Desktop Security 2010


29 replies to this topic

#1 gierzak


  • Members
  • 15 posts

Posted 25 May 2010 - 12:14 AM

So I've been infected with the Desktop Security 2010 virus. I had it a few months ago on one of my login usernames, got rid of it due to help from here, and now it's back on 2 of my other usernames (my brother's and mom's sign-in names). I did the Malware removal scan and it wouldn't let me delete the files after the scan.

So I did the DDS scan and I have the two logs that were produced from that scan. I tried to do the GMER log but my computer froze during the process. Any help would be great. Thanks.

Here are my logs.

DDS

DDS (Ver_10-03-17.01) - NTFSx86
Run by Kathy at 21:20:21.84 on Mon 05/24/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1438 [GMT -7:00]

AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
c:\windows\system32\svchost -k dcomlaunch
svchost.exe
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe -k wudfservicegroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Kathy\LOCALS~1\Temp\wsdkrlxp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\DOCUME~1\Kathy\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\svchost.exe -k httpfilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Kathy\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/a/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100517184318.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.8.0\ViewBarBHO.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
uRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [wsdkrlxp.exe] c:\docume~1\kathy\locals~1\temp\wsdkrlxp.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: Compare Prices with &Dealio - c:\program files\dealio\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {00000162-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/B/B/0BB06A5C-8611-4840-86B3-54DDDD0344B9/wma9dmo.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} - hxxp://messenger.zone.msn.com/binary/Upwords.cab31267.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {32564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158636037250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab31267.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kathy\applic~1\mozilla\firefox\profiles\5vwowmw1.default\
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-20 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-22 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-22 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-22 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-22 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-20 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-20 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-22 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-22 88480]
S0 hiskwyrs;hiskwyrs;c:\windows\system32\drivers\mifpnif.sys --> c:\windows\system32\drivers\mifpnif.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S2 gupdate1c9de6a36ca70ca;Google Update Service (gupdate1c9de6a36ca70ca);c:\program files\google\update\GoogleUpdate.exe [2009-5-26 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-22 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-22 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-20 40552]

=============== Created Last 30 ================

2010-05-25 00:14:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 00:14:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 00:14:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 00:51:53 0 d-----w- c:\program files\common files\Software Update Utility
2010-05-11 00:51:43 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-05-11 00:51:37 0 d-----w- c:\program files\AIM7
2010-05-05 18:30:00 0 d-----w- c:\program files\Digital Protection
2010-05-04 03:49:23 574 ----a-w- C:\cleanup.bat
2010-05-04 03:49:23 135168 ----a-w- C:\zip.exe
2010-05-02 09:09:44 35840 ----a-w- c:\windows\system32\o.dat
2010-04-25 08:08:15 0 d-----w- c:\windows\system32\drivers\down

==================== Find3M ====================

2010-05-04 03:55:50 731136 ----a-w- c:\program files\avenger.exe
2010-05-02 15:55:14 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-04-28 00:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-28 00:16:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-28 00:16:24 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-28 00:16:24 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-28 00:16:24 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-28 00:16:24 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-28 00:16:24 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-28 00:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-28 00:16:24 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-28 00:16:24 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-21 17:52:53 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-16 01:59:55 958171 ----a-w- c:\program files\Uninst_Baseball Mogul 2011.log
2010-04-16 01:57:47 186930 ----a-w- c:\program files\Uninst_Baseball Mogul 2011.exe
2010-03-13 01:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-11-17 04:25:04 66936 --sha-w- c:\windows\slinfo_0.drv
2008-08-22 18:01:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 21:25:20.04 ===============


ATTACH

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/10/2005 8:44:29 PM
System Uptime: 5/24/2010 9:16:16 PM (0 hours ago)

Motherboard: Dell Inc. | | 0U7077
Processor: Intel® Pentium® 4 CPU 3.20GHz | Microprocessor | 3192/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 0.994 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10416D21&0&10F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10416D21&0&10F0
Service:

==== System Restore Points ===================

RP1826: 5/20/2010 9:56:22 PM - System Checkpoint

==== Installed Programs ======================

1310
1310_Help
1310Tour
1310Trb
Adobe Acrobat 4.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AIM 7
AiO_Scan
AIOMinimal
AiOSoftware
AnswerWorks 4.0 Runtime - English
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Baseball Mogul 2011
Battle.net
BitTorrent
Bonjour
Broadcom Gigabit Integrated Controller
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window MC 5 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CCleaner (remove only)
CDDRV_Installer
Comcast High-Speed Internet Install Wizard
Compatibility Pack for the 2007 Office system
Copy
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
Digital Protection
Director
DocProc
Download Updater (AOL LLC)
ESET Online Scanner
Fax
Google Earth
Google Earth Plug-in
Google Talk (remove only)
Google Update Helper
Heroes of Might and Magic V
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
HPSystemDiagnostics
InstantShare
iPod Agent
iPod for Windows 2005-02-07
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
KhalInstallWrapper
LG USB Modem driver
LimeWire 5.1.2
Logitech Registration
Logitech SetPoint
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee AntiVirus Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
MovieEdit Task
Mozilla Firefox (3.6.3)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MusicIP MyDJ Plug-in
overland
PhotoGallery
PhotoStitch
PrintScreen
QFolder
QuickProjects
QuickTime
RAW Image Task 2.1
Readme
Rhapsody Player Engine
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SkinsHP1
SkinsHP2
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
TrayApp
Unity Web Player
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VZAccess Manager for RIM
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
YOU DON'T KNOW JACK Volume 2

==== Event Viewer Messages From Past Week ========

5/24/2010 9:16:41 PM, error: Dhcp [1002] - The IP address lease 192.168.10.2 for the Network Card with network address 00111182671F has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
5/24/2010 9:06:10 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: hiskwyrs
5/24/2010 9:06:10 PM, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Workstation service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Audio service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Shell Hardware Detection service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/24/2010 8:53:32 PM, error: Service Control Manager [7000] - The Workstation service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/24/2010 8:53:32 PM, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/24/2010 8:53:32 PM, error: Service Control Manager [7000] - The Windows Audio service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/24/2010 8:53:32 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/24/2010 8:53:32 PM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/24/2010 8:53:32 PM, error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/20/2010 7:09:15 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
5/18/2010 11:59:22 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
5/18/2010 10:54:24 AM, error: DCOM [10001] - Unable to start a DCOM Server: {6DFC2D17-579D-4C1C-93B7-B05B7DCCD766} as /. The error: "%233" Happened while starting this command: "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" -Embedding

==== End Of File ===========================

Attached Files
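Two things in the "Event Viewer Messages" block above deserve attention before the next step: Service Control Manager event 7026 reports a boot-start driver named hiskwyrs that failed to load, a name with no vendor pattern to it, and seven services hit the 30-second start timeout in the same second on 5/24. Here is an added example, written for this page and not part of DDS or of the post, that parses DDS's event lines and surfaces exactly those points. The sample lines are copied from the log above; KNOWN_BOOT_DRIVERS is an assumed baseline standing in for the DRV section of a clean machine, and looks_random is a rough heuristic, not a verdict.

```python
"""Triage the 'Event Viewer Messages' block of a DDS log (added example)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_EVENTS = """\
5/24/2010 9:16:41 PM, error: Dhcp [1002] - The IP address lease 192.168.10.2 for the Network Card with network address 00111182671F has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
5/24/2010 9:06:10 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: hiskwyrs
5/24/2010 9:06:10 PM, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Workstation service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Audio service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Shell Hardware Detection service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.
5/24/2010 8:53:32 PM, error: Service Control Manager [7000] - The Workstation service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/18/2010 11:59:22 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
"""

# DDS prints one event per line: "<date time>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.+)$"
)
FAILED_DRIVERS_RE = re.compile(r"driver\(s\) failed to load: (?P<names>.+)$")
TIMEOUT_RE = re.compile(r"waiting for the (?P<svc>.+?) service to connect")
FAILED_SVC_RE = re.compile(r"^The (?P<svc>.+?) service failed to start")

SCM = "Service Control Manager"
# Assumed baseline of boot/system-start drivers expected on this machine; in
# practice build it from the DRV section of the same log or from a clean twin.
KNOWN_BOOT_DRIVERS = {"atapi", "iastor", "mfehidk", "mountmgr", "ftdisk", "mrxsmb", "omci"}


def looks_random(name: str) -> bool:
    """Heuristic only: a long all-letter name with almost no vowels is not how
    vendors name drivers. 'hiskwyrs' scores 1/8, 'mfehidk' 2/7."""
    n = name.lower()
    if len(n) < 7 or not n.isalpha():
        return False
    return sum(c in "aeiou" for c in n) / len(n) < 0.2


def parse_events(text: str) -> list[dict]:
    """Parse DDS event lines into dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def triage(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, rule, detail) triples in the order they were found."""
    findings = []
    timeouts = defaultdict(list)  # timestamp -> services that hit the 30 s limit
    for ev in parse_events(text):
        if ev["source"] != SCM:
            continue
        if ev["id"] == 7026:
            # A service key still asks for a driver the loader could not start.
            m = FAILED_DRIVERS_RE.search(ev["msg"])
            names = re.split(r"[\s,]+", m["names"].strip()) if m else []
            for name in names:
                if name.lower() in KNOWN_BOOT_DRIVERS:
                    severity = "info"
                elif looks_random(name):
                    severity = "high"
                else:
                    severity = "review"
                findings.append((severity, "boot-driver-missing", name))
        elif ev["id"] == 7009:
            m = TIMEOUT_RE.search(ev["msg"])
            if m:
                timeouts[ev["when"]].append(m["svc"])
        elif ev["id"] == 7000 and "cannot find the file" in ev["msg"]:
            # Service registered, binary gone: typical leftover of a removal.
            m = FAILED_SVC_RE.match(ev["msg"])
            findings.append(("review", "service-binary-missing", m["svc"] if m else ev["msg"]))
    # Many services timing out in the same second means the boot sequence was
    # stalled as a whole, which is worth correlating with the 7026 entries.
    for when, svcs in timeouts.items():
        if len(svcs) >= 3:
            findings.append(("medium", "mass-service-timeout", f"{when}: {len(svcs)} services"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{severity:7} {rule:24} {detail}")
```

Run as a script it prints three findings. The 7026 name is the one to cross-check against the driver list OTL produces in the next step: a name that appears in neither place belongs to a service key whose driver file is already gone.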


#2 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 26 May 2010 - 04:56 PM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

Since you're having issues with GMER, please try GMER in safe mode. If that doesn't work, try in safe mode, but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
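The OTL report requested above lists processes, modules, services, drivers and autostart entries, each with the file's timestamp, size, publisher and state. As an added example, not part of OTL or of anything posted in this thread, the Python below parses that format and pulls out what a responder reads first: binaries with no publisher, a doubled path separator, autostart entries whose file is gone, a DisableTaskMgr policy, Firefox proxy leftovers, an unrecognised default search engine and a Winlogon shell other than explorer.exe. The sample lines are copied from the OTL log posted later in this thread; KNOWN_SEARCH_ENGINES is an assumed allowlist.

```python
"""Triage the entries of an OTL log that a responder checks first (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines in OTL's format, copied from the log
# posted later in this thread. A real report has hundreds of such lines.
SAMPLE_OTL = r"""
PRC - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
MOD - [2007/12/18 00:28:42 | 000,011,552 | ---- | M] () -- C:\Program Files\SiteAdvisor\6253\saHook.dll
SRV - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
FF - prefs.js..browser.search.defaultenginename: "Yoog Search"
FF - prefs.js..network.proxy.http: ":0"
O2 - BHO: (Viewpoint Toolbar BHO) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll File not found
O4 - Startup: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\PowerReg Scheduler.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
"""

# One PRC/MOD/SRV/DRV line: KIND - [stamp | size | attrs | M] (Company) [state] -- path -- (name)
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[^|]+?) \| [MC]\] \((?P<company>[^)]*)\)(?: \[(?P<state>[^\]]*)\])? -- "
    r"(?P<path>.+?)(?: -- \((?P<name>[^)]+)\))?$"
)
FF_PREF_RE = re.compile(r'^FF - (?:prefs|user)\.js\.\.(?P<pref>[\w.]+): "(?P<value>.*)"$')
SHELL_RE = re.compile(r"^O20 - HKLM Winlogon: Shell - \((?P<value>[^)]*)\) - (?P<path>.+?) \(")

# Assumed allowlist; a real one comes from what the user actually chose.
KNOWN_SEARCH_ENGINES = {"Google", "Yahoo", "Bing", "AOL Search"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries a responder wants to see first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            # Vendor binaries carry a company name in their version resource;
            # an empty "()" means there is none, so the file needs a hash lookup.
            if not m["company"]:
                findings.append(Finding("no-publisher", f"{m['kind']} {m['path']}", line))
            # A doubled separator in an image path is not what installers write.
            if "\\\\" in m["path"]:
                findings.append(Finding("path-anomaly", m["path"], line))
            continue
        if line.endswith("File not found"):
            # The registry still points at a binary that is gone.
            path = line.removesuffix(" File not found").rsplit(" - ", 1)[-1]
            findings.append(Finding("orphaned-entry", path, line))
        if line.startswith("O4 - ") and line.endswith("()"):
            findings.append(Finding("no-publisher", "autostart item", line))
        if line.startswith("O6 - ") and line.endswith("DisableTaskMgr = 1"):
            # Rogue antivirus families disable Task Manager so they cannot be killed.
            findings.append(Finding("policy-tamper", "DisableTaskMgr", line))
        ff = FF_PREF_RE.match(line)
        if ff:
            pref, value = ff["pref"], ff["value"]
            if pref.startswith("network.proxy.") and value == ":0":
                findings.append(Finding("proxy-residue", pref, line))
            if pref in ("browser.search.defaultenginename", "browser.search.selectedEngine") \
                    and value not in KNOWN_SEARCH_ENGINES:
                findings.append(Finding("search-hijack", value, line))
        sh = SHELL_RE.match(line)
        if sh and sh["path"].lower().rsplit("\\", 1)[-1] != "explorer.exe":
            findings.append(Finding("winlogon-shell", sh["path"], line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule for a quick overview."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for f in found:
        print(f"{f.rule:16} {f.detail}")
    print(summarize(found))
```

Everything it flags is a lead, not a conviction: the empty publisher on mcshield.exe, for instance, is settled by hashing the file and checking the hash with the vendor, which is the same reason the custom scan above hashes the storage drivers between /md5start and /md5stop.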
 


#3 gierzak
  • Topic Starter
  • Members
  • 15 posts

Posted 28 May 2010 - 10:16 AM

Please don't close this topic, I haven't had much time to try to work on the computer. I'll be posting my logs tonight after I get off work. Thanks.

#4 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 28 May 2010 - 06:24 PM

OK, I'll keep this open for you.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 gierzak
  • Topic Starter
  • Members
  • 15 posts

Posted 29 May 2010 - 05:06 PM

I did the OTL scan. I've tried to do the GMER scan but it won't let me, and when I do it in safe mode it was scanning for over 14 hours and still wasn't finished. So here is the OTL log; I'll try the GMER again too.

OTL logfile created on: 6/13/2010 6:20:35 PM - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Jason\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 3069 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.43 Gb Total Space | 0.98 Gb Free Space | 1.37% Space Free | Partition Type: NTFS
Drive D: | 625.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KATHY-619DD36AC
Current User Name: Jason
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/13 17:50:27 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jason\Desktop\OTL.exe
PRC - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/04/19 13:54:07 | 003,972,440 | ---- | M] (AOL Inc.) -- C:\Program Files\AIM7\aim.exe
PRC - [2010/04/01 23:30:31 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/01 23:05:04 | 001,180,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/23 05:00:00 | 000,692,224 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2007/04/11 16:32:22 | 000,056,080 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
PRC - [2006/08/10 12:38:30 | 000,035,416 | ---- | M] (McAfee, Inc.) -- C:\Program Files\SiteAdvisor\6253\SiteAdv.exe


========== Modules (SafeList) ==========

MOD - [2010/06/13 17:50:27 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jason\Desktop\OTL.exe
MOD - [2009/07/12 02:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/07/12 02:09:20 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
MOD - [2008/04/13 17:11:50 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/12/18 00:28:42 | 000,011,552 | ---- | M] () -- C:\Program Files\SiteAdvisor\6253\saHook.dll
MOD - [2007/04/23 05:00:00 | 000,045,568 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/03/10 11:16:56 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2007/01/19 12:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2004/02/25 23:18:00 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\hpzipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/08/10 20:29:31 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/02/20 13:47:34 | 000,027,936 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2007/04/11 16:32:58 | 000,036,112 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/04/11 16:32:52 | 000,034,832 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/04/09 09:56:22 | 000,021,248 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2007/04/09 09:55:08 | 000,022,912 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2007/04/09 09:53:24 | 000,012,672 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2004/09/29 13:36:29 | 000,015,360 | RH-- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NetMotCM.sys -- (ndiscm)
DRV - [2004/09/17 11:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/25 14:28:46 | 000,787,456 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/12 07:11:50 | 000,467,200 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iastor)
DRV - [2004/04/29 19:55:42 | 000,186,112 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Local Page = http://www.google.com/


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1220945662-329068152-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1220945662-329068152-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1220945662-329068152-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?src=aim&ncid=snsusaimc00000001
IE - HKU\S-1-5-21-1220945662-329068152-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1220945662-329068152-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-1220945662-329068152-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yoog Search"
FF - prefs.js..browser.search.defaulturl: "http://www3.yoog.com/search.php?q="
FF - prefs.js..browser.search.selectedEngine: "Yoog Search"
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..keyword.URL: "http://www3.yoog.com/search.php?q="
FF - prefs.js..network.proxy.ftp: ":0"
FF - prefs.js..network.proxy.gopher: ":0"
FF - prefs.js..network.proxy.http: ":0"
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: ":0"
FF - prefs.js..network.proxy.ssl: ":0"

FF - user.js..browser.search.selectedEngine: "Yoog Search"
FF - user.js..keyword.URL: "http://www3.yoog.com/search.php?q="
FF - user.js..keyword.enabled: true
FF - user.js..browser.search.defaultenginename: "Yoog Search"
FF - user.js..browser.search.defaulturl: "http://www3.yoog.com/search.php?q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/12 00:11:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/10 17:51:37 | 000,000,000 | ---D | M]

[2009/03/12 15:02:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jason\Application Data\Mozilla\Extensions
[2009/03/12 15:02:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jason\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/06/12 22:51:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\extensions
[2010/04/13 07:32:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/30 11:07:18 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/05/10 17:51:43 | 000,001,490 | ---- | M] () -- C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\searchplugins\AOL Search.xml
[2008/04/17 15:55:38 | 000,001,000 | ---- | M] () -- C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\searchplugins\FireSearch.xml
[2009/01/06 12:11:15 | 000,000,246 | ---- | M] () -- C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\searchplugins\Yoog Search.xml
[2010/06/12 22:51:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/27 17:16:24 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/05/10 17:51:43 | 000,001,490 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\AOL Search.xml
[2010/02/02 00:21:04 | 000,003,803 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\MyHeritage.xml

O1 HOSTS File: ([2010/04/18 14:40:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll ()
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100517184318.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Viewpoint Toolbar BHO) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll File not found
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll ()
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-329068152-725345543-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-329068152-725345543-1006\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-329068152-725345543-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe (McAfee, Inc.)
O4 - HKU\S-1-5-21-1220945662-329068152-725345543-1006..\Run: [Aim] C:\Program Files\AIM7\aim.exe (AOL Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\PowerReg Scheduler.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1220945662-329068152-725345543-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1220945662-329068152-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1220945662-329068152-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1220945662-329068152-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll (Sun Microsystems, Inc.)
O9 - Extra Button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1220945662-329068152-725345543-1006\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {00000162-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/B...4B9/wma9dmo.cab (Reg Error: Key error.)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (Checkers Class)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/Facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} http://messenger.zone.msn.com/binary/Upwords.cab31267.cab (ZoneUpwords Object)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {32564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv8dmo.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1005.cab (MySpace Uploader Control)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1158636037250 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab (CBreakshotControl Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} http://messenger.zone.msn.com/binary/WoF.cab31267.cab (WheelofFortune Object)
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (Solitaire Showdown Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\siteadvisor {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll ()
O18 - Protocol\Filter\video/x-flv {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/06 14:04:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/04/11 16:15:11 | 000,323,584 | R--- | M] (Nival Interactive) - D:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2006/04/05 17:38:16 | 000,050,534 | R--- | M] () - D:\AutoRun.ico -- [ CDFS ]
O32 - AutoRun File - [2006/04/19 22:29:22 | 000,000,000 | R--D | M] - D:\Autorun -- [ CDFS ]
O32 - AutoRun File - [2003/03/14 12:03:15 | 000,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{148865fa-997c-11dc-a465-0014041323ea}\Shell - "" = AutoRun
O33 - MountPoints2\{148865fa-997c-11dc-a465-0014041323ea}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{148865fa-997c-11dc-a465-0014041323ea}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/12/14 07:26:25 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE - (Microsoft Corporation)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AppleSyncNotifier - hkey= - key= - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
MsConfig - StartUpReg: ATIPTA - hkey= - key= - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
MsConfig - StartUpReg: googletalk - hkey= - key= - C:\Program Files\Google\Google Talk\googletalk.exe (Google)
MsConfig - StartUpReg: HP Component Manager - hkey= - key= - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: Kernel and Hardware Abstraction Layer - hkey= - key= - C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: MsnMsgr - hkey= - key= - C:\Program Files\MSN Messenger\msnmsgr.exe (Microsoft Corporation)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: SoundMAXPnP - hkey= - key= - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corp.)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (67849024304054272)

========== Files/Folders - Created Within 90 Days ==========

[2010/06/13 17:50:27 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jason\Desktop\OTL.exe
[2010/05/24 21:17:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\PRAGMArciqxtirpr
[2010/05/24 17:14:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/24 17:14:10 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/19 15:58:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\Desktop\made showdown
[2010/05/05 11:19:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\PRAGMAxgqxdnnkbw
[2010/04/25 01:08:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\down
[2010/04/22 02:48:26 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/04/22 02:48:17 | 000,312,616 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/04/22 02:48:17 | 000,095,568 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2010/04/22 02:48:17 | 000,088,480 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/04/22 02:48:17 | 000,083,496 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/04/22 02:48:17 | 000,082,952 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/04/22 02:48:17 | 000,055,456 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/04/21 18:01:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\My Documents\My Games
[2010/04/21 10:52:53 | 000,098,304 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/04/19 20:19:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/15 18:58:15 | 000,186,930 | ---- | C] (Sports Mogul Inc.) -- C:\Program Files\Uninst_Baseball Mogul 2011.exe
[2010/04/15 17:25:02 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/15 17:25:02 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/15 17:25:02 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/15 17:25:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/15 17:24:07 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/14 22:47:15 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2005/03/10 22:39:57 | 000,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll

========== Files - Modified Within 90 Days ==========

[2010/06/13 17:50:27 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jason\Desktop\OTL.exe
[2010/06/13 17:43:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/13 17:43:04 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2010/06/13 17:43:01 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Jason\NTUSER.DAT
[2010/06/13 17:42:38 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/13 17:42:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/13 17:42:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/13 03:38:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/12 09:44:49 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Jason\ntuser.ini
[2010/05/25 10:45:56 | 000,041,258 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\Ana_Ivanovic.jpg
[2010/05/25 00:20:30 | 000,000,147 | ---- | M] () -- C:\WINDOWS\System32\pragmasrcr.dat
[2010/05/24 17:01:42 | 000,001,162 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
[2010/05/24 13:24:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/23 10:20:05 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/22 00:16:40 | 000,607,072 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\drogba2.jpg
[2010/05/22 00:16:31 | 000,672,402 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\drogbra1.jpg
[2010/05/20 19:09:33 | 000,001,039 | ---- | M] () -- C:\WINDOWS\hegames.ini
[2010/05/20 15:51:47 | 000,068,423 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\colin2.jpg
[2010/05/20 15:50:53 | 000,024,534 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\colin1.jpg
[2010/05/19 22:18:00 | 000,492,231 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\gangster.jpg
[2010/05/19 15:25:34 | 000,082,809 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\mommy and me.jpg
[2010/05/19 13:15:50 | 000,323,077 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\colin and jason.jpg
[2010/05/19 13:08:49 | 000,383,005 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\colin bday.jpg
[2010/05/18 19:48:39 | 000,036,794 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\mlb2.jpg
[2010/05/18 19:46:52 | 000,036,801 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\51DX5Q9PVPL.jpg
[2010/05/18 13:05:10 | 000,057,974 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\sal.jpg
[2010/05/18 10:34:45 | 000,185,344 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\jasons showdown.xls
[2010/05/18 10:16:22 | 000,185,344 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\Copy of Showdown Sheet(1).xls
[2010/05/17 16:37:58 | 001,701,376 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\MegaStat.xla
[2010/05/17 12:39:28 | 000,024,534 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\colin444.jpg
[2010/05/16 22:59:48 | 000,124,416 | ---- | M] () -- C:\Documents and Settings\Jason\My Documents\Showdown Sheet(1).xls
[2010/05/16 17:14:04 | 000,082,432 | ---- | M] () -- C:\Documents and Settings\Jason\My Documents\Showdown Sheet.xls
[2010/05/12 19:08:16 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/12 11:33:48 | 005,339,182 | -H-- | M] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\IconCache.db
[2010/05/10 19:53:10 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Jason\My Documents\Showdown2010.xls
[2010/05/10 17:51:57 | 000,002,226 | -H-- | M] () -- C:\IPH.PH
[2010/05/10 17:51:41 | 000,001,585 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/05/03 20:56:13 | 000,135,168 | ---- | M] () -- C:\zip.exe
[2010/05/03 20:56:13 | 000,000,574 | ---- | M] () -- C:\cleanup.bat
[2010/05/03 20:55:50 | 000,731,136 | ---- | M] () -- C:\Program Files\avenger.exe
[2010/05/03 09:38:27 | 2145,583,104 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/05/02 02:09:44 | 000,035,840 | ---- | M] () -- C:\WINDOWS\System32\o.dat
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 00:59:57 | 000,000,916 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\c7vdif
[2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/04/27 17:16:24 | 000,009,344 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/04/25 01:08:27 | 000,001,008 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\f1pKdvbneJkm
[2010/04/24 10:08:49 | 000,001,132 | -HS- | M] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\118F261KX
[2010/04/24 10:08:49 | 000,001,132 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\118F261KX
[2010/04/24 08:26:13 | 000,000,442 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2010/04/21 10:52:53 | 000,098,304 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/04/21 09:51:18 | 000,000,976 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Heroes of Might and Magic V.lnk
[2010/04/21 09:33:53 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\SI.bin
[2010/04/18 14:40:27 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/18 14:40:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/18 14:08:28 | 003,919,755 | R--- | M] () -- C:\Documents and Settings\Jason\Desktop\ComboFix.exe
[2010/04/17 17:36:57 | 000,001,052 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\JH40y5L
[2010/04/17 17:36:57 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/16 23:20:28 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\gmer.exe
[2010/04/15 18:59:55 | 000,001,631 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Baseball Mogul 2011.lnk
[2010/04/15 18:57:47 | 000,186,930 | ---- | M] (Sports Mogul Inc.) -- C:\Program Files\Uninst_Baseball Mogul 2011.exe
[2010/04/15 18:27:05 | 002,385,224 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\bradley3.gif
[2010/04/15 17:17:38 | 000,022,200 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\how-to-use-combofix.htm
[2010/04/15 17:15:30 | 000,011,076 | -HS- | M] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\21a34KM55vORW
[2010/04/15 17:15:30 | 000,011,076 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/15 16:57:08 | 000,011,622 | -HS- | M] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\3768234786
[2010/04/15 16:57:08 | 000,011,622 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3768234786
[2010/04/15 07:20:57 | 000,011,626 | -HS- | M] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\757469097
[2010/04/15 07:09:41 | 000,011,610 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\757469097
[2010/04/15 07:06:26 | 000,011,622 | -HS- | M] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\TcP0eIPn2W
[2010/04/15 06:30:30 | 000,011,618 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\TcP0eIPn2W
[2010/04/14 07:05:45 | 000,441,734 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/14 07:05:45 | 000,071,670 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/14 07:05:44 | 000,523,394 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/14 03:06:43 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/13 17:23:06 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\gmer.zip
[2010/04/13 17:17:11 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\dds.scr
[2010/04/13 03:04:37 | 000,142,032 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/12 20:18:48 | 000,000,869 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/11 16:53:56 | 000,176,128 | ---- | M] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/11 13:35:20 | 000,001,224 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\82H7x6
[2010/03/28 17:38:14 | 000,007,245 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\camera bag.jpg
[2010/03/17 21:31:00 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Jason\My Documents\Selena Close.doc

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | ---- | C] () -- C:\WINDOWS\System32\zuziloho
[2010/05/25 10:45:56 | 000,041,258 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\Ana_Ivanovic.jpg
[2010/05/24 21:17:47 | 000,000,147 | ---- | C] () -- C:\WINDOWS\System32\pragmasrcr.dat
[2010/05/22 00:16:40 | 000,607,072 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\drogba2.jpg
[2010/05/22 00:16:31 | 000,672,402 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\drogbra1.jpg
[2010/05/20 15:51:47 | 000,068,423 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\colin2.jpg
[2010/05/20 15:50:53 | 000,024,534 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\colin1.jpg
[2010/05/19 22:17:59 | 000,492,231 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\gangster.jpg
[2010/05/19 15:25:34 | 000,082,809 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\mommy and me.jpg
[2010/05/19 13:15:50 | 000,323,077 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\colin and jason.jpg
[2010/05/19 13:08:49 | 000,383,005 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\colin bday.jpg
[2010/05/18 19:48:39 | 000,036,794 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\mlb2.jpg
[2010/05/18 19:46:52 | 000,036,801 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\51DX5Q9PVPL.jpg
[2010/05/18 13:05:09 | 000,057,974 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\sal.jpg
[2010/05/18 10:33:12 | 000,185,344 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\jasons showdown.xls
[2010/05/18 10:16:21 | 000,185,344 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\Copy of Showdown Sheet(1).xls
[2010/05/17 12:39:27 | 000,024,534 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\colin444.jpg
[2010/05/16 21:46:30 | 000,124,416 | ---- | C] () -- C:\Documents and Settings\Jason\My Documents\Showdown Sheet(1).xls
[2010/05/16 09:12:26 | 000,082,432 | ---- | C] () -- C:\Documents and Settings\Jason\My Documents\Showdown Sheet.xls
[2010/05/10 19:53:10 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Jason\My Documents\Showdown2010.xls
[2010/05/10 17:51:41 | 000,001,585 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/05/05 12:23:39 | 000,001,162 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
[2010/05/05 11:14:43 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2010/05/03 20:49:23 | 000,135,168 | ---- | C] () -- C:\zip.exe
[2010/05/03 20:49:23 | 000,000,574 | ---- | C] () -- C:\cleanup.bat
[2010/05/02 02:09:44 | 000,035,840 | ---- | C] () -- C:\WINDOWS\System32\o.dat
[2010/04/28 00:59:57 | 000,000,916 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\c7vdif
[2010/04/25 01:08:27 | 000,001,008 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\f1pKdvbneJkm
[2010/04/24 10:08:49 | 000,001,132 | -HS- | C] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\118F261KX
[2010/04/24 10:08:49 | 000,001,132 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\118F261KX
[2010/04/21 09:51:18 | 000,000,976 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Heroes of Might and Magic V.lnk
[2010/04/21 09:33:53 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\SI.bin
[2010/04/17 17:36:57 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/17 17:36:56 | 000,001,052 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\JH40y5L
[2010/04/17 17:36:56 | 000,001,052 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\JH40y5L
[2010/04/15 18:59:55 | 000,001,631 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Baseball Mogul 2011.lnk
[2010/04/15 18:58:15 | 000,958,171 | ---- | C] () -- C:\Program Files\Uninst_Baseball Mogul 2011.log
[2010/04/15 18:26:58 | 002,385,224 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\bradley3.gif
[2010/04/15 17:25:02 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/15 17:25:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/15 17:25:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/15 17:25:02 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/15 17:25:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/15 17:17:38 | 000,022,200 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\how-to-use-combofix.htm
[2010/04/15 17:16:47 | 003,919,755 | R--- | C] () -- C:\Documents and Settings\Jason\Desktop\ComboFix.exe
[2010/04/15 17:09:39 | 000,011,076 | -HS- | C] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\21a34KM55vORW
[2010/04/15 16:59:50 | 000,011,076 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/15 16:59:50 | 000,001,332 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\21a34KM55vORW
[2010/04/15 07:08:30 | 000,011,626 | -HS- | C] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\757469097
[2010/04/15 07:08:30 | 000,011,622 | -HS- | C] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\3768234786
[2010/04/15 07:08:30 | 000,011,610 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\757469097
[2010/04/15 07:06:07 | 000,011,622 | -HS- | C] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\TcP0eIPn2W
[2010/04/15 07:06:07 | 000,011,622 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3768234786
[2010/04/14 23:27:20 | 000,011,618 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\TcP0eIPn2W
[2010/04/14 23:27:20 | 000,011,618 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\TcP0eIPn2W
[2010/04/13 17:23:06 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\gmer.zip
[2010/04/13 17:17:00 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\dds.scr
[2010/04/11 13:35:20 | 000,001,224 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\82H7x6
[2010/04/11 13:35:20 | 000,001,224 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\82H7x6
[2010/03/28 17:38:13 | 000,007,245 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\camera bag.jpg
[2010/03/17 21:30:59 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Jason\My Documents\Selena Close.doc
[2009/11/16 21:25:04 | 000,066,936 | -HS- | C] () -- C:\WINDOWS\slinfo_0.drv
[2008/12/17 01:38:16 | 000,000,153 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/08/26 20:00:17 | 000,000,026 | ---- | C] () -- C:\WINDOWS\WAR2R.INI
[2008/08/07 00:29:13 | 000,000,720 | ---- | C] () -- C:\WINDOWS\avscan.ini
[2008/07/15 17:33:12 | 000,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI
[2007/12/31 01:54:00 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2007/08/06 14:17:40 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerLang.dll
[2007/08/02 19:11:28 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLA.dll
[2007/08/02 19:11:14 | 000,241,664 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLW.dll
[2007/07/27 16:49:02 | 000,225,355 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiW.dll
[2007/07/27 16:49:02 | 000,196,683 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiA.dll
[2007/01/20 15:29:22 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/08/02 18:58:58 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/08/02 18:58:58 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/08/02 18:58:58 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2005/12/31 15:36:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/12/05 21:25:22 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\lnod32umc.dll
[2005/12/05 14:37:10 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lnod32upd.dll
[2005/03/20 19:52:39 | 000,000,047 | ---- | C] () -- C:\WINDOWS\InoSetup.ini
[2005/03/20 15:22:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/03/10 22:39:57 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/08/12 06:55:52 | 000,285,696 | ---- | C] () -- C:\WINDOWS\System32\atmfd.dll
[2004/02/25 23:18:04 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[1997/11/17 18:13:16 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

========== LOP Check ==========


========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2010/03/11 05:38:51 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/03/11 05:38:51 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2010/03/11 05:38:52 | 000,192,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >
[2010/05/03 20:56:13 | 000,135,168 | ---- | M] () -- C:\zip.exe


< MD5 for: AGP440.SYS >
[2004/08/12 07:06:15 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/22 10:30:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/22 10:30:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/12 07:06:15 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/12 07:06:15 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/22 10:30:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/22 10:30:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/12 06:55:51 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/12 06:57:17 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2004/08/12 07:11:50 | 000,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\WINDOWS\dell\iastor\iastor.sys
[2004/08/12 07:11:50 | 000,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\WINDOWS\system32\drivers\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/12 07:02:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/12 07:04:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B174FAE
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C39E55C5
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


#6 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 30 May 2010 - 06:42 AM

Hello, gierzak.

We have enough to go on at this point...oddly enough I can see the rootkit in the files. Might be an incomplete install.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Viewpoint (foistware) Warning

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the Internet zone are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as gierzakCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on gierzakCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 02 June 2010 - 06:42 PM

Hi, have you had a chance to run Combofix yet?


 


#8 gierzak (Topic Starter, Members, 15 posts)

Posted 04 June 2010 - 10:09 AM

I have the scan running while I'm at work today, will have the log posted tonight. Thanks.

#9 gierzak (Topic Starter, Members, 15 posts)

Posted 05 June 2010 - 02:14 AM

Sorry for the delay, here is the Combofix log. I also attached it. Thanks!




ComboFix 10-06-03.01 - Kathy 06/21/2010 7:32.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1515 [GMT -7:00]
Running from: c:\documents and settings\Kathy\Desktop\gierzakCF.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kathy\Favorites\Download programs.url
c:\documents and settings\Kathy\Favorites\Games.url
c:\documents and settings\Kathy\Favorites\Translator.url
c:\documents and settings\Kathy\Favorites\Videos.url
c:\windows\msv1_0.dll
c:\windows\system32\drivers\ggrm.sys
c:\windows\system32\drivers\mleuismx.sys
c:\windows\system32\PRAGMAerrors.log
C:\zip.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMARCIQXTIRPR
-------\Legacy_PRAGMAXGQXDNNKBW
-------\Service_PRAGMArciqxtirpr
-------\Service_PRAGMAxgqxdnnkbw
-------\Legacy_altkfrmx
-------\Legacy_vigxrhn
-------\Service_altkfrmx
-------\Service_vigxrhn


((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-20 07:14 . 2010-05-21 21:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-20 07:11 . 2010-06-20 07:11 -------- d-----w- c:\program files\Windows Defender
2010-05-25 00:14 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 00:14 . 2010-06-12 03:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 00:14 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 14:30 . 2009-06-18 03:31 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-20 23:54 . 2007-01-20 22:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2010-06-20 07:11 . 2005-10-22 01:18 23792 ----a-w- c:\documents and settings\Kathy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-19 02:55 . 2004-08-12 14:03 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-18 00:22 . 2008-06-26 19:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-12 03:39 . 2007-01-20 23:46 -------- d-----w- c:\documents and settings\Kathy\Application Data\SiteAdvisor
2010-05-24 00:00 . 2010-04-16 01:58 -------- d-----w- c:\program files\Baseball Mogul 2011
2010-05-23 23:28 . 2005-09-21 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-21 02:12 . 2008-07-06 23:41 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2010-05-21 02:10 . 2009-08-08 20:06 -------- d-----w- c:\program files\GameSpy Arcade
2010-05-11 00:51 . 2010-05-11 00:51 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-11 00:51 . 2010-05-11 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-05-11 00:51 . 2010-05-11 00:51 -------- d-----w- c:\program files\AIM7
2010-05-11 00:51 . 2005-06-11 00:06 -------- d-----w- c:\program files\Common Files\AOL
2010-05-04 03:56 . 2010-05-04 03:49 574 ----a-w- C:\cleanup.bat
2010-05-04 03:55 . 2008-05-31 06:09 731136 ----a-w- c:\program files\avenger.exe
2010-05-02 09:09 . 2010-05-02 09:09 35840 ----a-w- c:\windows\system32\o.dat
2010-04-28 00:16 . 2010-04-22 09:48 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-28 00:16 . 2010-04-22 09:48 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-28 00:16 . 2010-04-22 09:48 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-28 00:16 . 2010-04-22 09:48 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-28 00:16 . 2010-04-22 09:48 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-28 00:16 . 2010-04-22 09:48 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-28 00:16 . 2010-04-22 09:48 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-28 00:16 . 2007-01-20 22:18 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-28 00:16 . 2007-01-20 22:18 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-28 00:16 . 2007-01-20 22:18 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-24 15:25 . 2007-01-20 22:17 -------- d-----w- c:\program files\McAfee.com
2010-04-23 08:04 . 2007-01-20 22:17 -------- d-----w- c:\program files\McAfee
2010-04-23 08:03 . 2007-01-20 22:17 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-21 17:52 . 2010-04-21 17:52 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-21 16:33 . 2010-04-21 16:33 1 ----a-w- c:\windows\system32\SI.bin
2010-04-18 00:36 . 2010-04-18 00:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-16 01:59 . 2010-04-16 01:58 958171 ----a-w- c:\program files\Uninst_Baseball Mogul 2011.log
2010-04-16 01:57 . 2010-04-16 01:58 186930 ----a-w- c:\program files\Uninst_Baseball Mogul 2011.exe
2010-04-28 00:16 . 2010-04-22 09:48 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-11-17 04:25 . 2009-11-17 04:25 66936 --sha-w- c:\windows\slinfo_0.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2006-08-10 35416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-17 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 23:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 20:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2006-08-16 00:42 3661824 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 23:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 19:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 23:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-10 13:43 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares Ultra\\Ares Ultra.exe"=
"c:\\program files\\mozilla firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\McAfee\\MSM\\McSmtFwk.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo
"8357:TCP"= 8357:TCP:BND
"26996:TCP"= 26996:TCP:BND
"27196:TCP"= 27196:TCP:BND
"16528:TCP"= 16528:TCP:BND
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7876:TCP"= 7876:TCP:Services
"7877:TCP"= 7877:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7381:TCP"= 7381:TCP:Services
"7382:TCP"= 7382:TCP:Services

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/22/2010 2:48 AM 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/22/2010 2:48 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/22/2010 2:48 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/22/2010 2:48 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/22/2010 2:48 AM 141792]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/22/2010 2:48 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/22/2010 2:48 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 2:48 AM 88480]
S0 hiskwyrs;hiskwyrs;c:\windows\system32\drivers\mifpnif.sys --> c:\windows\system32\drivers\mifpnif.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S2 gupdate1c9de6a36ca70ca;Google Update Service (gupdate1c9de6a36ca70ca);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2009 6:26 PM 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 2:48 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/22/2010 2:48 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 19:34]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 01:26]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 01:26]

2010-06-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/a/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: Compare Prices with &Dealio - c:\program files\Dealio\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Kathy\Application Data\Mozilla\Firefox\Profiles\5vwowmw1.default\
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Spyware Doctor - c:\program files\Spyware Doctor\swdoctor.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-Data Protection - c:\program files\Data Protection\datprot.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 00:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8870578A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
\Driver\iaStor -> ntoskrnl.exe @ 0x805c3d35
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x8876bad0
PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
SendHandler -> NDIS.sys @ 0xf795a87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1188)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6253\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-06-22 00:11:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 07:11
ComboFix2.txt 2010-04-18 21:50
ComboFix3.txt 2010-04-16 01:04

Pre-Run: 455,503,872 bytes free
Post-Run: 1,514,090,496 bytes free

- - End Of File - - CC568A32FF8929F7C8214564809BE262




#10 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 05 June 2010 - 05:58 AM

Hello, gierzak.

OK, round 2.



Step 1

Download and run HAMeb_check.exe
Post the contents of the resulting log.



Step 2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
folder::
C:\WINDOWS\PRAGMArciqxtirpr
C:\WINDOWS\PRAGMAxgqxdnnkbw
C:\Documents and Settings\All Users\Application Data\f1pKdvbneJkm
C:\Documents and Settings\Jason\Local Settings\Application Data\118F261KX
C:\Documents and Settings\All Users\Application Data\118F261KX
C:\Documents and Settings\All Users\Application Data\JH40y5L
C:\Documents and Settings\Jason\Local Settings\Application Data\21a34KM55vORW
C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
C:\Documents and Settings\Jason\Local Settings\Application Data\3768234786
C:\Documents and Settings\All Users\Application Data\3768234786
C:\Documents and Settings\Jason\Local Settings\Application Data\757469097
C:\Documents and Settings\All Users\Application Data\757469097
C:\Documents and Settings\Jason\Local Settings\Application Data\TcP0eIPn2W
C:\Documents and Settings\All Users\Application Data\TcP0eIPn2W
C:\Documents and Settings\Jason\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Documents and Settings\All Users\Application Data\82H7x6
C:\Documents and Settings\All Users\Application Data\c7vdif
C:\Documents and Settings\NetworkService\Local Settings\Application Data\JH40y5L
C:\Documents and Settings\NetworkService\Local Settings\Application Data\21a34KM55vORW
C:\Documents and Settings\NetworkService\Local Settings\Application Data\TcP0eIPn2W
C:\Documents and Settings\NetworkService\Local Settings\Application Data\82H7x6
file::
C:\WINDOWS\System32\pragmasrcr.dat
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
C:\WINDOWS\System32\SI.bin
C:\WINDOWS\slinfo_0.drv
C:\WINDOWS\System32\o.dat
C:\WINDOWS\System32\zuziloho
registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 gierzak

gierzak
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 05 June 2010 - 12:40 PM

Here are the 2 logs you asked me to produce. The first is the HAlog and the second is the combofix one.

C:\Documents and Settings\Kathy\Desktop\HAMeb_check.exe
Tue 06/22/2010 at 10:15:00.29

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-1220945662-329068152-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8878878A]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7876:TCP"=7876:TCP:*:Enabled:Services
"7877:TCP"=7877:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7381:TCP"=7381:TCP:*:Enabled:Services
"7382:TCP"=7382:TCP:*:Enabled:Services
"4508:TCP"=4508:TCP:*:Enabled:Services
"7516:TCP"=7516:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7876:TCP"=7876:TCP:*:Enabled:Services
"7877:TCP"=7877:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7381:TCP"=7381:TCP:*:Enabled:Services
"7382:TCP"=7382:TCP:*:Enabled:Services
"4508:TCP"=4508:TCP:*:Enabled:Services
"7516:TCP"=7516:TCP:*:Enabled:Services


~~ EOF ~~






ComboFix 10-06-03.01 - Kathy 06/22/2010 10:22:01.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -7:00]
Running from: c:\documents and settings\Kathy\Desktop\gierzakCF.exe
Command switches used :: c:\documents and settings\Kathy\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active


FILE ::
"c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll"
"c:\windows\slinfo_0.drv"
"c:\windows\System32\o.dat"
"c:\windows\System32\pragmasrcr.dat"
"c:\windows\System32\SI.bin"
"c:\windows\System32\zuziloho"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\slinfo_0.drv
c:\windows\System32\o.dat
c:\windows\System32\SI.bin
c:\windows\System32\zuziloho

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-20 07:14 . 2010-05-21 21:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-20 07:11 . 2010-06-20 07:11 -------- d-----w- c:\program files\Windows Defender
2010-05-25 00:14 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 00:14 . 2010-06-12 03:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 00:14 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 14:30 . 2009-06-18 03:31 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-20 23:54 . 2007-01-20 22:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2010-06-20 07:11 . 2005-10-22 01:18 23792 ----a-w- c:\documents and settings\Kathy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-19 02:55 . 2004-08-12 14:03 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-18 00:22 . 2008-06-26 19:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-12 03:39 . 2007-01-20 23:46 -------- d-----w- c:\documents and settings\Kathy\Application Data\SiteAdvisor
2010-05-24 00:00 . 2010-04-16 01:58 -------- d-----w- c:\program files\Baseball Mogul 2011
2010-05-23 23:28 . 2005-09-21 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-21 02:12 . 2008-07-06 23:41 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2010-05-21 02:10 . 2009-08-08 20:06 -------- d-----w- c:\program files\GameSpy Arcade
2010-05-11 00:51 . 2010-05-11 00:51 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-11 00:51 . 2010-05-11 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-05-11 00:51 . 2010-05-11 00:51 -------- d-----w- c:\program files\AIM7
2010-05-11 00:51 . 2005-06-11 00:06 -------- d-----w- c:\program files\Common Files\AOL
2010-05-04 03:56 . 2010-05-04 03:49 574 ----a-w- C:\cleanup.bat
2010-05-04 03:55 . 2008-05-31 06:09 731136 ----a-w- c:\program files\avenger.exe
2010-04-28 00:16 . 2010-04-22 09:48 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-28 00:16 . 2010-04-22 09:48 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-28 00:16 . 2010-04-22 09:48 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-28 00:16 . 2010-04-22 09:48 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-28 00:16 . 2010-04-22 09:48 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-28 00:16 . 2010-04-22 09:48 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-28 00:16 . 2010-04-22 09:48 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-28 00:16 . 2007-01-20 22:18 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-28 00:16 . 2007-01-20 22:18 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-28 00:16 . 2007-01-20 22:18 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-24 15:25 . 2007-01-20 22:17 -------- d-----w- c:\program files\McAfee.com
2010-04-21 17:52 . 2010-04-21 17:52 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-18 00:36 . 2010-04-18 00:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-16 01:59 . 2010-04-16 01:58 958171 ----a-w- c:\program files\Uninst_Baseball Mogul 2011.log
2010-04-16 01:57 . 2010-04-16 01:58 186930 ----a-w- c:\program files\Uninst_Baseball Mogul 2011.exe
2010-04-28 00:16 . 2010-04-22 09:48 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2006-08-10 35416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-17 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares Ultra\\Ares Ultra.exe"=
"c:\\program files\\mozilla firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\McAfee\\MSM\\McSmtFwk.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo
"8357:TCP"= 8357:TCP:BND
"26996:TCP"= 26996:TCP:BND
"27196:TCP"= 27196:TCP:BND
"16528:TCP"= 16528:TCP:BND
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7876:TCP"= 7876:TCP:Services
"7877:TCP"= 7877:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7381:TCP"= 7381:TCP:Services
"7382:TCP"= 7382:TCP:Services
"4508:TCP"= 4508:TCP:Services
"7516:TCP"= 7516:TCP:Services

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/22/2010 2:48 AM 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/22/2010 2:48 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/22/2010 2:48 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/22/2010 2:48 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/22/2010 2:48 AM 141792]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/22/2010 2:48 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/22/2010 2:48 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 2:48 AM 88480]
S0 hiskwyrs;hiskwyrs;c:\windows\system32\drivers\mifpnif.sys --> c:\windows\system32\drivers\mifpnif.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S2 gupdate1c9de6a36ca70ca;Google Update Service (gupdate1c9de6a36ca70ca);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2009 6:26 PM 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 2:48 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/22/2010 2:48 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/a/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: Compare Prices with &Dealio - c:\program files\Dealio\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Kathy\Application Data\Mozilla\Firefox\Profiles\5vwowmw1.default\
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 10:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x88B9778A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
\Driver\iaStor -> ntoskrnl.exe @ 0x805c3d35
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x88bfdad0
PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
SendHandler -> NDIS.sys @ 0xf795a87b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2010-06-22 10:37:12
ComboFix-quarantined-files.txt 2010-06-22 17:37
ComboFix2.txt 2010-06-22 07:11
ComboFix3.txt 2010-04-18 21:50
ComboFix4.txt 2010-04-16 01:04

Pre-Run: 1,546,928,128 bytes free
Post-Run: 1,502,171,136 bytes free

- - End Of File - - AFB50F4F3FFF98AAD9ED2266ACB786D1




#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 05 June 2010 - 01:06 PM

Hello, gierzak.
You're showing some partial signs of the HelpAssistant rootkit as well. Let's clean up the remnants.

Let's also run PRAGMAfix in case Combofix couldn't clear the remnants.



Step 1

Download this tool and save it to your desktop.

Double-click it to run it and post the contents of that logfile.




Step 2

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
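As an added example (not code from this thread nor from the HAMeb_check or HelpAsst tools), the script below parses a HAMeb_check-style log like the one posted above and lists the HelpAssistant indicators etavares is pointing at: the active account in Administrators, the leftover profile, termsrv32.dll, and the globally open "Services" ports. The log layout, the section names and the sample values are assumptions taken from the format seen in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the HAMeb_check.exe log pasted in the
# thread; the SID and the Diablo entry are made up to exercise the parser.
SAMPLE_LOG = r"""
Account active Yes
Local Group Memberships *Administrators
~~ Checking profile list ~~
S-1-5-21-1111111111-2222222222-3333333333-1000
%SystemDrive%\Documents and Settings\HelpAssistant
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7876:TCP"=7876:TCP:*:Enabled:Services
"6112:TCP"=6112:TCP:*:Enabled:Diablo
"""

# One GloballyOpenPorts value: "<port>:<proto>"=<port>:<proto>:<scope>:<state>:<name>
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=(?P=port):(?P=proto):'
                     r'(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")


@dataclass
class Findings:
    account_active: bool = False   # "Account active Yes" for HelpAssistant
    admin_member: bool = False     # HelpAssistant listed under *Administrators
    profile: str = ""              # SID or directory left in the profile list
    termsrv32_present: bool = False
    open_ports: list = field(default_factory=list)


def parse_hameb_log(text: str) -> Findings:
    """Walk the '~~ section ~~' blocks of the log and collect the indicators."""
    f, section = Findings(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("~~ ") and line.endswith(" ~~"):
            section = line.strip("~ ").lower()
        elif line.startswith("Account active"):
            f.account_active = line.split()[-1].lower() == "yes"
        elif line.startswith("Local Group Memberships"):
            f.admin_member = "*Administrators" in line
        elif section.startswith("checking profile list"):
            if SID_RE.match(line) or line.lower().endswith("helpassistant"):
                f.profile = f.profile or line   # keep the first hit (the SID)
        elif section.startswith("checking for termsrv32"):
            if line.lower().startswith("termsrv32.dll"):
                f.termsrv32_present = "present" in line.lower()
        elif section.startswith("checking firewall ports"):
            m = PORT_RE.match(line)
            if m:
                f.open_ports.append(m.groupdict())
    return f


def rogue_ports(ports: list) -> list:
    """Entries matching the thread: anonymous 'Services' with wildcard scope, or 3389."""
    hits = []
    for p in ports:
        generic = p["name"].strip() == "Services" and p["scope"] == "*"
        rdp = p["port"] == "3389" and p["state"] == "Enabled"
        if generic or rdp:
            hits.append(p["port"] + ":" + p["proto"])
    return hits


def triage(f: Findings) -> list:
    """Indicators found, in the order the tool's log reports them."""
    checks = [
        (f.account_active, "HelpAssistant account is active"),
        (f.admin_member, "HelpAssistant is in the Administrators group"),
        (bool(f.profile), "HelpAssistant profile still present: " + f.profile),
        (f.termsrv32_present, "rogue termsrv32.dll present"),
    ]
    hits = [msg for ok, msg in checks if ok]
    if bad := rogue_ports(f.open_ports):
        hits.append("globally open ports to review: " + ", ".join(bad))
    return hits
```

Run `triage(parse_hameb_log(open("HAMeb_check.log").read()))` on a real log; an empty list corresponds to the clean status-check output posted later in the thread.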
 


#13 gierzak

gierzak
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 06 June 2010 - 01:38 AM

I tried to run the mbr -f but every time I tried it just opened a box for a second and then closed with no log produced. But here are the logs that were produced.

Tue 06/22/2010 23:12:21.03

No embedded null keys found


There was no log produced from the HelpAsst program.

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 06 June 2010 - 05:21 AM

Is there a log here? If so, can you please paste the contents?
C:\HelpAsst.log


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#15 gierzak

gierzak
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 06 June 2010 - 11:28 AM

There were 2 of them there, so here they are.

C:\Documents and Settings\Kathy\Desktop\HelpAsst_mebroot_fix.exe
Tue 06/22/2010 at 23:15:25.18

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7876:TCP"=-
"7877:TCP"=-
"3389:TCP"=-
"7381:TCP"=-
"7382:TCP"=-
"4508:TCP"=-
"7516:TCP"=-
"9756:TCP"=-
"9757:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7876:TCP"=-
"7877:TCP"=-
"3389:TCP"=-
"7381:TCP"=-
"7382:TCP"=-
"4508:TCP"=-
"7516:TCP"=-
"9756:TCP"=-
"9757:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1220945662-329068152-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 06/22/2010 at 23:28:27.53

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8866F78A]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~



C:\Documents and Settings\Kathy\Desktop\HelpAsst_mebroot_fix.exe
Tue 06/22/2010 at 23:37:24.53

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9757:TCP"=-
"9756:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9757:TCP"=-
"9756:TCP"=-

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK










