
My RSIT Log


19 replies to this topic

#1 irmac4rfd

  • Members
  • 11 posts

Posted 10 November 2009 - 12:57 AM

Pasting in information from another post. ~ OB

Hi everyone -- I'm new to any type of computer forum, so please bear with me. My computer runs on Windows XP and (at one point, thinking the problem could be an IE issue, I installed) IE8 (IE7 prior). Please let me know if any other pertinent info is needed.

It all started with "Windows" Police Pro popping up about a month ago. Thought I had gotten rid of the virus(es?), as everything seemed to be working ok. Then a few days later, upon search with any search engine, it started redirecting to unrelated websites. Next thing I know, I discover that all my security software was being disabled.

I've run a full McAfee scan, Microsoft OneCare, AdAware, Malwarebytes, STOPzilla, and just today resorted to HijackThis. With Malwarebytes, when attempting removal of the detected items, the computer freezes (but looking in the log, items show either Quarantined or Removed). Some items that have been detected on my computer are:

Trojan.Vundo
Trojan.Buzus
Trojan.Banker
Rootkit.TDSS
Virantix.B
gasfkybudnbegv.dat
gasfkyojunkdwo.dat
Hijack.sound
wuasirvy.dll

End of added information. ~ OB

Tried to follow the Prep Guide but was UNABLE to get DDS to run. garmanma suggested downloading RSIT and posting log, which is as follows:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Connie Edwards at 2009-11-10 00:29:33
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 51 GB (67%) free of 76 GB
Total RAM: 511 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:35 AM, on 11/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Connie Edwards\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Connie Edwards.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.myidentitydefender.com/smallsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Connie Edwards\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Connie Edwards\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [Nhijayis] rundll32.exe "C:\WINDOWS\axirigafey.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\Connie Edwards\Application Data\Macromedia\Common\4297002619.exe
O4 - HKUS\S-1-5-21-3660946461-1434109735-2322020850-1003\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.malwarebytes.org
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...776/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O24 - Desktop Component 0: (no name) - https://www.vawc.virginia.gov/images/logo.gif

--
End of file - 8560 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{17840EE9-D359-47C2-896C-EAABF7F307EF}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
MyIdentityDefender - C:\Documents and Settings\Connie Edwards\Local Settings\Application Data\CyberDefender\cdmyidd.dll [2009-09-14 3962184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - MyIdentityDefender - C:\Documents and Settings\Connie Edwards\Local Settings\Application Data\CyberDefender\cdmyidd.dll [2009-09-14 3962184]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]
{8E718888-423F-11D2-876E-00A0C9082467}
SITEguard

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-08-20 155648]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-08-20 118784]
"srmclean"=C:\Cpqs\Scom\srmclean.exe [2001-07-24 36864]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-07-04 212992]
"IntelliType"=C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [2002-03-21 94208]
"WCOLOREAL"=C:\Program Files\COMPAQ\Coloreal\coloreal.exe [2002-02-20 143360]
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2003-09-13 50688]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2004-12-18 278528]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"MP10_EnsureFileVer"=C:\WINDOWS\inf\unregmp2.exe [2008-04-13 208896]
"Nhijayis"=C:\WINDOWS\axirigafey.dll [2008-04-13 173056]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"WAB"=C:\Documents and Settings\Connie Edwards\Application Data\Macromedia\Common\4297002619.exe [2009-11-10 16384]
"rundll32.exe"= []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-08-20 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
scecli
scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN\MSNCoreFiles\msn.exe"="C:\Program Files\MSN\MSNCoreFiles\msn.exe:*:Enabled:msn"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\DigitalFusion\Beach Head - Desert War\BH2Game\BH2.exe"="C:\Program Files\DigitalFusion\Beach Head - Desert War\BH2Game\BH2.exe:*:Enabled:BH2"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Activision Value\Apache AH-64 Air Assault\Apache.exe"="C:\Program Files\Activision Value\Apache AH-64 Air Assault\Apache.exe:*:Enabled:Apache"
"C:\Program Files\3DO\Army Men RTS\amrts.exe"="C:\Program Files\3DO\Army Men RTS\amrts.exe:*:Enabled:Army Men RTS"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"X:\Codemasters\Insane\Game.exe"="X:\Codemasters\Insane\Game.exe:*:Disabled:Game.exe"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:enable"
"C:\Program Files\CyberDefender\AntiSpyware\cdas78.exe"="C:\Program Files\CyberDefender\AntiSpyware\cdas78.exe:*:Enabled:CyberDefender Internet Security"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2009-11-10 00:11:47 ----D---- C:\rsit
2009-11-09 13:30:41 ----D---- C:\Program Files\NOS
2009-11-09 13:30:41 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-11-08 22:32:42 ----D---- C:\GameHouse Games
2009-11-08 16:09:04 ----D---- C:\Program Files\Trend Micro
2009-11-08 12:13:45 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\blg
2009-11-08 12:13:45 ----D---- C:\Documents and Settings\All Users\Application Data\blg
2009-11-08 11:50:43 ----SHD---- C:\Config.Msi
2009-11-07 23:01:53 ----D---- C:\Documents and Settings\All Users\Application Data\SITEguard
2009-11-07 22:59:47 ----D---- C:\Program Files\Common Files\iS3
2009-11-07 22:59:27 ----D---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-11-07 22:00:00 ----D---- C:\Qoobox
2009-11-06 22:32:50 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Lazy Turtle Games
2009-11-04 20:54:53 ----A---- C:\WINDOWS\rasqervy.dll
2009-11-04 20:54:45 ----A---- C:\WINDOWS\sdfinacs.dll
2009-11-04 09:08:23 ----A---- C:\WINDOWS\sdfixwcs.dll
2009-11-04 00:41:05 ----A---- C:\WINDOWS\Ransom.INI
2009-11-03 08:58:43 ----A---- C:\WINDOWS\wuasirvy.dll
2009-11-01 16:09:19 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\RobinsonCrusoeOM
2009-11-01 14:23:26 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Dekovir
2009-10-29 21:26:44 ----D---- C:\Documents and Settings\All Users\Application Data\Astar Games
2009-10-29 20:18:49 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\SpinTop Games
2009-10-28 21:50:25 ----D---- C:\Documents and Settings\All Users\Application Data\AdventureChronicles1
2009-10-27 22:55:39 ----D---- C:\Documents and Settings\All Users\Application Data\Gogii
2009-10-24 21:03:38 ----D---- C:\WINDOWS\ie8updates
2009-10-24 21:01:01 ----HDC---- C:\WINDOWS\ie8
2009-10-24 01:11:53 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Awem
2009-10-23 23:39:09 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Merscom
2009-10-23 23:39:09 ----D---- C:\Documents and Settings\All Users\Application Data\Merscom
2009-10-23 23:15:46 ----A---- C:\WINDOWS\Game.INI
2009-10-23 21:57:32 ----D---- C:\Documents and Settings\All Users\Application Data\Trymedia
2009-10-21 21:43:34 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\TitanicMystery
2009-10-21 08:40:40 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-10-21 08:37:14 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-10-21 08:32:38 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-10-21 08:31:13 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-10-20 17:49:55 ----D---- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2009-10-20 17:43:22 ----D---- C:\Program Files\Common Files\McAfee
2009-10-20 17:43:18 ----D---- C:\Program Files\McAfee.com
2009-10-20 16:49:33 ----D---- C:\WINDOWS\Prefetch
2009-10-20 16:46:55 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-20 16:46:48 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-20 16:46:40 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-20 16:46:32 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-20 16:46:25 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-10-20 16:46:16 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-10-20 16:46:07 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-10-20 16:46:00 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-10-20 16:45:47 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-10-20 16:45:39 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-10-20 16:45:31 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-10-20 16:45:21 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-20 16:45:12 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-10-20 16:45:02 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-20 16:44:53 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-10-20 16:44:44 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-10-20 16:44:33 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-10-20 16:44:22 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-10-20 16:44:15 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-10-20 16:44:06 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-10-20 16:43:59 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-10-20 16:43:52 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-10-20 16:43:41 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-10-20 16:43:33 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-10-20 16:43:26 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-10-20 16:43:17 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-10-20 16:43:10 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-10-20 16:43:03 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-10-20 16:42:54 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-10-20 16:42:47 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2009-10-20 16:42:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-10-20 16:42:31 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-10-20 16:42:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-10-20 16:42:07 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-10-20 16:41:55 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-10-20 16:41:46 ----HDC---- C:\WINDOWS\$NtUninstallKB974112_1$
2009-10-20 16:41:40 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-10-20 16:41:33 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-10-20 16:41:24 ----HDC---- C:\WINDOWS\$NtUninstallKB953155$
2009-10-20 16:41:17 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-10-20 16:41:09 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-10-20 16:41:00 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-10-20 16:40:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-10-20 16:40:45 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-10-20 16:40:38 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-10-20 16:40:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-10-20 16:40:22 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-10-20 16:40:15 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-10-20 16:40:08 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-10-20 16:40:00 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-10-20 16:39:52 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-10-20 16:39:44 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-10-20 16:24:26 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-10-20 16:01:50 ----D---- C:\Program Files\Windows Resource Kits
2009-10-20 14:46:16 ----A---- C:\WINDOWS\system32\qmgr.dll
2009-10-20 14:46:10 ----A---- C:\WINDOWS\system32\xpsp2res.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\nslookup.exe
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\msv1_0.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\msgsvc.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\mgmtapi.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\locator.exe
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\localspl.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\lmhsvc.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\kernel32.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\imagehlp.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\ftp.exe
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\format.com
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\dhcpcsvc.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\csrsrv.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\comdlg32.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\comctl32.dll
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\cmd.exe
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\cacls.exe
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\autoconv.exe
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\autochk.exe
2009-10-20 14:44:52 ----A---- C:\WINDOWS\system32\advapi32.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\rasauto.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\rasapi32.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\printui.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\perfctrs.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\olecnv32.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\oleaut32.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\nwprovau.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\ntvdm.exe
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\ntprint.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\ntlsapi.dll
2009-10-20 14:44:51 ----A---- C:\WINDOWS\system32\ntdll.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\tcpmonui.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\syssetup.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\srvsvc.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\smss.exe
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\setupapi.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\sessmgr.exe
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\services.exe
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\schannel.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\scardsvr.exe
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\savedump.exe
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\samsrv.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\samlib.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\rshx32.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\rastapi.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\rasman.dll
2009-10-20 14:44:50 ----A---- C:\WINDOWS\system32\rasdlg.dll
2009-10-20 14:44:49 ----A---- C:\WINDOWS\system32\wkssvc.dll
2009-10-20 14:44:49 ----A---- C:\WINDOWS\system32\win32spl.dll
2009-10-20 14:44:49 ----A---- C:\WINDOWS\system32\userinit.exe
2009-10-20 14:44:49 ----A---- C:\WINDOWS\system32\untfs.dll
2009-10-20 14:44:49 ----A---- C:\WINDOWS\system32\ulib.dll
2009-10-20 14:44:46 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
2009-10-20 14:44:46 ----A---- C:\WINDOWS\system32\HAL.DLL
2009-10-20 14:44:45 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
2009-10-20 13:28:59 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\MissTeriTale3
2009-10-20 00:47:44 ----A---- C:\WINDOWS\system32\_004485_.tmp.dll
2009-10-20 00:47:38 ----A---- C:\WINDOWS\system32\_004484_.tmp.dll
2009-10-20 00:46:22 ----A---- C:\WINDOWS\system32\_004482_.tmp.dll
2009-10-20 00:46:22 ----A---- C:\WINDOWS\system32\_004477_.tmp.dll
2009-10-20 00:46:22 ----A---- C:\WINDOWS\system32\_004476_.tmp.dll
2009-10-20 00:46:22 ----A---- C:\WINDOWS\system32\_004475_.tmp.dll
2009-10-20 00:46:22 ----A---- C:\WINDOWS\system32\_004474_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004473_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004470_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004469_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004468_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004467_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004465_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004462_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004460_.tmp.dll
2009-10-20 00:46:21 ----A---- C:\WINDOWS\system32\_004459_.tmp.dll
2009-10-20 00:46:20 ----A---- C:\WINDOWS\system32\_004455_.tmp.dll
2009-10-20 00:46:20 ----A---- C:\WINDOWS\system32\_004454_.tmp.dll
2009-10-20 00:46:20 ----A---- C:\WINDOWS\system32\_004452_.tmp.dll
2009-10-20 00:46:20 ----A---- C:\WINDOWS\system32\_004449_.tmp.dll
2009-10-20 00:46:20 ----A---- C:\WINDOWS\system32\_004446_.tmp.dll
2009-10-20 00:46:20 ----A---- C:\WINDOWS\system32\_004445_.tmp.dll
2009-10-20 00:46:20 ----A---- C:\WINDOWS\system32\_004444_.tmp.dll
2009-10-20 00:46:20 ----A---- C:\WINDOWS\system32\_004437_.tmp.dll
2009-10-20 00:46:19 ----A---- C:\WINDOWS\system32\_004432_.tmp.dll
2009-10-20 00:46:19 ----A---- C:\WINDOWS\system32\_004427_.tmp.dll
2009-10-20 00:46:19 ----A---- C:\WINDOWS\system32\_004424_.tmp.dll
2009-10-20 00:46:19 ----A---- C:\WINDOWS\system32\_004422_.tmp.dll
2009-10-20 00:46:19 ----A---- C:\WINDOWS\system32\_004419_.tmp.dll
2009-10-20 00:46:19 ----A---- C:\WINDOWS\system32\_004413_.tmp.dll
2009-10-20 00:46:18 ----A---- C:\WINDOWS\system32\_004360_.tmp.dll
2009-10-20 00:46:18 ----A---- C:\WINDOWS\system32\_004355_.tmp.dll
2009-10-20 00:46:18 ----A---- C:\WINDOWS\system32\_004345_.tmp.dll
2009-10-20 00:46:18 ----A---- C:\WINDOWS\system32\_004342_.tmp.dll
2009-10-20 00:22:37 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-10-19 13:25:00 ----D---- C:\WINDOWS\McAfee.com
2009-10-19 01:26:32 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-10-19 00:02:22 ----HDC---- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-18 20:46:30 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Shape games
2009-10-17 23:55:44 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\casanova
2009-10-17 00:20:04 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Malwarebytes
2009-10-17 00:19:51 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-17 00:19:51 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-16 01:31:42 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-16 01:31:35 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-16 01:29:49 ----A---- C:\WINDOWS\system32\MRT.exe
2009-10-16 01:29:40 ----HDC---- C:\WINDOWS\$NtUninstallKB969059_0$
2009-10-16 01:28:57 ----HDC---- C:\WINDOWS\$NtUninstallKB974112_0$
2009-10-16 01:28:49 ----HDC---- C:\WINDOWS\$NtUninstallKB975025_0$
2009-10-16 01:28:03 ----HDC---- C:\WINDOWS\$NtUninstallKB975467_0$
2009-10-15 08:38:30 ----HDC---- C:\WINDOWS\$NtUninstallKB974571_0$
2009-10-15 08:36:57 ----HDC---- C:\WINDOWS\$NtUninstallKB971486_0$
2009-10-15 08:35:40 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-10-13 14:42:20 ----A---- C:\WINDOWS\system32\_004451_.tmp.dll
2009-10-13 14:42:15 ----A---- C:\WINDOWS\system32\_004450_.tmp.dll
2009-10-13 14:40:59 ----A---- C:\WINDOWS\system32\_004448_.tmp.dll
2009-10-13 14:40:59 ----A---- C:\WINDOWS\system32\_004443_.tmp.dll
2009-10-13 14:40:59 ----A---- C:\WINDOWS\system32\_004442_.tmp.dll
2009-10-13 14:40:59 ----A---- C:\WINDOWS\system32\_004441_.tmp.dll
2009-10-13 14:40:59 ----A---- C:\WINDOWS\system32\_004440_.tmp.dll
2009-10-13 14:40:59 ----A---- C:\WINDOWS\system32\_004439_.tmp.dll
2009-10-13 14:40:59 ----A---- C:\WINDOWS\system32\_004436_.tmp.dll
2009-10-13 14:40:58 ----A---- C:\WINDOWS\system32\_004435_.tmp.dll
2009-10-13 14:40:58 ----A---- C:\WINDOWS\system32\_004434_.tmp.dll
2009-10-13 14:40:58 ----A---- C:\WINDOWS\system32\_004433_.tmp.dll
2009-10-13 14:40:58 ----A---- C:\WINDOWS\system32\_004431_.tmp.dll
2009-10-13 14:40:58 ----A---- C:\WINDOWS\system32\_004428_.tmp.dll
2009-10-13 14:40:58 ----A---- C:\WINDOWS\system32\_004426_.tmp.dll
2009-10-13 14:40:58 ----A---- C:\WINDOWS\system32\_004425_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004421_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004420_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004416_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004414_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004412_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004411_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004405_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004399_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004397_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004391_.tmp.dll
2009-10-13 14:40:57 ----A---- C:\WINDOWS\system32\_004390_.tmp.dll
2009-10-13 14:40:56 ----A---- C:\WINDOWS\system32\_004386_.tmp.dll
2009-10-13 14:40:56 ----A---- C:\WINDOWS\system32\_004383_.tmp.dll
2009-10-13 14:40:56 ----A---- C:\WINDOWS\system32\_004380_.tmp.dll
2009-10-13 14:40:55 ----A---- C:\WINDOWS\system32\_004341_.tmp.dll
2009-10-13 14:40:55 ----A---- C:\WINDOWS\system32\_004338_.tmp.dll
2009-10-13 14:40:55 ----A---- C:\WINDOWS\system32\_004333_.tmp.dll
2009-10-13 14:40:55 ----A---- C:\WINDOWS\system32\_004332_.tmp.dll
2009-10-12 22:04:07 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Ph03nixNewMedia
2009-10-12 00:32:42 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\RobinsonCrusoe

======List of files/folders modified in the last 1 months======

2009-11-10 00:29:35 ----D---- C:\WINDOWS\Temp
2009-11-09 21:59:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-09 13:31:08 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-09 13:30:41 ----AD---- C:\Program Files
2009-11-08 23:36:24 ----D---- C:\Program Files\RealArcade
2009-11-08 20:19:54 ----D---- C:\WINDOWS
2009-11-08 13:28:13 ----D---- C:\WINDOWS\system32\wbem
2009-11-08 13:14:30 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2009-11-08 13:14:21 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-11-08 12:13:51 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-08 11:56:23 ----SHD---- C:\WINDOWS\Installer
2009-11-08 11:55:52 ----D---- C:\WINDOWS\system32\drivers
2009-11-08 11:55:52 ----D---- C:\WINDOWS\system32
2009-11-08 11:24:07 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem #2.txt
2009-11-07 23:25:51 ----D---- C:\WINDOWS\Minidump
2009-11-07 23:00:02 ----D---- C:\WINDOWS\WinSxS
2009-11-07 22:59:47 ----AD---- C:\Program Files\Common Files
2009-11-07 17:29:48 ----D---- C:\Program Files\Windows Live Safety Center
2009-11-07 14:23:30 ----HD---- C:\WINDOWS\inf
2009-11-05 23:42:33 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-11-05 16:15:39 ----SD---- C:\WINDOWS\Tasks
2009-11-04 21:48:00 ----D---- C:\Temp
2009-11-04 21:26:33 ----D---- C:\Program Files\Yahoo!
2009-11-04 09:34:27 ----A---- C:\WINDOWS\imsins.BAK
2009-11-04 09:33:45 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-04 09:30:25 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-03 21:35:22 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\PlayFirst
2009-11-03 21:35:22 ----D---- C:\Documents and Settings\All Users\Application Data\PlayFirst
2009-11-03 08:26:44 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Macromedia
2009-11-03 02:25:53 ----D---- C:\WINDOWS\Help
2009-11-01 18:44:32 ----A---- C:\WINDOWS\win.ini
2009-11-01 16:26:28 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\funkitron
2009-11-01 08:30:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-31 21:27:38 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\HdO Adventure
2009-10-31 12:41:01 ----D---- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2009-10-31 12:26:47 ----D---- C:\Program Files\iTunes
2009-10-27 21:19:05 ----D---- C:\Documents and Settings\All Users\Application Data\Oberon Media
2009-10-25 02:11:59 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Big Fish Games
2009-10-24 21:07:26 ----D---- C:\WINDOWS\system32\en-US
2009-10-24 21:07:25 ----D---- C:\WINDOWS\Media
2009-10-24 21:07:25 ----D---- C:\Program Files\Internet Explorer
2009-10-22 08:01:30 ----D---- C:\Program Files\McAfee
2009-10-22 04:19:04 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-10-21 08:34:12 ----D---- C:\WINDOWS\system32\CatRoot
2009-10-20 17:50:35 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-10-20 16:50:40 ----AC---- C:\WINDOWS\OEWABLog.txt
2009-10-20 16:49:51 ----AC---- C:\WINDOWS\setuplog.txt
2009-10-20 16:48:55 ----D---- C:\WINDOWS\system32\Setup
2009-10-20 16:48:55 ----D---- C:\WINDOWS\AppPatch
2009-10-20 16:48:54 ----RSD---- C:\WINDOWS\Fonts
2009-10-20 16:46:02 ----D---- C:\Program Files\Outlook Express
2009-10-20 16:45:18 ----D---- C:\WINDOWS\security
2009-10-20 16:40:01 ----D---- C:\Program Files\Messenger
2009-10-20 16:33:28 ----D---- C:\Program Files\Windows Media Player
2009-10-20 16:33:20 ----D---- C:\WINDOWS\network diagnostic
2009-10-20 16:33:20 ----D---- C:\WINDOWS\ime
2009-10-20 16:33:09 ----D---- C:\WINDOWS\system32\usmt
2009-10-20 16:33:08 ----D---- C:\WINDOWS\system32\scripting
2009-10-20 16:33:07 ----D---- C:\WINDOWS\l2schemas
2009-10-20 16:33:05 ----D---- C:\WINDOWS\system32\en
2009-10-20 16:33:05 ----D---- C:\WINDOWS\system32\bits
2009-10-20 16:33:05 ----D---- C:\WINDOWS\peernet
2009-10-20 16:33:05 ----D---- C:\Program Files\Movie Maker
2009-10-20 16:30:43 ----D---- C:\WINDOWS\ServicePackFiles
2009-10-20 16:30:35 ----D---- C:\WINDOWS\system32\Restore
2009-10-20 16:30:35 ----D---- C:\WINDOWS\system32\npp
2009-10-20 16:30:35 ----D---- C:\WINDOWS\msagent
2009-10-20 16:30:34 ----D---- C:\WINDOWS\srchasst
2009-10-20 16:30:33 ----D---- C:\Program Files\NetMeeting
2009-10-20 16:30:32 ----D---- C:\WINDOWS\system32\Com
2009-10-20 16:30:30 ----D---- C:\Program Files\Windows NT
2009-10-20 16:30:27 ----D---- C:\Program Files\Common Files\System
2009-10-20 16:30:10 ----AD---- C:\WINDOWS\system32\oobe
2009-10-20 16:30:09 ----D---- C:\WINDOWS\system
2009-10-20 16:27:08 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-10-20 16:24:21 ----D---- C:\WINDOWS\ehome
2009-10-20 12:56:21 ----D---- C:\Documents and Settings\All Users\Application Data\Visual Networks
2009-10-20 00:17:20 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-10-19 20:55:27 ----D---- C:\My Music
2009-10-19 01:26:29 ----D---- C:\Program Files\AWS
2009-10-19 00:04:14 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-10-19 00:01:40 ----D---- C:\Program Files\Lavasoft
2009-10-19 00:01:40 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-10-18 22:56:49 ----AC---- C:\WINDOWS\orun32.ini
2009-10-17 01:31:45 ----SHD---- C:\RECYCLER
2009-10-14 21:54:25 ----D---- C:\Documents and Settings\Connie Edwards\Application Data\Flood Light Games
2009-10-14 21:54:25 ----D---- C:\Documents and Settings\All Users\Application Data\Flood Light Games
2009-10-13 14:49:01 ----D---- C:\Program Files\MSN

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2004-09-14 13872]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-08-20 737874]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
S1 krhffjjd;krhffjjd; \??\C:\WINDOWS\system32\drivers\krhffjjd.sys []
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS []
S3 CDAVFS;CDAVFS; C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2009-09-13 67424]
S3 eaps2kbd;Compaq Easy Access PS2 Internet Keyboard (Win2K); C:\WINDOWS\System32\DRIVERS\eaps2kbd.sys [2001-12-28 24035]
S3 hamachi_oem;PlayLinc Adapter; C:\WINDOWS\System32\DRIVERS\gan_adapter.sys [2006-09-27 10664]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 wandrv;WAN Network Driver; C:\WINDOWS\System32\DRIVERS\wandrv.sys [2001-08-10 22608]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-11-02 1179232]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-09 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-09-15 894136]
R3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2004-12-18 327680]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
S2 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 getPlusHelper;getPlus® Helper; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

Edited by Orange Blossom, 10 November 2009 - 06:37 PM.
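As an added example (not RSIT's code and not anything the helpers in this thread posted), here is a small Python triage pass over the driver/service lines of an RSIT log like the one above. It flags entries RSIT printed with an empty [] (no file to stat on disk), entries registered under a raw \??\ device path, and boot/system-start drivers with no inspectable file; the sample lines are copied from this log, and the scoring heuristic is my own, meant as a review prompt rather than a verdict.

```python
"""Triage helper for the driver/service lines of an RSIT log.

Added example, not RSIT's own code. Flags are review prompts, not verdicts:
leftovers from uninstalled software (AOL, Motive) trip them as well.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of one RSIT line: state letter, start type, name;display; path [date size]
#   R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# Sample input: lines copied from the RSIT log posted in this thread (not invented).
SAMPLE_LOG = r"""
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
S1 krhffjjd;krhffjjd; \??\C:\WINDOWS\system32\drivers\krhffjjd.sys []
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS []
S3 CDAVFS;CDAVFS; C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2009-09-13 67424]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
"""


@dataclass
class Entry:
    state: str                 # R = running, S = stopped
    start: str                 # 0..4, see START_TYPES
    name: str                  # service/driver key name
    display: str               # display name
    path: str                  # image path as recorded in the registry
    file_date: Optional[str]   # None when RSIT printed an empty []
    file_size: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one RSIT driver/service line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    file_date = meta[0] if meta else None
    file_size = int(meta[1]) if len(meta) > 1 and meta[1].isdigit() else None
    return Entry(m.group("state"), m.group("start"), m.group("name"),
                 m.group("display"), m.group("path"), file_date, file_size)


def parse_log(text: str) -> List[Entry]:
    """Parse every driver/service line in a block of RSIT output, skipping headers."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entry: Entry) -> List[str]:
    """Return the review reasons that apply to one entry (empty list = nothing notable)."""
    reasons = []
    if entry.file_date is None:
        reasons.append("RSIT could not read the file on disk (missing, or hidden from the scanner)")
    if entry.path.startswith("\\??\\"):
        reasons.append("registered with a raw NT device path (\\??\\) instead of a normal Win32 path")
    if entry.name == entry.display:
        reasons.append("display name is just the key name; no vendor description")
    if entry.start in ("0", "1") and entry.file_date is None:
        reasons.append("%s-start driver whose file cannot be inspected" % START_TYPES[entry.start])
    return reasons


def rank_entries(text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse a log and order entries by number of review reasons, most first (stable)."""
    scored = [(e, triage(e)) for e in parse_log(text)]
    scored.sort(key=lambda er: len(er[1]), reverse=True)
    return scored


if __name__ == "__main__":
    for entry, reasons in rank_entries(SAMPLE_LOG):
        if reasons:
            print("%s%s %-10s %s" % (entry.state, entry.start, entry.name, entry.path))
            for r in reasons:
                print("    -", r)
```

On this sample the system-start driver with no file and a \??\ path sorts to the top; the CyberDefender driver CDAVFS scores only one weak flag, which is why the output is a reading order, not a removal list.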




#2 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 16 November 2009 - 08:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 irmac4rfd

irmac4rfd
  • Topic Starter
  • Members
  • 11 posts

Posted 16 November 2009 - 01:33 PM

Dear pwgib,

Thanks for your response today, however, I don't think you saw the part in my post where I said, "Tried to follow the Prep Guide but was UNABLE to get DDS to run. garmanma suggested downloading RSIT and posting log, which is as follows . . . ."

Thanks for your help.

irmac4rfd

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 16 November 2009 - 11:10 PM

Hello irmac4rfd,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 irmac4rfd

irmac4rfd
  • Topic Starter
  • Members
  • 11 posts

Posted 22 November 2009 - 12:27 AM

Hi Syler,

Thanks for your message. I find this very strange . . . I tried downloading ComboFix and received an Error Copying File message - "Access is Denied", then a McAfee warning popped up saying it blocked and removed a Trojan (Artemis!5620411F53E9).

Obviously, I forgot to disable my AntiVirus and AntiSpyware applications before downloading ComboFix . . . but I find it rather strange that the ComboFix tutorial instructions were to disable these apps AFTER downloading ComboFix, and your instructions were to disable them BEFOREHAND.

As you could understand, I'm a little hesitant to go forward with disabling my AntiVirus and AntiSpyware apps before downloading ComboFix, so I would appreciate your explanation.

Thanks,
irmac

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 22 November 2009 - 07:51 AM

Hi,

In most cases disabling your AntiVirus after you have downloaded ComboFix is fine; the important thing is that it is disabled before running ComboFix. Although in your
case you will need to disable it before downloading ComboFix, this is fine.

but I find it rather strange that the ComboFix tutorial instructions were to disable these apps AFTER downloading ComboFix, and your instructions were to disable them BEFORE hand.


My instructions do say to disable your protection after downloading, not before.



#7 irmac4rfd

irmac4rfd
  • Topic Starter
  • Members
  • 11 posts

Posted 22 November 2009 - 04:12 PM

Syler -- Attached is my ComboFix log.

Thanks,
irmac


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 22 November 2009 - 08:05 PM

irmac,

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or Cyberdefender.

I would suggest that you uninstall Cyberdefender. I don't know much about this product, but a quick search on Google about it seems to bring up a lot of questions about whether you can trust it.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\LocalService\Application Data\Macromedia\Common\4297002619.exe
c:\windows\Jjavuronecek.bin
c:\windows\Uwobikum.dat
c:\documents and settings\Connie Edwards\Application Data\Macromedia\Common\4297002619.exe
c:\documents and settings\Connie Edwards\Application Data\Macromedia\Common\429700261.dll
c:\windows\wp4.dat
c:\windows\wp3.dat
c:\program files\Common Files\japudezax.pif
c:\program files\Common Files\yjiqe.bin
c:\program files\Common Files\uratixyvi.ban
c:\program files\Common Files\myvi._sy
c:\program files\Common Files\zynugobe.dat
c:\program files\Common Files\sydemane.dl
c:\program files\Common Files\hymuceruku._sy
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WAB"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=""
"wave1"=""
"aux2"=""
"mixer1"=""
"aux1"=""
"midi2"=""
"mixer2"=""
"wave2"=""
Driver::
krhffjjd

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#9 irmac4rfd

irmac4rfd
  • Topic Starter
  • Members
  • 11 posts

Posted 22 November 2009 - 08:13 PM

Hi Syler, Okay, will do. What I don't understand is, I thought I had uninstalled cyber defender even before asking for help from bleeping computer, when trying to straighten out the computer on my own. At least, I ran their uninstall program. It was only today that I noticed, when running ComboFix, that cyber defender was still installed!

Thanks for your help,

irmac

#10 irmac4rfd

irmac4rfd
  • Topic Starter
  • Members
  • 11 posts

Posted 22 November 2009 - 09:13 PM

Syler, as I said in my last post, I THOUGHT I had uninstalled Cyber Defender, but apparently not. Until today, when I received the msg while trying to run ComboFix that Cyber Defender was running, I had no idea it was still there. In fact, I know it was not listed in my programs. Now it's there, and the damn thing won't let me uninstall the program. It just hangs up and nothing happens.

I downloaded this program at the suggestion of an IT person @ my office. Go figure . . . .

How do you suggest I remove it once and for all?

Thanks,

irmac

#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 23 November 2009 - 08:16 AM

Ok, I thought it wouldn't remove easily from what I have read; we will take it out manually with ComboFix. Please run this new script.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::
SecCenter::
{205F01D8-D234-44F2-A720-4C3A6FCCD4E1}
Folder::
c:\program files\CyberDefender
c:\documents and settings\Connie Edwards\Local Settings\Application Data\CyberDefender
File::
c:\documents and settings\LocalService\Application Data\Macromedia\Common\4297002619.exe
c:\windows\Jjavuronecek.bin
c:\windows\Uwobikum.dat
c:\documents and settings\Connie Edwards\Application Data\Macromedia\Common\4297002619.exe
c:\documents and settings\Connie Edwards\Application Data\Macromedia\Common\429700261.dll
c:\windows\wp4.dat
c:\windows\wp3.dat
c:\program files\Common Files\japudezax.pif
c:\program files\Common Files\yjiqe.bin
c:\program files\Common Files\uratixyvi.ban
c:\program files\Common Files\myvi._sy
c:\program files\Common Files\zynugobe.dat
c:\program files\Common Files\sydemane.dl
c:\program files\Common Files\hymuceruku._sy
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\drivers\kgpfr2.cfg
c:\windows\system32\drivers\CDAVFS.sys
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WAB"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=""
"wave1"=""
"aux2"=""
"mixer1"=""
"aux1"=""
"midi2"=""
"mixer2"=""
"wave2"=""
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
[-HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
Driver::
krhffjjd
CDAVFS

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#12 irmac4rfd

irmac4rfd
  • Topic Starter
  • Members
  • 11 posts

Posted 27 November 2009 - 08:14 PM

Hi Syler,

Sorry it took me so long to get back to you. Yesterday was our Thanksgiving holiday . . . and I'm still recuperating, as is evident in the stupid thing I just did.

As per your last instructions, I copied & pasted the CODE into notepad and saved on desktop as "CFScript.txt", and when I started to drag CFScript.txt into ComboFix.exe, I discovered that the ComboFix icon was no longer on my desktop. And neither could I find the program anywhere on my computer.

Now comes the stupid part: I attempted to download ComboFix again and save it onto desktop, but instead of clicking on Save, I clicked on Run. I didn't want to interrupt the process, so I let it run...and run...and run, until it produced the attached log.

I then properly downloaded ComboFix to desktop and started to continue with your last instructions (to "drag CFScript.txt . . . .") but at this point, I am hesitant to run it again before consulting with you.

Hope I didn't screw up anything. Please advise.

Thanks,

irmac


#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 November 2009 - 07:31 AM

Hello irmac,

Hope you had a good Thanksgiving, please go ahead and run combofix with the cfscript.



#14 irmac4rfd

irmac4rfd
  • Topic Starter
  • Members
  • 11 posts

Posted 01 December 2009 - 01:01 AM

Hi Syler,

Sorry this took so long. Had trouble running ComboFix the other night ... was getting an error that said a ComboFix file or files were corrupt. Just got a chance tonight to search for and delete all files associated with CF that I could find on my computer, and then downloaded CF and saved it again. SO, after running CF w/ the CFScript, attached is my log.

Thanks!

irmac


#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 December 2009 - 12:30 PM

irmac,
  • Go to Start >> Run, and type Notepad into the run box, then click Ok.
  • Copy and paste the following code into Notepad. (Do not include the word "CODE")
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"=-
  • Click on the File tab, and select Save.
  • In the box that opens type Regfix.reg for the File name.
  • Change the Save as type to All Files, then save it to your Desktop. (It should look like this Posted Image)
  • Double click Regfix.reg, Select yes when it prompts you, then Ok.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please post back here with the following logs:
  • MBAM log
  • log.txt
  • info.txt
Thanks
