
Can't remove ISTbar


12 replies to this topic

#1 sonicx29
  • Members
  • 7 posts

Posted 11 August 2009 - 08:45 AM


After performing a XoftSpySE full scan, it stated that my computer had three malware infections, which include mirar registry kworm, surfsidekick adware, and ISTbar registry kmalware. I believe it's interfering with my browser searches, since they all go to about:blank and load practically forever. I've tried deleting these before and, as expected, they just come back. I don't have any more tricks left to solve this problem, so if someone could help me, the time would be greatly appreciated.


This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:43 AM, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,C:\WINDOWS\System32\dxdiagn32.dll
O20 - Winlogon Notify: 8b1eec1648 - C:\WINDOWS\System32\dxdiagn32.dll
O20 - Winlogon Notify: __c00B4BDA - C:\WINDOWS\
O20 - Winlogon Notify: __c00B70EE - C:\WINDOWS\system32\__c00B70EE.dat
O23 - Service: McAfee Application Installer Cleanup (0321561246999915) (0321561246999915mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\032156~1.EXE (file missing)
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 7507 bytes

Edited by sonicx29, 11 August 2009 - 04:27 PM.
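The O20 and O23 lines in a HijackThis log are the ones a responder reads first, because AppInit_DLLs and Winlogon Notify entries are DLL load points that fire in every user-mode process or at logon, and a service whose binary is "(file missing)" points at something that was installed and later deleted. The helper below is an added example for this thread, not a tool from the forum or from HijackThis; it parses lines in the shape of the log above (the sample entries are copied from it) and groups those load points for manual review. The "random-looking name" heuristic and the reason strings are assumptions of this example, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis log posted above,
# trimmed to the sections this helper looks at.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,C:\WINDOWS\System32\dxdiagn32.dll
O20 - Winlogon Notify: 8b1eec1648 - C:\WINDOWS\System32\dxdiagn32.dll
O20 - Winlogon Notify: __c00B4BDA - C:\WINDOWS\
O20 - Winlogon Notify: __c00B70EE - C:\WINDOWS\system32\__c00B70EE.dat
O23 - Service: McAfee Application Installer Cleanup (0321561246999915) (0321561246999915mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\032156~1.EXE (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O2, O20, O23, ...) and " - ".
HJT_LINE = re.compile(r'^(?P<section>[RFNO]\d+) - (?P<body>.*)$')


@dataclass
class Entry:
    section: str
    body: str


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_hjt(text):
    """Return the R*/F*/N*/O* entries of a HijackThis log as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group('section'), m.group('body')))
    return entries


def looks_random(name):
    """Heuristic (assumption of this example): a registry value name made of
    hex digits, optionally after underscores and one letter, e.g. 8b1eec1648
    or __c00B70EE, is worth a second look."""
    return re.fullmatch(r'_*[A-Za-z]?[0-9A-Fa-f]{6,}', name) is not None


def review(entries):
    """Collect the load points a responder would check by hand."""
    findings = []
    for e in entries:
        if e.section == 'O20' and e.body.startswith('AppInit_DLLs:'):
            # AppInit_DLLs is a comma-separated list loaded into every
            # process that links user32.dll; list each path separately.
            for path in e.body[len('AppInit_DLLs:'):].split(','):
                path = path.strip()
                if path:
                    findings.append(Finding('O20', 'AppInit_DLLs entry', path))
        elif e.section == 'O20' and e.body.startswith('Winlogon Notify:'):
            name, _, path = e.body[len('Winlogon Notify:'):].strip().partition(' - ')
            if looks_random(name):
                findings.append(Finding('O20', 'random-looking Winlogon Notify name', e.body))
            if path.endswith('\\'):
                findings.append(Finding('O20', 'Winlogon Notify target is a directory, not a DLL', e.body))
            elif not path.lower().endswith('.dll'):
                findings.append(Finding('O20', 'Winlogon Notify target lacks a .dll extension', e.body))
        elif e.section == 'O23' and '(file missing)' in e.body:
            # "Unknown owner" alone is weak evidence (the log's legitimate
            # McAfee SiteAdvisor service shows it too), so only the missing
            # binary is flagged here.
            findings.append(Finding('O23', 'service binary missing on disk', e.body))
    return findings


if __name__ == '__main__':
    for f in review(parse_hjt(SAMPLE_LOG)):
        print(f'{f.section:4} {f.reason}: {f.detail}')
```

Run against the sample, the two Google entries (O2, O4) produce nothing, while the AppInit_DLLs list, the three Winlogon Notify entries and the orphaned service each produce at least one line; the output is a review list, not a verdict, and the same logic runs unchanged over a full log pasted into `SAMPLE_LOG`.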



#2 fenzodahl512
  • Members
  • 6,738 posts

Posted 12 August 2009 - 06:03 AM

Hello, my name is fenzodahl512 and welcome to the forum.. Please do the following....


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double-click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.


NEXT


Please download GMER and unzip it to your Desktop. (mirror)
Please rename the random filename (or GMER) to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad; save it and attach it in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GAMERS result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 sonicx29
  • Topic Starter
  • Members
  • 7 posts

Posted 13 August 2009 - 09:28 AM

Hello, fenzodahl512

Thank you for responding to my post. As instructed, I've downloaded The Comedian.exe and it ran smoothly. The next step was to download Malwarebytes' Anti-Malware. No luck on that step though; my browser won't let me download it and instead loads the screen forever. I went on with the RSIT download and ran it with no problems. Lastly was the GMER download, which ran OK until my computer stated "a runtime error has caused this application to close in a very unusual way"; however, I was able to save its last results, which are attached below.

info.txt logfile of random's system information tool 1.06 2009-08-12 23:12:58

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AbiWord 2.7.8-->C:\Program Files\AbiWord\UninstallAbiWord2.exe
Acrobat.com-->MsiExec.exe /X{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Advanced SystemCare 3-->"C:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Photos Screensaver-->MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Haihaisoft Universal Player-->C:\Program Files\Haihaisoft Universal Player\Uninstall.exe
HijackThis 2.0.2-->"C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire 4.18.6-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe"
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Sony Media Manager for PSP 2.0-->MsiExec.exe /X{05861C9A-98C0-4A8F-9A36-EB2F7E0FA2D1}
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoLAN VLC media player 0.8.6i-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinMX Music-->C:\Program Files\WinMX Music\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XoftSpySE-->C:\Program Files\XoftSpySE\uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Security center information======

AV: McAfee VirusScan (disabled)
FW: McAfee Personal Firewall

======System event log======

Computer Name: HOME-8E149AE411
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00065BA59EE4. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 3554
Source Name: Dhcp
Time Written: 20090621210208.000000-300
Event Type: warning
User:

Computer Name: HOME-8E149AE411
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 3545
Source Name: Tcpip
Time Written: 20090621150428.000000-300
Event Type: warning
User:

Computer Name: HOME-8E149AE411
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 3538
Source Name: W32Time
Time Written: 20090621020329.000000-300
Event Type: warning
User:

Computer Name: HOME-8E149AE411
Event Code: 7031
Message: The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Record Number: 3519
Source Name: Service Control Manager
Time Written: 20090620123943.000000-300
Event Type: error
User:

Computer Name: HOME-8E149AE411
Event Code: 10010
Message: The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

Record Number: 3511
Source Name: DCOM
Time Written: 20090620122540.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: HOME-8E149AE411
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 59
Source Name: WinMgmt
Time Written: 20090602135044.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-8E149AE411
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 58
Source Name: WinMgmt
Time Written: 20090602135044.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-8E149AE411
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 50
Source Name: WinMgmt
Time Written: 20090602122312.000000-300
Event Type: warning
User: HOME-8E149AE411\Administrator

Computer Name: HOME-8E149AE411
Event Code: 1000
Message: Faulting application nmindexstoresvr.exe, version 3.3.3.0, faulting module unknown, version 0.0.0.0, fault address 0x01e2a36a.

Record Number: 47
Source Name: Application Error
Time Written: 20090602064140.000000-300
Event Type: error
User:

Computer Name: HOME-8E149AE411
Event Code: 1517
Message: Windows saved user HOME-8E149AE411\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 29
Source Name: Userenv
Time Written: 20090531110814.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-12 23:12:47
Microsoft Windows XP Professional Service Pack 3
System drive C: has 8 GB (22%) free of 38 GB
Total RAM: 255 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:44 AM, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\XoftSpySE\XoftSpy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,C:\WINDOWS\System32\dxdiagn32.dll
O20 - Winlogon Notify: 8b1eec1648 - C:\WINDOWS\System32\dxdiagn32.dll
O20 - Winlogon Notify: __c00B4BDA - C:\WINDOWS\
O20 - Winlogon Notify: __c00B70EE - C:\WINDOWS\system32\__c00B70EE.dat
O23 - Service: McAfee Application Installer Cleanup (0321561246999915) (0321561246999915mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\032156~1.EXE (file missing)
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 7538 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-790525478-1801674531-500Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-790525478-1801674531-500UA.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mskapbho.dll [2009-01-09 246800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-07-29 312928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-03-25 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-12 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-06-21 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-23 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-15 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-15 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"McENUI"=C:\PROGRA~1\McAfee\MHN\McENUI.exe [2009-01-09 1176808]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-14 30192]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-15 148888]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-01-08 645328]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-02-16 282624]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-07-29 198160]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-14 133104]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-02-14 39408]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Advanced SystemCare 3"=C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]
"A00F1305ADB.exe"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F1305ADB.exe [2009-08-12 36864]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,C:\WINDOWS\System32\dxdiagn32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\8b1eec1648]
C:\WINDOWS\System32\dxdiagn32.dll [2009-07-22 118272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00B4BDA]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00B70EE]
C:\WINDOWS\system32\__c00B70EE.dat [2009-08-12 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Sony\Media Manager for PSP 2.0\MediaManager.exe"="C:\Program Files\Sony\Media Manager for PSP 2.0\MediaManager.exe:*:Enabled:Media Manager for PSP 2.0"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13893de6-0454-11de-a940-00065ba59ee4}]
shell\Auto\command - F:\Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76235031-4ca7-11de-a94b-00065ba59ee4}]
shell\Auto\command - Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a8adf7a-fc32-11dd-a93d-00065ba59ee4}]
shell\Auto\command - Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bdb8514-0f52-11de-a941-00065ba59ee4}]
shell\Auto\command - F:\Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe


======List of files/folders created in the last 3 months======

2009-08-12 23:12:47 ----D---- C:\rsit
2009-08-12 23:04:23 ----D---- C:\WINDOWS\ERDNT
2009-08-12 23:02:48 ----D---- C:\Program Files\ERUNT
2009-08-12 03:10:55 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 03:10:36 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 03:10:24 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 03:09:53 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-12 03:09:30 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 03:09:08 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 03:08:53 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 03:07:40 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-12 03:01:42 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-11 08:19:19 ----A---- C:\HijackThis.exe
2009-08-11 08:17:13 ----A---- C:\Program Files\HijackThis.exe
2009-08-11 00:58:14 ----SHD---- C:\Config.Msi
2009-08-11 00:58:10 ----A---- C:\WINDOWS\system32\ShellManager310E2D762.dll
2009-08-11 00:53:37 ----A---- C:\WINDOWS\Irremote.ini
2009-08-10 20:08:55 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-10 19:56:00 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-10 19:55:58 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-10 16:07:48 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-10 16:07:48 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 15:07:31 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-08-09 18:30:40 ----D---- C:\Program Files\XoftSpySE
2009-08-08 13:15:02 ----D---- C:\Documents and Settings\Administrator\Application Data\enchant
2009-08-08 13:10:55 ----D---- C:\Program Files\AbiWord
2009-08-08 11:29:45 ----D---- C:\WINDOWS\ie8updates
2009-08-08 11:24:52 ----HDC---- C:\WINDOWS\ie8
2009-08-08 11:11:31 ----D---- C:\Documents and Settings\Administrator\Application Data\Opera
2009-08-08 11:11:17 ----D---- C:\Program Files\Opera
2009-08-08 10:17:43 ----ASH---- C:\WINDOWS\system32\32A.tmp
2009-08-07 10:05:43 ----D---- C:\WINDOWS\Sun
2009-08-06 08:29:28 ----ASH---- C:\WINDOWS\system32\E.tmp
2009-08-06 08:14:50 ----SHD---- C:\WINDOWS\system32\SystemX86
2009-08-06 08:14:28 ----A---- C:\WINDOWS\system32\408.tmp
2009-08-01 07:23:23 ----A---- C:\WINDOWS\GnuHashes.ini
2009-07-29 19:00:44 ----A---- C:\WINDOWS\cdplayer.ini
2009-07-29 18:58:45 ----D---- C:\Program Files\Common Files\xing shared
2009-07-29 18:58:17 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-07-29 18:57:40 ----A---- C:\WINDOWS\system32\pndx5032.dll
2009-07-29 18:57:40 ----A---- C:\WINDOWS\system32\pndx5016.dll
2009-07-29 18:57:35 ----A---- C:\WINDOWS\system32\pncrt.dll
2009-07-29 18:57:20 ----D---- C:\Program Files\Real
2009-07-29 18:56:55 ----D---- C:\Documents and Settings\Administrator\Application Data\Real
2009-07-29 18:40:59 ----D---- C:\Documents and Settings\Administrator\Application Data\Haihaisoft
2009-07-29 18:40:40 ----D---- C:\Documents and Settings\Administrator\Application Data\Haihaisoft Universal Player
2009-07-29 18:38:47 ----D---- C:\Program Files\Common Files\Real
2009-07-29 18:37:43 ----D---- C:\Program Files\Haihaisoft Universal Player
2009-07-24 03:03:24 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2009-07-24 03:03:03 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2009-07-24 03:02:29 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-07-24 03:02:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-07-24 03:01:25 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2009-07-23 13:53:58 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-07-23 13:53:57 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2009-07-23 13:52:14 ----D---- C:\Program Files\Windows Media Connect 2
2009-07-23 13:51:47 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2009-07-23 13:49:40 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-07-23 13:48:15 ----D---- C:\WINDOWS\system32\LogFiles
2009-07-23 13:47:58 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2009-07-22 14:23:46 ----A---- C:\WINDOWS\system32\dxdiagn32.dll
2009-07-22 14:23:42 ----A---- C:\WINDOWS\system32\qXnD9yOemfxH8.vbs
2009-07-15 03:06:45 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 03:06:30 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-15 03:01:19 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-09 17:50:19 ----D---- C:\Program Files\Common Files\Adobe
2009-07-09 17:50:18 ----D---- C:\Program Files\Adobe
2009-07-09 17:47:11 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-07-09 17:46:57 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-07-09 17:38:24 ----D---- C:\Program Files\NOS
2009-07-09 17:38:24 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-07-04 18:41:49 ----D---- C:\WINDOWS\Minidump
2009-07-04 17:45:51 ----HD---- C:\Documents and Settings\All Users\Application Data\CanonBJ
2009-07-04 17:45:42 ----A---- C:\WINDOWS\system32\CNMLM7Y.DLL
2009-06-20 12:59:48 ----D---- C:\Documents and Settings\All Users\Application Data\Trymedia
2009-06-20 12:59:01 ----D---- C:\Documents and Settings\All Users\Application Data\InstallShield
2009-06-11 03:05:49 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-06-11 03:05:35 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-06-11 03:02:25 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-06-11 03:01:00 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-06-03 03:01:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-06-03 03:01:22 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-06-03 03:00:59 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-06-02 13:45:54 ----D---- C:\WINDOWS\Prefetch
2009-06-02 12:44:55 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-06-02 12:44:35 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-06-02 12:44:19 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-06-02 12:43:58 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-06-02 12:43:42 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-06-02 12:43:27 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-06-02 12:43:12 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-06-02 12:42:58 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-06-02 12:42:36 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-06-02 12:42:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-06-02 12:41:54 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-06-02 12:41:38 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-06-02 12:40:17 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-06-02 12:39:36 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-06-02 12:39:22 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-06-02 12:38:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-06-02 12:38:19 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-06-02 12:38:05 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-06-02 12:37:46 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-06-02 12:37:29 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-06-02 12:37:00 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-06-02 12:36:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-06-02 12:35:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-06-02 12:35:35 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-06-02 12:35:21 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-06-02 12:35:04 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-06-02 12:34:50 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-06-02 12:34:24 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-06-02 12:18:59 ----D---- C:\WINDOWS\system32\scripting
2009-06-02 12:18:57 ----D---- C:\WINDOWS\l2schemas
2009-06-02 12:18:55 ----D---- C:\WINDOWS\system32\en
2009-06-02 12:18:54 ----D---- C:\WINDOWS\system32\bits
2009-06-02 12:12:05 ----D---- C:\WINDOWS\ServicePackFiles
2009-06-02 12:03:46 ----A---- C:\WINDOWS\imsins.BAK
2009-06-02 12:03:32 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-06-02 11:56:34 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-06-02 11:25:53 ----D---- C:\WINDOWS\system32\appmgmt
2009-05-20 03:00:56 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2009-05-13 21:59:46 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-05-13 21:55:31 ----D---- C:\Yahoo!

======List of files/folders modified in the last 3 months======

2009-08-12 23:04:23 ----D---- C:\WINDOWS
2009-08-12 23:02:48 ----RD---- C:\Program Files
2009-08-12 22:23:20 ----D---- C:\WINDOWS\Temp
2009-08-12 18:17:16 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-12 12:49:01 ----SD---- C:\WINDOWS\Tasks
2009-08-12 08:50:07 ----D---- C:\WINDOWS\system32
2009-08-12 03:11:04 ----HD---- C:\WINDOWS\inf
2009-08-12 03:11:01 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-12 03:09:49 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-12 03:08:56 ----D---- C:\Program Files\Outlook Express
2009-08-11 23:49:57 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-11 08:23:12 ----D---- C:\Program Files\Mozilla Firefox
2009-08-11 01:00:13 ----A---- C:\WINDOWS\system32\MsiExec.exe.log
2009-08-11 00:59:14 ----D---- C:\Program Files\Common Files\Nero
2009-08-11 00:59:12 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
2009-08-11 00:59:09 ----D---- C:\WINDOWS\system32\drivers
2009-08-11 00:51:12 ----SHD---- C:\WINDOWS\Installer
2009-08-11 00:31:19 ----A---- C:\WINDOWS\NeroDigital.ini
2009-08-10 23:51:34 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-08-10 18:50:29 ----D---- C:\Program Files\Common Files
2009-08-08 13:12:27 ----RSD---- C:\WINDOWS\Fonts
2009-08-08 13:11:52 ----D---- C:\WINDOWS\WinSxS
2009-08-08 11:59:31 ----D---- C:\WINDOWS\system32\en-US
2009-08-08 11:59:30 ----D---- C:\WINDOWS\Media
2009-08-08 11:59:30 ----D---- C:\WINDOWS\Help
2009-08-08 11:59:30 ----D---- C:\Program Files\Internet Explorer
2009-08-05 04:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-07-30 16:43:53 ----D---- C:\Documents and Settings\Administrator\Application Data\IObit
2009-07-29 19:49:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-29 18:57:36 ----A---- C:\WINDOWS\system32\msvcr71.dll
2009-07-29 18:57:35 ----A---- C:\WINDOWS\system32\msvcp71.dll
2009-07-24 03:03:48 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-23 13:52:57 ----A---- C:\WINDOWS\win.ini
2009-07-23 13:52:13 ----D---- C:\Program Files\Windows Media Player
2009-07-19 18:48:58 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-19 08:18:59 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-18 22:53:02 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-07-17 14:01:06 ----A---- C:\WINDOWS\system32\atl.dll
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmpdxm.dll
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmp.dll
2009-07-09 17:56:37 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2009-07-07 15:51:24 ----D---- C:\Program Files\McAfee
2009-07-03 12:09:28 ----A---- C:\WINDOWS\system32\wininet.dll
2009-07-03 12:09:27 ----N---- C:\WINDOWS\system32\occache.dll
2009-07-03 12:09:27 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-07-03 12:09:25 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-07-03 12:09:25 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-07-03 12:09:24 ----N---- C:\WINDOWS\system32\jsproxy.dll
2009-07-03 12:09:24 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-07-03 12:09:23 ----N---- C:\WINDOWS\system32\iepeers.dll
2009-07-03 12:09:21 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2009-07-03 06:01:06 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2009-06-29 11:12:14 ----N---- C:\WINDOWS\system32\extmgr.dll
2009-06-20 13:08:04 ----HD---- C:\Program Files\InstallShield Installation Information
2009-06-20 12:38:50 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-06-20 12:38:33 ----D---- C:\Program Files\Common Files\InstallShield
2009-06-16 09:36:30 ----A---- C:\WINDOWS\system32\t2embed.dll
2009-06-16 09:36:30 ----A---- C:\WINDOWS\system32\fontsub.dll
2009-06-12 07:31:40 ----A---- C:\WINDOWS\system32\tlntsess.exe
2009-06-12 07:31:39 ----A---- C:\WINDOWS\system32\telnet.exe
2009-06-10 09:19:38 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-06-10 09:13:29 ----A---- C:\WINDOWS\system32\avifil32.dll
2009-06-10 01:14:49 ----A---- C:\WINDOWS\system32\wkssvc.dll
2009-06-03 14:09:37 ----A---- C:\WINDOWS\system32\quartz.dll
2009-06-02 13:51:43 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-06-02 13:48:31 ----AC---- C:\WINDOWS\OEWABLog.txt
2009-06-02 13:46:00 ----AC---- C:\WINDOWS\setuplog.txt
2009-06-02 13:45:28 ----D---- C:\WINDOWS\system32\Setup
2009-06-02 13:45:28 ----D---- C:\WINDOWS\AppPatch
2009-06-02 13:45:27 ----D---- C:\WINDOWS\system32\wbem
2009-06-02 13:44:55 ----D---- C:\WINDOWS\security
2009-06-02 12:35:07 ----D---- C:\Program Files\Messenger
2009-06-02 12:19:42 ----D---- C:\WINDOWS\system32\inetsrv
2009-06-02 12:19:40 ----D---- C:\WINDOWS\network diagnostic
2009-06-02 12:19:40 ----D---- C:\WINDOWS\ime
2009-06-02 12:19:01 ----D---- C:\WINDOWS\system32\usmt
2009-06-02 12:18:54 ----D---- C:\WINDOWS\PeerNet
2009-06-02 12:18:53 ----D---- C:\Program Files\Movie Maker
2009-06-02 12:11:45 ----D---- C:\WINDOWS\system32\Restore
2009-06-02 12:11:45 ----D---- C:\WINDOWS\system32\npp
2009-06-02 12:11:44 ----D---- C:\WINDOWS\mui
2009-06-02 12:11:41 ----D---- C:\WINDOWS\msagent
2009-06-02 12:11:38 ----D---- C:\WINDOWS\srchasst
2009-06-02 12:11:36 ----D---- C:\Program Files\NetMeeting
2009-06-02 12:11:33 ----D---- C:\WINDOWS\system32\Com
2009-06-02 12:11:27 ----D---- C:\Program Files\Windows NT
2009-06-02 12:11:21 ----D---- C:\Program Files\Common Files\System
2009-06-02 12:10:45 ----D---- C:\WINDOWS\system32\oobe
2009-06-02 12:10:41 ----D---- C:\WINDOWS\system
2009-06-02 11:56:22 ----D---- C:\WINDOWS\ehome
2009-06-02 11:28:20 ----D---- C:\WINDOWS\SoftwareDistribution
2009-05-13 21:57:36 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-05-13 21:55:31 ----D---- C:\Program Files\Yahoo!
2009-05-13 21:55:19 ----D---- C:\Program Files\Common Files\Microsoft Shared

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-03-25 214024]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2008-10-23 120136]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-07-07 56108]
R3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 ati2mtaa;ati2mtaa; C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]
R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-03-25 79880]
S3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-03-25 35272]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-03-25 34216]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-03-25 40552]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-15 152984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-01-08 797864]
R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2009-01-09 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-01-09 359952]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-03-19 884360]
R2 MSK80Service;McAfee SpamKiller Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2009-01-09 26640]
S2 0321561246999915mcinstcleanup;McAfee Application Installer Cleanup (0321561246999915); C:\WINDOWS\TEMP\032156~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-03-25 144704]
S2 spupdsvc;Windows Service Pack Installer update service; C:\WINDOWS\system32\spupdsvc.exe [2009-01-07 26144]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-14 30192]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-04-01 365072]
S3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-03-24 606736]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------




#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 13 August 2009 - 10:23 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:



It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 sonicx29

sonicx29
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:43 AM

Posted 13 August 2009 - 12:45 PM

Hello, fenzodahl512

As instructed, I ran the Combo-Fix program, which ran smoothly. Here are the results:

ComboFix 09-08-10.06 - Administrator 08/13/2009 12:00.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.92 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\87.tmp
c:\documents and settings\Administrator\Application Data\02000000f871d2ff648C.manifest
c:\documents and settings\Administrator\Application Data\02000000f871d2ff648O.manifest
c:\documents and settings\Administrator\Application Data\02000000f871d2ff648P.manifest
c:\documents and settings\Administrator\Application Data\02000000f871d2ff648S.manifest
c:\documents and settings\Administrator\Local Settings\Temp\87.tmp
C:\install.exe
c:\windows\GnuHashes.ini
c:\windows\system32\__c0014A47.dat
c:\windows\system32\__c0017D10.dat
c:\windows\system32\__c0020059.dat
c:\windows\system32\__c003023A.dat
c:\windows\system32\__c003A2D4.dat
c:\windows\system32\__c003C371.dat
c:\windows\system32\__c003E232.dat
c:\windows\system32\__c004070D.dat
c:\windows\system32\__c004A1E1.dat
c:\windows\system32\__c009A969.dat
c:\windows\system32\__c00AB8C8.dat
c:\windows\system32\__c00AE27E.dat
c:\windows\system32\__c00B372A.dat
c:\windows\system32\__c00B6341.dat
c:\windows\system32\__c00B70EE.dat
c:\windows\system32\__c00D2848.dat
c:\windows\system32\__c00D3844.dat
c:\windows\system32\__c00DBD6D.dat
c:\windows\system32\__c00EFF7D.dat
c:\windows\system32\__c00F9D83.dat
c:\windows\system32\__c00FEE6D.dat
c:\windows\system32\E.tmp
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\qXnD9yOemfxH8.vbs
c:\windows\system32\SystemX86
c:\windows\system32\SystemX86\253.crack.zip
c:\windows\system32\SystemX86\253.crack.zip.kwd
c:\windows\system32\SystemX86\254.keygen.zip
c:\windows\system32\SystemX86\254.keygen.zip.kwd
c:\windows\system32\SystemX86\255.serial.zip
c:\windows\system32\SystemX86\255.serial.zip.kwd
c:\windows\system32\SystemX86\256.setup.zip
c:\windows\system32\SystemX86\256.setup.zip.kwd
c:\windows\system32\SystemX86\257.music.au
c:\windows\system32\SystemX86\257.music.au.kwd
c:\windows\system32\SystemX86\258.music2.au
c:\windows\system32\SystemX86\258.music2.au.kwd
c:\windows\system32\SystemX86\259.music3.au
c:\windows\system32\SystemX86\259.music3.au.kwd
c:\windows\system32\SystemX86\260.music.snd
c:\windows\system32\SystemX86\260.music.snd.kwd
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-13 17:11 . 2009-08-13 17:13 -------- d-sh--w- c:\windows\system32\SystemX86
2009-08-13 04:12 . 2009-08-13 04:41 -------- d-----w- C:\rsit
2009-08-13 04:02 . 2009-08-13 04:02 -------- d-----w- c:\program files\ERUNT
2009-08-12 04:50 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 13:19 . 2007-06-28 19:36 401720 ----a-w- C:\HijackThis.exe
2009-08-11 13:17 . 2007-06-28 19:36 401720 ----a-w- c:\program files\HijackThis.exe
2009-08-11 05:58 . 2008-02-28 20:26 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll
2009-08-11 00:56 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 00:56 . 2009-08-11 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-11 00:55 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 00:55 . 2009-08-11 01:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 21:07 . 2009-08-11 00:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-10 21:07 . 2009-08-11 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 20:07 . 2009-08-10 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-09 23:30 . 2009-08-09 23:31 -------- d-----w- c:\program files\XoftSpySE
2009-08-08 18:23 . 2009-08-08 18:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-08 18:15 . 2009-08-08 18:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\enchant
2009-08-08 18:13 . 2009-08-09 15:55 -------- d-----w- c:\documents and settings\Administrator\AbiSuite
2009-08-08 18:10 . 2009-08-08 18:12 -------- d-----w- c:\program files\AbiWord
2009-08-08 17:09 . 2009-08-08 17:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-08 16:59 . 2009-08-08 16:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-08 16:29 . 2009-08-08 16:29 -------- d-----w- c:\windows\ie8updates
2009-08-08 16:24 . 2009-08-08 16:28 -------- dc-h--w- c:\windows\ie8
2009-08-08 16:22 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-08 16:22 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-08 16:20 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-08 16:11 . 2009-08-08 16:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2009-08-08 16:11 . 2009-08-08 16:11 -------- d-----w- c:\program files\Opera
2009-08-07 15:05 . 2009-08-07 15:05 -------- d-----w- c:\windows\Sun
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 19:45 . 2009-07-30 19:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-07-29 23:58 . 2009-07-29 23:58 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-29 23:57 . 2009-07-29 23:57 -------- d-----w- c:\program files\Real
2009-07-29 23:40 . 2009-07-29 23:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Haihaisoft
2009-07-29 23:40 . 2009-07-29 23:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Haihaisoft Universal Player
2009-07-29 23:38 . 2009-07-29 23:58 -------- d-----w- c:\program files\Common Files\Real
2009-07-29 23:37 . 2009-07-29 23:37 -------- d-----w- c:\program files\Haihaisoft Universal Player
2009-07-23 18:56 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-07-23 18:52 . 2009-07-23 18:52 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-23 18:48 . 2009-07-23 18:50 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-07-23 18:48 . 2009-07-23 18:48 -------- d-----w- c:\windows\system32\LogFiles
2009-07-22 19:23 . 2009-07-22 19:23 118272 ----a-w- c:\windows\system32\dxdiagn32.dll
2009-07-18 01:17 . 2009-08-01 10:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 17:11 . 2009-08-13 17:11 518144 --sha-w- c:\windows\system32\7B.tmp
2009-08-13 06:53 . 2009-02-14 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-13 04:18 . 2009-08-13 04:18 0 ----a-w- c:\windows\system32\8C2.tmp
2009-08-13 04:18 . 2009-08-13 04:18 0 ----a-w- c:\windows\system32\8C1.tmp
2009-08-11 05:59 . 2009-02-14 18:05 -------- d-----w- c:\program files\Common Files\Nero
2009-08-11 05:59 . 2009-02-14 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-08 15:18 . 2009-08-08 15:17 518144 --sha-w- c:\windows\system32\32A.tmp
2009-08-08 15:15 . 2009-02-14 19:12 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-06 13:14 . 2009-08-06 13:14 0 ----a-w- c:\windows\system32\408.tmp
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 21:43 . 2009-02-14 18:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-07-29 23:57 . 2006-08-11 23:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-29 23:57 . 2006-08-11 23:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-19 03:53 . 2009-02-14 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-19 03:36 . 2009-07-09 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-19 03:36 . 2009-07-09 22:38 -------- d-----w- c:\program files\NOS
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 22:53 . 2009-07-09 22:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 22:46 . 2009-07-09 22:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-09 22:40 . 2009-07-09 22:40 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-07 20:51 . 2009-02-14 17:54 -------- d-----w- c:\program files\McAfee
2009-07-06 00:35 . 2009-02-10 11:40 17280 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 22:45 . 2009-07-04 22:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-20 18:08 . 2009-02-17 01:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-20 17:59 . 2009-06-20 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-06-20 17:59 . 2009-06-20 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-20 17:38 . 2009-02-17 01:19 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2009-02-10 03:28 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 17:27 . 2009-02-10 03:33 87263 -c--a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-30 15:09 . 2009-08-08 18:12 57948 ----a-w- c:\windows\Fonts\Dingbats.ttf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-14 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-14 30192]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-17 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-29 198160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\8b1eec1648]
2009-07-22 19:23 118272 ----a-w- c:\windows\system32\dxdiagn32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/15/2009 1:04 PM 210216]
S2 0321561246999915mcinstcleanup;McAfee Application Installer Cleanup (0321561246999915);c:\windows\TEMP\032156~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\032156~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/14/2009 1:43 PM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-14 09:12]

2009-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-790525478-1801674531-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-14 18:34]

2009-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-790525478-1801674531-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-14 18:34]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-02-14 16:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-02-14 16:53]

2009-08-11 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2006-03-10 20:24]
.
- - - - ORPHANS REMOVED - - - -

Notify-__c00B4BDA - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vvs8ylly.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 12:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\ADMINI~1\LOCALS~1\Temp\catchme.sys


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-790525478-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,a2,a5,3d,98,50,3e,4c,a0,92,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,a2,a5,3d,98,50,3e,4c,a0,92,c0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\System32\dxdiagn32.dll

- - - - - - - > 'explorer.exe'(4012)
c:\windows\system32\WININET.dll
c:\windows\System32\dxdiagn32.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\7B.tmp
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\wscntfy.exe
c:\combo-fix\hidec.exe
c:\windows\system32\dwwin.exe
c:\combo-fix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-08-13 12:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 17:17

Pre-Run: 8,703,635,456 bytes free
Post-Run: 8,599,453,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

357 --- E O F --- 2009-08-12 08:11

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 13 August 2009 - 01:24 PM

Please download the OTM by OldTimer
  • Save it to your Desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :files
    c:\windows\system32\*.tmp
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Next, try to download and run Malwarebytes once again.. If it succeeds, please install >> update >> run "Full Scan" >> remove everything that it finds >> post the log here..

If you still can't download it, just tell me more about it :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
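The OTM script in the post above moves every .tmp file found directly in system32. As an added example (not part of this thread and not code from ComboFix, OTM or Malwarebytes), the Python below parses lines in the two ComboFix log formats posted in reply #5 (the "Find3M Report" file lines and the "DLLs Loaded Under Running Processes" section) and shows why those files stand out to a helper: hidden+system attributes and, for 7B.tmp, being loaded as a module into explorer.exe. The sample lines are constructed from entries in that log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the ComboFix "Find3M Report" format
# (created . modified size attributes path), modelled on the log in reply #5.
FIND3M_SAMPLE = """\
2009-08-13 17:11 . 2009-08-13 17:11 518144 --sha-w- c:\\windows\\system32\\7B.tmp
2009-08-13 04:18 . 2009-08-13 04:18 0 ----a-w- c:\\windows\\system32\\8C2.tmp
2009-08-08 15:18 . 2009-08-08 15:17 518144 --sha-w- c:\\windows\\system32\\32A.tmp
2009-07-29 23:57 . 2006-08-11 23:02 348160 ----a-w- c:\\windows\\system32\\msvcr71.dll
2009-08-13 06:53 . 2009-02-14 18:41 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\Google Updater
"""

# Constructed sample in the "DLLs Loaded Under Running Processes" format.
LOADED_SAMPLE = """\
- - - - - - - > 'winlogon.exe'(576)
c:\\windows\\System32\\dxdiagn32.dll

- - - - - - - > 'explorer.exe'(4012)
c:\\windows\\system32\\WININET.dll
c:\\windows\\System32\\dxdiagn32.dll
c:\\windows\\system32\\7B.tmp
c:\\windows\\system32\\ieframe.dll
"""

FIND3M_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S{8}) (.+)$"
)
PROC_HEADER_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")
# A .tmp file sitting directly in system32: the same pattern the OTM script moves.
SYSTEM32_TMP_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.tmp$", re.IGNORECASE)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (size column is "--------")
    attrs: str            # e.g. "--sha-w-": 'd' directory, 's' system, 'h' hidden
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        # Both flags set on a loose file is unusual for anything Windows itself drops here.
        return "s" in self.attrs and "h" in self.attrs


def parse_find3m(text: str) -> list[FileEntry]:
    """Parse Find3M / 'Files Created' style lines; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(FileEntry(created, modified,
                                 int(size) if size.isdigit() else None,
                                 attrs, path.strip()))
    return entries


def parse_loaded_modules(text: str) -> dict[str, list[str]]:
    """Map 'process(pid)' -> module paths listed under that process header."""
    loaded: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = PROC_HEADER_RE.match(line)
        if m:
            current = f"{m.group(1)}({m.group(2)})"
            loaded[current] = []
        elif line and current is not None:
            loaded[current].append(line)
    return loaded


def triage_tmp_files(entries, loaded):
    """Return [(path, [reasons])] for system32 .tmp files that deserve a closer look."""
    loaded_by: dict[str, list[str]] = {}
    for proc, mods in loaded.items():
        for mod in mods:
            loaded_by.setdefault(mod.lower(), []).append(proc)
    findings = []
    for e in entries:
        if e.is_dir or not SYSTEM32_TMP_RE.match(e.path):
            continue
        reasons = []
        if e.hidden_system:
            reasons.append("hidden+system attributes")
        procs = loaded_by.get(e.path.lower())
        if procs:
            # A .tmp file mapped into a running process is a DLL in disguise.
            reasons.append("loaded as a module into " + ", ".join(procs))
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage_tmp_files(parse_find3m(FIND3M_SAMPLE),
                                          parse_loaded_modules(LOADED_SAMPLE)):
        print(f"{path}: {'; '.join(reasons)}")
```

A zero-byte .tmp such as 8C2.tmp is not flagged on its own; the OTM step still sweeps it up, but the two signals above are what separate an injected payload from leftover installer debris.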


#7 sonicx29

sonicx29
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:43 AM

Posted 14 August 2009 - 11:29 AM

Hello, fenzodahl512

I downloaded OTM with no problems and let it run. Everything went right, and it asked for a reboot, which it performed. Next I tried downloading Malwarebytes again, and it worked this time. I've removed all the listed infected files. Both logs are posted below.


OTM log

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
c:\windows\system32\22B.tmp moved successfully.
c:\windows\system32\32A.tmp moved successfully.
c:\windows\system32\408.tmp moved successfully.
c:\windows\system32\7B.tmp moved successfully.
c:\windows\system32\8C1.tmp moved successfully.
c:\windows\system32\8C2.tmp moved successfully.
c:\windows\system32\CONFIG.TMP moved successfully.
c:\windows\system32\SET15C.tmp moved successfully.
c:\windows\system32\SET161.tmp moved successfully.
c:\windows\system32\SET168.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\246.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 40805 bytes
->Temporary Internet Files folder emptied: 12426826 bytes
->Java cache emptied: 14343532 bytes
->FireFox cache emptied: 84880810 bytes
->Google Chrome cache emptied: 0 bytes
->Opera cache emptied: 62888530 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 3555 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 168.59 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08142009_094340

Files moved on Reboot...
C:\Documents and Settings\Administrator\Local Settings\Temp\246.tmp moved successfully.

Registry entries deleted on Reboot...


Malwarebytes' Anti-Malware 1.40
Database version: 2623
Windows 5.1.2600 Service Pack 3

8/14/2009 11:14:07 AM
mbam-log-2009-08-14 (11-13-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 125201
Time elapsed: 1 hour(s), 2 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c007F651.dat (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\temp\85.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dxdiagn32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007f651 (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\8b1eec1648 (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> No action taken.

Files Infected:
C:\WINDOWS\system32\__c007F651.dat (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\temp\85.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\My Documents\PSP Games\Project64_1.7.0.54\Plugin\GFX\RiceVideoMud.dll (Malware.Packer) -> No action taken.
C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\LOCALS~1\Temp\87.tmp.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\E.tmp.vir (Trojan.Tracur) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0014A47.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0017D10.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0020059.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c003023A.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c003A2D4.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c003C371.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c003E232.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c004070D.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c004A1E1.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c009A969.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00AB8C8.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00AE27E.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00B372A.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00B6341.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00B70EE.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00D2848.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00D3844.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00DBD6D.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00EFF7D.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00F9D83.dat.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00FEE6D.dat.vir (Trojan.Downloader) -> No action taken.
C:\_OTM\MovedFiles\08142009_094340\Documents and Settings\Administrator\Local Settings\Temp\246.tmp (Trojan.Agent) -> No action taken.
C:\_OTM\MovedFiles\08142009_094340\windows\system32\22B.tmp (Trojan.Tracur) -> No action taken.
C:\_OTM\MovedFiles\08142009_094340\windows\system32\32A.tmp (Trojan.Tracur) -> No action taken.
C:\_OTM\MovedFiles\08142009_094340\windows\system32\7B.tmp (Trojan.Tracur) -> No action taken.
C:\WINDOWS\system32\SystemX86\258.music2.au (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\SystemX86\259.music3.au (Worm.Archive) -> No action taken.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\dxdiagn32.dll (Trojan.Agent) -> No action taken.

#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 14 August 2009 - 01:49 PM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 sonicx29
  • Topic Starter

  • Members
  • 7 posts

Posted 14 August 2009 - 09:28 PM

Hello, fenzodahl512

I tried to use the online scanner and everything went smoothly until the update screen was at 99%, then it read "cannot get update. proxy configured?" The thing is, I don't use a proxy to connect to the internet; I have a direct connection. Would this be because my McAfee firewall is active? Should I temporarily disable it? BTW, thanks for the help thus far. I can see the performance improving, no more redirected browser searches. :thumbup2:

#10 fenzodahl512

  • Members
  • 6,738 posts

Posted 15 August 2009 - 12:35 AM

Let's do an alternative scanner :thumbup2:


Go HERE and download Dr.Web CureIt to the Desktop. It will be downloaded as a random filename.
  • Run Dr.Web CureIt (random filename) and let it run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (open it in Notepad)



#11 sonicx29
  • Topic Starter

  • Members
  • 7 posts

Posted 15 August 2009 - 09:43 PM

Hello, fenzodahl512

Drweb.csv log


257.music.au.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\SystemX86;Trojan.WMALoader;Cured.;
258.music2.au.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\SystemX86;Trojan.WMALoader;Cured.;
259.music3.au.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\SystemX86;Trojan.WMALoader;Cured.;
260.music.snd.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\SystemX86;Trojan.WMALoader;Cured.;

#12 fenzodahl512

  • Members
  • 6,738 posts

Posted 16 August 2009 - 01:44 AM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos

Also, please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:

Have a safe and happy computing day!

Regards
fenzodahl512



#13 sonicx29
  • Topic Starter

  • Members
  • 7 posts

Posted 17 August 2009 - 09:49 AM

Hello, fenzodahl512


Thank you very much, the computer now feels like I just bought it. Not only did you help me to clear the malware, but it also seems to be working faster than before. I'll be sure to read the articles listed by you to avoid my computer being in this condition again. You guys at HJT rock!!! Once again, thank you so much for the time, effort, and skill needed to fix my computer.
