
Virus / Firefox Hijack - Not IE

This topic is locked. 16 replies to this topic.

#1 esbaylus (Members, 31 posts)

Posted 03 October 2009 - 02:52 PM

Vista x86.

OK, I cannot run the DDS.SCR - I get a "windows cannot find cmd".

I ran rootrepeal, and have attached the ARK.TXT file.

Firefox is hijacked, but IE is OK. I'm able to run SOME programs in safemode, but not much at all in normal mode.


Where to start??



Gene

Attached Files

  • Attached File  ark.txt   2.59KB   2 downloads

Edited by esbaylus, 03 October 2009 - 02:53 PM.



#2 schrauber, Mr.Mechanic (Malware Response Team, 24,794 posts; Location: Munich, Germany)

Posted 21 October 2009 - 01:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 esbaylus, Topic Starter (Members, 31 posts)

Posted 21 October 2009 - 03:02 PM

OK, I MAY have cleaned the system by following OTHER threads in this forum, but I'm not sure.

DDS Log:


DDS (Ver_09-10-13.01) - NTFSx86
Run by Baylus at 15:53:46.65 on Wed 10/21/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.958.411 [GMT -4:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\lxcrcoms.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Baylus\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefre~1\YREFRE~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [lxcrmon.exe] "c:\program files\lexmark 2400 series\lxcrmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\baylus\appdata\roaming\mozilla\firefox\profiles\u2rqimzj.default\
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-2-2 179712]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]

=============== Created Last 30 ================

2009-10-21 09:48 24 a------- c:\windows\emachinelaptop.tmp
2009-10-14 16:18 213,504 a------- c:\windows\system32\msv1_0.dll
2009-10-14 16:18 3,597,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-10-14 16:18 3,546,184 a------- c:\windows\system32\ntoskrnl.exe
2009-10-14 16:17 428,544 a------- c:\windows\system32\EncDec.dll
2009-10-14 16:17 217,088 a------- c:\windows\system32\psisrndr.ax
2009-10-14 16:17 293,376 a------- c:\windows\system32\psisdecd.dll
2009-10-14 16:17 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-10-14 16:17 80,896 a------- c:\windows\system32\MSNP.ax
2009-10-14 09:10 332,066 a------- C:\EZClaimBU.zip
2009-10-14 09:09 41 a------- c:\windows\EZRepair.INI
2009-10-12 08:45 <DIR> --d----- c:\windows\system32\EventProviders
2009-10-11 17:06 57,667 a------- c:\windows\system32\ieuinit.inf
2009-10-10 15:35 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-10-09 07:04 2,335,270 a------- c:\windows\system32\dd1E530.mht
2009-10-07 18:26 538,096 a------- c:\windows\system32\dlbccoms.exe
2009-10-07 18:26 524,288 a------- c:\windows\system32\DivXsm.exe
2009-10-07 18:26 386,544 a------- c:\windows\system32\dlbcih.exe
2009-10-07 18:26 382,448 a------- c:\windows\system32\dlbccfg.exe
2009-10-07 18:26 318,976 a------- c:\windows\system32\cmd.exe
2009-10-07 18:26 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2009-10-07 18:26 98,304 a------- c:\windows\system32\netsh.exe
2009-10-07 18:26 47,560 a------- c:\windows\system32\SPReview.exe
2009-10-07 18:26 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-07 18:26 178,688 a------- c:\windows\system32\cleanmgr.exe
2009-10-07 18:23 <DIR> --d----- c:\windows\Win32
2009-10-07 17:58 2,000 a---h--- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2009-10-07 17:58 2,000 a---h--- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2009-10-07 08:13 6,144 -------- c:\windows\system32\929.tmp
2009-10-05 11:15 6,144 -------- c:\windows\system32\C6F1.tmp
2009-10-05 09:24 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-10-05 09:24 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-10-02 19:59 <DIR> --d----- c:\users\baylus\DoctorWeb
2009-10-02 19:03 0 a------- c:\windows\system32\settings.dat
2009-10-01 19:19 526,184 a------- c:\windows\system32\XceedCry.dll
2009-10-01 19:19 110,602 a------- c:\windows\system32\xcdsfx32.bin
2009-10-01 19:19 224,016 a------- c:\windows\system32\Tabctl32.ocx
2009-10-01 19:19 <DIR> --d----- c:\program files\Driver Magician
2009-09-21 17:12 <DIR> --d----- c:\programdata\TEMP

==================== Find3M ====================

2009-09-27 08:03 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-16 10:22 214,664 a------- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 10:22 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 10:22 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 10:22 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 10:22 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-14 05:44 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-09-04 08:24 61,440 a------- c:\windows\system32\msasn1.dll
2009-08-28 08:39 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 08:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 08:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 08:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 08:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 06:15 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 01:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-27 01:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-27 01:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 23:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-08-26 09:18 21,833,760 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-08-26 09:18 256,940 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-08-14 12:29 104,960 a------- c:\windows\system32\netiohlp.dll
2009-08-14 12:29 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 10:16 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 10:16 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 10:16 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 10:16 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 10:16 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 10:16 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 10:16 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-07-07 12:17 691 a------- c:\users\baylus\appdata\roaming\GetValue.vbs
2009-07-07 12:17 35 a------- c:\users\baylus\appdata\roaming\SetValue.bat
2009-05-08 21:45 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-08 21:45 86,016 a------- c:\windows\inf\infstor.dat
2009-05-08 21:45 51,200 a------- c:\windows\inf\infpub.dat
2009-04-30 10:24 983,760 a------- c:\program files\ipscan-3.0-beta4.exe
2009-02-05 22:25 174 a--sh--- c:\program files\desktop.ini
2009-02-05 21:53 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-07-04 12:12 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-04 12:12 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-04 12:12 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-21 15:49 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:58:35.23 ===============



and I've attached ATTACHED.ZIP


Thanks,


Gene

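The helpers in this thread read the DDS "Pseudo HJT Report" and "Created Last 30" sections by eye. As an added example (not part of the thread and not code from the DDS tool), here is a small Python triage parser for those two sections; the sample input is constructed from lines of the log posted above, and the section names, the uRun/mRun (HKCU/HKLM) meaning and the EnableLUA = 0 (UAC disabled) check follow the DDS conventions as I know them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines copied from the DDS log in post #3,
# trimmed so the example runs offline.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefre~1\YREFRE~1.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

=============== Created Last 30 ================

2009-10-21 09:48 24 a------- c:\windows\emachinelaptop.tmp
2009-10-07 18:26 318,976 a------- c:\windows\system32\cmd.exe
2009-10-07 17:58 2,000 a---h--- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2009-10-07 08:13 6,144 -------- c:\windows\system32\929.tmp
2009-10-05 09:24 <DIR> --d----- c:\programdata\Spybot - Search & Destroy

============= FINISH: 15:58:35.23 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AUTORUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^mPolicies-(?P<key>\w+): (?P<value>\w+) = (?P<data>\S+)")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


@dataclass
class Autorun:
    hive: str      # "HKCU" for uRun, "HKLM" for mRun (DDS convention)
    name: str
    command: str


@dataclass
class Created:
    date: str
    size: Optional[int]   # None for <DIR> entries
    attrs: str            # DDS attribute string, e.g. "a---h---" (h = hidden)
    path: str


def split_sections(text: str) -> dict:
    """Group non-empty log lines under the '=== name ===' header above them."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def parse_autoruns(lines):
    out = []
    for m in map(AUTORUN_RE.match, lines):
        if m:
            hive = "HKCU" if m.group("hive") == "u" else "HKLM"
            out.append(Autorun(hive, m.group("name"), m.group("cmd")))
    return out


def parse_policies(lines):
    """Map (policy key, value name) -> data, e.g. ('system', 'EnableLUA') -> '0'."""
    return {(m.group("key"), m.group("value")): m.group("data")
            for m in map(POLICY_RE.match, lines) if m}


def parse_created(lines):
    out = []
    for m in map(CREATED_RE.match, lines):
        if m:
            raw = m.group("size")
            size = None if raw == "<DIR>" else int(raw.replace(",", ""))
            out.append(Created(m.group("date"), size, m.group("attrs"), m.group("path")))
    return out


def triage(text: str):
    """Return (severity, message) findings a helper would want to look at first."""
    sections = split_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    findings = []
    if parse_policies(hjt).get(("system", "EnableLUA")) == "0":
        findings.append(("high", "UAC is disabled (mPolicies-system EnableLUA = 0)"))
    for a in parse_autoruns(hjt):
        exe = a.command.split()[0].strip('"')
        if "\\" not in exe:   # bare name: resolved by path search, so verify which file runs
            findings.append(("medium", f"{a.hive} Run '{a.name}' uses bare name {exe}; "
                                       "verify which file actually runs"))
    for c in parse_created(sections.get("Created Last 30", [])):
        low = c.path.lower()
        if "\\system32\\" in low and c.size is not None:
            if low.endswith((".exe", ".dll", ".sys")):
                findings.append(("medium", f"new binary in system32: {c.path} ({c.date}); "
                                           "verify signature/hash against a known-good copy"))
            elif "h" in c.attrs:
                findings.append(("low", f"hidden file in system32: {c.path}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_DDS):
        print(f"[{severity}] {message}")
```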

#4 schrauber, Mr.Mechanic (Malware Response Team, 24,794 posts; Location: Munich, Germany)

Posted 21 October 2009 - 03:32 PM

Hello, esbaylus
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.


I MAY have cleaned the system by following OTHER threads in this forum


And how did you do that? Did you use any tools?

First, please take note of the following:

C: is FIXED (NTFS) - 51 GiB total, 0.62 GiB free.


Your hard drive is very full. When too much is saved it is possible to lose data, or the system may not work correctly.





Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow sharing files between users, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Step 2
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

Please post back with:
  • Malwarebytes-Logfile
  • Both RSIT-Logfiles

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 esbaylus, Topic Starter (Members, 31 posts)

Posted 22 October 2009 - 06:30 AM

I know the HD is full... I'm working on a backup solution.



OK, here's the logs:

Malwarebytes' Anti-Malware 1.41
Database version: 3006
Windows 6.0.6001 Service Pack 1

10/22/2009 7:09:56 AM
mbam-log-2009-10-22 (07-09-56).txt

Scan type: Quick Scan
Objects scanned: 126954
Time elapsed: 11 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of random's system information tool 1.06 (written by random/random)
Run by Baylus at 2009-10-22 07:13:38
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 620 MB (1%) free of 52 GB
Total RAM: 958 MB (26% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:01 AM, on 10/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Baylus\Desktop\RSIT.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\trend micro\Baylus.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: McAfee Application Installer Cleanup (0005861256131550) (0005861256131550mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\000586~1.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9fabb4a7b7ea) (gupdate1c9fabb4a7b7ea) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 5949 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job
C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\User_Feed_Synchronization-{284A3770-EC10-428A-96D1-4CE53C1A3E55}.job
C:\Windows\tasks\User_Feed_Synchronization-{A7CF99AC-7533-4FBD-A3DD-79385D394E59}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}]
Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2006-08-09 184320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-07-08 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-01 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-09-26 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-06-01 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-27 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A1691B-D188-4419-AD02-90002030B8EE}]
FlashFXP Helper for Internet Explorer - C:\PROGRA~1\FlashFXP\IEFlash.dll [2005-05-04 191096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} - Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2006-08-09 184320]
{B24BA06E-FB7B-4757-95C2-DC01125F750E} - RefresherBand Class - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL [2001-08-03 45056]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-01 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-07-10 645328]
"lxcrmon.exe"=C:\Program Files\Lexmark 2400 Series\lxcrmon.exe [2006-12-11 291760]
"EzPrint"=C:\Program Files\Lexmark 2400 Series\ezprint.exe [2006-12-11 82864]
"LXCRCATS"=rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16 []
"SoundMan"=C:\Windows\SOUNDMAN.EXE [2009-02-01 598016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-27 149280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-09-10 420176]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-06-01 39408]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RKS Fax Print Controller]
C:\Program Files\RKS Fax\rksfax_control.exe [2008-02-19 3912200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Staples Easy Button]
C:\Program Files\Staples Easy Button\EasyButton.exe [2009-06-19 1739312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wootalyzer]
C:\Program Files\Wootalyzer\woot.exe [2009-03-25 374272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Baylus^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^On-Screen Keyboard.lnk]
C:\Windows\System32\osk.exe [2006-11-02 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\FlashFXP\flashfxp.exe"="C:\Program Files\FlashFXP\flashfxp.exe:*:Enabled:FlashFXP v3"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\FlashFXP\flashfxp.exe"="C:\Program Files\FlashFXP\flashfxp.exe:*:Enabled:FlashFXP v3"

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-10-22 07:13:39 ----D---- C:\Program Files\trend micro
2009-10-22 07:13:38 ----D---- C:\rsit
2009-10-21 16:42:10 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-21 09:48:26 ----A---- C:\Windows\emachinelaptop.tmp
2009-10-14 16:18:28 ----A---- C:\Windows\system32\msv1_0.dll
2009-10-14 16:18:14 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-10-14 16:18:12 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-10-14 16:17:22 ----A---- C:\Windows\system32\EncDec.dll
2009-10-14 16:17:15 ----A---- C:\Windows\system32\psisdecd.dll
2009-10-14 16:16:54 ----A---- C:\Windows\system32\mshtml.dll
2009-10-14 16:16:51 ----A---- C:\Windows\system32\ieframe.dll
2009-10-14 16:16:49 ----A---- C:\Windows\system32\iertutil.dll
2009-10-14 16:16:48 ----A---- C:\Windows\system32\urlmon.dll
2009-10-14 16:16:47 ----A---- C:\Windows\system32\wininet.dll
2009-10-14 16:16:47 ----A---- C:\Windows\system32\msfeeds.dll
2009-10-14 16:16:46 ----A---- C:\Windows\system32\occache.dll
2009-10-14 16:16:46 ----A---- C:\Windows\system32\iedkcs32.dll
2009-10-14 16:16:43 ----A---- C:\Windows\system32\ieui.dll
2009-10-14 16:16:43 ----A---- C:\Windows\system32\iepeers.dll
2009-10-14 16:16:42 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-10-14 16:16:42 ----A---- C:\Windows\system32\ieUnatt.exe
2009-10-14 16:16:42 ----A---- C:\Windows\system32\iesysprep.dll
2009-10-14 16:16:41 ----A---- C:\Windows\system32\jsproxy.dll
2009-10-14 16:16:40 ----A---- C:\Windows\system32\msfeedssync.exe
2009-10-14 16:16:40 ----A---- C:\Windows\system32\iesetup.dll
2009-10-14 16:16:40 ----A---- C:\Windows\system32\ie4uinit.exe
2009-10-14 16:16:39 ----A---- C:\Windows\system32\iernonce.dll
2009-10-14 16:16:23 ----A---- C:\Windows\system32\msasn1.dll
2009-10-14 16:16:03 ----A---- C:\Windows\system32\WMSPDMOD.DLL
2009-10-14 09:09:07 ----A---- C:\Windows\EZRepair.INI
2009-10-12 08:45:35 ----D---- C:\Windows\system32\EventProviders
2009-10-11 23:50:05 ----A---- C:\Windows\system32\jscript.dll
2009-10-11 17:00:37 ----A---- C:\Windows\system32\mshtmled.dll
2009-10-11 17:00:37 ----A---- C:\Windows\system32\icardie.dll
2009-10-11 17:00:36 ----A---- C:\Windows\system32\admparse.dll
2009-10-11 17:00:35 ----A---- C:\Windows\system32\mshtmler.dll
2009-10-11 17:00:34 ----A---- C:\Windows\system32\msls31.dll
2009-10-11 17:00:33 ----A---- C:\Windows\system32\corpol.dll
2009-10-11 17:00:32 ----A---- C:\Windows\system32\ieakeng.dll
2009-10-11 17:00:31 ----A---- C:\Windows\system32\imgutil.dll
2009-10-11 17:00:31 ----A---- C:\Windows\system32\dxtrans.dll
2009-10-11 17:00:31 ----A---- C:\Windows\system32\dxtmsft.dll
2009-10-11 17:00:29 ----A---- C:\Windows\system32\licmgr10.dll
2009-10-11 17:00:28 ----A---- C:\Windows\system32\inseng.dll
2009-10-11 17:00:28 ----A---- C:\Windows\system32\ieaksie.dll
2009-10-11 17:00:27 ----A---- C:\Windows\system32\webcheck.dll
2009-10-11 17:00:27 ----A---- C:\Windows\system32\msrating.dll
2009-10-11 17:00:26 ----A---- C:\Windows\system32\WinFXDocObj.exe
2009-10-11 17:00:26 ----A---- C:\Windows\system32\wextract.exe
2009-10-11 17:00:26 ----A---- C:\Windows\system32\mstime.dll
2009-10-11 17:00:26 ----A---- C:\Windows\system32\ieakui.dll
2009-10-11 17:00:25 ----A---- C:\Windows\system32\pngfilt.dll
2009-10-11 17:00:25 ----A---- C:\Windows\system32\advpack.dll
2009-10-11 17:00:23 ----A---- C:\Windows\system32\ieapfltr.dll
2009-10-11 17:00:22 ----A---- C:\Windows\system32\vbscript.dll
2009-10-11 17:00:21 ----A---- C:\Windows\system32\url.dll
2009-10-11 17:00:17 ----A---- C:\Windows\system32\SetIEInstalledDate.exe
2009-10-11 17:00:17 ----A---- C:\Windows\system32\SetDepNx.exe
2009-10-11 17:00:17 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
2009-10-11 17:00:17 ----A---- C:\Windows\system32\mshta.exe
2009-10-11 17:00:17 ----A---- C:\Windows\system32\iexpress.exe
2009-10-11 17:00:16 ----A---- C:\Windows\system32\PDMSetup.exe
2009-10-10 15:35:32 ----SHD---- C:\$RECYCLE.BIN
2009-10-07 18:26:07 ----N---- C:\Windows\system32\MpSigStub.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\SPReview.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\netsh.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\dllhost.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\dlbcih.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\dlbccoms.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\dlbccfg.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\DivXsm.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\DivXCodecVersionChecker.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\cmd.exe
2009-10-07 18:26:06 ----A---- C:\Windows\system32\cleanmgr.exe
2009-10-07 18:23:24 ----D---- C:\Windows\Win32
2009-10-07 08:13:06 ----N---- C:\Windows\system32\929.tmp
2009-10-05 11:15:54 ----N---- C:\Windows\system32\C6F1.tmp
2009-10-05 09:24:43 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-10-01 19:19:45 ----A---- C:\Windows\system32\XceedCry.dll
2009-10-01 19:19:41 ----D---- C:\Program Files\Driver Magician
2009-09-27 08:05:25 ----A---- C:\Windows\system32\javaws.exe
2009-09-27 08:05:24 ----A---- C:\Windows\system32\javaw.exe
2009-09-27 08:05:24 ----A---- C:\Windows\system32\java.exe

======List of files/folders modified in the last 1 months======

2009-10-22 07:13:56 ----D---- C:\Windows\Prefetch
2009-10-22 07:13:50 ----D---- C:\Windows\Temp
2009-10-22 07:13:39 ----RD---- C:\Program Files
2009-10-21 17:12:12 ----D---- C:\Windows\Tasks
2009-10-21 16:42:15 ----D---- C:\Windows\system32\drivers
2009-10-21 16:02:02 ----D---- C:\Program Files\Mozilla Firefox
2009-10-21 10:51:48 ----SHD---- C:\System Volume Information
2009-10-21 09:48:26 ----D---- C:\Windows
2009-10-21 09:45:52 ----D---- C:\Windows\Debug
2009-10-21 09:24:42 ----D---- C:\Program Files\McAfee
2009-10-20 17:33:44 ----D---- C:\Windows\winsxs
2009-10-20 14:13:05 ----D---- C:\Windows\System32
2009-10-20 07:28:08 ----SHD---- C:\Windows\Installer
2009-10-20 07:28:08 ----D---- C:\Program Files\Common Files
2009-10-20 07:28:06 ----D---- C:\Config.Msi
2009-10-18 15:51:11 ----D---- C:\Program Files\FlashFXP
2009-10-18 13:21:54 ----D---- C:\Windows\inf
2009-10-18 13:21:54 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-10-18 07:05:15 ----A---- C:\Windows\system32\HPPDEVX.DLL.log
2009-10-15 03:41:01 ----D---- C:\Windows\Microsoft.NET
2009-10-15 03:40:44 ----RSD---- C:\Windows\assembly
2009-10-15 03:26:53 ----D---- C:\Windows\system32\catroot
2009-10-15 03:21:52 ----D---- C:\Program Files\Windows Mail
2009-10-15 03:21:51 ----D---- C:\Windows\ehome
2009-10-15 03:21:47 ----D---- C:\Windows\system32\migration
2009-10-15 03:21:44 ----D---- C:\Program Files\Internet Explorer
2009-10-15 03:08:51 ----D---- C:\Windows\system32\catroot2
2009-10-14 09:13:42 ----D---- C:\Program Files\EZClaim
2009-10-14 09:07:44 ----A---- C:\Windows\win.ini
2009-10-13 11:48:17 ----D---- C:\Windows\system32\Tasks
2009-10-12 03:11:38 ----D---- C:\ProgramData
2009-10-11 18:39:39 ----D---- C:\Windows\rescache
2009-10-11 18:16:25 ----D---- C:\Windows\system32\en-US
2009-10-11 18:16:25 ----D---- C:\Windows\PolicyDefinitions
2009-10-11 16:26:45 ----D---- C:\ProgramData\Lavasoft
2009-10-11 16:26:45 ----D---- C:\Program Files\Lavasoft
2009-10-11 16:26:02 ----DC---- C:\Windows\system32\DRVSTORE
2009-10-10 16:10:56 ----D---- C:\Windows\ERDNT
2009-10-10 15:32:58 ----A---- C:\Windows\system.ini
2009-10-10 15:26:07 ----D---- C:\Windows\AppPatch
2009-10-10 07:35:35 ----D---- C:\Program Files\lx_cats
2009-10-02 14:01:57 ----A---- C:\Windows\system32\mrt.exe
2009-10-01 07:29:19 ----D---- C:\Program Files\Xvid
2009-09-27 08:03:40 ----A---- C:\Windows\system32\deploytk.dll
2009-09-23 10:46:02 ----D---- C:\Users\Baylus\AppData\Roaming\wootalyzer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2004-03-16 13059]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]
R3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
R3 CAMCAUD;Conexant AMC Audio; C:\Windows\system32\drivers\camc6aud.sys [2005-04-20 38016]
R3 CAMCHALA;CAMCHALA; C:\Windows\system32\drivers\camc6hal.sys [2005-04-20 350080]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSF_DPV.sys [2004-12-14 1038208]
R3 HSFHWATI;HSFHWATI; C:\Windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-01-25 2387456]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-19 88576]
R3 tifm21;tifm21; C:\Windows\system32\drivers\tifm21.sys [2005-06-23 162176]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S2 adfs;adfs; C:\Windows\system32\drivers\adfs.sys []
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\Windows\system32\drivers\RTKVAC.SYS [2009-02-01 4137312]
S3 APLMp50;APLMp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\APLMp50.sys [2006-11-29 28224]
S3 athrusb;Atheros Wireless LAN USB device driver; C:\Windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
S3 BthEnum;Bluetooth Request Block Driver; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-01-31 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-01-31 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-01-31 29184]
S3 catchme;catchme; \??\C:\Users\Baylus\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\Windows\system32\227E.tmp []
S3 mfehidk01;McAfee Inc.; C:\Windows\system32\drivers\mfehidk01.sys []
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 motmodem;Motorola USB CDC ACM Driver; C:\Windows\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [2007-06-02 8192]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-19 49664]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-19 73088]
S3 usbbus;LGE Mobile Composite USB Device; C:\Windows\system32\DRIVERS\lgusbbus.sys [2005-05-26 21344]
S3 UsbDiag;LGE Mobile USB Serial Port; C:\Windows\system32\DRIVERS\lgusbdiag.sys [2005-05-26 38144]
S3 USBModem;LGE Mobile USB Modem; C:\Windows\system32\DRIVERS\lgusbmodem.sys [2005-06-24 39036]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-01-25 561152]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 lxcr_device;lxcr_device; C:\Windows\system32\lxcrcoms.exe [2006-12-11 537520]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-10 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-07-08 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-07-10 894136]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-07-08 606736]
S2 0005861256131550mcinstcleanup;McAfee Application Installer Cleanup (0005861256131550); C:\Windows\TEMP\000586~1.EXE [2009-08-18 316312]
S2 gupdate1c9fabb4a7b7ea;Google Update Service (gupdate1c9fabb4a7b7ea); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-01 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-01 190448]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-05-23 655624]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S4 TlntSvr;@%SystemRoot%\system32\tlntsvr.exe,-119; C:\Windows\System32\tlntsvr.exe [2008-01-19 75776]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-10-22 07:14:09

======Uninstall list======

7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
ABC Amber LIT Converter-->C:\PROGRA~1\ABCAMB~1\UNWISE.EXE C:\PROGRA~1\ABCAMB~1\INSTALL.LOG
Acrobat.com-->MsiExec.exe /X{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Anchor Service CS4-->MsiExec.exe /I{1618734A-3957-4ADD-8199-F973763109A8}
Adobe Bridge CS4-->MsiExec.exe /I{83877DB1-8B77-45BC-AB43-2BAC22E093E0}
Adobe CMaps CS4-->MsiExec.exe /I{94D398EB-D2FD-4FD1-B8C4-592635E8A191}
Adobe Color - Photoshop Specific CS4-->MsiExec.exe /I{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}
Adobe Color EU Extra Settings CS4-->MsiExec.exe /I{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}
Adobe Color JA Extra Settings CS4-->MsiExec.exe /I{0D6013AB-A0C7-41DC-973C-E93129C9A29F}
Adobe Color NA Recommended Settings CS4-->MsiExec.exe /I{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}
Adobe Color Video Profiles CS CS4-->MsiExec.exe /I{63C24A08-70F3-4C8E-B9FB-9F21A903801D}
Adobe CSI CS4-->MsiExec.exe /I{0F723FC1-7606-4867-866C-CE80AD292DAF}
Adobe Default Language CS4-->MsiExec.exe /I{C52E3EC1-048C-45E1-8D53-10B0C6509683}
Adobe Device Central CS4-->MsiExec.exe /I{67F0E67A-8E93-4C2C-B29D-47C48262738A}
Adobe Drive CS4-->MsiExec.exe /I{16E16F01-2E2D-4248-A42F-76261C147B6C}
Adobe ExtendScript Toolkit CS4-->MsiExec.exe /I{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}
Adobe Extension Manager CS4-->MsiExec.exe /I{054EFA56-2AC1-48F4-A883-0AB89874B972}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}
Adobe Linguistics CS4-->MsiExec.exe /I{931AB7EA-3656-4BB7-864D-022B09E3DD67}
Adobe Media Player-->MsiExec.exe /I{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Output Module-->MsiExec.exe /I{BB4E33EC-8181-4685-96F7-8554293DEC6A}
Adobe PDF Library Files CS4-->MsiExec.exe /I{F93C84A6-0DC6-42AF-89FA-776F7C377353}
Adobe Photoshop CS4 Support-->MsiExec.exe /I{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}
Adobe Photoshop CS4-->MsiExec.exe /I{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}
Adobe Photoshop CS4-->MsiExec.exe /I{E4848436-0345-47E2-B648-8B522FCDA623}
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Search for Help-->MsiExec.exe /I{F0E64E2E-3A60-40D8-A55D-92F6831875DA}
Adobe Service Manager Extension-->MsiExec.exe /I{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}
Adobe Setup-->MsiExec.exe /I{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}
Adobe Type Support CS4-->MsiExec.exe /I{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}
Adobe Update Manager CS4-->MsiExec.exe /I{05308C4E-7285-4066-BAE3-6B50DA6ED755}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}
Adobe XMP Panels CS4-->MsiExec.exe /I{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}
AdobeColorCommonSetCMYK-->MsiExec.exe /I{68243FF8-83CA-466B-B2B8-9F99DA5479C4}
AdobeColorCommonSetRGB-->MsiExec.exe /I{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}
AnswerWorks 5.0 English Runtime-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}\setup.exe" -l0x9 -uninst -removeonly
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Astro Gemini Screensaver Manager 1.2-->"C:\Program Files\Astro Gemini Software\Screensaver Manager\unins000.exe"
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
BitLord 1.1-->C:\Program Files\BitLord\uninst.exe
Cathedral 3D Screensaver 1.0-->"C:\Program Files\Astro Gemini Software\Cathedral 3D Screensaver\unins000.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CN_Ben10 Screensaver-->C:\Program Files\HKTW\CN_Ben10\Uninstall.exe
Conexant AC-Link Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iari2041a.inf
Connect-->MsiExec.exe /I{B29AD377-CC12-490A-A480-1452337C618D}
Download Accelerator Plus (DAP)-->C:\PROGRA~1\DAP\DAPREMOVE.EXE
Driver Magician 3.41-->"C:\Program Files\Driver Magician\unins000.exe"
EZClaim Basic 7-->MsiExec.exe /X{E90D10AC-2BE4-4862-8B2A-E9F966D5A595}
FlashFXP v3-->"C:\Program Files\FlashFXP\unins000.exe"
Garden Flowers 3D Screensaver 1.0-->"C:\Program Files\Astro Gemini Software\Garden Flowers 3D Screensaver\unins000.exe"
gBurner-->"C:\Program Files\gBurner\uninstall.exe"
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Java™ 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
K-Lite Codec Pack 4.5.3 (Standard)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
kuler-->MsiExec.exe /I{098727E1-775A-4450-B573-3F441F1CA243}
Lexmark 2400 Series-->C:\Program Files\Lexmark 2400 Series\Install\x86\Uninst.exe
Lexmark Toolbar-->regsvr32.exe /s /u "C:\Program Files\Lexmark Toolbar\toolband.dll"
LG Tool Kit-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6179550A-3E7C-499E-BCC9-9E8113E0A285}\Setup.exe"
Magic ISO Maker v5.5 (build 0276)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Reader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6F7DBE7-2FE2-458F-A738-B10832746036}\Setup.exe" -L0x9
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (3.0.14)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
PDF Settings CS4-->MsiExec.exe /I{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
PeerGuardian 2.0-->"C:\Program Files\PeerGuardian2\unins000.exe"
PerformanceTest v6.1-->"C:\Program Files\PerformanceTest\unins000.exe"
Photoshop Camera Raw-->MsiExec.exe /I{CC75AB5C-2110-4A7F-AF52-708680D22FE8}
Quicken 2009-->MsiExec.exe /X{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Realtek AC'97 Audio-->Alcrmv.exe -r -m
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly
RKS Fax-->"C:\Program Files\RKS Fax\unins000.exe"
Snow Princess Screensaver Screensaver-->C:\Program Files\Ambercakes.com\Snow Princess Screensaver\Uninstall.exe
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378\HXFSETUP.EXE -U -Iari2045k.inf
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Staples Easy Button (remove only)-->"C:\Program Files\Staples Easy Button\EasyButton.exe" /UNINSTALL
Star Wars - The Clone Wars-->"C:\Program Files\ScreenSaverAve.com\Star Wars Clone Wars Screensaver\uninstall Star_War.exe"
Star Wars 3D Screensaver 1.3-->"C:\Program Files\Astro Gemini Software\Star Wars 3D Screensaver\unins000.exe"
Star Wars 3D Space Battles Screensaver v2.0-->"C:\Program Files\UselessCreations\StarWars3D\uninst.exe"
Suite Shared Configuration CS4-->MsiExec.exe /I{842B4B72-9E8F-4962-B3C1-1C422A5C4434}
Tux Paint 0.9.20b-->"C:\Program Files\TuxPaint\unins000.exe"
Tux Paint Stamps 2008.06.30-->"C:\Program Files\TuxPaint\unins001.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Wootalyzer!-->C:\Program Files\Wootalyzer\Uninstall.exe
Xvid 1.2.2 final uninstall-->"C:\Program Files\Xvid\unins000.exe"
Yrefresher 1.00-->"C:\Program Files\YRefresher\unins000.exe"
Zero Assumption Recovery Version 8.4-->"C:\Program Files\ZAR\unins000.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AS: Lavasoft Ad-Watch Live! (disabled)
AS: Windows Defender (disabled)

======System event log======

Computer Name: emachineLaptop
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0014A53B3D24. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 86635
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091022011434.000000-000
Event Type: Warning
User:

Computer Name: emachineLaptop
Event Code: 1003
Message:
Record Number: 86636
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091022011436.000000-000
Event Type: Warning
User:

Computer Name: emachineLaptop
Event Code: 1002
Message: The IP address lease 192.168.1.39 for the Network Card with network address 0014A53B3D24 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
Record Number: 86637
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091022011436.000000-000
Event Type: Error
User:

Computer Name: emachineLaptop
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0014A53B3D24. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 86644
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091022110816.000000-000
Event Type: Warning
User:

Computer Name: emachineLaptop
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0014A53B3D24. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 86647
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091022110823.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: emachineLaptop
Event Code: 8193
Message: Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x8004231f).
Record Number: 11441
Source Name: System Restore
Time Written: 20091020235017.000000-000
Event Type: Error
User:

Computer Name: emachineLaptop
Event Code: 8210
Message: The scheduled restore point could not be created. Additional information: (0x8004231f).
Record Number: 11442
Source Name: System Restore
Time Written: 20091020235017.000000-000
Event Type: Error
User:

Computer Name: emachineLaptop
Event Code: 4001
Message: Volume Shadow Copy Service error: Cannot find diff areas for creating shadow copies. Please add at least one NTFS drive to the system with enough free space. The free space needed is at least 300 Mb for each volume to be shadow copied.

Operation:
Automatically choosing a diff-area volume
Processing EndPrepareSnapshots

Context:
Execution Context: System Provider
Record Number: 11447
Source Name: VSS
Time Written: 20091021131548.000000-000
Event Type: Error
User:

Computer Name: emachineLaptop
Event Code: 8193
Message: Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x8004231f).
Record Number: 11448
Source Name: System Restore
Time Written: 20091021131549.000000-000
Event Type: Error
User:

Computer Name: emachineLaptop
Event Code: 8210
Message: The scheduled restore point could not be created. Additional information: (0x8004231f).
Record Number: 11449
Source Name: System Restore
Time Written: 20091021131549.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: emachineLaptop
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: EMACHINELAPTOP$
Account Domain: BAY6LUS
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\ieaksie.dll
Handle ID: 0x14

Process Information:
Process ID: 0xfd4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 45644
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091011221621.019672-000
Event Type: Audit Success
User:

Computer Name: emachineLaptop
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: EMACHINELAPTOP$
Account Domain: BAY6LUS
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\mshtmled.dll
Handle ID: 0x14

Process Information:
Process ID: 0xfd4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 45645
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091011221621.082172-000
Event Type: Audit Success
User:

Computer Name: emachineLaptop
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: EMACHINELAPTOP$
Account Domain: BAY6LUS
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\urlmon.dll
Handle ID: 0x14

Process Information:
Process ID: 0xfd4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 45646
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091011221621.457172-000
Event Type: Audit Success
User:

Computer Name: emachineLaptop
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: EMACHINELAPTOP$
Account Domain: BAY6LUS
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\msfeedsbs.dll
Handle ID: 0x14

Process Information:
Process ID: 0xfd4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 45647
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091011221621.566547-000
Event Type: Audit Success
User:

Computer Name: emachineLaptop
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: EMACHINELAPTOP$
Account Domain: BAY6LUS
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\msrating.dll
Handle ID: 0x14

Process Information:
Process ID: 0xfd4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 45648
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091011221621.691547-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2c02
"NUMBER_OF_PROCESSORS"=1
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------


Thanks!!
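
The five Security-log records in the RSIT dump above are all Event 4907 (auditing settings on an object were changed) and share one shape: the subject is LocalSystem (S-1-5-18), the process is poqexec.exe from the Windows servicing-stack directory under winsxs, the objects are Internet Explorer components in System32 (ieaksie.dll, mshtmled.dll, urlmon.dll, msfeedsbs.dll, msrating.dll), and the new SACL is the same SDDL string each time, S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD). That is a component update writing the standard audit ACE (Everyone, success and failure, write-type rights) onto freshly serviced files, not a hijack. The 4907 worth catching is the opposite shape: a process outside the servicing stack, or a non-SYSTEM subject, stripping audit ACEs from a system file. The Python below is an added example, not RSIT's or the thread's own code: it parses records in RSIT's "Key: Value" layout, decodes the SACL portion of the SDDL string, and flags records that deviate from the servicing pattern. The sample is constructed: the first record is one of the posted entries trimmed to the fields used, the second is hypothetical (made-up SID, process ID and paths) and removes the SACL, so the checks have something to trip on.

```python
"""Triage Event 4907 records from an RSIT-style Security event dump and decode
the SDDL SACL they carry. Added example; not RSIT's or the thread's own code."""
import re

# Constructed sample in RSIT's "Key: Value" layout. Record 1 is a posted entry
# trimmed to the fields used; record 2 is hypothetical and strips the SACL.
SAMPLE = r"""
Computer Name: emachineLaptop
Event Code: 4907
Subject:
Security ID: S-1-5-18
Object:
Object Name: C:\Windows\System32\urlmon.dll
Process Information:
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 45646

Computer Name: emachineLaptop
Event Code: 4907
Subject:
Security ID: S-1-5-21-1111-2222-3333-1001
Object:
Object Name: C:\Windows\System32\drivers\example.sys
Process Information:
Process Name: C:\Users\Baylus\AppData\Local\Temp\setup.exe
Auditing Settings:
Original Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
New Security Descriptor: S:
Record Number: 45700
"""

SACL_FLAGS = {"AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED", "P": "PROTECTED"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "ID": "INHERITED",
             "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# SDDL spells the low specific-rights bits with directory-service names; on a
# file object those same bits are the write-type rights given on the right.
RIGHTS = {"DC": "FILE_WRITE_DATA", "LC": "FILE_APPEND_DATA", "RP": "FILE_WRITE_EA",
          "CR": "FILE_WRITE_ATTRIBUTES", "SD": "DELETE", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS"}
SIDS = {"WD": "Everyone", "SY": "LocalSystem", "BA": "Administrators", "BU": "Users",
        "AU": "Authenticated Users"}
SERVICING_STACK = re.compile(
    r"^C:\\Windows\\winsxs\\x86_microsoft-windows-servicingstack_[^\\]+\\poqexec\.exe$", re.I)


def parse_records(text):
    """Split an RSIT event dump into dicts; a record starts at 'Computer Name:'."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Computer Name:"):
            current = {}
            records.append(current)
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(ace):
    """Decode one 'type;flags;rights;object;inherit_object;sid' ACE body."""
    ace_type, flags, rights, _obj, _inh, sid = (ace.split(";") + [""] * 6)[:6]
    decoded = [rights] if rights.startswith("0x") else [RIGHTS.get(t, t) for t in _pairs(rights)]
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(t, t) for t in _pairs(flags)],
            "rights": decoded, "trustee": SIDS.get(sid, sid)}


def parse_sacl(sddl):
    """Decode the S: (SACL) part of an SDDL string; None when there is no SACL."""
    m = re.search(r"S:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return None
    flags = [SACL_FLAGS.get(t, t) for t in re.findall(r"AR|AI|P", m.group(1))]
    aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", m.group(2))]
    return {"flags": flags, "aces": aces}


def triage_4907(records):
    """One finding per 4907 record; 'reasons' lists how it deviates from the
    servicing-stack pattern in the posted log (empty list = looks benign)."""
    findings = []
    for r in records:
        if r.get("Event Code") != "4907":
            continue
        sacl = parse_sacl(r.get("New Security Descriptor", ""))
        audits = [a for a in (sacl["aces"] if sacl else []) if a["type"] == "SYSTEM_AUDIT"]
        reasons = []
        if not SERVICING_STACK.match(r.get("Process Name", "")):
            reasons.append("changed by a process outside the servicing stack")
        if r.get("Security ID") != "S-1-5-18":
            reasons.append("subject is not LocalSystem")
        if not audits:
            reasons.append("new SACL carries no audit ACE (auditing removed)")
        findings.append({"record": r.get("Record Number"), "object": r.get("Object Name"),
                         "process": r.get("Process Name"), "sacl": sacl, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_4907(parse_records(SAMPLE)):
        print(f["record"], f["object"], "OK" if not f["reasons"] else "; ".join(f["reasons"]))
```

Run against a full RSIT log the same parser also takes the Application and System sections, since they use the same layout; only the 4907 rules are specific to the Security log.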

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:23 PM

Posted 22 October 2009 - 12:09 PM

Hi,

Please answer my question above about how you may have cleaned your system. :(
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#7 esbaylus

esbaylus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 22 October 2009 - 01:32 PM

Hi,
I used Malwarebytes, Rootrepeal, combofix, superspyware. They would ONLY run in safe mode (and sometimes NOT run in safe mode). Browsers (Firefox AND IE) were redirecting. I thought at first only Firefox was, but it was both. After MULTIPLE scans and cleanings, I was able to get programs to run in 'normal' mode. I had to recopy many of my .com and .exe files (in system32 dir) from another computer, as they were missing from my infected computer. (including cmd.com).

Edited by esbaylus, 22 October 2009 - 01:44 PM.


#8 schrauber


Posted 22 October 2009 - 02:03 PM

I used Malwarebytes, Rootrepeal, combofix, superspyware. They would ONLY run in safe mode (and sometimes NOT run in safe mode). Browsers (Firefox AND IE) were redirecting. I thought at first only Firefox was, but it was both. After MULTIPLE scans and cleanings, I was able to get programs to run in 'normal' mode. I had to recopy many of my .com and .exe files (in system32 dir) from another computer, as they were missing from my infected computer. (including cmd.com).


Ok, that's a lot. Can you please post the older logfiles from Malwarebytes? You will find them under the Logs tab when you run the tool.
Also please look for C:\Combofix.txt and post back with the content of that logfile.
regards,
schrauber


#9 esbaylus

esbaylus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 22 October 2009 - 02:14 PM

I'll check tonight - the old logs may be gone. I'll respond either way this evening!


Gene

#10 schrauber

Posted 22 October 2009 - 02:16 PM

Ok, Thanks :(
regards,
schrauber


#11 esbaylus


Posted 22 October 2009 - 06:41 PM

OK, I found a few Malwarebytes log files... I'll post a few of them:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1 (Safe Mode)

10/1/2009 10:42:38 PM
mbam-log-2009-10-01 (22-42-38).txt

Scan type: Quick Scan
Objects scanned: 111224
Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



***********************************************************************************************


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1 (Safe Mode)

10/2/2009 7:39:30 AM
mbam-log-2009-10-02 (07-39-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239183
Time elapsed: 51 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



***********************************************************************************************

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1 (Safe Mode)

10/3/2009 7:26:14 PM
mbam-log-2009-10-03 (19-26-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239757
Time elapsed: 1 hour(s), 0 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (regedit.exe %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.41
Database version: 2904
Windows 6.0.6001 Service Pack 1 (Safe Mode)

10/4/2009 10:13:39 AM
mbam-log-2009-10-04 (10-13-39).txt

Scan type: Quick Scan
Objects scanned: 119654
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{77dc0b63-1535-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\PC_protectnewn0.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Windows\System32\pump.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Windows\System32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\wf3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\wf4.dat (Malware.Trace) -> Quarantined and deleted successfully.


***********************************************************************************************



Combofix.txt can't be found.


Thanks!
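
The one item in these logs that is neither a dropped file nor a dropped key is the Broken.OpenCommand entry: the (default) value of HKEY_CLASSES_ROOT\regfile\shell\open\command had become regedit.exe %1 instead of regedit.exe "%1". Without the quotes the shell splits a path containing spaces into several arguments, so double-clicking a .reg file fails; the shell verbs are a common thing for rogue software to tamper with, which is why MBAM reports and repairs them. The Python below is an added example, not Malwarebytes' own code: it parses MBAM 1.4x text logs of the kind posted into structured detections, checks that each "X Infected: n" count matches the lines listed under that section, and applies the quoted-placeholder test to any Bad:/Good: pair. SAMPLE_LOG is constructed in the 1.4x layout from lines of the posted logs (one registry data item and two files, with the counts adjusted to match).

```python
"""Parse Malwarebytes' Anti-Malware 1.4x text logs and check shell 'open'
commands for unquoted %1 placeholders. Added example; not MBAM's own code."""
import re
from collections import Counter

# Constructed sample in the 1.4x layout, assembled from lines of the posted
# logs (counts adjusted so the summary matches the detections shown).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1 (Safe Mode)

10/3/2009 7:26:14 PM
mbam-log-2009-10-03 (19-26-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239757

Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (regedit.exe %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\pump.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
"""

DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
REPAIR = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")
PLACEHOLDER = re.compile(r"%[1lL]")   # %1 / %L: the path the shell substitutes


def parse_detection(line):
    """'item (Family) -> action' or, for repairs, 'item (Family) -> Bad: (..) Good: (..) -> action'."""
    m = DETECTION.match(line)
    if not m:
        raise ValueError("not an MBAM detection line: " + line)
    d = {"item": m["item"], "family": m["family"], "bad": None, "good": None}
    r = REPAIR.match(m["rest"])
    if r:
        d.update(bad=r["bad"], good=r["good"], action=r["action"])
    else:
        d["action"] = m["rest"]
    return d


def parse_mbam_log(text):
    log = {"header": {}, "counts": {}, "detections": [], "safe_mode": "(Safe Mode)" in text}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            section = None            # a blank line closes a detection section
            continue
        m = re.match(r"^(.+ Infected): (\d+)$", line)
        if m:                         # summary line: 'Files Infected: 2'
            log["counts"][m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"^(.+ Infected):$", line)
        if m:                         # section header: 'Files Infected:'
            section = m.group(1)
            continue
        if section:
            if not line.startswith("(No malicious"):
                log["detections"].append(dict(parse_detection(line), section=section))
            continue
        key, sep, value = line.partition(": ")
        if sep:
            log["header"][key] = value
    return log


def counts_consistent(log):
    """True when every 'X Infected: n' count equals the lines listed under X."""
    seen = Counter(d["section"] for d in log["detections"])
    return all(seen[s] == n for s, n in log["counts"].items())


def by_family(log):
    return Counter(d["family"] for d in log["detections"])


def unquoted_placeholders(cmd):
    """Placeholders in a shell open command that are not wrapped in double
    quotes; a path containing spaces is split into extra arguments at each."""
    return [m.group() for m in PLACEHOLDER.finditer(cmd)
            if not (m.start() > 0 and cmd[m.start() - 1] == '"'
                    and m.end() < len(cmd) and cmd[m.end()] == '"')]


def quote_placeholders(cmd):
    """The repaired form MBAM lists as Good: every placeholder in quotes."""
    return re.sub(r'"?(%[1lL])"?', r'"\1"', cmd)


if __name__ == "__main__":
    log = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_consistent(log), dict(by_family(log)))
    for d in log["detections"]:
        if d["bad"] is not None:
            print(d["item"], "unquoted:", unquoted_placeholders(d["bad"]),
                  "->", quote_placeholders(d["bad"]))
```

The quoting test is independent of MBAM: pointed at the (default) value of any shell\open\command key exported from a machine, it reports the same defect the log above recorded.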

#12 schrauber


Posted 23 October 2009 - 12:36 PM

Ok, let's take out the leftovers.


Step 1

We need to run an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :Files
    C:\Windows\Win32
    C:\Windows\system32\929.tmp
    C:\Windows\system32\C6F1.tmp
    C:\Windows\tasks\User_Feed_Synchronization-{284A3770-EC10-428A-96D1-4CE53C1A3E55}.job
    C:\Windows\tasks\User_Feed_Synchronization-{A7CF99AC-7533-4FBD-A3DD-79385D394E59}.job
    
    :Commands
    [EmptyTemp]
  • Push the large MoveIt! button.
    **OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 2

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

Please post back with:
  • OTM-Logfile
  • BitDefender-Logfile
  • Fresh RSIT-Logfile

regards,
schrauber


#13 esbaylus


Posted 24 October 2009 - 06:17 AM

OK, here are the logs in order:

All processes killed
========== FILES ==========
C:\Windows\Win32 moved successfully.
C:\Windows\system32\929.tmp moved successfully.
C:\Windows\system32\C6F1.tmp moved successfully.
C:\Windows\tasks\User_Feed_Synchronization-{284A3770-EC10-428A-96D1-4CE53C1A3E55}.job moved successfully.
C:\Windows\tasks\User_Feed_Synchronization-{A7CF99AC-7533-4FBD-A3DD-79385D394E59}.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Baylus
->Temp folder emptied: 684598 bytes
->Temporary Internet Files folder emptied: 12737984 bytes
->Java cache emptied: 67392411 bytes
->FireFox cache emptied: 62278034 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Emily
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 51715351 bytes
->Java cache emptied: 14486996 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Joey
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2521472 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Seth
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 60842162 bytes
->Java cache emptied: 7617538 bytes
->FireFox cache emptied: 89329383 bytes

User: Starr
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\Windows\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 24 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 321012 bytes
RecycleBin emptied: 338401 bytes

Total Files Cleaned = 353.11 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10232009_213846

Files moved on Reboot...

Registry entries deleted on Reboot...



***********************************************************************************


BitDefender Online Scanner

Scan report generated at: Sat, Oct 24, 2009 - 00:46:49
Scan path: C:\;D:\;

Statistics
Time: 02:25:26
Files: 269300
Folders: 20267
Boot Sectors: 0
Archives: 4372
Packed Files: 11287

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 4452225
Engine build: AVCORE v2.1 Windows/i386 11.0.0.26 (Aug 27 2009)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
No virus found.


*************************************************************************************


Logfile of random's system information tool 1.06 (written by random/random)
Run by Baylus at 2009-10-24 07:13:08
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 690 MB (1%) free of 52 GB
Total RAM: 958 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:47 AM, on 10/24/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Baylus\Desktop\RSIT.exe
C:\Program Files\trend micro\Baylus.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: McAfee Application Installer Cleanup (0005861256131550) (0005861256131550mcinstcleanup) - Unknown owner - C:\Windows\TEMP\000586~1.EXE (file missing)
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9fabb4a7b7ea) (gupdate1c9fabb4a7b7ea) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6047 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job
C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\User_Feed_Synchronization-{284A3770-EC10-428A-96D1-4CE53C1A3E55}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}]
Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2006-08-09 184320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-01 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-09-26 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-06-01 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-27 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A1691B-D188-4419-AD02-90002030B8EE}]
FlashFXP Helper for Internet Explorer - C:\PROGRA~1\FlashFXP\IEFlash.dll [2005-05-04 191096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} - Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2006-08-09 184320]
{B24BA06E-FB7B-4757-95C2-DC01125F750E} - RefresherBand Class - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL [2001-08-03 45056]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-01 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-09-17 645328]
"lxcrmon.exe"=C:\Program Files\Lexmark 2400 Series\lxcrmon.exe [2006-12-11 291760]
"EzPrint"=C:\Program Files\Lexmark 2400 Series\ezprint.exe [2006-12-11 82864]
"LXCRCATS"=rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16 []
"SoundMan"=C:\Windows\SOUNDMAN.EXE [2009-02-01 598016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-27 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-06-01 39408]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RKS Fax Print Controller]
C:\Program Files\RKS Fax\rksfax_control.exe [2008-02-19 3912200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Staples Easy Button]
C:\Program Files\Staples Easy Button\EasyButton.exe [2009-06-19 1739312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wootalyzer]
C:\Program Files\Wootalyzer\woot.exe [2009-03-25 374272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Baylus^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^On-Screen Keyboard.lnk]
C:\Windows\System32\osk.exe [2006-11-02 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\FlashFXP\flashfxp.exe"="C:\Program Files\FlashFXP\flashfxp.exe:*:Enabled:FlashFXP v3"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\FlashFXP\flashfxp.exe"="C:\Program Files\FlashFXP\flashfxp.exe:*:Enabled:FlashFXP v3"

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-10-23 21:51:27 ----D---- C:\Windows\BDOSCAN8
2009-10-23 21:38:46 ----D---- C:\_OTM
2009-10-22 07:13:39 ----D---- C:\Program Files\trend micro
2009-10-22 07:13:38 ----D---- C:\rsit
2009-10-21 16:42:10 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-14 16:18:28 ----A---- C:\Windows\system32\msv1_0.dll
2009-10-14 16:18:14 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-10-14 16:18:12 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-10-14 16:17:22 ----A---- C:\Windows\system32\EncDec.dll
2009-10-14 16:17:15 ----A---- C:\Windows\system32\psisdecd.dll
2009-10-14 16:16:54 ----A---- C:\Windows\system32\mshtml.dll
2009-10-14 16:16:51 ----A---- C:\Windows\system32\ieframe.dll
2009-10-14 16:16:49 ----A---- C:\Windows\system32\iertutil.dll
2009-10-14 16:16:48 ----A---- C:\Windows\system32\urlmon.dll
2009-10-14 16:16:47 ----A---- C:\Windows\system32\wininet.dll
2009-10-14 16:16:47 ----A---- C:\Windows\system32\msfeeds.dll
2009-10-14 16:16:46 ----A---- C:\Windows\system32\occache.dll
2009-10-14 16:16:46 ----A---- C:\Windows\system32\iedkcs32.dll
2009-10-14 16:16:43 ----A---- C:\Windows\system32\ieui.dll
2009-10-14 16:16:43 ----A---- C:\Windows\system32\iepeers.dll
2009-10-14 16:16:42 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-10-14 16:16:42 ----A---- C:\Windows\system32\ieUnatt.exe
2009-10-14 16:16:42 ----A---- C:\Windows\system32\iesysprep.dll
2009-10-14 16:16:41 ----A---- C:\Windows\system32\jsproxy.dll
2009-10-14 16:16:40 ----A---- C:\Windows\system32\msfeedssync.exe
2009-10-14 16:16:40 ----A---- C:\Windows\system32\iesetup.dll
2009-10-14 16:16:40 ----A---- C:\Windows\system32\ie4uinit.exe
2009-10-14 16:16:39 ----A---- C:\Windows\system32\iernonce.dll
2009-10-14 16:16:23 ----A---- C:\Windows\system32\msasn1.dll
2009-10-14 16:16:03 ----A---- C:\Windows\system32\WMSPDMOD.DLL
2009-10-14 09:09:07 ----A---- C:\Windows\EZRepair.INI
2009-10-12 08:45:35 ----D---- C:\Windows\system32\EventProviders
2009-10-11 23:50:05 ----A---- C:\Windows\system32\jscript.dll
2009-10-11 17:00:37 ----A---- C:\Windows\system32\mshtmled.dll
2009-10-11 17:00:37 ----A---- C:\Windows\system32\icardie.dll
2009-10-11 17:00:36 ----A---- C:\Windows\system32\admparse.dll
2009-10-11 17:00:35 ----A---- C:\Windows\system32\mshtmler.dll
2009-10-11 17:00:34 ----A---- C:\Windows\system32\msls31.dll
2009-10-11 17:00:33 ----A---- C:\Windows\system32\corpol.dll
2009-10-11 17:00:32 ----A---- C:\Windows\system32\ieakeng.dll
2009-10-11 17:00:31 ----A---- C:\Windows\system32\imgutil.dll
2009-10-11 17:00:31 ----A---- C:\Windows\system32\dxtrans.dll
2009-10-11 17:00:31 ----A---- C:\Windows\system32\dxtmsft.dll
2009-10-11 17:00:29 ----A---- C:\Windows\system32\licmgr10.dll
2009-10-11 17:00:28 ----A---- C:\Windows\system32\inseng.dll
2009-10-11 17:00:28 ----A---- C:\Windows\system32\ieaksie.dll
2009-10-11 17:00:27 ----A---- C:\Windows\system32\webcheck.dll
2009-10-11 17:00:27 ----A---- C:\Windows\system32\msrating.dll
2009-10-11 17:00:26 ----A---- C:\Windows\system32\WinFXDocObj.exe
2009-10-11 17:00:26 ----A---- C:\Windows\system32\wextract.exe
2009-10-11 17:00:26 ----A---- C:\Windows\system32\mstime.dll
2009-10-11 17:00:26 ----A---- C:\Windows\system32\ieakui.dll
2009-10-11 17:00:25 ----A---- C:\Windows\system32\pngfilt.dll
2009-10-11 17:00:25 ----A---- C:\Windows\system32\advpack.dll
2009-10-11 17:00:23 ----A---- C:\Windows\system32\ieapfltr.dll
2009-10-11 17:00:22 ----A---- C:\Windows\system32\vbscript.dll
2009-10-11 17:00:21 ----A---- C:\Windows\system32\url.dll
2009-10-11 17:00:17 ----A---- C:\Windows\system32\SetIEInstalledDate.exe
2009-10-11 17:00:17 ----A---- C:\Windows\system32\SetDepNx.exe
2009-10-11 17:00:17 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
2009-10-11 17:00:17 ----A---- C:\Windows\system32\mshta.exe
2009-10-11 17:00:17 ----A---- C:\Windows\system32\iexpress.exe
2009-10-11 17:00:16 ----A---- C:\Windows\system32\PDMSetup.exe
2009-10-10 15:35:32 ----SHD---- C:\$RECYCLE.BIN
2009-10-07 18:26:07 ----N---- C:\Windows\system32\MpSigStub.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\SPReview.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\netsh.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\dllhost.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\dlbcih.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\dlbccoms.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\dlbccfg.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\DivXsm.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\DivXCodecVersionChecker.exe
2009-10-07 18:26:07 ----A---- C:\Windows\system32\cmd.exe
2009-10-07 18:26:06 ----A---- C:\Windows\system32\cleanmgr.exe
2009-10-05 09:24:43 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-10-01 19:19:45 ----A---- C:\Windows\system32\XceedCry.dll
2009-10-01 19:19:41 ----D---- C:\Program Files\Driver Magician
2009-09-27 08:05:25 ----A---- C:\Windows\system32\javaws.exe
2009-09-27 08:05:24 ----A---- C:\Windows\system32\javaw.exe
2009-09-27 08:05:24 ----A---- C:\Windows\system32\java.exe

======List of files/folders modified in the last 1 months======

2009-10-24 07:13:14 ----D---- C:\Windows\Temp
2009-10-24 07:10:47 ----D---- C:\Windows\Prefetch
2009-10-24 07:09:17 ----D---- C:\Program Files\Mozilla Firefox
2009-10-24 01:18:14 ----SHD---- C:\System Volume Information
2009-10-23 21:51:30 ----SD---- C:\Windows\Downloaded Program Files
2009-10-23 21:51:27 ----D---- C:\Windows
2009-10-23 21:48:41 ----D---- C:\Windows\Tasks
2009-10-23 21:38:58 ----D---- C:\Windows\System32
2009-10-23 21:38:55 ----A---- C:\Windows\system32\MPFServiceFailureCount.txt
2009-10-22 07:13:39 ----RD---- C:\Program Files
2009-10-21 16:42:15 ----D---- C:\Windows\system32\drivers
2009-10-21 09:45:52 ----D---- C:\Windows\Debug
2009-10-21 09:24:42 ----D---- C:\Program Files\McAfee
2009-10-20 17:33:44 ----D---- C:\Windows\winsxs
2009-10-20 07:28:08 ----SHD---- C:\Windows\Installer
2009-10-20 07:28:08 ----D---- C:\Program Files\Common Files
2009-10-20 07:28:06 ----D---- C:\Config.Msi
2009-10-18 15:51:11 ----D---- C:\Program Files\FlashFXP
2009-10-18 13:21:54 ----D---- C:\Windows\inf
2009-10-18 13:21:54 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-10-18 07:05:15 ----A---- C:\Windows\system32\HPPDEVX.DLL.log
2009-10-15 03:41:01 ----D---- C:\Windows\Microsoft.NET
2009-10-15 03:40:44 ----RSD---- C:\Windows\assembly
2009-10-15 03:26:53 ----D---- C:\Windows\system32\catroot
2009-10-15 03:21:52 ----D---- C:\Program Files\Windows Mail
2009-10-15 03:21:51 ----D---- C:\Windows\ehome
2009-10-15 03:21:47 ----D---- C:\Windows\system32\migration
2009-10-15 03:21:44 ----D---- C:\Program Files\Internet Explorer
2009-10-15 03:08:51 ----D---- C:\Windows\system32\catroot2
2009-10-14 09:13:42 ----D---- C:\Program Files\EZClaim
2009-10-14 09:07:44 ----A---- C:\Windows\win.ini
2009-10-13 11:48:17 ----D---- C:\Windows\system32\Tasks
2009-10-12 03:11:38 ----D---- C:\ProgramData
2009-10-11 18:39:39 ----D---- C:\Windows\rescache
2009-10-11 18:16:25 ----D---- C:\Windows\system32\en-US
2009-10-11 18:16:25 ----D---- C:\Windows\PolicyDefinitions
2009-10-11 16:26:45 ----D---- C:\ProgramData\Lavasoft
2009-10-11 16:26:45 ----D---- C:\Program Files\Lavasoft
2009-10-11 16:26:02 ----DC---- C:\Windows\system32\DRVSTORE
2009-10-10 16:10:56 ----D---- C:\Windows\ERDNT
2009-10-10 15:32:58 ----A---- C:\Windows\system.ini
2009-10-10 15:26:07 ----D---- C:\Windows\AppPatch
2009-10-10 07:35:35 ----D---- C:\Program Files\lx_cats
2009-10-02 14:01:57 ----A---- C:\Windows\system32\mrt.exe
2009-10-01 07:29:19 ----D---- C:\Program Files\Xvid
2009-09-27 08:03:40 ----A---- C:\Windows\system32\deploytk.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2004-03-16 13059]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]
R3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
R3 CAMCAUD;Conexant AMC Audio; C:\Windows\system32\drivers\camc6aud.sys [2005-04-20 38016]
R3 CAMCHALA;CAMCHALA; C:\Windows\system32\drivers\camc6hal.sys [2005-04-20 350080]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSF_DPV.sys [2004-12-14 1038208]
R3 HSFHWATI;HSFHWATI; C:\Windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-09-16 34248]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-01-25 2387456]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-19 88576]
R3 tifm21;tifm21; C:\Windows\system32\drivers\tifm21.sys [2005-06-23 162176]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S2 adfs;adfs; C:\Windows\system32\drivers\adfs.sys []
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\Windows\system32\drivers\RTKVAC.SYS [2009-02-01 4137312]
S3 APLMp50;APLMp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\APLMp50.sys [2006-11-29 28224]
S3 athrusb;Atheros Wireless LAN USB device driver; C:\Windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
S3 BthEnum;Bluetooth Request Block Driver; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-01-31 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-01-31 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-01-31 29184]
S3 catchme;catchme; \??\C:\Users\Baylus\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\Windows\system32\227E.tmp []
S3 motmodem;Motorola USB CDC ACM Driver; C:\Windows\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [2007-06-02 8192]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-19 49664]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-19 73088]
S3 usbbus;LGE Mobile Composite USB Device; C:\Windows\system32\DRIVERS\lgusbbus.sys [2005-05-26 21344]
S3 UsbDiag;LGE Mobile USB Serial Port; C:\Windows\system32\DRIVERS\lgusbdiag.sys [2005-05-26 38144]
S3 USBModem;LGE Mobile USB Modem; C:\Windows\system32\DRIVERS\lgusbmodem.sys [2005-06-24 39036]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-01-25 561152]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 lxcr_device;lxcr_device; C:\Windows\system32\lxcrcoms.exe [2006-12-11 537520]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-10 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-09-15 894136]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
S2 0005861256131550mcinstcleanup;McAfee Application Installer Cleanup (0005861256131550); C:\Windows\TEMP\000586~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S2 gupdate1c9fabb4a7b7ea;Google Update Service (gupdate1c9fabb4a7b7ea); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-01 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-01 190448]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-05-23 655624]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S4 TlntSvr;@%SystemRoot%\system32\tlntsvr.exe,-119; C:\Windows\System32\tlntsvr.exe [2008-01-19 75776]

-----------------EOF-----------------



Thanks!!

Gene
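As an added example (not part of Gene's post, and not code from RSIT or from the tools named in the log), the parser below reads the driver/service and policy sections in the format shown above and flags what a responder would check first: images that live under a Temp directory, images with a .tmp extension, entries for which RSIT recorded no size or timestamp (the file was not on disk when the log was taken), and EnableLUA=0, which means UAC is switched off on this Vista box. The sample lines are copied from the log above and the heuristics are my own assumptions, so a flag is a prompt to look rather than a verdict: catchme.sys is the GMER driver that ComboFix drops and MEMSWEEP2 is the service Sophos Anti-Rootkit registers, so both are expected residue of the cleanup rather than evidence of infection.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied in the RSIT driver/service format
# used by the log above (deliberately not the whole log).
SAMPLE = r"""R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-09-16 214664]
S2 adfs;adfs; C:\Windows\system32\drivers\adfs.sys []
S3 catchme;catchme; \??\C:\Users\Baylus\AppData\Local\Temp\catchme.sys []
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\Windows\system32\227E.tmp []
S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [2007-06-02 8192]
S2 0005861256131550mcinstcleanup;McAfee Application Installer Cleanup (0005861256131550); C:\Windows\TEMP\000586~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S4 TlntSvr;@%SystemRoot%\system32\tlntsvr.exe,-119; C:\Windows\System32\tlntsvr.exe [2008-01-19 75776]
"""

# Constructed sample of the policy block, as RSIT prints it.
POLICY_SAMPLE = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=1
"""

# One RSIT driver/service line: "<R|S><start> <name>;<display>; <image> [<date size>]"
LINE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*); '
    r'(?P<image>.*) \[(?P<meta>[^\]]*)\]$'
)
# First token that looks like a binary; anything after it is command-line args.
IMAGE_RE = re.compile(r'(.*?\.(?:sys|exe|dll|tmp))(?:\s|$)', re.IGNORECASE)


@dataclass
class Entry:
    state: str   # R = running, S = stopped
    start: int   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    image: str   # path with the \??\ object-manager prefix stripped
    meta: str    # "YYYY-MM-DD size", or "" when RSIT found no file


def parse_rsit(text):
    """Parse every driver/service line in the text; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m['image']
        if raw.startswith('\\??\\'):
            raw = raw[4:]
        im = IMAGE_RE.match(raw)
        image = im.group(1) if im else raw
        entries.append(Entry(m['state'], int(m['start']), m['name'], image, m['meta']))
    return entries


def triage(entry):
    """Reasons (assumed heuristics) an entry deserves a closer look; [] = nothing odd."""
    reasons = []
    p = entry.image.lower()
    if '\\temp\\' in p:
        reasons.append('image lives in a Temp directory')
    if p.endswith('.tmp'):
        reasons.append('image has a .tmp extension')
    if not entry.meta:
        reasons.append('no size/timestamp recorded (file not on disk at scan time)')
    return reasons


def triage_all(text):
    """Map service/driver name -> reasons, for flagged entries only."""
    return {e.name: triage(e) for e in parse_rsit(text) if triage(e)}


# Policy values that weaken the machine (assumed list; extend as needed).
WEAK_POLICIES = {
    'EnableLUA': ('0', 'UAC disabled'),
}


def check_policies(text):
    """Flag weak values in the RSIT policy dump."""
    found = []
    for m in re.finditer(r'^"(?P<k>[^"]+)"=(?P<v>.*)$', text, re.MULTILINE):
        weak = WEAK_POLICIES.get(m['k'])
        if weak and m['v'].strip() == weak[0]:
            found.append(f"{m['k']}={m['v']} ({weak[1]})")
    return found


if __name__ == '__main__':
    for name, why in triage_all(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
    for finding in check_policies(POLICY_SAMPLE):
        print('policy:', finding)
```

Run against the full log, the same three heuristics pick out adfs, catchme, MEMSWEEP2 and the McAfee installer-cleanup service, and the policy check reports EnableLUA=0; the 0005861256131550mcinstcleanup entry is a McAfee installer leftover that points at a file already gone from C:\Windows\TEMP, so it is clutter rather than a threat, but it is exactly the kind of entry a responder should confirm by hand.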

#14 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 24 October 2009 - 06:32 AM

Hi,

Looks good :(. Still any problems with your system?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#15 esbaylus

  • Topic Starter
  • Members
  • 31 posts

Posted 24 October 2009 - 07:14 AM

I THINK things are ok. You always look for quirkiness. Firefox will occasionally suddenly close, occasionally difficult to resume, but otherwise I THINK I'm good!


Thanks for the help!

Gene



