sys




**
3rd ComboFix log: Files Quarantined by ComboFix



2009-06-02 01:05:24 . 2005-02-16 06:54:22 24,613 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\ADMINI~1\LOCALS~1\temp\IadHide5.dll.vir
2009-06-01 11:59:38 . 2009-06-01 11:59:38 562 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-procexp90.Sys.reg.dat
2009-06-01 11:59:36 . 2009-06-01 11:59:36 270 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-SDNotify.reg.dat
2009-06-01 11:59:36 . 2009-06-01 11:59:36 554 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-__c00723C4.reg.dat
2009-06-01 11:59:35 . 2009-06-01 11:59:35 165 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}.reg.dat
2009-06-01 11:59:29 . 2009-06-01 11:59:29 165 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-DomainScan Light Client.reg.dat
2009-06-01 11:54:59 . 2009-06-02 01:00:29 9,080 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-06-01 11:40:58 . 2009-06-01 11:40:58 1,305 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_kungsfjitioclk.reg.dat
2009-06-01 11:28:35 . 2009-06-02 00:55:20 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-05-31 19:08:06 . 2009-05-31 19:08:06 56 ----a-w- C:\Qoobox\Quarantine\C\xcrashdump.dat.vir
2009-05-30 18:00:03 . 2009-05-30 18:01:05 19,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsfewupqdeg.dll.vir
2009-05-30 17:59:58 . 2009-06-01 11:36:25 144,918 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsfivmwoudq.dat.vir
2009-05-30 17:59:57 . 2009-05-30 17:59:57 42,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsfudbqkayp.dll.vir
2009-05-30 17:59:57 . 2009-05-30 17:59:57 67,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kungsfyhmtqrsa.sys.vir
2007-04-08 07:50:59 . 2007-03-05 07:52:26 927 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\hosts.vir
2007-02-02 13:44:42 . 2000-03-06 18:06:58 7,216 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\REGSVR.EXE.vir
2004-12-08 03:18:54 . 2004-12-08 03:18:56 164 ----a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2004-08-28 05:22:56 . 2009-05-30 17:59:32 4,232 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2004-08-28 05:22:56 . 2009-05-30 17:59:32 5,030 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir





**
Portion of original HiJack log:


O4 - HKLM\..\Run: [UserFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [OpAgent] "OpAgent.exe" /agent
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [A00F1CDEF3F.exe] C:\WINDOWS\TEMP\_A00F1CDEF3F.exe
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\qqn1mb04.exe
O4 - HKCU\..\Run: [nzdflkioezncfiunfindiuchiuenfcdc] C:\WINDOWS\TEMP\qqn1mb04.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\James\LOCALS~1\Temp\4255043978.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\James\LOCALS~1\Temp\debug.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: FAXRX.lnk = C:\Program Files\Brother\Brmfl05c\FAXRX.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1





**
McAfee detection Log with found malware and virus:


5/30/2009 11:29:30 AM Scan Started: 05/30/2009 11:29:30 AM
5/30/2009 11:39:05 AM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\238510448.EXE" "FakeAlert-DA" "5"
5/30/2009 11:39:05 AM "C:\Documents and Settings\James\Local Settings\Temp\238510448.exe" "FakeAlert-DA" "5"
5/30/2009 11:39:05 AM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\823099836.EXE" "FakeAlert-DA" "5"
5/30/2009 11:39:05 AM "C:\Documents and Settings\James\Local Settings\Temp\823099836.exe" "FakeAlert-DA" "5"
5/30/2009 11:39:15 AM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2E9G70AF\UDEEE[1].HTM" "Vundo!h" "5"
5/30/2009 11:39:15 AM "C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\2E9G70AF\udeee[1].htm" "Vundo!h" "5"
5/30/2009 11:39:25 AM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\5EOC8SE7\VOCLZZJKG[1].HTM" "Generic Packed" "5"
5/30/2009 11:39:25 AM "C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\5EOC8SE7\voclzzjkg[1].htm" "Generic Packed" "5"
5/30/2009 11:39:39 AM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GC7LRCQ0\JYIIFGKXHY[1].HTM" "Generic Packed" "5"
5/30/2009 11:39:39 AM "C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\GC7LRCQ0\jyiifgkxhy[1].htm" "Generic Packed" "5"
5/30/2009 11:40:29 AM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\MN7TLDLT\IOBPGG[1].HTM" "Generic Packed" "5"
5/30/2009 11:40:29 AM "C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\MN7TLDLT\iobpgg[1].htm" "Generic Packed" "5"
5/30/2009 11:40:36 AM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\V0YN7T4M\NKKLPCGHHV[1].TXT" "Generic Downloader.x!ce" "5"
5/30/2009 11:40:36 AM "C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\V0YN7T4M\nkklpcghhv[1].txt" "Generic Downloader.x!ce" "5"
5/30/2009 11:40:42 AM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ZIEGUKS0\SYVVW[1].HTM" "FakeAlert-DA" "5"
5/30/2009 11:40:42 AM "C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\ZIEGUKS0\syvvw[1].htm" "FakeAlert-DA" "5"
5/30/2009 11:47:52 AM Total objects scanned: 40354
5/30/2009 11:47:52 AM Objects detected: 8
5/30/2009 11:47:52 AM Scan Done: 05/30/2009 11:47:52 AM
5/30/2009 12:03:21 PM Scan Started: 05/30/2009 12:03:21 PM
5/30/2009 12:17:28 PM Total objects scanned: 371
5/30/2009 12:17:28 PM Objects detected: 0
5/30/2009 12:17:28 PM Scan Done: 05/30/2009 12:17:28 PM
5/30/2009 1:44:54 PM Scan Started: 05/30/2009 01:44:54 PM
5/30/2009 1:46:45 PM Scan Started: 05/30/2009 01:46:45 PM
5/30/2009 1:48:03 PM Scan Started: 05/30/2009 01:48:03 PM
5/30/2009 1:49:05 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "10"
5/30/2009 1:49:38 PM "C:\WINDOWS\TEMP\QQN1MB04.EXE" "FakeAlert-DA" "5"
5/30/2009 1:49:43 PM "C:\WINDOWS\TEMP\qqn1mb04.exe" "FakeAlert-DA" "10"
5/30/2009 1:50:10 PM "C:\DOCUME~1\JAMES\LOCALS~1\TEMP\663597666.EXE" "FakeAlert-DA" "5"
5/30/2009 1:50:10 PM "C:\DOCUME~1\James\LOCALS~1\Temp\663597666.exe" "FakeAlert-DA" "10"
5/30/2009 1:50:38 PM "C:\chifx.exe" "Vundo!h" "5"
5/30/2009 2:06:34 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\1441533712.EXE" "FakeAlert-DA" "5"
5/30/2009 2:06:34 PM "C:\Documents and Settings\James\Local Settings\Temp\1441533712.exe" "FakeAlert-DA" "5"
5/30/2009 2:06:34 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\2152136902.EXE" "FakeAlert-DA" "5"
5/30/2009 2:06:34 PM "C:\Documents and Settings\James\Local Settings\Temp\2152136902.exe" "FakeAlert-DA" "5"
5/30/2009 7:02:49 PM Scan Started: 05/30/2009 07:02:49 PM
5/30/2009 7:03:08 PM "C:\WINDOWS\TEMP\QQN1MB04.EXE" "FakeAlert-DA" "5"
5/30/2009 7:03:08 PM "C:\WINDOWS\Temp\qqn1mb04.exe" "FakeAlert-DA" "5"
5/30/2009 7:03:57 PM Scan Started: 05/30/2009 07:03:57 PM
5/30/2009 7:04:02 PM "C:\WINDOWS\TEMP\ZJHUFHDFE.EXE" "FakeAlert-DA" "5"
5/30/2009 7:04:02 PM "C:\WINDOWS\Temp\zjhufhdfe.exe" "FakeAlert-DA" "5"
5/30/2009 7:04:03 PM "C:\WINDOWS\TEMP\_A00F1CDEF3F.EXE" "Vundo!h" "5"
5/30/2009 7:04:03 PM "C:\WINDOWS\Temp\_A00F1CDEF3F.exe" "Vundo!h" "5"
5/30/2009 7:04:06 PM Total objects scanned: 1042
5/30/2009 7:04:06 PM Objects detected: 2
5/30/2009 7:04:06 PM Scan Done: 05/30/2009 07:04:06 PM
5/30/2009 7:05:01 PM Scan Started: 05/30/2009 07:05:01 PM
5/30/2009 7:05:13 PM Total objects scanned: 1040
5/30/2009 7:05:13 PM Objects detected: 0
5/30/2009 7:05:13 PM Scan Done: 05/30/2009 07:05:13 PM
5/30/2009 7:05:38 PM Scan Started: 05/30/2009 07:05:38 PM
5/30/2009 7:05:44 PM Total objects scanned: 1040
5/30/2009 7:05:44 PM Objects detected: 0
5/30/2009 7:05:44 PM Scan Done: 05/30/2009 07:05:44 PM
5/30/2009 7:05:57 PM Scan Started: 05/30/2009 07:05:57 PM
5/30/2009 7:06:29 PM Scan Started: 05/30/2009 07:06:29 PM
5/30/2009 7:07:01 PM Scan Started: 05/30/2009 07:07:01 PM
5/30/2009 7:13:52 PM Scan Started: 05/30/2009 07:13:52 PM
5/30/2009 7:14:51 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "10"
5/30/2009 11:30:11 PM Scan Started: 05/30/2009 11:30:11 PM
5/30/2009 11:31:02 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "10"
5/31/2009 12:58:08 PM Scan Started: 05/31/2009 12:58:08 PM
5/31/2009 12:58:14 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\1444004742.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:14 PM "C:\Documents and Settings\James\Local Settings\Temp\1444004742.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\181588292.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\181588292.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\1844251834.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\1844251834.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\191599186.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\191599186.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\3507580306.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\3507580306.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\3603684950.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\3603684950.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\4200094824.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\4200094824.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\4255043978.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\4255043978.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\832791070.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\832791070.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\929364464.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\929364464.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\DEBUG.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\debug.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\INSTALL.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\install.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:16 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\LOGIN.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:16 PM "C:\Documents and Settings\James\Local Settings\Temp\login.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:16 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\TASKMGR.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:16 PM "C:\Documents and Settings\James\Local Settings\Temp\taskmgr.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:16 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\WINAMP.EXE" "FakeAlert-DA" "5"
5/31/2009 12:58:16 PM "C:\Documents and Settings\James\Local Settings\Temp\winamp.exe" "FakeAlert-DA" "5"
5/31/2009 12:58:16 PM Total objects scanned: 45
5/31/2009 12:58:16 PM Objects detected: 15
5/31/2009 12:58:16 PM Scan Done: 05/31/2009 12:58:16 PM
5/31/2009 12:59:20 PM Scan Started: 05/31/2009 12:59:20 PM
5/31/2009 12:59:20 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\DEBUG.EXE" "FakeAlert-DA" "5"
5/31/2009 12:59:20 PM "C:\Documents and Settings\James\Local Settings\Temp\debug.exe" "FakeAlert-DA" "5"
5/31/2009 12:59:20 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\LOGIN.EXE" "FakeAlert-DA" "5"
5/31/2009 12:59:20 PM "C:\Documents and Settings\James\Local Settings\Temp\login.exe" "FakeAlert-DA" "5"
5/31/2009 12:59:21 PM "C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\TASKMGR.EXE" "FakeAlert-DA" "5"
5/31/2009 12:59:21 PM "C:\Documents and Settings\James\Local Settings\Temp\taskmgr.exe" "FakeAlert-DA" "5"
5/31/2009 12:59:21 PM Total objects scanned: 33
5/31/2009 12:59:21 PM Objects detected: 3
5/31/2009 12:59:21 PM Scan Done: 05/31/2009 12:59:21 PM
5/31/2009 1:04:44 PM Scan Started: 05/31/2009 01:04:44 PM
5/31/2009 1:55:49 PM Scan Started: 05/31/2009 01:55:49 PM
5/31/2009 1:55:50 PM Total objects scanned: 6
5/31/2009 1:55:50 PM Objects detected: 0
5/31/2009 1:55:50 PM Scan Done: 05/31/2009 01:55:50 PM
5/31/2009 1:57:12 PM Scan Started: 05/31/2009 01:57:12 PM
5/31/2009 1:57:28 PM "C:\WINDOWS\LD08.EXE" "W32/Koobface.worm.gen.d" "5"
5/31/2009 1:57:28 PM "C:\WINDOWS\ld08.exe" "W32/Koobface.worm.gen.d" "5"
5/31/2009 2:27:55 PM Scan Started: 05/31/2009 02:27:55 PM
5/31/2009 2:27:55 PM Total objects scanned: 7
5/31/2009 2:27:55 PM Objects detected: 0
5/31/2009 2:27:55 PM Scan Done: 05/31/2009 02:27:55 PM
5/31/2009 2:31:46 PM Scan Started: 05/31/2009 02:31:46 PM
5/31/2009 2:31:54 PM "C:\WINDOWS\TEMP\EXT" "W32/Koobface.worm.gen.d" "5"
5/31/2009 2:31:54 PM "C:\WINDOWS\Temp\ext" "W32/Koobface.worm.gen.d" "5"
5/31/2009 2:35:57 PM Scan Started: 05/31/2009 02:35:57 PM
5/31/2009 2:36:02 PM Total objects scanned: 687
5/31/2009 2:36:02 PM Objects detected: 0
5/31/2009 2:36:02 PM Scan Done: 05/31/2009 02:36:02 PM
5/31/2009 2:50:19 PM Scan Started: 05/31/2009 02:50:19 PM
5/31/2009 2:50:33 PM Total objects scanned: 690
5/31/2009 2:50:33 PM Objects detected: 0
5/31/2009 2:50:33 PM Scan Done: 05/31/2009 02:50:33 PM
5/31/2009 2:51:39 PM Scan Started: 05/31/2009 02:51:39 PM
5/31/2009 2:51:47 PM Total objects scanned: 36
5/31/2009 2:51:47 PM Objects detected: 0
5/31/2009 2:51:47 PM Scan Done: 05/31/2009 02:51:47 PM
5/31/2009 2:53:23 PM Scan Started: 05/31/2009 02:53:23 PM
5/31/2009 2:53:53 PM Scan Started: 05/31/2009 02:53:53 PM
5/31/2009 2:54:22 PM "C:\WINDOWS\SYSTEM32\BEKBN.DLL" "Generic Downloader.x!cf" "5"
5/31/2009 2:54:22 PM "C:\WINDOWS\system32\bekbn.dll" "Generic Downloader.x!cf" "5"
5/31/2009 2:56:21 PM "CLSID\{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}\InProcServer32" "Downloader-BPH" "14"
5/31/2009 2:56:21 PM "HKCR\CLSID\{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}\InProcServer32" "Downloader-BPH" "14"
5/31/2009 2:56:21 PM "CLSID\{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}" "Downloader-BPH" "14"
5/31/2009 2:56:21 PM "HKCR\CLSID\{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}" "Downloader-BPH" "14"
5/31/2009 2:56:21 PM "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}" "Downloader-BPH" "14"
5/31/2009 2:56:21 PM "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C6C7B2A1-00F3-42BD-F434-00AABA2C8953}" "Downloader-BPH" "14"
5/31/2009 2:56:21 PM "C:\WINDOWS\SYSTEM32\YHAFD78AUHD.DLL" "Downloader-BPH" "5"
5/31/2009 2:56:21 PM "C:\WINDOWS\system32\yhafd78auhd.dll" "Downloader-BPH" "5"
5/31/2009 2:56:22 PM "C:\WINDOWS\system32\__c00723C4.dat" "Vundo!h" "5"
5/31/2009 2:57:23 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "5"
5/31/2009 2:58:16 PM Total objects scanned: 6370
5/31/2009 2:58:16 PM Objects detected: 9
5/31/2009 2:58:16 PM Scan Done: 05/31/2009 02:58:16 PM
5/31/2009 3:13:42 PM Scan Started: 05/31/2009 03:13:42 PM
5/31/2009 3:13:45 PM Total objects scanned: 36
5/31/2009 3:13:45 PM Objects detected: 0
5/31/2009 3:13:45 PM Scan Done: 05/31/2009 03:13:45 PM
5/31/2009 3:14:01 PM Scan Started: 05/31/2009 03:14:01 PM
5/31/2009 3:15:15 PM Scan Started: 05/31/2009 03:15:15 PM
5/31/2009 3:18:05 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "5"
5/31/2009 3:18:47 PM Total objects scanned: 6362
5/31/2009 3:18:47 PM Objects detected: 1
5/31/2009 3:18:47 PM Scan Done: 05/31/2009 03:18:47 PM
5/31/2009 3:22:39 PM Scan Started: 05/31/2009 03:22:39 PM
5/31/2009 3:23:13 PM Scan Started: 05/31/2009 03:23:13 PM
5/31/2009 3:34:27 PM Scan Started: 05/31/2009 03:34:27 PM
5/31/2009 3:35:13 PM Scan Started: 05/31/2009 03:35:13 PM
5/31/2009 5:58:59 PM Scan Started: 05/31/2009 05:58:59 PM
5/31/2009 6:12:01 PM Scan Started: 05/31/2009 06:12:01 PM
5/31/2009 6:13:45 PM Total objects scanned: 2535
5/31/2009 6:13:45 PM Objects detected: 0
5/31/2009 6:13:45 PM Scan Done: 05/31/2009 06:13:45 PM
5/31/2009 6:14:12 PM Scan Started: 05/31/2009 06:14:12 PM
5/31/2009 6:20:40 PM Scan Started: 05/31/2009 06:20:40 PM
5/31/2009 6:27:17 PM Scan Started: 05/31/2009 06:27:17 PM
5/31/2009 6:34:45 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "5"
5/31/2009 6:35:52 PM Total objects scanned: 14090
5/31/2009 6:35:52 PM Objects detected: 1
5/31/2009 6:35:52 PM Scan Done: 05/31/2009 06:35:52 PM


**
Thank you for your assistance. James
End of post.
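The HijackThis and McAfee logs above can be triaged mechanically before anyone reads them line by line. The Python below is an added example, not code from the poster, from BleepingComputer, or from HijackThis or McAfee: it parses the O4/O7 lines and the McAfee detection lines, and flags autoruns that launch from a Temp directory, well-known binary names outside the directory they ship in (the repeated `New Malware.j` hit on `system32\drivers\svchost.exe` is the textbook case, since the real svchost.exe lives in `system32` itself), empty or random-looking Run value names, the O7 policy line that accounts for the regedit restriction, and paths McAfee re-detects in separate scans, which means the on-demand scan is not actually getting rid of them. The sample lines are excerpted from the logs posted above; the regexes, the `EXPECTED_DIR` table and the value-name heuristic are this example's own assumptions, not anything either tool ships.

```python
"""Added triage example for the HijackThis and McAfee logs above (not tool code).
Rules are heuristics: autoruns under a Temp directory, well-known binary names
outside the directory they ship in, empty or random-looking Run value names,
O7 policy lines, and McAfee paths re-detected in more than one scan."""
import re
from collections import namedtuple

# Line shapes, written for this example from the log lines posted above.
O4_RUNKEY = re.compile(r'^O4 - (?P<hive>HK[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
O7_POLICY = re.compile(r'^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)$')
MCAFEE_HIT = re.compile(r'^(?P<ts>\S+ \S+ [AP]M) "(?P<path>[^"]+)" "(?P<det>[^"]+)" "(?P<action>\d+)"$')
FIRST_PATH = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|bat|cmd|vbs))"?', re.IGNORECASE)

TEMP_DIRS = ('\\windows\\temp\\', '\\local settings\\temp\\', '\\locals~1\\temp\\')
# Assumed table: the only directory these Windows XP binaries legitimately live in.
EXPECTED_DIR = {n: '\\windows\\system32\\' for n in
                ('svchost.exe', 'taskmgr.exe', 'debug.exe', 'ctfmon.exe', 'dumprep.exe')}

# source is 'O4', 'O7' or 'McAfee'; name is the Run value, policy value or detection name
Finding = namedtuple('Finding', 'source name path reasons')

def classify_path(path):
    """Reasons a file path is worth a second look; an empty list means no rule fired."""
    lowered, reasons = path.lower(), []
    if any(d in lowered for d in TEMP_DIRS):
        reasons.append('runs from a Temp directory')
    base = lowered.rsplit('\\', 1)[-1]
    expected = EXPECTED_DIR.get(base)
    if expected and not lowered.endswith(expected + base):
        reasons.append(f'{base} outside {expected}')   # e.g. svchost.exe under system32\drivers
    return reasons

def suspicious_name(name):
    """Run value names malware tends to use: none at all, or a long lowercase letter soup."""
    if name == '':
        return 'empty value name'
    if len(name) >= 16 and name.isalpha() and name.islower():
        return 'random-looking value name'
    return None

def triage_hijackthis(lines):
    findings = []
    for line in (ln.strip() for ln in lines):
        if m := O7_POLICY.match(line):
            findings.append(Finding('O7', f"{m['value']}={m['data']}", m['key'], ('restrictive policy set',)))
        elif m := O4_RUNKEY.match(line):
            target = FIRST_PATH.match(m['cmd'].strip())
            path = target['path'] if target else m['cmd'].strip()
            reasons = classify_path(path) if target else ['target could not be resolved']
            if why := suspicious_name(m['name']):
                reasons.append(why)
            if reasons:
                findings.append(Finding('O4', m['name'], path, tuple(reasons)))
    return findings

def triage_mcafee(lines):
    """Detections whose path is itself suspicious, plus paths seen in more than one scan."""
    findings, scans_by_path, scan_no = [], {}, 0
    for line in (ln.strip() for ln in lines):
        if 'Scan Started:' in line:
            scan_no += 1
        elif m := MCAFEE_HIT.match(line):
            key = m['path'].lower()            # McAfee logs the same file in two casings
            reasons = classify_path(m['path'])
            if reasons and key not in scans_by_path:
                findings.append(Finding('McAfee', m['det'], m['path'], tuple(reasons)))
            scans_by_path.setdefault(key, set()).add(scan_no)
    return findings, {p: len(s) for p, s in scans_by_path.items() if len(s) > 1}

# Sample input: lines excerpted from the logs posted above.
HIJACKTHIS_SAMPLE = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F1CDEF3F.exe] C:\WINDOWS\TEMP\_A00F1CDEF3F.exe
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\qqn1mb04.exe
O4 - HKCU\..\Run: [nzdflkioezncfiunfindiuchiuenfcdc] C:\WINDOWS\TEMP\qqn1mb04.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\James\LOCALS~1\Temp\4255043978.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\James\LOCALS~1\Temp\debug.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
""".strip().splitlines()

MCAFEE_SAMPLE = r"""
5/30/2009 1:48:03 PM Scan Started: 05/30/2009 01:48:03 PM
5/30/2009 1:49:05 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "10"
5/30/2009 1:49:38 PM "C:\WINDOWS\TEMP\QQN1MB04.EXE" "FakeAlert-DA" "5"
5/30/2009 1:49:43 PM "C:\WINDOWS\TEMP\qqn1mb04.exe" "FakeAlert-DA" "10"
5/30/2009 1:50:38 PM "C:\chifx.exe" "Vundo!h" "5"
5/30/2009 7:13:52 PM Scan Started: 05/30/2009 07:13:52 PM
5/30/2009 7:14:51 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "10"
5/31/2009 12:58:08 PM Scan Started: 05/31/2009 12:58:08 PM
5/31/2009 12:58:15 PM "C:\Documents and Settings\James\Local Settings\Temp\debug.exe" "FakeAlert-DA" "5"
5/31/2009 2:53:53 PM Scan Started: 05/31/2009 02:53:53 PM
5/31/2009 2:57:23 PM "C:\WINDOWS\system32\drivers\svchost.exe" "New Malware.j" "5"
""".strip().splitlines()

if __name__ == '__main__':
    hits, recurring = triage_mcafee(MCAFEE_SAMPLE)
    for f in triage_hijackthis(HIJACKTHIS_SAMPLE) + hits:
        print(f'{f.source:6} {f.name!r:36} {f.path}  <- {"; ".join(f.reasons)}')
    for path, n in recurring.items():
        print(f'recurring in {n} scans: {path}')
```

Run it as a script to print the findings; to feed it the full logs, replace the two sample lists with `open(path).read().splitlines()`. The rules rank what to look at first, they are not verdicts: a Temp-directory autorun is also how some legitimate updaters misbehave, so confirm each hit against the file itself (publisher signature, hash lookup) before acting on it, and treat the recurring-detection count as the more telling signal, since a file that is still there scan after scan is either not being removed or is being re-dropped by something the scanner has not found.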

#6 PropagandaPanda
Malware Response Team, 10,433 posts

Posted 18 June 2009 - 07:26 AM

Hello.

From your ComboFix log, you were infected with a backdoor.

No scanner is perfect, and all will miss files. However, those ones really should have been detected.

Backdoor Threat
This means that sensitive information could have been stolen. I would advise changing any passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.



Please download a new copy of ComboFix. Run it and post back the log.
Link 1, Link 2, Link 3
  • In notepad where the log opens, click on Format and uncheck word wrap. It messes up the spacing in the logs.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.

  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.


With Regards,
The Panda

Edited by PropagandaPanda, 18 June 2009 - 07:26 AM.


#7 jabroy (Topic Starter)
Members, 23 posts, Southern Cal

Posted 18 June 2009 - 08:42 AM

Hello Panda,
Here are the logs.

ComboFix 09-06-17.02 - James 06/18/2009 6:05.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2942.2327 [GMT -7:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\James\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-17 12:59 . 2009-06-17 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-06-17 12:54 . 2009-06-17 12:54 -------- d-----w- c:\program files\Citrix
2009-06-17 12:54 . 2009-06-17 12:54 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Citrix
2009-06-17 12:54 . 2009-06-17 12:54 61224 ----a-w- c:\documents and settings\James\GoToAssistDownloadHelper.exe
2009-06-16 02:46 . 2009-06-16 02:46 -------- d-----w- c:\program files\iPod
2009-06-16 02:46 . 2009-06-16 02:46 -------- d-----w- c:\program files\iTunes
2009-06-16 02:46 . 2009-06-16 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-16 02:44 . 2009-06-16 02:44 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Apple
2009-06-16 02:44 . 2009-06-16 02:44 -------- d-----w- c:\program files\Apple Software Update
2009-06-16 02:43 . 2009-06-16 02:46 -------- d-----w- c:\program files\Common Files\Apple
2009-06-16 02:43 . 2009-06-16 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-16 02:40 . 2009-06-16 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-06-15 05:57 . 2009-06-16 04:35 0 ----a-w- c:\windows\system32\iphist.dat
2009-06-11 01:52 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-11 01:52 . 2009-06-11 01:52 -------- d-----w- c:\program files\Panda Security
2009-06-11 01:44 . 2009-06-11 01:50 -------- d-----w- c:\documents and settings\James\.housecall6.6
2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 02:41 . 2009-06-03 02:41 -------- d-----r- c:\documents and settings\Administrator\Application Data\Brother
2009-06-03 02:09 . 2009-06-03 02:09 -------- d-----w- c:\program files\Trend Micro
2009-06-03 02:06 . 2009-06-03 02:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-06-01 11:20 . 2009-06-01 11:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avanquest
2009-06-01 11:02 . 2009-06-01 11:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Zeon
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Research In Motion
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-06-01 01:39 . 2009-06-01 01:39 95792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-27 10:15 . 2009-05-28 12:46 -------- d-----w- c:\program files\DVDFab 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 00:35 . 2009-03-08 07:57 256 ----a-w- c:\windows\system32\pool.bin
2009-06-17 00:32 . 2009-02-11 06:23 -------- d-----w- c:\program files\McAfee
2009-06-16 02:46 . 2005-03-12 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-16 02:45 . 2008-02-24 08:04 -------- d-----w- c:\program files\Bonjour
2009-06-16 02:45 . 2005-03-12 16:55 -------- d-----w- c:\program files\QuickTime
2009-06-16 02:38 . 2009-03-08 07:56 -------- d-----w- c:\documents and settings\James\Application Data\Research In Motion
2009-06-15 08:36 . 2009-03-08 06:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-06-14 15:22 . 2008-02-26 07:00 -------- d-----w- c:\program files\Absolute Video Converter
2009-06-14 15:21 . 2007-12-24 07:26 -------- d-----w- c:\program files\Elaborate Bytes
2009-06-14 14:51 . 2008-08-14 11:53 -------- d-----w- c:\program files\No1 DVD Ripper
2009-06-14 14:48 . 2008-02-26 06:53 -------- d-----w- c:\program files\VSO
2009-06-14 14:48 . 2008-01-13 23:48 -------- d-----w- c:\documents and settings\James\Application Data\Vso
2009-06-14 14:47 . 2008-02-27 08:20 -------- d-----w- c:\documents and settings\James\Application Data\Any DVD Converter Professional
2009-06-14 14:47 . 2009-05-04 05:30 -------- d-----w- c:\documents and settings\James\Application Data\uTorrent
2009-06-12 12:14 . 2008-08-23 07:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-12 12:13 . 2004-09-06 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-10 11:39 . 2008-02-29 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-02 03:27 . 2004-08-28 03:42 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-01 12:14 . 2008-07-08 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-26 04:56 . 2004-09-04 18:52 -------- d-----w- c:\program files\Winamp
2009-05-07 15:44 . 2002-08-29 03:41 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-07 02:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-09-04 00:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 11:59 . 2009-04-17 11:59 152576 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 09:58 . 2002-08-29 02:14 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-09-01 12:10 583168 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-05 22:19 . 2008-02-26 03:45 89 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-03-25 18:06 . 2009-02-11 06:24 40552 ------w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2009-02-11 06:24 79880 ------w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2009-02-11 06:24 35272 ------w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2009-01-09 20:03 214024 ------w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2009-02-11 06:16 34216 ------w- c:\windows\system32\drivers\mferkdk.sys
2008-01-15 02:49 . 2007-12-24 07:40 72 --sh--w- c:\windows\SBA76E11F.tmp
2007-03-15 13:14 . 2006-10-29 01:59 952 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-01_11.56.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 07:08 . 2006-12-02 07:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 07:08 . 2006-12-02 07:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 07:08 . 2006-12-02 07:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 07:08 . 2006-12-02 07:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 07:08 . 2006-12-02 07:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 07:08 . 2006-12-02 07:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 07:08 . 2006-12-02 07:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 07:08 . 2006-12-02 07:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
- 2006-12-02 08:08 . 2006-12-02 08:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 07:08 . 2006-12-02 07:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
- 2006-12-02 08:26 . 2006-12-02 08:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 07:26 . 2006-12-02 07:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
- 2006-12-02 08:25 . 2006-12-02 08:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 07:25 . 2006-12-02 07:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
- 2006-12-02 06:56 . 2006-12-02 06:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 05:56 . 2006-12-02 05:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2009-06-17 00:32 . 2009-06-17 00:32 16384 c:\windows\Temp\Perflib_Perfdata_4f0.dat
+ 2007-09-09 19:10 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
- 2007-09-09 19:10 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2009-06-15 08:39 . 2007-01-18 18:24 26496 c:\windows\system32\ReinstallBackups\0021\DriverFiles\RimSerial.sys
- 2002-08-29 03:41 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
+ 2002-08-29 03:41 . 2009-04-29 04:56 44544 c:\windows\system32\pngfilt.dll
- 2001-08-23 12:00 . 2009-05-31 11:53 72152 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2009-06-15 04:09 72152 c:\windows\system32\perfc009.dat
+ 2006-10-27 23:09 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll
- 2006-10-27 23:09 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2001-08-23 12:00 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
+ 2001-08-23 12:00 . 2009-04-29 04:55 27648 c:\windows\system32\jsproxy.dll
- 2006-10-27 10:44 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2006-10-27 10:44 . 2009-04-28 09:05 13824 c:\windows\system32\ieudinit.exe
+ 2001-08-23 12:00 . 2009-04-29 04:55 44544 c:\windows\system32\iernonce.dll
- 2001-08-23 12:00 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
+ 2002-08-29 03:41 . 2009-04-28 09:05 70656 c:\windows\system32\ie4uinit.exe
- 2002-08-29 03:41 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 20:58 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll
- 2006-10-17 20:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
+ 2009-06-16 02:44 . 2009-06-05 18:42 39424 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaapl.sys
+ 2009-06-16 02:44 . 2009-06-05 18:42 17408 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\netaapl.sys
+ 2009-06-16 02:46 . 2009-03-19 23:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys
- 2008-05-21 03:33 . 2008-05-21 03:33 22784 c:\windows\system32\drivers\RimUsb.sys
+ 2008-05-21 02:33 . 2008-05-21 02:33 22784 c:\windows\system32\drivers\RimUsb.sys
- 2009-03-08 06:47 . 2007-01-18 18:24 26496 c:\windows\system32\drivers\RimSerial.sys
+ 2009-03-08 06:47 . 2007-01-18 17:24 26496 c:\windows\system32\drivers\RimSerial.sys
+ 2004-09-14 22:38 . 2009-03-19 23:32 23400 c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2008-12-12 18:11 . 2008-12-12 18:11 61440 c:\windows\system32\dnssd.dll
+ 2008-12-12 18:18 . 2008-12-12 18:18 87336 c:\windows\system32\dns-sd.exe
+ 2006-05-10 05:23 . 2009-04-29 04:56 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-05-10 05:23 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-05-13 16:26 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-13 16:26 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-05-10 05:22 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:22 . 2009-04-29 04:55 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-05-13 16:26 . 2009-04-28 09:05 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2007-05-13 16:26 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2006-10-27 10:44 . 2009-04-29 04:55 44544 c:\windows\system32\dllcache\iernonce.dll
- 2006-10-27 10:44 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
- 2006-10-17 21:06 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2006-10-17 21:06 . 2009-04-29 04:55 78336 c:\windows\system32\dllcache\ieencode.dll
- 2006-10-27 10:44 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-10-27 10:44 . 2009-04-28 09:05 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-20 10:04 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
- 2004-08-28 03:32 . 2009-06-01 10:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-28 03:32 . 2009-06-18 09:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-28 03:32 . 2009-06-18 09:10 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-28 03:32 . 2009-06-01 10:51 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-05-16 11:37 . 2009-05-16 11:37 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-06-14 15:10 . 2009-06-14 15:10 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-06-16 02:44 . 2009-06-16 02:44 27136 c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 26694 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 26694 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 26694 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 26694 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 26694 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 26694 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 26694 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 69632 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\DesktopMgr.exe
+ 2009-06-16 02:45 . 2009-06-16 02:45 86016 c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe
+ 2006-10-27 04:13 . 2006-10-27 04:13 72472 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNVP.DLL
+ 2009-06-14 15:01 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB969897-IE7\pngfilt.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 52224 c:\windows\ie7updates\KB969897-IE7\msfeedsbs.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 27648 c:\windows\ie7updates\KB969897-IE7\jsproxy.dll
+ 2009-06-14 15:01 . 2009-02-20 10:20 13824 c:\windows\ie7updates\KB969897-IE7\ieudinit.exe
+ 2009-06-14 15:01 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB969897-IE7\iernonce.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 78336 c:\windows\ie7updates\KB969897-IE7\ieencode.dll
+ 2009-06-14 15:01 . 2009-02-20 10:20 70656 c:\windows\ie7updates\KB969897-IE7\ie4uinit.exe
+ 2009-06-14 15:01 . 2009-02-20 18:09 63488 c:\windows\ie7updates\KB969897-IE7\icardie.dll
+ 2009-02-06 10:06 . 2009-06-14 15:10 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-06-16 02:40 . 2009-06-16 02:40 6318 c:\windows\Installer\{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}\ICO_ARPProductIcon.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 6502 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 6502 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2009-06-15 08:38 . 2009-06-15 08:38 6502 c:\windows\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2006-12-02 05:54 . 2006-12-02 05:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-02 06:54 . 2006-12-02 06:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-02 06:54 . 2006-12-02 06:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 05:54 . 2006-12-02 05:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 05:54 . 2006-12-02 05:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
- 2006-12-02 06:54 . 2006-12-02 06:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2005-05-17 00:25 . 2009-04-15 09:24 351744 c:\windows\system32\xpsp3res.dll
- 2005-05-17 00:25 . 2008-02-15 09:06 351744 c:\windows\system32\xpsp3res.dll
+ 2002-08-29 03:41 . 2009-04-29 04:56 233472 c:\windows\system32\webcheck.dll
- 2002-08-29 03:41 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
- 2002-08-29 03:41 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
+ 2002-08-29 03:41 . 2009-04-29 04:56 105984 c:\windows\system32\url.dll
+ 2001-08-23 12:00 . 2009-06-15 04:09 444528 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2009-05-31 11:53 444528 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
+ 2001-08-23 12:00 . 2009-04-29 04:56 102912 c:\windows\system32\occache.dll
+ 2002-08-29 03:41 . 2009-04-29 04:56 671232 c:\windows\system32\mstime.dll
- 2002-08-29 03:41 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
- 2002-08-29 03:41 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
+ 2002-08-29 03:41 . 2009-04-29 04:56 193024 c:\windows\system32\msrating.dll
- 2002-08-29 03:41 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
+ 2002-08-29 03:41 . 2009-04-29 04:56 477696 c:\windows\system32\mshtmled.dll
- 2006-10-27 23:09 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
+ 2006-10-27 23:09 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll
+ 2006-10-17 20:57 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll
- 2006-10-17 20:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
- 2002-08-29 03:40 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2002-08-29 03:40 . 2009-04-29 04:55 385024 c:\windows\system32\iedkcs32.dll
- 2006-10-17 20:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
+ 2006-10-17 20:27 . 2009-04-29 04:55 383488 c:\windows\system32\ieapfltr.dll
+ 2001-08-23 12:00 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll
- 2001-08-23 12:00 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
+ 2002-08-29 03:40 . 2009-04-29 04:55 230400 c:\windows\system32\ieaksie.dll
- 2002-08-29 03:40 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2002-08-29 03:40 . 2009-04-29 04:55 153088 c:\windows\system32\ieakeng.dll
- 2002-08-29 03:40 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
+ 2004-09-14 22:38 . 2008-04-17 19:12 107368 c:\windows\system32\GEARAspi.dll
- 2004-09-04 00:37 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
+ 2004-09-04 00:37 . 2009-04-29 04:55 133120 c:\windows\system32\extmgr.dll
- 2002-08-29 03:40 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
+ 2002-08-29 03:40 . 2009-04-29 04:55 214528 c:\windows\system32\dxtrans.dll
+ 2002-08-29 03:40 . 2009-04-29 04:55 347136 c:\windows\system32\dxtmsft.dll
- 2002-08-29 03:40 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2009-06-16 02:46 . 2008-04-17 19:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll
+ 2006-05-10 05:23 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\wininet.dll
+ 2006-10-27 23:09 . 2009-04-29 04:56 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-10-27 23:09 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-10-17 21:05 . 2009-04-29 04:56 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 21:05 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2007-10-09 19:44 . 2009-04-15 15:26 583168 c:\windows\system32\dllcache\rpcrt4.dll
- 2006-10-17 21:04 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 21:04 . 2009-04-29 04:56 102912 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:23 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:23 . 2009-04-29 04:56 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:23 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:23 . 2009-04-29 04:56 193024 c:\windows\system32\dllcache\msrating.dll
- 2006-05-10 05:23 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-05-10 05:23 . 2009-04-29 04:56 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2007-05-13 16:26 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-05-13 16:26 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-05-07 15:44 . 2009-05-07 15:44 344064 c:\windows\system32\dllcache\localspl.dll
+ 2006-10-17 21:04 . 2009-04-25 05:27 636088 c:\windows\system32\dllcache\iexplore.exe
- 2007-05-13 16:26 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-05-13 16:26 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-10-27 10:44 . 2009-04-29 04:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-10-27 10:44 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-13 16:26 . 2009-04-29 04:55 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-13 16:26 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2001-08-23 12:00 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2001-08-23 12:00 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-10-27 10:44 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-10-27 10:44 . 2009-04-29 04:55 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-10-27 10:44 . 2009-04-29 04:55 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-10-27 10:44 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-05-10 05:22 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-05-10 05:22 . 2009-04-29 04:55 133120 c:\windows\system32\dllcache\extmgr.dll
- 2006-05-10 05:22 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:22 . 2009-04-29 04:55 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-05-10 05:22 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-05-10 05:22 . 2009-04-29 04:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-10-27 10:44 . 2009-04-29 04:55 124928 c:\windows\system32\dllcache\advpack.dll
- 2006-10-27 10:44 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
+ 2002-08-29 03:40 . 2009-04-29 04:55 124928 c:\windows\system32\advpack.dll
- 2002-08-29 03:40 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
+ 2009-05-28 01:07 . 2009-05-28 01:07 585728 c:\windows\Installer\BBMediaSyncUninstall.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-02-06 10:06 . 2009-06-14 15:10 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2009-02-06 10:06 . 2009-05-16 11:38 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-06-16 02:46 . 2009-06-16 02:46 102400 c:\windows\Installer\{5D601655-6D54-4384-B52C-17EC5385FBBD}\iTunesIco.exe
+ 2009-06-14 15:01 . 2009-03-03 00:18 826368 c:\windows\ie7updates\KB969897-IE7\wininet.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 233472 c:\windows\ie7updates\KB969897-IE7\webcheck.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 105984 c:\windows\ie7updates\KB969897-IE7\url.dll
+ 2009-06-14 15:01 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB969897-IE7\spuninst\updspapi.dll
+ 2009-06-14 15:01 . 2008-07-09 07:38 231288 c:\windows\ie7updates\KB969897-IE7\spuninst\spuninst.exe
+ 2009-06-14 15:01 . 2009-02-20 18:09 102912 c:\windows\ie7updates\KB969897-IE7\occache.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 671232 c:\windows\ie7updates\KB969897-IE7\mstime.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 193024 c:\windows\ie7updates\KB969897-IE7\msrating.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 477696 c:\windows\ie7updates\KB969897-IE7\mshtmled.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 459264 c:\windows\ie7updates\KB969897-IE7\msfeeds.dll
+ 2009-06-14 15:01 . 2009-02-28 04:54 636072 c:\windows\ie7updates\KB969897-IE7\iexplore.exe
+ 2009-06-14 15:01 . 2009-02-20 18:09 268288 c:\windows\ie7updates\KB969897-IE7\iertutil.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 385024 c:\windows\ie7updates\KB969897-IE7\iedkcs32.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 383488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dll
+ 2009-06-14 15:01 . 2009-02-20 05:14 161792 c:\windows\ie7updates\KB969897-IE7\ieakui.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 230400 c:\windows\ie7updates\KB969897-IE7\ieaksie.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 153088 c:\windows\ie7updates\KB969897-IE7\ieakeng.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 133120 c:\windows\ie7updates\KB969897-IE7\extmgr.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 214528 c:\windows\ie7updates\KB969897-IE7\dxtrans.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 347136 c:\windows\ie7updates\KB969897-IE7\dxtmsft.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 124928 c:\windows\ie7updates\KB969897-IE7\advpack.dll
+ 2009-04-23 01:05 . 2009-04-23 01:05 406640 c:\windows\Downloaded Program Files\fslauncher.dll
+ 2009-04-17 15:59 . 2009-04-17 15:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
- 2006-12-02 08:25 . 2006-12-02 08:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 07:25 . 2006-12-02 07:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 07:25 . 2006-12-02 07:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
- 2006-12-02 08:25 . 2006-12-02 08:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2004-01-22 00:20 . 2009-04-29 04:56 1159680 c:\windows\system32\urlmon.dll
+ 2004-07-08 01:37 . 2009-04-29 04:56 3596288 c:\windows\system32\mshtml.dll
+ 2006-10-27 23:09 . 2009-04-29 04:55 6066176 c:\windows\system32\ieframe.dll
- 2006-10-27 23:09 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
+ 2004-08-27 20:18 . 2009-06-14 15:15 1760296 c:\windows\system32\FNTCACHE.DAT
- 2004-08-27 20:18 . 2009-03-12 12:27 1760296 c:\windows\system32\FNTCACHE.DAT
+ 2009-06-16 02:44 . 2009-06-05 18:42 2060288 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaaplrc.dll
+ 2009-06-16 02:44 . 2009-06-05 18:42 1419232 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\wdfcoinstaller01005.dll
+ 2007-03-08 13:47 . 2009-04-17 09:58 1846656 c:\windows\system32\dllcache\win32k.sys
+ 2006-05-10 05:23 . 2009-04-29 04:56 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2006-05-19 15:08 . 2009-04-29 04:56 3596288 c:\windows\system32\dllcache\mshtml.dll
- 2007-05-13 16:26 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2007-05-13 16:26 . 2009-04-29 04:55 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 1160192 c:\windows\ie7updates\KB969897-IE7\urlmon.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 3595264 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
+ 2009-06-14 15:01 . 2009-02-20 18:09 6066176 c:\windows\ie7updates\KB969897-IE7\ieframe.dll
+ 2009-06-14 15:01 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dat
+ 2005-05-11 12:58 . 2009-06-01 16:51 23635392 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 335872]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"CRBroadCasting"="c:\program files\CardReader2.0\CRBroadCasting.exe" [2004-02-26 24576]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-01-08 65536]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"WD Button Manager"="c:\windows\system32\WDBtnMgr.exe" [2008-03-22 364544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"UserFaultCheck"="c:\windows\system32\dumprep.exe" [2004-08-04 10752]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-12 995328]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-06-05 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-04-26 29696]

c:\documents and settings\James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-9-11 113664]
FAXRX.lnk - c:\program files\Brother\Brmfl05c\FAXRX.exe [2009-3-5 499712]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-8-29 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-6-5 1545488]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-30 282624]
HyperSnap 6.lnk - c:\program files\HyperSnap 6\HprSnap6.exe [2007-10-27 2393424]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Liquid.6\\Program\\RM.exe"=
"c:\\Program Files\\Liquid.6\\Program\\Studiou.mod"=
"c:\\Program Files\\LimeWire\\LimeWire 4.2.2 Pro\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Brother\\Brmfl05c\\FAXRX.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\WINDOWS\\system32\\SecTrap.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [3/21/2008 6:37 PM 10112]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/10/2009 6:52 PM 28544]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [3/20/2008 5:45 PM 5543]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/10/2009 11:25 PM 210216]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [9/4/2004 7:57 AM 203264]
R3 ham50;Intel HaM Data Fax Voice;c:\windows\system32\drivers\ham50.sys [11/27/2001 11:56 AM 366525]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/7/2006 9:16 PM 10112]
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\LStone2k.sys [3/20/2008 5:45 PM 256113]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\James\LOCALS~1\Temp\{9B94B~1\atiicdxx.sys --> c:\docume~1\James\LOCALS~1\Temp\{9B94B~1\atiicdxx.sys [?]
S3 DQPA4AV;USB2.0 DQPA4 Premier;c:\windows\system32\drivers\DQPA4AV.SYS [1/5/2006 6:05 AM 121728]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [9/1/2008 10:49 PM 36928]
S3 SS;SS;c:\docume~1\James\LOCALS~1\Temp\SS.exe --> c:\docume~1\James\LOCALS~1\Temp\SS.exe [?]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - F-SECURE_STANDALONE_MINIFILTER
*NewlyCreated* - FSBL
*Deregistered* - F-Secure Standalone Minifilter
*Deregistered* - fsbl
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-03 15:27]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-11 18:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-11 18:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 06:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,6e,e6,a4,fc,41,
b7,77,61,e2,63,26,f1,3f,c8,ff,68,6e,95,24,f2,b5,f7,90,4a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,45,ca,a4,82,c1,
1f,25,14,6a,9c,d6,61,af,45,84,18,91,e9,0a,70,14,1f,cb,fd,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,4a,1e,b0,4d,93,
fb,18,9c,ff,7c,85,e0,43,d4,0e,fe,90,c9,b2,18,a6,18,9c,e7,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,b1,37,3c,e2,42,
98,7e,18,86,8c,21,01,be,91,eb,e7,97,12,8a,ee,fe,da,99,d9,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,57,e7,e6,da,15,
3e,cb,be,f5,1d,4d,73,a8,13,5c,05,80,05,cb,f5,4b,2a,27,55,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,f7,1d,9b,a9,85,
f9,af,9d,df,20,58,62,78,6b,cf,c8,80,a8,d8,3f,8b,52,19,ad,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,f1,82,cc,74,3b,
85,f4,a5,fb,a7,78,e6,12,2f,9a,ea,58,60,78,19,7b,cb,cf,2d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,92,f1,b2,2f,70,
88,df,b2,01,3a,48,fc,e8,04,4a,f1,8b,b4,47,20,3e,54,4f,47,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,11,e6,f8,f3,68,
cb,07,ce,f6,0f,4e,58,98,5b,89,c9,35,40,82,6e,1c,65,67,44,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,3d,98,a0,21,23,
88,1f,9d,3d,ce,ea,26,2d,45,aa,78,27,07,65,e0,c0,e2,b1,6f,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,2f,bb,0d,0e,5f,
0b,98,76,2a,b7,cc,b5,b9,7f,41,e7,4c,d6,3d,45,32,a5,ba,f1,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,7d,41,ec,e6,7a,
11,2d,a2,6c,43,2d,1e,aa,22,2f,9c,f3,a2,86,23,da,55,4d,33,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-18 6:19
ComboFix-quarantined-files.txt 2009-06-18 13:19
ComboFix2.txt 2009-06-02 00:27
ComboFix3.txt 2009-06-01 12:00

Pre-Run: 68,332,142,592 bytes free
Post-Run: 68,490,133,504 bytes free

552 --- E O F --- 2009-06-14 15:10


and GMER

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-18 06:32:40
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF75B05DC]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF75BC120]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9C9F4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9C9F498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA9C9F4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9C9F52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9C9F470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9C9F484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9C9F4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA9C9F4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA9C9F4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9C9F559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9C9F540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9C9F514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A117530

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 88190598

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Modules - GMER 1.0.15 ----

Module _________ F7474000-F748A000 (90112 bytes)

---- EOF - GMER 1.0.15 ----


Thanks

#8 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:01 AM

Posted 18 June 2009 - 10:13 AM

Hello.

Some leftovers to take care of.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    Driver::
    SS
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

With Regards,
The Panda

#9 jabroy

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:Southern Cal
  • Local time:09:01 PM

Posted 18 June 2009 - 12:24 PM

Hi Panda,

I'm at work and can't run ComboFix with the script until this evening, but I'm very curious. Can you elaborate on what the logs from the latest ComboFix and GMER revealed, and what the particular issues are that the logs are telling you? I'm looking at the file list and they of course look like legitimate files to me, but what do you see?

Thanks.

#10 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:01 AM

Posted 18 June 2009 - 01:20 PM

Hello.

I'd be glad to elaborate.

The latest ComboFix and GMER logs are clean, with the exception of a leftover driver (file is missing), and some settings that may have been put in place by the infection to disable antivirus protection.

The ComboFix log that you provided from before, however, showed evidence of a rootkit infection that has backdoor capabilities.

c:\windows\system32\drivers\kungsfyhmtqrsa.sys
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\kungsfewupqdeg.dll
c:\windows\system32\kungsfgxspkfaw.dat
c:\windows\system32\kungsfivmwoudq.dat
c:\windows\system32\kungsfudbqkayp.dll
-------\Service_kungsfjitioclk


With Regards,
The Panda
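The settings Panda mentions above (and the ones his CFScript in post #8 deletes) are ordinary REGEDIT4 values that ComboFix prints under "Reg Loading Points", so they can be checked mechanically. The following is an added example of my own, not ComboFix's code or anything posted in this thread: a small Python checker that parses that block, flags values that tell Windows Security Center to stop monitoring a product or to suppress its warnings, reports a disabled Windows Firewall standard profile, and emits the `Registry::` section of a CFScript that deletes the Security Center values in the same `"name"=-` form used in post #8. The sample log is constructed to mirror the shape of the log in this thread; the key and value names are the ones that appear in it.

```python
"""Flag ComboFix-log registry settings that hide antivirus/firewall state.

Added example, not ComboFix's or any poster's code. It parses the REGEDIT4
block ComboFix prints under "Reg Loading Points" and reports values that
suppress Windows Security Center monitoring or notifications, or turn off
the Windows Firewall standard profile. SAMPLE_LOG is constructed to mirror
the shape of the log in this thread.
"""
import re

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Two numeric spellings occur in ComboFix logs: dword:00000001 and "= 0 (0x0)".
VAL_RE = re.compile(
    r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{1,8})|(\d+)\s*\(0x[0-9a-fA-F]+\))\s*$'
)

# Security Center notification switches; a value of 1 means "do not warn the user".
NOTIFY_VALUES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}


def parse_dword_values(log_text):
    """Yield (key_path, value_name, int_value) for numeric values under each [key]."""
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and current_key is not None:
            value = int(m.group(2), 16) if m.group(2) else int(m.group(3))
            yield current_key, m.group(1), value


def find_av_disabling_settings(log_text):
    """Return findings for values that hide or disable protection.

    Each finding records the key, the value name, a reason, and whether
    deleting the value (as the CFScript in post #8 does) is the right fix.
    """
    findings = []
    for key, name, value in parse_dword_values(log_text):
        k, n = key.lower(), name.lower()
        if n == "disablemonitoring" and value == 1 and "\\security center\\monitoring\\" in k:
            product = key.rsplit("\\", 1)[-1]
            findings.append({"key": key, "name": name, "product": product, "delete": True,
                             "reason": f"Security Center told to stop monitoring {product}"})
        elif n in NOTIFY_VALUES and value == 1 and k.endswith("\\security center"):
            findings.append({"key": key, "name": name, "delete": True,
                             "reason": "Security Center warning suppressed"})
        elif n == "enablefirewall" and value == 0 and k.endswith("firewallpolicy\\standardprofile"):
            # Report only: a third-party firewall (McAfee on this machine) may own this.
            findings.append({"key": key, "name": name, "delete": False,
                             "reason": "Windows Firewall standard profile is off"})
    return findings


def to_cfscript(findings):
    """Build the Registry:: section of a CFScript that deletes the flagged
    Security Center values ("name"=- is REGEDIT4 syntax for delete)."""
    lines = ["Registry::"]
    for f in findings:
        if f["delete"]:
            lines += [f"[{f['key']}]", f'"{f["name"]}"=-', ""]
    return "\n".join(lines).rstrip("\n")


if __name__ == "__main__":
    found = find_av_disabling_settings(SAMPLE_LOG)
    for f in found:
        print(f"{f['reason']}: [{f['key']}] {f['name']}")
    print(to_cfscript(found))
```

Run against a real ComboFix.txt by reading the file into `find_av_disabling_settings`. The firewall-profile finding is deliberately left out of the generated script: on a machine running McAfee Personal Firewall the Windows Firewall being off is expected, so that one needs a human decision rather than an automatic deletion.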

#11 jabroy

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:Southern Cal
  • Local time:09:01 PM

Posted 18 June 2009 - 07:30 PM

Hi Panda,
Here is the ComboFix log, run with the script you supplied.

ComboFix 09-06-17.02 - James 06/18/2009 16:59.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2942.2424 [GMT -7:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SS
-------\Service_SS


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-17 12:59 . 2009-06-17 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-06-17 12:54 . 2009-06-17 12:54 -------- d-----w- c:\program files\Citrix
2009-06-17 12:54 . 2009-06-17 12:54 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Citrix
2009-06-17 12:54 . 2009-06-17 12:54 61224 ----a-w- c:\documents and settings\James\GoToAssistDownloadHelper.exe
2009-06-16 02:46 . 2009-06-16 02:46 -------- d-----w- c:\program files\iPod
2009-06-16 02:46 . 2009-06-16 02:46 -------- d-----w- c:\program files\iTunes
2009-06-16 02:46 . 2009-06-16 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-16 02:44 . 2009-06-16 02:44 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Apple
2009-06-16 02:44 . 2009-06-16 02:44 -------- d-----w- c:\program files\Apple Software Update
2009-06-16 02:43 . 2009-06-16 02:46 -------- d-----w- c:\program files\Common Files\Apple
2009-06-16 02:43 . 2009-06-16 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-16 02:40 . 2009-06-16 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-06-15 05:57 . 2009-06-16 04:35 0 ----a-w- c:\windows\system32\iphist.dat
2009-06-11 01:52 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-11 01:52 . 2009-06-11 01:52 -------- d-----w- c:\program files\Panda Security
2009-06-11 01:44 . 2009-06-11 01:50 -------- d-----w- c:\documents and settings\James\.housecall6.6
2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 02:41 . 2009-06-03 02:41 -------- d-----r- c:\documents and settings\Administrator\Application Data\Brother
2009-06-03 02:09 . 2009-06-03 02:09 -------- d-----w- c:\program files\Trend Micro
2009-06-03 02:06 . 2009-06-03 02:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-06-01 11:20 . 2009-06-01 11:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avanquest
2009-06-01 11:02 . 2009-06-01 11:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Zeon
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Research In Motion
2009-06-01 01:40 . 2009-06-01 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-06-01 01:39 . 2009-06-01 01:39 95792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-27 10:15 . 2009-05-28 12:46 -------- d-----w- c:\program files\DVDFab 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 00:13 . 2009-03-08 07:57 256 ----a-w- c:\windows\system32\pool.bin
2009-06-17 00:32 . 2009-02-11 06:23 -------- d-----w- c:\program files\McAfee
2009-06-16 02:46 . 2005-03-12 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-16 02:45 . 2008-02-24 08:04 -------- d-----w- c:\program files\Bonjour
2009-06-16 02:45 . 2005-03-12 16:55 -------- d-----w- c:\program files\QuickTime
2009-06-16 02:38 . 2009-03-08 07:56 -------- d-----w- c:\documents and settings\James\Application Data\Research In Motion
2009-06-15 08:36 . 2009-03-08 06:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-06-14 15:22 . 2008-02-26 07:00 -------- d-----w- c:\program files\Absolute Video Converter
2009-06-14 15:21 . 2007-12-24 07:26 -------- d-----w- c:\program files\Elaborate Bytes
2009-06-14 14:51 . 2008-08-14 11:53 -------- d-----w- c:\program files\No1 DVD Ripper
2009-06-14 14:48 . 2008-02-26 06:53 -------- d-----w- c:\program files\VSO
2009-06-14 14:48 . 2008-01-13 23:48 -------- d-----w- c:\documents and settings\James\Application Data\Vso
2009-06-14 14:47 . 2008-02-27 08:20 -------- d-----w- c:\documents and settings\James\Application Data\Any DVD Converter Professional
2009-06-14 14:47 . 2009-05-04 05:30 -------- d-----w- c:\documents and settings\James\Application Data\uTorrent
2009-06-12 12:14 . 2008-08-23 07:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-12 12:13 . 2004-09-06 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-10 11:39 . 2008-02-29 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-02 03:27 . 2004-08-28 03:42 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-01 12:14 . 2008-07-08 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-26 04:56 . 2004-09-04 18:52 -------- d-----w- c:\program files\Winamp
2009-05-07 15:44 . 2002-08-29 03:41 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-07 02:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-09-04 00:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 11:59 . 2009-04-17 11:59 152576 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 09:58 . 2002-08-29 02:14 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-09-01 12:10 583168 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-05 22:19 . 2008-02-26 03:45 89 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-03-25 18:06 . 2009-02-11 06:24 40552 ------w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2009-02-11 06:24 79880 ------w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2009-02-11 06:24 35272 ------w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2009-01-09 20:03 214024 ------w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2009-02-11 06:16 34216 ------w- c:\windows\system32\drivers\mferkdk.sys
2008-01-15 02:49 . 2007-12-24 07:40 72 --sh--w- c:\windows\SBA76E11F.tmp
2007-03-15 13:14 . 2006-10-29 01:59 952 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-06-18_13.13.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-19 00:11 . 2009-06-19 00:11 16384 c:\windows\Temp\Perflib_Perfdata_5f8.dat
+ 2004-08-28 03:32 . 2009-06-18 22:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-28 03:32 . 2009-06-18 09:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-28 03:32 . 2009-06-18 22:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-28 03:32 . 2009-06-18 09:10 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 335872]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SandIcon"="c:\imagemate compactflash usb\SandIcon.Exe" [2000-11-13 131072]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"CRBroadCasting"="c:\program files\CardReader2.0\CRBroadCasting.exe" [2004-02-26 24576]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-01-08 65536]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"WD Button Manager"="c:\windows\system32\WDBtnMgr.exe" [2008-03-22 364544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"UserFaultCheck"="c:\windows\system32\dumprep.exe" [2004-08-04 10752]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-12 995328]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-06-05 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-04-26 29696]

c:\documents and settings\James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-9-11 113664]
FAXRX.lnk - c:\program files\Brother\Brmfl05c\FAXRX.exe [2009-3-5 499712]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-8-29 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-6-5 1545488]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-30 282624]
HyperSnap 6.lnk - c:\program files\HyperSnap 6\HprSnap6.exe [2007-10-27 2393424]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Liquid.6\\Program\\RM.exe"=
"c:\\Program Files\\Liquid.6\\Program\\Studiou.mod"=
"c:\\Program Files\\LimeWire\\LimeWire 4.2.2 Pro\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Brother\\Brmfl05c\\FAXRX.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\WINDOWS\\system32\\SecTrap.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [3/21/2008 6:37 PM 10112]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/10/2009 6:52 PM 28544]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [3/20/2008 5:45 PM 5543]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/10/2009 11:25 PM 210216]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [9/4/2004 7:57 AM 203264]
R3 ham50;Intel HaM Data Fax Voice;c:\windows\system32\drivers\ham50.sys [11/27/2001 11:56 AM 366525]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/7/2006 9:16 PM 10112]
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\LStone2k.sys [3/20/2008 5:45 PM 256113]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\James\LOCALS~1\Temp\{9B94B~1\atiicdxx.sys --> c:\docume~1\James\LOCALS~1\Temp\{9B94B~1\atiicdxx.sys [?]
S3 DQPA4AV;USB2.0 DQPA4 Premier;c:\windows\system32\drivers\DQPA4AV.SYS [1/5/2006 6:05 AM 121728]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [9/1/2008 10:49 PM 36928]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-03 15:27]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-11 18:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-11 18:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 17:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,6e,e6,a4,fc,41,
b7,77,61,e2,63,26,f1,3f,c8,ff,68,6e,95,24,f2,b5,f7,90,4a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,45,ca,a4,82,c1,
1f,25,14,6a,9c,d6,61,af,45,84,18,91,e9,0a,70,14,1f,cb,fd,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,4a,1e,b0,4d,93,
fb,18,9c,ff,7c,85,e0,43,d4,0e,fe,90,c9,b2,18,a6,18,9c,e7,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,b1,37,3c,e2,42,
98,7e,18,86,8c,21,01,be,91,eb,e7,97,12,8a,ee,fe,da,99,d9,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,57,e7,e6,da,15,
3e,cb,be,f5,1d,4d,73,a8,13,5c,05,80,05,cb,f5,4b,2a,27,55,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,f7,1d,9b,a9,85,
f9,af,9d,df,20,58,62,78,6b,cf,c8,80,a8,d8,3f,8b,52,19,ad,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,f1,82,cc,74,3b,
85,f4,a5,fb,a7,78,e6,12,2f,9a,ea,58,60,78,19,7b,cb,cf,2d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,92,f1,b2,2f,70,
88,df,b2,01,3a,48,fc,e8,04,4a,f1,8b,b4,47,20,3e,54,4f,47,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,11,e6,f8,f3,68,
cb,07,ce,f6,0f,4e,58,98,5b,89,c9,35,40,82,6e,1c,65,67,44,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,3d,98,a0,21,23,
88,1f,9d,3d,ce,ea,26,2d,45,aa,78,27,07,65,e0,c0,e2,b1,6f,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,2f,bb,0d,0e,5f,
0b,98,76,2a,b7,cc,b5,b9,7f,41,e7,4c,d6,3d,45,32,a5,ba,f1,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,7d,41,ec,e6,7a,
11,2d,a2,6c,43,2d,1e,aa,22,2f,9c,f3,a2,86,23,da,55,4d,33,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3420)
c:\program files\HyperSnap 6\dxsnap.dll
c:\program files\HyperSnap 6\HSTxtCap.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\netdde.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CardReader2.0\OTiReader.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\progra~1\Webshots\webshots.scr
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-19 17:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 00:22
ComboFix2.txt 2009-06-02 00:27
ComboFix3.txt 2009-06-01 12:00

Pre-Run: 68,502,622,208 bytes free
Post-Run: 68,352,937,984 bytes free

327 --- E O F --- 2009-06-14 15:10

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:01 AM

Posted 18 June 2009 - 08:32 PM

Hello.

Looks good. Let's do some updating.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Take a new DDS.txt log after.

Please give me an update on the symptoms.

With Regards,
The Panda

#13 jabroy

jabroy
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southern Cal
  • Local time:09:01 PM

Posted 18 June 2009 - 09:18 PM

Hi Panda,

Question, I have been resisting the installation of Service pack 3 for XP because a lot of people I know and the MIS dept at work have said not to install it. Do you know of any pitfalls with XP Service pack 3?

Thanks.

#14 jabroy

jabroy
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southern Cal
  • Local time:09:01 PM

Posted 19 June 2009 - 12:42 AM

Hi Panda,

Whew!! This updating stuff is certainly not a quick task when you haven't been meticulous about it in the past!!! :)

But, all updates have been installed including the Service Pack 3 update that I previously whined about. The DDS log is attached...


DDS (Ver_09-05-14.01) - NTFSx86
Run by James at 22:33:14.56 on Thu 06/18/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.1930 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Brother\Brmfl05c\FAXRX.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SandIcon] "c:\imagemate compactflash usb\SandIcon.Exe"
mRun: [PinnacleDriverCheck] "c:\windows\system32\PSDrvCheck.exe" -CheckReg
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [CRBroadCasting] "c:\program files\cardreader2.0\CRBroadCasting.exe"
mRun: [SoundMan] "c:\windows\SOUNDMAN.EXE"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] "c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE"
mRun: [WD Button Manager] "c:\windows\system32\WDBtnMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [UserFaultCheck] "c:\windows\system32\dumprep.exe" 0 -u
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\james\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\james\startm~1\programs\startup\faxrx.lnk - c:\program files\brother\brmfl05c\FAXRX.exe
StartupFolder: c:\docume~1\james\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hypers~2.lnk - c:\program files\hypersnap 6\HprSnap6.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - hxxp://www.webshots.com/samplers/WSDownloader.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192802961734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - hxxps://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\zdjgsuxp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/?.intl=us
FF - component: c:\documents and settings\james\application data\mozilla\firefox\profiles\zdjgsuxp.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.2.1273.1045\npCIDetect12.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [2008-3-21 10112]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-10 28544]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2008-3-20 5543]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-10 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-10 144704]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2004-9-4 203264]
R3 ham50;Intel HaM Data Fax Voice;c:\windows\system32\drivers\ham50.sys [2001-11-27 366525]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40552]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2006-9-7 11520]
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\LStone2k.sys [2008-3-20 256113]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\james\locals~1\temp\{9b94b~1\atiicdxx.sys --> c:\docume~1\james\locals~1\temp\{9b94b~1\atiicdxx.sys [?]
S3 DQPA4AV;USB2.0 DQPA4 Premier;c:\windows\system32\drivers\DQPA4AV.SYS [2006-1-5 121728]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 34216]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-9-1 36928]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

=============== Created Last 30 ================

2009-06-18 22:02 <DIR> --d----- c:\program files\Microsoft
2009-06-18 22:02 <DIR> --d----- c:\docume~1\james\applic~1\Windows Desktop Search
2009-06-18 22:00 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-18 21:59 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-06-18 21:59 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-06-18 21:59 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-06-18 21:42 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-18 21:17 <DIR> --d----- c:\windows\system32\scripting
2009-06-18 21:17 <DIR> --d----- c:\windows\l2schemas
2009-06-18 21:17 <DIR> --d----- c:\windows\system32\en
2009-06-18 20:36 <DIR> --dsh--- c:\documents and settings\james\IECompatCache
2009-06-18 20:35 <DIR> --dsh--- c:\documents and settings\james\PrivacIE
2009-06-18 20:28 <DIR> --dsh--- c:\documents and settings\james\IETldCache
2009-06-18 20:03 <DIR> --d----- c:\windows\SxsCaPendDel
2009-06-18 19:56 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-18 19:56 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-18 19:56 <DIR> --d----- c:\windows\ie8updates
2009-06-18 19:55 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-18 19:54 <DIR> -cd-h--- c:\windows\ie8
2009-06-17 05:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-06-17 05:54 <DIR> --d----- c:\program files\Citrix
2009-06-17 05:54 61,224 a------- c:\documents and settings\james\GoToAssistDownloadHelper.exe
2009-06-15 19:46 <DIR> --d----- c:\program files\iPod
2009-06-15 19:46 <DIR> --d----- c:\program files\iTunes
2009-06-15 19:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-15 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Research In Motion
2009-06-15 19:37 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-15 19:37 1,409 a------- c:\windows\QTFont.for
2009-06-14 22:57 0 a------- c:\windows\system32\iphist.dat
2009-06-14 21:09 3,255 a------- c:\windows\system32\wbem\Outlook_01c9ed6f2103b094.mof
2009-06-14 20:06 0 a------- c:\windows\system32\MDNIUQC
2009-06-10 18:52 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-10 18:52 <DIR> --d----- c:\program files\Panda Security
2009-06-10 18:44 <DIR> --d----- c:\documents and settings\james\.housecall6.6
2009-06-02 19:09 <DIR> --d----- c:\program files\Trend Micro
2009-06-01 04:33 <DIR> --dshr-- C:\cmdcons
2009-06-01 04:29 161,792 a------- c:\windows\SWREG.exe
2009-06-01 04:29 155,136 a------- c:\windows\PEV.exe
2009-06-01 04:29 98,816 -------- c:\windows\sed.exe
2009-05-30 11:00 36,090 -------- c:\windows\system32\fkas
2009-05-27 03:15 <DIR> --d----- c:\program files\DVDFab 6
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-18 21:21 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-09 23:23 256 a------- c:\documents and settings\james\pool.bin
2008-01-13 16:48 47,360 a------- c:\docume~1\james\applic~1\pcouffin.sys
2007-04-07 22:26 25,600 a------- c:\documents and settings\james\usbsermptxp.sys
2007-04-07 22:26 22,768 a------- c:\documents and settings\james\usbsermpt.sys
2007-03-15 06:14 952 ---sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:34:21.31 ===============
:thumbup2:

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:01 AM

Posted 19 June 2009 - 07:25 AM

Hello jabroy.

Some choose not to install SP3 because there were some issues during installation. Glad it went well this time.

Logs look good.

There is just one file that I want to take a closer look at.

Submit File to Online Scanner
There is a file that I would like you to check out for me using an online scanner.
  • Open VirusTotal, Jotti or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\system32\fkas
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

With Regards,
The Panda
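The file the Panda singles out, `c:\windows\system32\fkas`, stands out in the DDS log because it is an extensionless file dropped directly into system32, much like `MDNIUQC` a few lines above it. The script below is an added illustration of that triage step and is not part of the thread or of the DDS tool: it parses DDS-style "Created Last 30" / "Find3M" entries and flags files that a responder would want to submit to an online scanner, using two heuristics (extensionless file directly in system32, and system+hidden attributes on a system32 file). The sample entries are copied from the log posted above; the regex, the `Entry` class and the flagging rules are my own assumptions about the log format. A hit is a pointer for a human to check, not a verdict, as the KGyGaAvL.sys hit shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed entry layout of the DDS "Created Last 30" and "Find3M" sections:
#   <yyyy-mm-dd> <hh:mm> <size-with-commas or <DIR>> <8 attribute flags> <path>
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)

# Sample lines taken from the DDS log above (a mix of benign and suspicious entries).
SAMPLE_LOG = r"""
2009-06-18 21:59 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-06-18 20:36 <DIR> --dsh--- c:\documents and settings\james\IECompatCache
2009-06-14 22:57 0 a------- c:\windows\system32\iphist.dat
2009-06-14 20:06 0 a------- c:\windows\system32\MDNIUQC
2009-06-10 18:52 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-05-30 11:00 36,090 -------- c:\windows\system32\fkas
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2007-03-15 06:14 952 ---sh--- c:\windows\system32\KGyGaAvL.sys
"""


@dataclass
class Entry:
    date: str
    time: str
    is_dir: bool
    size: Optional[int]   # None for directories
    attrs: str            # raw 8-character flag field, e.g. "--dsh---"
    path: str             # path exactly as written in the log


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not file entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    is_dir = m.group("size") == "<DIR>"
    size = None if is_dir else int(m.group("size").replace(",", ""))
    return Entry(m.group("date"), m.group("time"), is_dir, size,
                 m.group("attrs"), m.group("path"))


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is not None:
            entries.append(e)
    return entries


def flag_reasons(e: Entry) -> List[str]:
    """Heuristic reasons to hand a file to an online scanner (assumed rules)."""
    reasons: List[str] = []
    if e.is_dir:
        return reasons
    p = e.path.lower()
    name = p.rsplit("\\", 1)[-1]
    # Files under dllcache\ and drivers\ are excluded: they are expected to be
    # populated by Windows Update and driver installs (see the log above).
    in_system32 = ("\\windows\\system32\\" in p
                   and "\\dllcache\\" not in p
                   and "\\drivers\\" not in p)
    if in_system32 and "." not in name:
        reasons.append("extensionless file directly in system32")
    if in_system32 and "s" in e.attrs and "h" in e.attrs:
        reasons.append("system+hidden attributes on a system32 file")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the list of reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_log(text):
        reasons = flag_reasons(e)
        if reasons:
            flagged[e.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Run against the sample, the script lists `fkas` and `MDNIUQC` as extensionless drops and `KGyGaAvL.sys` for its system+hidden attributes; each is a candidate to paste into VirusTotal, Jotti or VirSCAN as the post describes, and the scanner result, not the heuristic, decides what it is.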



