Infected by NTOSKRNL-HOOK and more


  • This topic is locked
27 replies to this topic

#1 Ken Meller

Ken Meller

  • Members
  • 25 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 21 July 2009 - 07:06 AM

I have been asked to help with a problem on my cousin's computer.

The symptoms had been: McAfee was being switched off randomly, a Norton warning pop-up kept appearing, the case fans were working hard and the computer was switching off minutes after being connected to the internet.

I asked for the machine to be scanned using McAfee in safe-mode before I popped over to have a look. When I got there this was the log-file on the screen (slightly condensed by removing date & time stamp):
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan Started: 05/17/2009 12:51:07 PM
"C:\WINDOWS\SYSTEM32\UACAIHQGWQJNTDDKYC.DLL" "Generic FakeAlert.k" "5"
"C:\WINDOWS\system32\UACaihqgwqjntddkyc.dll" "Generic FakeAlert.k" "5"
"C:\WINDOWS\SYSTEM32\UACHXEJQARPLUXRFTJ.DLL" "Generic FakeAlert.k" "5"
"C:\WINDOWS\system32\UAChxejqarpluxrftj.dll" "Generic FakeAlert.k" "5"
"C:\WINDOWS\SYSTEM32\UACLKFHDLDRLHTHTGY.DLL" "Generic FakeAlert.k" "5"
"C:\WINDOWS\system32\UAClkfhdldrlhthtgy.dll" "Generic FakeAlert.k" "5"
"C:\WINDOWS\SYSTEM32\UACPVTLTAMYVKRLYJB.DLL" "Generic FakeAlert.k" "5"
"C:\WINDOWS\system32\UACpvtltamyvkrlyjb.dll" "Generic FakeAlert.k" "5"
"C:\WINDOWS\system32\UACsewndpsmogxtfyx.dll" "Generic.dx!by" "5"
"C:\WINDOWS\system32\Drivers\UACruxfnxowboevtlm.sys" "DNSChanger!k" "5"
Scan Started: 05/17/2009 12:53:35 PM
Scan Started: 05/17/2009 12:54:43 PM

Scan Started: 07/13/2009 12:05:39 PM
Total objects scanned: 206641
Objects detected: 0
Scan Done: 07/13/2009 03:21:35 PM
Scan Started: 07/15/2009 07:42:52 AM

Scan Started: 07/15/2009 08:07:34 AM
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wondows" "Generic VB.w" "14"
"C:\WINDOWS\WONDOWS.EXE" "Generic VB.w" "5"
"C:\WINDOWS\wondows.exe" "Generic VB.w" "10"
"C:\E" "Generic VB.w" "5"
"C:\e" "Generic VB.w" "5"
"C:\IMAGE.EXE" "Generic QHosts.a.gen" "5"
"C:\image.exe" "Generic QHosts.a.gen" "5"
"C:\IMAGES.EXE" "Generic VB.w" "5"
"C:\images.exe" "Generic VB.w" "5"
"C:\DOCUMENTS AND SETTINGS\CHARLOTTE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\E09L8OLL\IMAGES[1].EXE" "Generic VB.w" "5"
"C:\Documents and Settings\Charlotte\Local Settings\Temporary Internet Files\Content.IE5\E09L8OLL\images[1].exe" "Generic VB.w" "5"
"C:\DOCUMENTS AND SETTINGS\CHARLOTTE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\E09L8OLL\IMAGE[1].EXE" "Generic QHosts.a.gen" "5"
"C:\Documents and Settings\Charlotte\Local Settings\Temporary Internet Files\Content.IE5\E09L8OLL\image[1].exe" "Generic QHosts.a.gen" "5"
Total objects scanned: 204779
Objects detected: 9
Scan Done: 07/15/2009 09:58:10 AM

Scan Started: 07/15/2009 03:32:20 PM
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
Total objects scanned: 196065
Objects detected: 2
Scan Done: 07/15/2009 05:55:42 PM

Scan Started: 07/17/2009 07:08:10 PM
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit" "Spy-Agent.bw!mem" "14"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit" "Spy-Agent.bw!mem" "14"
"C:\WINDOWS\system32\ntos.exe" "Spy-Agent.bw!mem" "5"
"C:\WINDOWS\system32\sdra64.exe" "Spy-Agent.bw!mem" "5"
"C:\WINDOWS\system32\twex.exe" "Spy-Agent.bw!mem" "5"
"C:\WINDOWS\system32\twext.exe" "Spy-Agent.bw!mem" "5"
"C:\WINDOWS\system32\winlogon.exe" "Spy-Agent.bw!mem" "10"
"C:\E" "Generic VB.w" "5"
"C:\e" "Generic VB.w" "5"
"C:\IMAGES.EXE" "Generic VB.w" "5"
"C:\images.exe" "Generic VB.w" "5"
"C:\DOCUMENTS AND SETTINGS\CHARLOTTE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\MQXA34ZB\IMAGES[1].EXE" "Generic VB.w" "5"
"C:\Documents and Settings\Charlotte\Local Settings\Temporary Internet Files\Content.IE5\MQXA34ZB\images[1].exe" "Generic VB.w" "5"
"C:\DOCUMENTS AND SETTINGS\CHARLOTTE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\R8JZWDS0\IMAGES[1].EXE" "Generic VB.w" "5"
"C:\Documents and Settings\Charlotte\Local Settings\Temporary Internet Files\Content.IE5\R8JZWDS0\images[1].exe" "Generic VB.w" "5"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|downlaw" "Generic VB.w" "14"
"C:\WINDOWS\DOWNLAW.EXE" "Generic VB.w" "5"
"C:\WINDOWS\downlaw.exe" "Generic VB.w" "5"
Total objects scanned: 195702
Objects detected: 14
Scan Done: 07/17/2009 11:44:54 PM
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Clearly, the machine had been scanned a few times with the problem arising a couple of months ago.

I ran Malwarebytes Anti-Malware and it quietened the fans but McAfee still carried on switching off. I activated WindowsXP's firewall and had Windows Update install SP3 and IE8.

One or two more utilities (inc SAS, Bitdefender rescue disc, SpybotSD) were used to no avail; a DNS redirector was removed, but it looks as though it is back.

MBAM was run again yesterday with this as the result:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.39
Database version: 2458
Windows 5.1.2600 Service Pack 3

20/07/2009 14:21:53
mbam-log-2009-07-20 (14-21-48).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 296498
Time elapsed: 57 minute(s), 32 second(s)

Memory Processes Infected: 7
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\winnt_\winntR1.exe (Trojan.Downloader)
C:\winnt_\winntR2.exe (Trojan.Downloader)
C:\winnt_\winnt2.exe (Trojan.Downloader)
C:\winnt_\winnt3.exe (Trojan.Downloader)
C:\winnt_\winnt4.exe (Trojan.Downloader)
C:\winnt_\winnt5.exe (Trojan.Downloader)
C:\winnt_\winnt6.exe (Trojan.Downloader)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winntr1 (Trojan.Downloader)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winntr2 (Trojan.Downloader)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt2 (Trojan.Downloader)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt3 (Trojan.Downloader)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt4 (Trojan.Downloader)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt5 (Trojan.Downloader)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt6 (Trojan.Downloader)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\msn messenger\riched20.dll (Adware.MyWeb.FunWeb)
C:\images.exe (Trojan.Agent)
C:\pic.exe (Trojan.Agent)
c:\winnt_\winntR1.exe (Trojan.Downloader)
c:\winnt_\winntR2.exe (Trojan.Downloader)
c:\winnt_\winnt2.exe (Trojan.Downloader)
c:\winnt_\winnt3.exe (Trojan.Downloader)
c:\winnt_\winnt4.exe (Trojan.Downloader)
c:\winnt_\winnt5.exe (Trojan.Downloader)
c:\winnt_\winnt6.exe (Trojan.Downloader)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

A utility from McAfee's forum submitted by Secured2k was tried (I didn't get to see the results log), but following that the regular McAfee in safe-mode, last night, reported:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NTOSKRNL-HOOK    Type - Trojan    Status - Removed
NTOSKRNL-HOOK    Type - Trojan    Status - Removed
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winntR1    Type - Trojan    Status - Quarantined
C:\WINNTR1.EXE    Type - Trojan    Status - Quarantined
C:\DOCUMENTS AND SETTINGS\CHARLOTTE\MY DOCUMENTS\DOWNLOADS\FOTOS.COM    Type - Trojan    Status - Quarantined
C:\WINDOWS\TEMP\JKGWLDDTNL.EXE    Type - Trojan    Status - Quarantined
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

So it hadn't worked and something tells me that McAfee is yet again being optimistic.

I left a copy of Kaspersky's rescue disc but I don't know yet if it has been run.

I will get a DDS logfile as soon as I can and have downloaded Combofix - I will wait for someone's instruction to run it.

In the meantime, personal files are being backed up getting ready for the time when all else has failed and the system has to be restored to day-0. I hope that someone here can save us from that doom.

Cheers,

Ken
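Added example (not code from this thread or from McAfee): a small parser for the quoted-triple McAfee scan-log format shown in the first post. It groups detections by scan session, folds the duplicated upper/lower-case path entries (Windows paths are case-insensitive), and flags registry autostart entries under the Run and Winlogon keys for the responder. The field layout is inferred from the log lines above, the meaning of the numeric third field is not documented on the page and is carried through as an opaque string, and the sample log is constructed from a subset of those lines.

```python
"""Parser for the McAfee scan-log format quoted in the first post.

Assumed layout (inferred from the thread, not from McAfee documentation):
a session starts with 'Scan Started: <date> <time>', each detection is
three quoted fields ("item" "detection name" "action code"), and a finished
session ends with 'Total objects scanned' / 'Objects detected' / 'Scan Done'.
A session with no 'Scan Done' line was interrupted (the 07:42:52 run above).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DETECTION_RE = re.compile(r'^"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s*$')
STARTED_RE = re.compile(r"^Scan Started:\s+(.*)$")
DONE_RE = re.compile(r"^Scan Done:\s+(.*)$")
TOTAL_RE = re.compile(r"^Total objects scanned:\s+(\d+)$")

# Autostart key prefixes a responder checks first (constructed list for the
# example; matched case-insensitively against the item field).
PERSISTENCE_PREFIXES = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows nt\currentversion\winlogon",
)


@dataclass
class Detection:
    item: str   # file path, registry value, or a bare name such as NTOSKRNL-HOOK
    name: str   # detection name, e.g. "Generic VB.w"
    code: str   # numeric action code, meaning not given on the page

    @property
    def is_persistence(self) -> bool:
        return self.item.lower().startswith(PERSISTENCE_PREFIXES)


@dataclass
class Session:
    started: str
    done: Optional[str] = None
    total_scanned: Optional[int] = None
    detections: List[Detection] = field(default_factory=list)

    def unique_items(self) -> List[Detection]:
        """The log lists each path twice (upper and lower case); fold case
        before counting so one file is reported once."""
        seen = {}
        for d in self.detections:
            seen.setdefault(d.item.lower(), d)
        return list(seen.values())


def parse_mcafee_log(text: str) -> List[Session]:
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STARTED_RE.match(line)
        if m:
            cur = Session(started=m.group(1))
            sessions.append(cur)
            continue
        if cur is None:          # lines before the first session header
            continue
        m = DETECTION_RE.match(line)
        if m:
            cur.detections.append(Detection(*m.groups()))
            continue
        m = TOTAL_RE.match(line)
        if m:
            cur.total_scanned = int(m.group(1))
            continue
        m = DONE_RE.match(line)
        if m:
            cur.done = m.group(1)
    return sessions


def triage(sessions: List[Session]) -> List[dict]:
    """One summary row per session: did it finish, how many distinct items,
    which autostart entries were hit, and which detection names appeared."""
    rows = []
    for s in sessions:
        uniq = s.unique_items()
        rows.append({
            "started": s.started,
            "completed": s.done is not None,
            "unique_items": len(uniq),
            "persistence": sorted(d.item for d in uniq if d.is_persistence),
            "names": sorted({d.name for d in uniq}),
        })
    return rows


# Constructed sample: a subset of the log lines quoted in the first post.
SAMPLE_LOG = r"""
Scan Started: 07/15/2009 07:42:52 AM

Scan Started: 07/15/2009 08:07:34 AM
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wondows" "Generic VB.w" "14"
"C:\WINDOWS\WONDOWS.EXE" "Generic VB.w" "5"
"C:\WINDOWS\wondows.exe" "Generic VB.w" "10"
Total objects scanned: 204779
Objects detected: 9
Scan Done: 07/15/2009 09:58:10 AM
"""

if __name__ == "__main__":
    for row in triage(parse_mcafee_log(SAMPLE_LOG)):
        print(row)
```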


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:15 AM

Posted 31 July 2009 - 04:32 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#3 Ken Meller

Ken Meller
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 31 July 2009 - 05:40 PM

Hello Syler - thanks for getting back to me.

As I said above the machine is not mine and I do not have immediate access to it - so the actions you request of me might take until the next day to bring results so please don't write us off. We have been waiting for your input before taking any further anti-virus activity after the MBAM & McAfee scans reported above.

In the meantime, I did run DDS and will attach the results below. They may be out of date now, but they will give you some idea of what we're up against. I would have posted them earlier, but I didn't want to bump my initial request and possibly delay your kind offer to help.

I did leave instructions that the computer should not be used in Windows and I'm hoping that it has only been used with the Linux Live CD I left with them (fingers crossed).

Tomorrow, I will run a new (updated) MBAM scan and the RSIT utility you have requested, I will post those results tomorrow afternoon but for now here are the DDS logs:

Cheers
Ken


DDS (Ver_09-06-26.01) - NTFSx86
Run by Charlotte at 14:12:53.75 on 26/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.272 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\winnt_\winnt2.exe
C:\winnt_\winnt3.exe
C:\winnt_\winnt4.exe
C:\winnt_\winnt5.exe
C:\winnt_\winnt6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Photo Gallery\WLXQuickTimeControlHost.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_GB&Sys=DTP&M=E4076
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-7254510389-6315529300-563192697-1584\f1.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\charlotte\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AVScan] c:\documents and settings\charlotte\application data\winav.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CHotkey] zHotkey.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SiteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [winnt2] c:\winnt_\winnt2.exe
mRun: [winnt3] c:\winnt_\winnt3.exe
mRun: [winnt4] c:\winnt_\winnt4.exe
mRun: [winnt5] c:\winnt_\winnt5.exe
mRun: [winnt6] c:\winnt_\winnt6.exe
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/229?3d20ffcf0fd64ddbb885c316de66896c
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/230?3d20ffcf0fd64ddbb885c316de66896c
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-27 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 163840]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-27 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-27 144704]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-27 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-27 35272]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-8-30 29744]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7c.tmp --> c:\windows\system32\7C.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-27 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-27 40552]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2008-3-6 15104]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-27 606736]
S4 Motbitagad;Motbitagad;c:\windows\system32\drivers\ati1mdxx.sys [2008-10-7 11615]

=============== Created Last 30 ================

2009-07-26 11:22 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-26 11:22 1,409 a------- c:\windows\QTFont.for
2009-07-22 11:44 <DIR> --dsh--- c:\windows\system32\lowsec
2009-07-21 01:35 <DIR> --d----- C:\940BEEA5
2009-07-20 16:07 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-07-20 16:07 <DIR> --d----- c:\program files\LSoft Technologies
2009-07-20 01:23 <DIR> --ds---- C:\winnt_
2009-07-19 19:01 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-19 19:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-19 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-07-19 11:30 <DIR> --d----- c:\program files\Trend Micro
2009-07-19 09:34 <DIR> --dsh--- c:\documents and settings\charlotte\PrivacIE
2009-07-19 09:02 90,624 a------- C:\images.exe
2009-07-18 20:19 90,624 a------- C:\funpics.exe
2009-07-18 19:09 90,624 a------- C:\pics.exe
2009-07-18 18:14 <DIR> --d----- c:\windows\system32\scripting
2009-07-18 18:14 <DIR> --d----- c:\windows\system32\en
2009-07-18 18:14 <DIR> --d----- c:\windows\l2schemas
2009-07-18 18:14 <DIR> --d----- c:\windows\system32\bits
2009-07-18 18:10 <DIR> --d----- c:\windows\ServicePackFiles
2009-07-18 18:09 <DIR> --d----- c:\windows\network diagnostic
2009-07-18 17:01 21,504 a------- c:\windows\system32\WBCustomizer.dll
2009-07-18 16:48 90,624 ---shr-- c:\windows\ixplorer.exe
2009-07-18 16:48 90,624 a------- C:\pic.exe
2009-07-18 15:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-18 15:10 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-18 15:10 <DIR> --d----- c:\docume~1\charlo~1\applic~1\SUPERAntiSpyware.com
2009-07-18 15:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-18 15:05 <DIR> --dsh--- c:\documents and settings\charlotte\IETldCache
2009-07-18 15:02 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-18 15:02 <DIR> --d----- c:\windows\ie8updates
2009-07-18 15:01 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-18 15:01 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-07-18 15:01 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-07-18 15:01 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-18 15:00 <DIR> -cd-h--- c:\windows\ie8
2009-07-18 14:30 98,380 ---shr-- c:\windows\winCon.exe
2009-07-18 13:50 <DIR> --d----- c:\docume~1\charlo~1\applic~1\Malwarebytes
2009-07-18 13:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-18 13:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-18 13:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 13:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-18 13:48 6,144 -------- c:\windows\system32\3F.tmp
2009-07-18 13:48 6,144 -------- c:\windows\system32\3E.tmp
2009-07-18 13:48 6,144 -------- c:\windows\system32\3D.tmp
2009-07-18 13:47 <DIR> --d----- c:\program files\Sophos
2009-07-16 17:34 664 a------- c:\windows\system32\d3d9caps.dat
2009-07-15 15:13 147,532 a------- C:\crypted.exe

==================== Find3M ====================

2009-07-18 18:19 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-14 14:40 129,784 -------- c:\windows\system32\pxafs.dll
2009-06-14 14:40 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-06-14 14:40 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-11 10:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 19:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2007-05-01 19:56 0 a------- c:\docume~1\charlo~1\applic~1\wklnhst.dat
2005-11-04 00:29 72,832 a----r-- c:\windows\inf\CamAvb.sys
2000-10-31 22:27 81,920 a------- c:\windows\inf\i386\Pmxusd.dll
1999-04-08 08:28 19,112 a------- c:\windows\inf\i386\Pmxscan.sys

============= FINISH: 14:15:35.17 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 07/02/2007 16:48:48
System Uptime: 26/07/2009 08:34:11 (6 hours ago)

Motherboard: Intel Corporation | | D102GGC2
Processor: Intel® Pentium® 4 CPU 3.06GHz | | 3066/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 107 GiB total, 75.883 GiB free.
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

4Media MP4 Converter
Active@ ISO Burner
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 3.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop Elements 7.0
Adobe Reader 8.1.1
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe® Photoshop® Album Starter Edition 3.0
ATI Display Driver
Audacity 1.2.6
AVS DVDMenu Editor 1.2.1.19
AVS Video Converter 5.6
AVS4YOU Software Navigator 1.2
Before You Know It 3.6
Belarc Advisor 7.2
BigFix
Browser Address Error Redirector
CardRd81
CCHelp
CCScore
Celtx (2.0)
Choice Guard
Compatibility Pack for the 2007 Office system
CR2
Critical Update for Windows Media Player 11 (KB959772)
Digital Media Reader
DVD Solution
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
Express Burn
Google Chrome
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Graboid Video 1.3
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HLPCCTR
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
J2SE Runtime Environment 5.0 Update 2
Java™ 6 Update 14
Junk Mail filter update
Kodak EasyShare software
KSU
Legacy 7.0
Legacy Charting 7.0
Life On Mars 02 Screen Saver
Macromedia Fireworks MX 2004
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image 2006 Starter Edition
Microsoft Digital Image 2006 Starter Edition Editor
Microsoft Digital Image 2006 Starter Edition Library
Microsoft Digital Image Library 9 - Blocker
Microsoft Office Live Add-in 1.3
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla ActiveX Control v1.7.12
MSN
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multimedia Keyboard Driver
MyDsc2
MySpaceIM
Notifier
OfotoXMI
OneCare Advisor (Windows Live Toolbar)
OTtBP
OTtBPSDK
PaperPort 6.5
PCDLNCH
PDF Settings
Picasa 3
Popup Blocker (Windows Live Toolbar)
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Recovery Software Suite eMachines
Samsung CamCorder Driver
Samsung Video Codec 1.1 Uninstall
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Segoe UI
Serif DrawPlus 6.0
SFR
SFR2
Skype™ 3.8
Smart Menus (Windows Live Toolbar)
SmartSound Quicktracks Plugin
Soft Data Fax Modem with SmartCP
Sonic Encoders
Sophos Anti-Rootkit 1.5.0
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Tabbed Browsing (Windows Live Toolbar)
Ulead DVD DiskRecorder 2.1.1
Ulead VideoStudio 9.0 SE DVD
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VCAMCEN
VideoLAN VLC media player 0.8.6d
Visioneer 6100 USB Scanner Driver
VPRINTOL
WavePad Sound Editor
WebFldrs XP
Windows Genuine Advantage Validation Tool
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

24/07/2009 22:05:06, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
24/07/2009 22:05:06, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
23/07/2009 16:11:52, error: Service Control Manager [7022] - The McAfee Real-time Scanner service hung on starting.
22/07/2009 18:16:54, error: System Error [1003] - Error code 100000d1, parameter1 e2574000, parameter2 00000002, parameter3 00000000, parameter4 ecfa9a60.
21/07/2009 20:00:39, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
21/07/2009 10:09:32, error: Dhcp [1002] - The IP address lease 192.168.100.10 for the Network Card with network address 001676D60979 has been denied by the DHCP server 62.31.176.116 (The DHCP Server sent a DHCPNACK message).
20/07/2009 12:56:31, error: Dhcp [1002] - The IP address lease 92.238.12.106 for the Network Card with network address 001676D60979 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
20/07/2009 00:54:05, error: System Error [1003] - Error code 100000d1, parameter1 e2590000, parameter2 00000002, parameter3 00000000, parameter4 ed3b4a60.

==== End Of File ===========================

#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 31 July 2009 - 05:53 PM

Hi Ken,

Thanks for the update, there is no problem with the delays, but if there are going to be any delays over 5 days please keep me informed and I won't close the topic.

I can see a few baddies in those logs, I will wait for the updated logs then we can start cleaning.

Thanks
Syler



#5 Ken Meller

  • Topic Starter
  • Members
  • 25 posts

Posted 01 August 2009 - 08:25 AM

Ok, so far so good. MBAM removed a few items, but within a couple of minutes of the reboot McAfee was being switched off by something, so something is still in there I guess. Here are the log files:

Malwarebytes' Anti-Malware 1.39
Database version: 2540
Windows 5.1.2600 Service Pack 3

01/08/2009 14:07:00
mbam-log-2009-08-01 (14-07-00).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 293743
Time elapsed: 54 minute(s), 4 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
C:\winnt_\winnt2.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\winnt_\winnt3.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\winnt_\winnt4.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\winnt_\winnt5.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\winnt_\winnt6.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrbkvlfowp.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt2 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt3 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt4 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt5 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnt6 (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\geyekrbkvlfowp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\940BEEA5\Backup\C_\program files\msn messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\images.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\pic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\winnt_\winnt2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\winnt_\winnt3.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\winnt_\winnt4.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\winnt_\winnt5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\winnt_\winnt6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Charlotte at 2009-08-01 14:12:57
Microsoft Windows XP Professional Service Pack 3
System drive C: has 82 GB (74%) free of 110 GB
Total RAM: 894 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:13:30, on 01/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Documents and Settings\Charlotte\Desktop\RSIT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Charlotte.exe
C:\Program Files\Kodak\Kodak Utilities\kodnotif.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...DTP&M=E4076
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Charlotte\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\Charlotte\Application Data\winav.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3d20ffcf0fd64ddbb885c316de66896c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3d20ffcf0fd64ddbb885c316de66896c
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12897 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1498223936-504033522-3246727776-1006Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1498223936-504033522-3246727776-1006UA.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-05-30 1410344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-05-19 137600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-03-25 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-03 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-06-20 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-03 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-06-11 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-06-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0} - McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-03 251504]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-06 64512]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-01 29744]
"readericon"=C:\Program Files\Digital Media Reader\readericon45G.exe [2005-12-09 139264]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-04-17 16143872]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2004-12-08 550912]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-02-17 98304]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-04-06 180269]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
"PaperPort PTD"=c:\progra~1\scansoft\paperp~1\pptd40nt.exe [2000-03-17 30720]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall []
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-01-08 645328]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe [2007-08-24 36640]
"McENUI"=C:\PROGRA~1\McAfee\MHN\McENUI.exe [2009-01-09 1176808]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-06-11 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=NA []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-16 68856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"Google Update"=C:\Documents and Settings\Charlotte\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-18 133104]
"AVScan"=C:\Documents and Settings\Charlotte\Application Data\winav.exe []
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-06-23 1830128]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-01-14 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfehidk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfehidk.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mferkdk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mferkdk.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfetdik]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfetdik.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe"="C:\Program Files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"
"C:\Program Files\Common Files\System\ati.exe"="C:\Program Files\Common Files\System\ati.exe:*:Enabled:Explorer"
"c:\windows\temp\clocks.exe"="c:\windows\temp\clocks.exe:*:Enabled:Explorer"
"C:\WINDOWS\TEMP\ch.exe"="C:\WINDOWS\TEMP\ch.exe:*:Enabled:@xpsp2res.dll,-22019"
"c:\windows\temp\adobespic.exe"="c:\windows\temp\adobespic.exe:*:Enabled:@xpsp2res.dll,-22019"
"c:\windows\temp\upwins.exe"="c:\windows\temp\upwins.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\DOCUME~1\CHARLO~1\LOCALS~1\Temp\eraseme_62314.exe"="C:\DOCUME~1\CHARLO~1\LOCALS~1\Temp\eraseme_62314.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\runsdlls.exe"="C:\WINDOWS\runsdlls.exe:*:Enabled:@xpsp2res.dll,-22019"
"c:\windows\temp\algsup.exe"="c:\windows\temp\algsup.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\winCon.exe"="C:\WINDOWS\winCon.exe:*:Enabled:@xpsp2res.dll,-22019"
"c:\windows\temp\win-up.exe"="c:\windows\temp\win-up.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\DOCUME~1\CHARLO~1\LOCALS~1\Temp\IXP003.TMP\update.exe"="C:\DOCUME~1\CHARLO~1\LOCALS~1\Temp\IXP003.TMP\update.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\TEMP\IXP000.TMP\update.exe"="C:\WINDOWS\TEMP\IXP000.TMP\update.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\DOCUME~1\CHARLO~1\LOCALS~1\Temp\IXP004.TMP\update.exe"="C:\DOCUME~1\CHARLO~1\LOCALS~1\Temp\IXP004.TMP\update.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\image.exe"="C:\image.exe:*:Enabled:wondows"
"C:\images.exe"="C:\images.exe:*:Enabled:downlaw"
"C:\DOCUME~1\CHARLO~1\LOCALS~1\Temp\260.exe"="C:\DOCUME~1\CHARLO~1\LOCALS~1\Temp\260.exe:*:Enabled:winCon32"
"C:\pic.exe"="C:\pic.exe:*:Enabled:ixplorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da8f2bf4-eb65-11dc-aca2-001676d60979}]
shell\AutoRun\command - J:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9bf5407-382c-11db-b4f2-806d6172696f}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


======List of files/folders created in the last 1 months======

2009-08-01 14:12:57 ----D---- C:\rsit
2009-07-26 15:36:00 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-07-21 01:35:47 ----D---- C:\940BEEA5
2009-07-20 16:07:37 ----D---- C:\Program Files\LSoft Technologies
2009-07-20 01:23:56 ----SD---- C:\winnt_
2009-07-19 19:01:28 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-19 19:01:28 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-19 14:43:47 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-07-19 13:40:24 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-07-19 13:40:11 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-07-19 11:30:44 ----D---- C:\Program Files\Trend Micro
2009-07-19 03:00:31 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-07-18 20:19:05 ----A---- C:\funpics.exe
2009-07-18 19:09:57 ----A---- C:\pics.exe
2009-07-18 18:44:49 ----D---- C:\WINDOWS\Prefetch
2009-07-18 18:27:58 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-18 18:27:50 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-18 18:27:38 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-07-18 18:27:27 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-07-18 18:27:17 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2009-07-18 18:27:09 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-18 18:27:01 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-07-18 18:26:53 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-18 18:26:43 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-07-18 18:26:28 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-07-18 18:26:18 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-07-18 18:26:07 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-07-18 18:25:56 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-07-18 18:25:45 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-07-18 18:25:32 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-07-18 18:25:22 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-07-18 18:25:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-07-18 18:25:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-07-18 18:24:50 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-07-18 18:24:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-07-18 18:24:15 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-07-18 18:24:04 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-07-18 18:23:49 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-07-18 18:23:36 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-07-18 18:23:26 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-07-18 18:23:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-07-18 18:23:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-07-18 18:22:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-07-18 18:22:40 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-07-18 18:22:30 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-07-18 18:22:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-07-18 18:22:09 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-07-18 18:22:01 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-07-18 18:21:50 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-07-18 18:21:43 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-07-18 18:21:31 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-07-18 18:14:04 ----D---- C:\WINDOWS\system32\scripting
2009-07-18 18:14:03 ----D---- C:\WINDOWS\system32\en
2009-07-18 18:14:03 ----D---- C:\WINDOWS\l2schemas
2009-07-18 18:14:02 ----D---- C:\WINDOWS\system32\bits
2009-07-18 18:10:53 ----D---- C:\WINDOWS\ServicePackFiles
2009-07-18 18:09:21 ----D---- C:\WINDOWS\network diagnostic
2009-07-18 18:05:40 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-07-18 17:01:25 ----A---- C:\WINDOWS\system32\WBCustomizer.dll
2009-07-18 16:48:17 ----RSH---- C:\WINDOWS\ixplorer.exe
2009-07-18 15:11:05 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-18 15:10:51 ----D---- C:\Program Files\SUPERAntiSpyware
2009-07-18 15:10:51 ----D---- C:\Documents and Settings\Charlotte\Application Data\SUPERAntiSpyware.com
2009-07-18 15:10:25 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-18 15:02:24 ----D---- C:\WINDOWS\ie8updates
2009-07-18 15:00:51 ----D---- C:\WINDOWS\WBEM
2009-07-18 15:00:26 ----HDC---- C:\WINDOWS\ie8
2009-07-18 15:00:26 ----D---- C:\WINDOWS\system32\en-US
2009-07-18 14:42:59 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$
2009-07-18 14:30:07 ----RSH---- C:\WINDOWS\winCon.exe
2009-07-18 13:50:20 ----D---- C:\Documents and Settings\Charlotte\Application Data\Malwarebytes
2009-07-18 13:50:02 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-18 13:50:02 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-18 13:48:45 ----N---- C:\WINDOWS\system32\3F.tmp
2009-07-18 13:48:43 ----N---- C:\WINDOWS\system32\3E.tmp
2009-07-18 13:48:14 ----N---- C:\WINDOWS\system32\3D.tmp
2009-07-18 13:47:58 ----D---- C:\Program Files\Sophos
2009-07-16 14:02:28 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-15 15:13:52 ----A---- C:\crypted.exe
2009-07-15 11:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 11:37:29 ----HDC---- C:\WINDOWS\$NtUninstallKB971633_0$
2009-07-15 11:35:58 ----HDC---- C:\WINDOWS\$NtUninstallKB961371_0$
2009-07-08 20:06:27 ----A---- C:\WINDOWS\system32\MPFServiceFailureCount.txt

======List of files/folders modified in the last 1 months======

2009-08-01 14:12:03 ----D---- C:\WINDOWS\Temp
2009-08-01 14:11:46 ----A---- C:\WINDOWS\win.ini
2009-08-01 14:11:25 ----D---- C:\WINDOWS
2009-08-01 14:11:09 ----D---- C:\WINDOWS\system32\drivers
2009-08-01 14:09:32 ----A---- C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt
2009-08-01 14:09:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-01 14:06:59 ----D---- C:\WINDOWS\system32
2009-08-01 12:55:49 ----D---- C:\WINDOWS\Registration
2009-07-31 22:29:29 ----D---- C:\Documents and Settings\Charlotte\Application Data\Skype
2009-07-31 20:30:44 ----D---- C:\Documents and Settings\Charlotte\Application Data\skypePM
2009-07-30 22:43:54 ----D---- C:\Documents and Settings\Charlotte\Application Data\SiteAdvisor
2009-07-30 22:33:16 ----D---- C:\Program Files\Internet Explorer
2009-07-30 20:11:40 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-30 20:07:34 ----HD---- C:\WINDOWS\inf
2009-07-30 20:04:12 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-30 20:04:00 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-30 20:03:01 ----SHD---- C:\WINDOWS\Installer
2009-07-30 20:02:56 ----D---- C:\WINDOWS\WinSxS
2009-07-26 14:23:04 ----D---- C:\WINDOWS\security
2009-07-22 17:02:46 ----D---- C:\WINDOWS\Minidump
2009-07-21 18:47:30 ----D---- C:\Legacy
2009-07-21 08:43:47 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-07-21 02:23:54 ----D---- C:\Program Files\MSN Messenger
2009-07-20 16:07:37 ----RD---- C:\Program Files
2009-07-20 16:07:37 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-19 18:48:58 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-19 18:18:13 ----D---- C:\Program Files\Common Files
2009-07-19 18:13:46 ----D---- C:\Program Files\Norton Security Scan
2009-07-19 18:13:41 ----SD---- C:\WINDOWS\Tasks
2009-07-19 14:18:59 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 13:40:19 ----A---- C:\WINDOWS\imsins.BAK
2009-07-18 18:49:49 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-18 18:49:30 ----A---- C:\WINDOWS\OEWABLog.txt
2009-07-18 18:46:05 ----A---- C:\WINDOWS\setuplog.txt
2009-07-18 18:44:14 ----D---- C:\WINDOWS\system32\wbem
2009-07-18 18:44:14 ----D---- C:\WINDOWS\system32\Setup
2009-07-18 18:44:14 ----D---- C:\WINDOWS\ime
2009-07-18 18:44:14 ----D---- C:\WINDOWS\AppPatch
2009-07-18 18:44:13 ----RSD---- C:\WINDOWS\Fonts
2009-07-18 18:28:02 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-18 18:21:51 ----D---- C:\Program Files\Messenger
2009-07-18 18:14:18 ----D---- C:\WINDOWS\system32\inetsrv
2009-07-18 18:14:18 ----D---- C:\WINDOWS\Help
2009-07-18 18:14:05 ----D---- C:\WINDOWS\system32\usmt
2009-07-18 18:14:02 ----D---- C:\WINDOWS\PeerNet
2009-07-18 18:14:02 ----D---- C:\Program Files\Movie Maker
2009-07-18 18:10:43 ----D---- C:\WINDOWS\system32\Restore
2009-07-18 18:10:43 ----D---- C:\WINDOWS\system32\npp
2009-07-18 18:10:43 ----D---- C:\WINDOWS\mui
2009-07-18 18:10:42 ----D---- C:\WINDOWS\msagent
2009-07-18 18:10:39 ----D---- C:\WINDOWS\srchasst
2009-07-18 18:10:38 ----D---- C:\WINDOWS\system32\Com
2009-07-18 18:10:38 ----D---- C:\Program Files\NetMeeting
2009-07-18 18:10:36 ----D---- C:\Program Files\Windows NT
2009-07-18 18:10:36 ----D---- C:\Program Files\Outlook Express
2009-07-18 18:10:34 ----RSHD---- C:\Program Files\Common Files\System
2009-07-18 18:10:24 ----D---- C:\WINDOWS\system32\oobe
2009-07-18 18:10:23 ----D---- C:\WINDOWS\system
2009-07-18 18:08:10 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-07-18 18:05:36 ----D---- C:\WINDOWS\ehome
2009-07-18 17:00:12 ----D---- C:\Program Files\Picasa2
2009-07-18 15:01:36 ----D---- C:\WINDOWS\system32\config
2009-07-18 15:00:44 ----D---- C:\WINDOWS\Media
2009-07-15 15:15:16 ----SHD---- C:\RECYCLER
2009-07-15 10:41:29 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-10 08:16:29 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-07-10 08:09:08 ----D---- C:\Program Files\McAfee
2009-07-07 08:10:58 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-03 18:09:28 ----A---- C:\WINDOWS\system32\wininet.dll
2009-07-03 18:09:27 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-07-03 18:09:27 ----A---- C:\WINDOWS\system32\occache.dll
2009-07-03 18:09:25 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-07-03 18:09:25 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-07-03 18:09:24 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-07-03 18:09:24 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-07-03 18:09:23 ----A---- C:\WINDOWS\system32\iepeers.dll
2009-07-03 18:09:21 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2009-07-03 12:01:06 ----N---- C:\WINDOWS\system32\ie4uinit.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2005-04-07 3840]
R1 DcCam;Kodak Camera Proxy; C:\WINDOWS\system32\DRIVERS\DcCam.sys [2004-05-20 36918]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-03-25 214024]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2008-10-23 120136]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 DCFS2K;Kodak DCFS2K Driver; C:\WINDOWS\system32\drivers\dcfs2k.sys [2004-06-02 38705]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-01-14 1477632]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-07-18 990592]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2006-07-18 256128]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-04-17 4262912]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-07-18 728192]
S1 Exportit;Exportit; C:\WINDOWS\system32\DRIVERS\exportit.sys [2004-07-07 152049]
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-13 48128]
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-13 38912]
S3 CamAv;SAMSUNG Video Capture; C:\WINDOWS\System32\Drivers\CamAv.sys [2005-12-16 58624]
S3 CAMFLT;%CAMFLT.SvcDesc%; C:\WINDOWS\system32\drivers\CAMFLT.sys [2005-07-20 11648]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 DcFpoint;DcFpoint; C:\WINDOWS\system32\DRIVERS\DcFpoint.sys [2004-05-20 61564]
S3 DcLps;Legacy Polling Service; C:\WINDOWS\system32\DRIVERS\DcLps.sys [2004-05-20 8022]
S3 DcPTP;dcptp; C:\WINDOWS\system32\DRIVERS\DcPTP.sys [2004-07-07 70070]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\7C.tmp []
S3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-03-25 79880]
S3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-03-25 35272]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-03-25 34216]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-03-25 40552]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-13 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 pmxscan;Visioneer USB Kernel; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SQTECH905C;DualCamera; C:\WINDOWS\System32\Drivers\Capt905c.sys [2004-11-24 647333]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBCM;Scientific-Atlanta USB Cable Modem Driver; C:\WINDOWS\system32\DRIVERS\Sacm2A.sys [2004-06-10 15429]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 163840]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-01-14 405504]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-06 102912]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-06-11 152984]
R2 KodakCCS;Kodak Camera Connection Software; C:\WINDOWS\system32\drivers\KodakCCS.exe [2004-05-24 322104]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-01-08 797864]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-01-09 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-01-09 359952]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-06 99328]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-03-25 144704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-03-19 884360]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2005-01-31 49152]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-01-26 520192]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-11-27 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-06-14 651720]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-01 29744]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-01 29744]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-03 137200]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2007-11-10 68096]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-04-01 365072]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-03-24 606736]
S4 Motbitagad;Motbitagad; C:\WINDOWS\system32\drivers\ati1mdxx.sys [2004-08-03 11615]
S4 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-08-30 172032]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-08-01 14:13:49

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4Media MP4 Converter-->C:\Documents and Settings\Charlotte\My Documents\MP4 Converter 3\Uninstall.exe
Active@ ISO Burner-->"C:\Program Files\InstallShield Installation Information\{7694E0B1-2332-448B-9235-929F84B41E3F}\setup.exe" -runfromtemp -l0x0009 -removeonly
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Audition 3.0-->msiexec /I {53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Photoshop Elements 7.0-->msiexec /i {CB6075D9-F912-40AE-BEA6-E590DA24F16B}
Adobe Reader 8.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
AVS DVDMenu Editor 1.2.1.19-->"C:\Program Files\Common Files\AVSMedia\AVS DVDMenu Editor\unins000.exe"
AVS Video Converter 5.6-->"C:\Program Files\AVS4YOU\AVSVideoConverter\unins000.exe"
AVS4YOU Software Navigator 1.2-->"C:\Program Files\AVS4YOU\AVSSoftwareNavigator\unins000.exe"
Before You Know It 3.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C2A61E-3E19-40F5-A810-A5773D4B9A1E}\Setup.exe" -l0x9
Before You Know It 3.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFDD5FA3-6A00-43E4-8825-74031578C83A}\Setup.exe" -l0x9
Belarc Advisor 7.2-->C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
BigFix-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Browser Address Error Redirector-->regsvr32 /u /s "c:\windows\system32\BAE.dll"
CardRd81-->MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CCHelp-->MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Celtx (2.0)-->C:\Program Files\Celtx\uninstall\helper.exe
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CR2-->MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
DVD Solution-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
ESSAdpt-->MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP-->MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCAM-->MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore-->MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT-->MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL-->MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp-->MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock-->MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC-->MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTUTOR-->MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht-->MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot-->MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Express Burn-->C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0531C63A913CC9D1.exe" /uninstall
Graboid Video 1.3-->C:\Documents and Settings\Charlotte\My Documents\Graboid\uninst.exe
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPCCTR-->MsiExec.exe /I{F2D0C1B1-80FF-46F9-BA61-33B01A07FAFC}
HLPIndex-->MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK-->MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPSFO-->MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java™ 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
Kodak EasyShare software-->C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_9_3af6d9\Setup.exe /APR-REMOVE
KSU-->MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Legacy 7.0-->"C:\Legacy\UNWISE.EXE" /U "C:\Legacy\Install.log"
Legacy Charting 7.0-->"C:\Legacy\LegacyCharting7\unins000.exe"
Life On Mars 02 Screen Saver-->C:\WINDOWS\Life On Mars 02.scr /u
Macromedia Fireworks MX 2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E583ED6F-BD99-4066-A420-C815BF692B69}\Setup.exe" -l0x9 UNINSTALL
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Map Button (Windows Live Toolbar)-->MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Digital Image 2006 Starter Edition -->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Search Enhancement Pack-->MsiExec.exe /X{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}
Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla ActiveX Control v1.7.12-->C:\Program Files\Mozilla ActiveX Control v1.7.12\uninst.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multimedia Keyboard Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
MyDsc2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83D96ED0-98AA-4515-8DDC-816F3EFDD104}\Setup.exe" -l0x9
MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe
Notifier-->MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI-->MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OneCare Advisor (Windows Live Toolbar)-->MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
OTtBP-->MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK-->MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
PaperPort 6.5-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ScanSoft\PaperPort\Config\DeIsL1.isu" -y -c"C:\Program Files\ScanSoft\PaperPort\UnInstl2.dll"
PCDLNCH-->MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Picasa 3-->"C:\Program Files\Picasa2\Uninstall.exe"
Popup Blocker (Windows Live Toolbar)-->MsiExec.exe /X{66A7A386-6F35-41A7-A731-101F0C0153C8}
Power2Go 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK GbE & FE Ethernet PCI NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Samsung CamCorder Driver-->C:\WINDOWS\Uninstall.exe
Samsung Video Codec 1.1 Uninstall-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_SMP4 132 C:\WINDOWS\INF\install.inf
Scientific-Atlanta WebSTAR 2000 series Cable Modem-->UNDPX2A.EXE
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Encoder (KB954156)-->"C:\WINDOWS\$NtUninstallKB954156_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Serif DrawPlus 6.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{765908E2-3AED-40EE-A13C-E47B2FA4C490}\Setup.exe" -l0x9
SFR-->MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2-->MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Smart Menus (Windows Live Toolbar)-->MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SmartSound Quicktracks Plugin-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F40&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDBRYCM5K.inf
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sophos Anti-Rootkit 1.5.0-->C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tabbed Browsing (Windows Live Toolbar)-->MsiExec.exe /X{47FBF7F9-FBD3-43EF-823B-7684D56C1962}
Ulead VideoStudio 9.0 SE DVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EAB2384-C794-40ED-A9DD-3270A0D2BB76}\Setup.exe" -l0x9
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VCAMCEN-->MsiExec.exe /I{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}
VideoLAN VLC media player 0.8.6d-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Visioneer 6100 USB Scanner Driver-->C:\WINDOWS\twain_32\paprport\6100USB\UNWISE.EXE C:\WINDOWS\twain_32\paprport\6100USB\INSTALL.LOG
VPRINTOL-->MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WavePad Sound Editor-->C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Favorites for Windows Live Toolbar-->MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Outlook Toolbar (Windows Live Toolbar)-->MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
Windows Live Photo Gallery-->MsiExec.exe /X{3C52E7DA-C431-4239-B66B-1BF703D5B194}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Sync-->MsiExec.exe /X{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}
Windows Live Toolbar Extension (Windows Live Toolbar)-->MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar)-->MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
Windows Live Toolbar-->MsiExec.exe /X{995F1E2E-F542-4310-8E1D-9926F5A279B3}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}
Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766-->"C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

O4 - HKLM\..\Run: [winCon32] winCon.exe [2009-07-19]
O4 - HKLM\..\Run: [ixplorer] ixplorer.exe [2009-07-19]
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll [2009-07-19]
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2009-07-19]
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE [2009-07-19]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-07-19]

======Security center information======

AV: McAfee VirusScan (disabled) (outdated)
FW: McAfee Personal Firewall (disabled)

======System event log======

Computer Name: YOUR-2F8E36BE71
Event Code: 2504
Message: The server could not bind to the transport \Device\NetBT_Tcpip_{8766210D-D84C-4B41-B0FE-14680CB1A36D}.

Record Number: 101079
Source Name: Server
Time Written: 20090715150813.000000+060
Event Type: warning
User:

Computer Name: YOUR-2F8E36BE71
Event Code: 1002
Message: The IP address lease 92.238.12.106 for the Network Card with network address 001676D60979 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Record Number: 101078
Source Name: Dhcp
Time Written: 20090715150759.000000+060
Event Type: error
User:

Computer Name: YOUR-2F8E36BE71
Event Code: 1003
Message: Error code 10000050, parameter1 ffffffe8, parameter2 00000001, parameter3 80526288, parameter4 00000000.

Record Number: 101075
Source Name: System Error
Time Written: 20090715150253.000000+060
Event Type: error
User:

Computer Name: YOUR-2F8E36BE71
Event Code: 7034
Message: The SeaPort service terminated unexpectedly. It has done this 1 time(s).

Record Number: 101055
Source Name: Service Control Manager
Time Written: 20090715150244.000000+060
Event Type: error
User:

Computer Name: YOUR-2F8E36BE71
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Explorer service to connect.

Record Number: 101053
Source Name: Service Control Manager
Time Written: 20090715150244.000000+060
Event Type: error
User:

=====Application event log=====

Computer Name: YOUR-2F8E36BE71
Event Code: 20
Message:
Record Number: 9243
Source Name: Google Update
Time Written: 20090510192941.000000+060
Event Type: error
User: YOUR-2F8E36BE71\Charlotte

Computer Name: YOUR-2F8E36BE71
Event Code: 2001
Message: Rejected Safe Mode action : Microsoft Office Outlook.

Record Number: 9240
Source Name: Microsoft Office 11
Time Written: 20090510175219.000000+060
Event Type: error
User:

Computer Name: YOUR-2F8E36BE71
Event Code: 1000
Message: Faulting application wlxquicktimecontrolhost.exe, version 14.0.8064.206, faulting module ole32.dll, version 5.1.2600.2726, fault address 0x0002f44f.

Record Number: 9239
Source Name: Application Error
Time Written: 20090510110409.000000+060
Event Type: error
User:

Computer Name: YOUR-2F8E36BE71
Event Code: 1002
Message: Hanging application WINWORD.EXE, version 11.0.8237.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 9238
Source Name: Application Hang
Time Written: 20090510110239.000000+060
Event Type: error
User:

Computer Name: YOUR-2F8E36BE71
Event Code: 20
Message:
Record Number: 9231
Source Name: Google Update
Time Written: 20090509212806.000000+060
Event Type: error
User: YOUR-2F8E36BE71\Charlotte

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0409
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


All the best,
Ken

#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 August 2009 - 08:52 AM

Hey Ken, I suspect that there is still quite a bit there, as you have a lot of crap on this machine, including a rootkit.


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Regards
Syler

Edited by syler, 01 August 2009 - 08:53 AM.

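Syler reads two things off the logs posted in this thread: the RSIT output above carries HijackThis backup entries for Run values named winCon32 and ixplorer whose commands are bare file names, and the ComboFix log Ken posts in his next reply lists the files those names belong to, created in C:\Windows with the hidden and system attributes set and with sizes that repeat across differently named executables in the drive root. The script below is an added example, not part of this thread and not code from ComboFix, RSIT or HijackThis; it turns those by-eye observations into a small triage over lines copied from the posted logs, plus one constructed benign Run entry as a control. The decoding of ComboFix's eight-character attribute field is an assumption inferred from the flags visible in the log (d, c, s, h, a, r/w), and the rules are the thread's indicators, not a general malware classifier.

```python
"""Triage of ComboFix 'Files Created' lines and HijackThis O4 autostart lines.

Added example for this thread; not part of ComboFix, RSIT or HijackThis.
Sample lines are copied from the logs posted in the thread, except the
SunJavaUpdateSched Run entry, which is a constructed benign control.
"""
import re
from collections import Counter

# ComboFix file line: "<created> . <modified> <size|--------> <attrs> <path>".
# Attribute positions are an assumption inferred from the flags seen in this
# thread's log (d=directory, c=compressed, s=system, h=hidden, a=archive,
# r/w=read-only or writable); the remaining positions are left undecoded.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) ([a-z-]{8}) (.+)$"
)
# HijackThis O4 entry: "O4 - HKLM\..\Run: [value] command [yyyy-mm-dd]".
O4_RE = re.compile(
    r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+?)(?: \[\d{4}-\d{2}-\d{2}\])?$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")

SAMPLE_COMBOFIX = r"""
2009-08-01 13:12 . 2009-08-01 13:13 -------- d-----w- C:\rsit
2009-07-20 15:07 . 2009-07-20 15:07 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-18 19:19 . 2009-07-18 19:34 90624 ----a-w- C:\funpics.exe
2009-07-18 18:09 . 2009-07-18 18:09 90624 ----a-w- C:\pics.exe
2009-07-18 15:48 . 2009-07-18 15:48 90624 --sh--r- c:\windows\ixplorer.exe
2009-07-18 13:30 . 2009-07-18 13:30 98380 --sh--r- c:\windows\winCon.exe
2009-07-18 12:50 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 14:13 . 2009-07-15 14:15 147532 ----a-w- C:\crypted.exe
""".strip().splitlines()

SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [winCon32] winCon.exe [2009-07-19]
O4 - HKLM\..\Run: [ixplorer] ixplorer.exe [2009-07-19]
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
""".strip().splitlines()


def parse_file_line(line):
    """Return a dict for one ComboFix file entry, or None for any other line."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {
        "created": created, "modified": modified,
        "size": None if size.startswith("-") else int(size),
        "directory": attrs[0] == "d", "system": attrs[2] == "s",
        "hidden": attrs[3] == "h", "readonly": attrs[6] == "r",
        "path": path,
    }


def triage_files(lines):
    """Map flagged paths to {'size', 'reasons'} for newly created executables."""
    findings = {}
    for e in map(parse_file_line, lines):
        if not e or e["directory"]:
            continue
        p = e["path"].lower()
        if not p.endswith(EXEC_EXT):
            continue
        reasons = []
        if e["hidden"] and e["system"]:
            reasons.append("hidden+system executable")
        if re.fullmatch(r"[a-z]:\\[^\\]+", p):
            reasons.append("executable in drive root")
        if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):
            reasons.append("new executable directly in Windows root")
        if reasons:
            findings[e["path"]] = {"size": e["size"], "reasons": reasons}
    # Several flagged files of identical size under different names usually
    # means one dropper copied around; note it on each of them.
    sizes = Counter(f["size"] for f in findings.values())
    for f in findings.values():
        if f["size"] and sizes[f["size"]] > 1:
            f["reasons"].append("same size as another flagged file")
    return findings


def triage_autostarts(lines, findings):
    """Flag Run values whose command is a bare name (CreateProcess then finds it
    via the search order, which includes the Windows directory) or whose target
    is one of the flagged files. Quoted full paths are only checked for a
    path separator."""
    flagged_names = {p.rsplit("\\", 1)[-1].lower() for p in findings}
    out = {}
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, value, command = m.groups()
        exe = command.split()[0].strip('"').lower()
        reasons = []
        if "\\" not in exe:
            reasons.append("bare file name, resolved via search path")
        if exe in flagged_names:
            reasons.append("targets a flagged file")
        if reasons:
            out[f"{hive}\\Run\\{value}"] = reasons
    return out


if __name__ == "__main__":
    files = triage_files(SAMPLE_COMBOFIX)
    for path, f in files.items():
        print(f"{path} ({f['size']} bytes): {', '.join(f['reasons'])}")
    for key, reasons in triage_autostarts(SAMPLE_HJT, files).items():
        print(f"{key}: {', '.join(reasons)}")
```

Run as-is it flags ixplorer.exe and winCon.exe (hidden+system, dropped straight into the Windows root), funpics.exe, pics.exe and crypted.exe (executables in the drive root), notes that ixplorer.exe, funpics.exe and pics.exe share a size, and ties both Run values to those files while leaving sptd.sys, mbam.sys and the quoted Java updater alone. The point of the bare-name check is the one the logs make on their own: a Run value of just winCon.exe works precisely because the file was dropped into C:\Windows, which is on the default executable search order.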


#7 Ken Meller
  • Topic Starter
  • Members
  • 25 posts

Posted 01 August 2009 - 11:08 AM

Hi Syler,

Things went fairly well - one or two hiccups but we have a Combofix logfile.

I had turned off internet access, so when Combofix tried to fetch the recovery console it failed - I will try to get that installed separately.

After the initial scan, a reboot was required but a pop-up telling us that Catchme.cfexe could not run because the machine was shutting down appeared. The machine then hung. Eventually I restarted the machine manually.

After that everything seemed to go ok, I did worry about AV kicking in again - but I had told McAfee to 'never' restart so I hope that was ok.

One thing that worries me is that McAfee is reporting that the machine is not protected even though when I open it up and check each component, they're all switched on and Windows Security Center reports that AV, Firewall & Updates are all on.

Ok, so here's the logfile - what do you think:

Cheers,
Ken

ComboFix 09-07-31.04 - Charlotte 01/08/2009 16:11.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.474 [GMT 1:00]
Running from: c:\documents and settings\Charlotte\Desktop\CmbFx.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Charlotte\Application Data\bcrypt.html
c:\recycler\S-1-5-21-7254510389-6315529300-563192697-1584
c:\recycler\S-1-5-21-7254510389-6315529300-563192697-1584\f1.exe
c:\recycler\S-1-5-21-841947514-3932110038-3995118088-500
c:\windows\Installer\WMEncoder.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\geyekrfmhrabtx.sys
c:\windows\system32\geyekrbkvlfowp.dll
c:\windows\system32\geyekrfwquywtr.dat
c:\windows\system32\geyekruxuoonuj.dll
c:\windows\system32\geyekrxynnykpr.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrlaxxxtwn
-------\Legacy_EXPLORER


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 13:12 . 2009-08-01 13:13 -------- d-----w- C:\rsit
2009-07-29 21:14 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 21:14 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-26 14:36 . 2009-07-26 14:36 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-26 14:32 . 2009-07-26 14:32 -------- d-sh--w- c:\documents and settings\Charlotte\IECompatCache
2009-07-21 00:35 . 2009-07-21 01:47 -------- d-----w- C:\940BEEA5
2009-07-20 15:07 . 2009-07-20 15:07 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-20 15:07 . 2009-07-20 15:07 -------- d-----w- c:\program files\LSoft Technologies
2009-07-20 00:23 . 2009-07-24 20:18 -------- d-s---w- C:\winnt_
2009-07-19 18:01 . 2009-07-19 18:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-19 18:01 . 2009-07-19 18:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-19 13:43 . 2009-07-19 13:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2009-07-19 10:30 . 2009-07-19 10:30 -------- d-----w- c:\program files\Trend Micro
2009-07-19 08:34 . 2009-07-19 08:34 -------- d-sh--w- c:\documents and settings\Charlotte\PrivacIE
2009-07-18 19:19 . 2009-07-18 19:34 90624 ----a-w- C:\funpics.exe
2009-07-18 18:09 . 2009-07-18 18:09 90624 ----a-w- C:\pics.exe
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\windows\system32\scripting
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\windows\l2schemas
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\windows\system32\en
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\windows\system32\bits
2009-07-18 17:10 . 2009-07-18 17:14 -------- d-----w- c:\windows\ServicePackFiles
2009-07-18 16:01 . 1998-09-11 08:14 21504 ----a-w- c:\windows\system32\WBCustomizer.dll
2009-07-18 15:48 . 2009-07-18 15:48 90624 --sh--r- c:\windows\ixplorer.exe
2009-07-18 14:15 . 2009-07-18 14:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-18 14:12 . 2009-08-01 15:27 117760 ----a-w- c:\documents and settings\Charlotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-18 14:11 . 2009-07-18 14:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-18 14:10 . 2009-07-18 14:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-18 14:10 . 2009-07-18 14:10 -------- d-----w- c:\documents and settings\Charlotte\Application Data\SUPERAntiSpyware.com
2009-07-18 14:10 . 2009-07-18 14:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-18 14:05 . 2009-07-18 14:05 -------- d-sh--w- c:\documents and settings\Charlotte\IETldCache
2009-07-18 14:02 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-18 14:02 . 2009-07-18 14:02 -------- d-----w- c:\windows\ie8updates
2009-07-18 14:01 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-18 14:01 . 2009-07-19 17:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-18 14:01 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-18 14:01 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-18 14:00 . 2009-07-18 14:00 -------- dc-h--w- c:\windows\ie8
2009-07-18 13:33 . 2009-07-31 19:34 -------- d-----w- c:\documents and settings\Charlotte\Local Settings\Application Data\Temp
2009-07-18 13:30 . 2009-07-18 13:30 98380 --sh--r- c:\windows\winCon.exe
2009-07-18 12:50 . 2009-07-18 12:50 -------- d-----w- c:\documents and settings\Charlotte\Application Data\Malwarebytes
2009-07-18 12:50 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-18 12:50 . 2009-07-18 12:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 12:50 . 2009-07-18 12:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-18 12:50 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-18 12:47 . 2009-07-18 12:47 -------- d-----w- c:\program files\Sophos
2009-07-16 16:34 . 2009-07-16 17:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-15 14:13 . 2009-07-15 14:15 147532 ----a-w- C:\crypted.exe
2009-07-14 17:04 . 2009-07-14 17:14 -------- d-----w- c:\documents and settings\Teresa\Tracing

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 21:29 . 2007-02-17 13:54 -------- d-----w- c:\documents and settings\Charlotte\Application Data\Skype
2009-07-31 19:30 . 2008-05-27 18:17 -------- d-----w- c:\documents and settings\Charlotte\Application Data\skypePM
2009-07-30 21:43 . 2008-08-27 09:32 -------- d-----w- c:\documents and settings\Charlotte\Application Data\SiteAdvisor
2009-07-21 07:43 . 2008-09-29 18:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-07-21 01:23 . 2007-02-12 19:22 -------- d-----w- c:\program files\MSN Messenger
2009-07-20 15:07 . 2006-08-30 13:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 17:13 . 2009-03-11 08:01 -------- d-----w- c:\program files\Norton Security Scan
2009-07-19 06:29 . 2007-02-12 18:22 106144 ----a-w- c:\documents and settings\Charlotte\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 17:19 . 2006-01-14 21:17 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-18 16:00 . 2007-02-17 12:39 -------- d-----w- c:\program files\Picasa2
2009-07-10 07:16 . 2006-08-30 14:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-10 07:09 . 2008-08-27 09:29 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2006-01-14 19:59 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-18 11:54 . 2009-07-18 12:48 6144 ------w- c:\windows\system32\3F.tmp
2009-06-18 11:54 . 2009-07-18 12:48 6144 ------w- c:\windows\system32\3E.tmp
2009-06-18 11:54 . 2009-07-18 12:48 6144 ------w- c:\windows\system32\3D.tmp
2009-06-16 14:36 . 2006-01-14 19:59 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-01-14 19:58 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 13:05 . 2009-06-15 13:05 -------- d-----w- c:\program files\Audacity
2009-06-14 13:51 . 2007-07-27 21:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 13:44 . 2009-06-14 13:44 -------- d-----w- c:\windows\Fonts\Fonts
2009-06-14 13:40 . 2009-06-14 13:40 129784 ------w- c:\windows\system32\pxafs.dll
2009-06-14 13:40 . 2009-06-14 13:40 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-06-14 13:40 . 2009-06-14 13:40 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-06-11 09:01 . 2009-06-11 09:02 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-11 09:01 . 2006-08-30 13:57 -------- d-----w- c:\program files\Java
2009-06-11 09:01 . 2009-06-11 09:01 152576 ----a-w- c:\documents and settings\Charlotte\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 05:14 . 2006-08-30 14:05 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 07:59 . 2009-04-05 17:57 -------- d-----w- c:\program files\Celtx
2009-06-03 19:09 . 2006-01-14 19:59 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2006-01-14 19:58 345600 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\Charlotte\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-18 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-01 29744]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-17 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-06 180269]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"PaperPort PTD"="c:\progra~1\scansoft\paperp~1\pptd40nt.exe" [2000-03-17 30720]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-16 16143872]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-08 550912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-03-07 5181440]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-8-30 2168360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-3-10 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\WINDOWS\\winCon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 14:02 163840]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [30/08/2006 14:50 29744]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7C.tmp --> c:\windows\system32\7C.tmp [?]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [06/03/2008 11:15 15104]
S4 Motbitagad;Motbitagad;c:\windows\system32\drivers\ati1mdxx.sys [07/10/2008 10:58 11615]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AVScan - c:\documents and settings\Charlotte\Application Data\winav.exe
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
Notify-WgaLogon - (no file)
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_GB&Sys=DTP&M=E4076
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3d20ffcf0fd64ddbb885c316de66896c
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3d20ffcf0fd64ddbb885c316de66896c
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 16:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7C.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ų•€|˙˙˙˙•€|ł•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\WININET.dll
c:\docume~1\CHARLO~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-08-01 16:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 15:39

Pre-Run: 85,450,022,912 bytes free
Post-Run: 87,343,075,328 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=1,2,3,4
272 --- E O F --- 2009-07-30 21:36

#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 August 2009 - 02:52 PM

Hi Ken,

We should make sure you have the Recovery Console installed before you run a CF script. If you have not already managed to
get it installed, please follow these steps to install it.


Before you do any of the next steps you need to temporarily disable the TeaTimer protection in Spybot, as it may
stop the tools we use from doing their job. Please keep it disabled whilst I am helping you; then you can enable it again
when you're clean.

To disable TeaTimer, open Spybot and click on the Mode tab and select Advanced mode.
It will ask you if you're sure you want to go into advanced mode; select Yes.
Now go to Tools and click on the Resident tab.
Uncheck the box that says "Resident "TeaTimer" (Protection of over-all system settings) active".
Then close Spybot and reboot your computer.

Next

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Posted Image


Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Posted Image

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image


  • When asked if you want to continue scanning for malware, click 'No'.
Next

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

http://www.bleepingcomputer.com/forums/t/243223/infected-by-ntoskrnl-hook-and-more/

Collect::
C:\funpics.exe
C:\pics.exe
c:\windows\ixplorer.exe
c:\windows\winCon.exe
C:\crypted.exe
c:\windows\system32\3F.tmp
c:\windows\system32\3E.tmp
c:\windows\system32\3D.tmp
DirLook::
C:\940BEEA5
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\winCon.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

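The following is an added illustration and is not part of the thread, nor ComboFix's own code: a small Python script that reads a ComboFix log the way the reply above reads it (files dropped in odd places, Security Center monitoring switched off, a firewall exception for one of those files) and drafts the matching CFScript. The sample log is a constructed excerpt of lines from the log posted earlier in this thread. The heuristics are assumptions about what a triager looks for (system+hidden files under %windir%, executables in the drive root, .tmp files in system32, Security Center keys with DisableMonitoring set, firewall exceptions pointing at already-flagged files, services whose image is a .tmp); they are not a ComboFix feature, and the output is a candidate list for a person to verify, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the ComboFix log posted in this thread,
# under the section headers ComboFix itself emits (real logs run to thousands of lines).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.
2009-07-18 19:19 . 2009-07-18 19:34 90624 ----a-w- C:\funpics.exe
2009-07-18 15:48 . 2009-07-18 15:48 90624 --sh--r- c:\windows\ixplorer.exe
2009-07-18 14:15 . 2009-07-18 14:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-18 13:30 . 2009-07-18 13:30 98380 --sh--r- c:\windows\winCon.exe
2009-07-18 12:50 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 11:54 . 2009-07-18 12:48 6144 ------w- c:\windows\system32\3F.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\winCon.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7C.tmp --> c:\windows\system32\7C.tmp [?]
"""

# "created . modified size attrs path"; attrs is an 8-char field, 'd' first for directories
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+([-a-zA-Z]{8})\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
# "S3 Name;Display;image ..." service lines; the image path ends at " -->" or " ["
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)(?:\s+-->|\s+\[)")


@dataclass
class Findings:
    files: list = field(default_factory=list)       # (path, reason)
    monitoring: list = field(default_factory=list)  # keys with DisableMonitoring=1
    firewall: list = field(default_factory=list)    # (key, value name) exceptions for flagged files
    services: list = field(default_factory=list)    # (service name, image) where the image is a .tmp


def classify_file(attrs: str, path: str):
    """Heuristics (assumed here, not ComboFix's own) for a file entry worth a second look."""
    p = path.lower()
    if attrs[0] == "d":  # directories are never collected
        return None
    if "s" in attrs and "h" in attrs and p.startswith("c:\\windows\\"):
        return "system+hidden file under %windir%"
    if re.match(r"^[a-z]:\\[^\\]+\.exe$", p):
        return "executable in the drive root"
    if "\\system32\\" in p and p.endswith(".tmp"):
        return ".tmp file in system32"
    return None


def triage(log_text: str) -> Findings:
    """One pass over a ComboFix log. The file section precedes the registry section in
    ComboFix output, so firewall exceptions can be cross-checked against flagged files."""
    f, key_raw, key, flagged = Findings(), "", "", set()
    for line in log_text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            _size, attrs, path = m.groups()
            if reason := classify_file(attrs, path):
                f.files.append((path, reason))
                flagged.add(path.lower())
        elif m := KEY_RE.match(line):
            key_raw, key = m.group(1), m.group(1).lower()
        elif m := VALUE_RE.match(line):
            name, data = m.groups()
            if ("security center\\monitoring" in key and name.lower() == "disablemonitoring"
                    and data == "dword:00000001"):
                f.monitoring.append(key_raw)
            elif "authorizedapplications\\list" in key:
                # the log doubles the backslashes in these value names
                if name.replace("\\\\", "\\").lower() in flagged:
                    f.firewall.append((key_raw, name))
        elif (m := SERVICE_RE.match(line)) and m.group(2).lower().endswith(".tmp"):
            f.services.append((m.group(1), m.group(2)))
    return f


def build_cfscript(f: Findings) -> str:
    """Render a CFScript as used in this thread: Collect:: quarantines and zips the files,
    Registry:: applies .reg-style edits, where "=-" deletes a value."""
    out = ["Collect::", *[path for path, _ in f.files]] if f.files else []
    if f.monitoring or f.firewall:
        out.append("Registry::")
        for key in f.monitoring:
            out += [f"[{key}]", '"DisableMonitoring"=dword:00000000']
        last = None
        for key, name in f.firewall:
            if key != last:
                out.append(f"[{key}]")
                last = key
            out.append(f'"{name}"=-')
    return "\n".join(out + [""]) if out else ""


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

The Registry:: block it emits uses the same syntax as the script in the reply above: DisableMonitoring is set back to dword:00000000 and the winCon.exe firewall exception is deleted with "=-". Anything it flags still has to be checked by hand; an entry that looks odd by shape alone, such as a service whose image is a .tmp file, can just as easily belong to a legitimate scanner that drops a temporary driver.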


#9 Ken Meller

  • Topic Starter

  • Members
  • 25 posts

Posted 02 August 2009 - 09:10 AM

OK, that went OK. Recovery Console now installed.

There might be a different issue with McAfee - a manual update results in a pop-up saying that the program is up to date but the virus definitions database is over two weeks old, so there might be an issue there. McAfee expires in three weeks or so but it reports that there is 'No Date' for the expiration date. Maybe a re-install is called for.

Anyway here's the latest log:

Thanks for your time so far.

Ken

ComboFix 09-07-31.04 - Charlotte 02/08/2009 14:08.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.471 [GMT 1:00]
Running from: c:\documents and settings\Charlotte\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Charlotte\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: C:\crypted.exe
file zipped: C:\funpics.exe
file zipped: C:\pics.exe
file zipped: c:\windows\ixplorer.exe
file zipped: c:\windows\system32\3D.tmp
file zipped: c:\windows\system32\3E.tmp
file zipped: c:\windows\system32\3F.tmp
file zipped: c:\windows\winCon.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\crypted.exe
c:\docume~1\CHARLO~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Charlotte\Local Settings\Temp\IadHide5.dll
C:\funpics.exe
C:\pics.exe
c:\windows\ixplorer.exe
c:\windows\system32\3D.tmp
c:\windows\system32\3E.tmp
c:\windows\system32\3F.tmp
c:\windows\winCon.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))
.

2009-08-02 12:58 . 2009-08-02 13:04 -------- d-s---w- C:\CmbFx
2009-08-01 13:12 . 2009-08-01 13:13 -------- d-----w- C:\rsit
2009-07-29 21:14 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 21:14 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-26 14:36 . 2009-07-26 14:36 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-26 14:32 . 2009-07-26 14:32 -------- d-sh--w- c:\documents and settings\Charlotte\IECompatCache
2009-07-21 00:35 . 2009-07-21 01:47 -------- d-----w- C:\940BEEA5
2009-07-20 15:07 . 2009-07-20 15:07 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-20 15:07 . 2009-07-20 15:07 -------- d-----w- c:\program files\LSoft Technologies
2009-07-20 00:23 . 2009-07-24 20:18 -------- d-s---w- C:\winnt_
2009-07-19 18:01 . 2009-07-19 18:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-19 18:01 . 2009-07-19 18:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-19 13:43 . 2009-07-19 13:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2009-07-19 10:30 . 2009-07-19 10:30 -------- d-----w- c:\program files\Trend Micro
2009-07-19 08:34 . 2009-07-19 08:34 -------- d-sh--w- c:\documents and settings\Charlotte\PrivacIE
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\windows\system32\scripting
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\windows\l2schemas
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\windows\system32\en
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\windows\system32\bits
2009-07-18 17:10 . 2009-07-18 17:14 -------- d-----w- c:\windows\ServicePackFiles
2009-07-18 16:01 . 1998-09-11 08:14 21504 ----a-w- c:\windows\system32\WBCustomizer.dll
2009-07-18 14:15 . 2009-07-18 14:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-18 14:11 . 2009-07-18 14:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-18 14:10 . 2009-08-02 12:35 -------- d-----w- c:\documents and settings\Charlotte\Application Data\SUPERAntiSpyware.com
2009-07-18 14:10 . 2009-08-02 12:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-18 14:05 . 2009-07-18 14:05 -------- d-sh--w- c:\documents and settings\Charlotte\IETldCache
2009-07-18 14:02 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-18 14:02 . 2009-07-18 14:02 -------- d-----w- c:\windows\ie8updates
2009-07-18 14:01 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-18 14:01 . 2009-07-19 17:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-18 14:01 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-18 14:01 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-18 14:00 . 2009-07-18 14:00 -------- dc-h--w- c:\windows\ie8
2009-07-18 13:33 . 2009-07-31 19:34 -------- d-----w- c:\documents and settings\Charlotte\Local Settings\Application Data\Temp
2009-07-18 12:50 . 2009-07-18 12:50 -------- d-----w- c:\documents and settings\Charlotte\Application Data\Malwarebytes
2009-07-18 12:50 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-18 12:50 . 2009-07-18 12:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 12:50 . 2009-07-18 12:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-18 12:50 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-18 12:47 . 2009-08-02 12:33 -------- d-----w- c:\program files\Sophos
2009-07-16 16:34 . 2009-07-16 17:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-14 17:04 . 2009-07-14 17:14 -------- d-----w- c:\documents and settings\Teresa\Tracing

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 21:29 . 2007-02-17 13:54 -------- d-----w- c:\documents and settings\Charlotte\Application Data\Skype
2009-07-31 19:30 . 2008-05-27 18:17 -------- d-----w- c:\documents and settings\Charlotte\Application Data\skypePM
2009-07-30 21:43 . 2008-08-27 09:32 -------- d-----w- c:\documents and settings\Charlotte\Application Data\SiteAdvisor
2009-07-21 07:43 . 2008-09-29 18:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-07-21 01:23 . 2007-02-12 19:22 -------- d-----w- c:\program files\MSN Messenger
2009-07-20 15:07 . 2006-08-30 13:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 17:13 . 2009-03-11 08:01 -------- d-----w- c:\program files\Norton Security Scan
2009-07-19 06:29 . 2007-02-12 18:22 106144 ----a-w- c:\documents and settings\Charlotte\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 17:19 . 2006-01-14 21:17 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-18 16:00 . 2007-02-17 12:39 -------- d-----w- c:\program files\Picasa2
2009-07-10 07:16 . 2006-08-30 14:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-10 07:09 . 2008-08-27 09:29 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2006-01-14 19:59 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-01-14 19:59 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-01-14 19:58 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 13:05 . 2009-06-15 13:05 -------- d-----w- c:\program files\Audacity
2009-06-14 13:51 . 2007-07-27 21:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 13:44 . 2009-06-14 13:44 -------- d-----w- c:\windows\Fonts\Fonts
2009-06-14 13:40 . 2009-06-14 13:40 129784 ------w- c:\windows\system32\pxafs.dll
2009-06-14 13:40 . 2009-06-14 13:40 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-06-14 13:40 . 2009-06-14 13:40 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-06-11 09:01 . 2009-06-11 09:02 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-11 09:01 . 2006-08-30 13:57 -------- d-----w- c:\program files\Java
2009-06-11 09:01 . 2009-06-11 09:01 152576 ----a-w- c:\documents and settings\Charlotte\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 05:14 . 2006-08-30 14:05 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 07:59 . 2009-04-05 17:57 -------- d-----w- c:\program files\Celtx
2009-06-03 19:09 . 2006-01-14 19:59 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2006-01-14 19:58 345600 ----a-w- c:\windows\system32\localspl.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\940BEEA5 ----

2009-07-21 01:23 . 2009-07-21 01:23 89 ----a-w- c:\940beea5\BADFILES.TXT
2009-07-21 00:40 . 2009-07-21 01:47 2002 ----a-w- c:\940beea5\REPORT.TXT


((((((((((((((((((((((((((((( SnapShot@2009-08-01_15.26.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-02 13:15 . 2009-08-02 13:15 16384 c:\windows\Temp\Perflib_Perfdata_620.dat
+ 2006-01-14 21:22 . 2009-08-02 12:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-01-14 21:22 . 2009-08-01 14:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-01-14 21:22 . 2009-08-02 12:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-14 21:22 . 2009-08-01 14:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-01-14 21:22 . 2009-08-02 12:16 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-01-14 21:22 . 2009-08-01 14:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\Charlotte\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-18 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-01 29744]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-17 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-06 180269]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"PaperPort PTD"="c:\progra~1\scansoft\paperp~1\pptd40nt.exe" [2000-03-17 30720]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-16 16143872]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-08 550912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-03-07 5181440]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-8-30 2168360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-3-10 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 14:02 163840]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [30/08/2006 14:50 29744]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7C.tmp --> c:\windows\system32\7C.tmp [?]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [06/03/2008 11:15 15104]
S4 Motbitagad;Motbitagad;c:\windows\system32\drivers\ati1mdxx.sys [07/10/2008 10:58 11615]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_GB&Sys=DTP&M=E4076
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?3d20ffcf0fd64ddbb885c316de66896c
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?3d20ffcf0fd64ddbb885c316de66896c
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 14:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7C.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ų•€|˙˙˙˙•€|ł•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1016)
c:\windows\system32\WININET.dll
c:\docume~1\CHARLO~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-08-02 14:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-02 13:29
ComboFix2.txt 2009-08-01 15:40

Pre-Run: 87,362,629,632 bytes free
Post-Run: 87,298,334,720 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=1,2,3,4
270 --- E O F --- 2009-07-30 21:36
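As an added triage helper (not part of this thread and not ComboFix's own tooling), the following Python parses the two formats visible in the log above: the Security Center monitoring keys, to list products whose monitoring has been switched off, and the `state name;display;path [date time size]` service list, to list services whose image file ComboFix could not find (shown as `[?]`). The sample input is constructed from lines of the same shape as the log.

```python
import re

# Constructed sample in the two ComboFix formats used in the log above:
# a .reg-style dump of Security Center keys and the service list.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\\program files\\Adobe\\Photoshop Elements 7.0\\PhotoshopElementsFileAgent.exe [16/09/2008 14:02 163840]
S3 MEMSWEEP2;MEMSWEEP2;\\??\\c:\\windows\\system32\\7C.tmp --> c:\\windows\\system32\\7C.tmp [?]
S4 Motbitagad;Motbitagad;c:\\windows\\system32\\drivers\\ati1mdxx.sys [07/10/2008 10:58 11615]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')


def parse_services(text):
    """One dict per service line; R = running, S = stopped."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            # ComboFix prints "[?]" when the image file could not be found.
            entry["file_missing"] = entry["info"].strip() == "?"
            services.append(entry)
    return services


def disabled_monitoring(text):
    """Security Center products whose DisableMonitoring value is non-zero."""
    products, current_key = [], None
    for line in text.splitlines():
        k = KEY_RE.match(line.strip())
        if k:
            current_key = k.group("key")
            continue
        v = DWORD_RE.match(line.strip())
        if v and current_key and v.group("name") == "DisableMonitoring" \
                and int(v.group("val"), 16) != 0:
            products.append(current_key.rsplit("\\", 1)[-1])
    return products
```

Services whose file is missing and products with monitoring disabled are the entries a helper would ask about first; the script only lists them, it does not judge them.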

#10 Ken Meller

Ken Meller
  • Topic Starter

  • Members
  • 25 posts

Posted 02 August 2009 - 09:58 AM

Ok that went ok - Recovery console now installed. Strange though - I thought that I'd replied once but then couldn't see my posting so here it is again.

McAfee is still playing up - the virus database was out of date and calling for a manual update resulted in a pop-up which reported that it was in fact already up-to-date. So, I ran the McAfee Virtual Technician which corrected a registry error and updated the database. It now seems to be behaving (fingers crossed).

Edited by syler, 02 August 2009 - 11:07 AM.
Removed duplicated log.


#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 02 August 2009 - 12:35 PM

That looks a lot better now, how is the computer running now, any more problems?

Navigate to and delete the following folders.

C:\940BEEA5
C:\winnt_

Then go to Add or Remove programs and remove this old version of Java, as old versions of Java can still be exploited even when you have the latest version.

J2SE Runtime Environment 5.0 Update 2

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Next

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.
  • Then post back with DDS.txt.
  • Also please attach, Attach.txt in your next reply.
Then please post back here with the following:
  • Kaspersky report
  • DDS.txt
  • Attach.txt
Thanks



#12 Ken Meller

Ken Meller
  • Topic Starter

  • Members
  • 25 posts

Posted 02 August 2009 - 01:19 PM

Thanks Syler,

The machine does seem somewhat better - in order to determine if McAfee will continue to behave, I have left the family running Windows and asked to be informed of any strange behaviour (in which case they should go back to working from the Live Linux CD).

I won't have access to the machine until Tuesday afternoon now, so that's when I'll follow up on your instructions above and get back to you.

Cheers,
Ken

#13 Ken Meller

Ken Meller
  • Topic Starter

  • Members
  • 25 posts

Posted 02 August 2009 - 02:28 PM

Quick update: after about 3hrs, McAfee reported that the machine was not protected (quite in what way I don't yet know - previously the firewall was being switched off by something). Ken

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 02 August 2009 - 05:19 PM

Hi Ken,

I'm not sure why you are having problems with McAfee. I can see that monitoring of them by the security center has been disabled, did you disable these settings? If you keep having problems, an uninstall/reinstall may be the best option, although let's wait and see what shows up in the new logs.



#15 Ken Meller

Ken Meller
  • Topic Starter

  • Members
  • 25 posts

Posted 03 August 2009 - 06:52 AM

Yes, I had turned off as much of McAfee as I could for the Combofix run (and the router) - I understood that that was recommended when running Combofix. I turned them all back on again after we'd got the log.

I am not overly familiar with McAfee (I use AVG/ZoneAlarm and Kaspersky on my machines) but I suspect that what happened last night was that it tried to update itself and the verification process failed (which we were getting before the Virtual Technician was run) and that's what the rather sparse notification was warning about - rather than protection actually being turned off. I note that a number of other McAfee users have complained of the verification failure problem. It is a pity I wasn't there to read exactly what was reported and to see whether Windows Security was reporting a gaping hole in the protection. I will re-install it and see if that changes anything.

As you say let's see what the next set of logs bring out into the open.

As the McAfee subscription expires in about 3 weeks - would you recommend renewing it or moving to a different product?

Cheers,
Ken
