
browser redirect second computer



#1 annmeris

Posted 08 July 2010 - 08:48 PM

I have 3 computers at home, all with the same redirect problem. This is the second one. When I ran GMER the first time it came up with "rootkit, do you want to do a full scan?" I think this one is worse than the other one, and this one has the most important data on it.

I loaded the logs with cmp2 at the ends of the file names before .* This is the second computer with the problem. GMER crashed every time, but I ran it until the point I didn't feel safe. There should be some information in the log. Please take a look at this one too.
Thanks

#2 schrauber (Malware Response Team)

Posted 12 July 2010 - 01:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 annmeris (Topic Starter)

Posted 13 July 2010 - 08:57 PM

Here is the DDS log, the extra log, and GMER in safe mode. GMER ran 22 hours and I stopped it.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 22:05:54.92 on Mon 07/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2380 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\java.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe
C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: C49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: HCB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
BHO: hDJ - No File
BHO: rsion - No File
BHO: xC497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0989.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0989.0\msneshellx.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182054205796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697}
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-22 214664]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 cportio;cportio;c:\windows\system32\drivers\cportio.sys [2007-1-11 12384]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-23 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-23 144704]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R2 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\cox\media store and share backup manager\VaultClientSRV.exe [2008-10-8 981456]
R2 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\cox\media store and share backup manager\VaultClientUpgrade.exe [2008-10-8 55760]
R3 cmcdrv;cmcdrv;c:\windows\system32\drivers\cmcdrv.sys [2008-4-3 2304]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-23 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-22 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-22 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-21 135664]
S3 AATIVPEOLY;AATIVPEOLY;c:\docume~1\admin\locals~1\temp\AATIVPEOLY.exe [2010-7-11 359296]
S3 AKKMHS;AKKMHS;c:\docume~1\hp_adm~1\locals~1\temp\akkmhs.exe --> c:\docume~1\hp_adm~1\locals~1\temp\AKKMHS.exe [?]
S3 FAQHJNUVC;FAQHJNUVC;c:\docume~1\admin\locals~1\temp\FAQHJNUVC.exe [2010-7-11 543616]
S3 GOOSOIRKXY;GOOSOIRKXY;c:\docume~1\admin\locals~1\temp\GOOSOIRKXY.exe [2010-7-11 486272]
S3 JKVOLDQJXU;JKVOLDQJXU;c:\docume~1\admin\locals~1\temp\JKVOLDQJXU.exe [2010-7-11 408448]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-22 34248]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2009-5-27 29262680]
S3 NeatReceipts Database Controller;NeatReceipts Database Controller;c:\program files\common files\neatreceipts\db controller\NeatReceiptsDBController.exe [2008-2-5 228480]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [2007-9-24 40625]
S3 OECKDU;OECKDU;c:\docume~1\hp_adm~1\locals~1\temp\oeckdu.exe --> c:\docume~1\hp_adm~1\locals~1\temp\OECKDU.exe [?]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [2007-10-4 39704]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [2007-7-21 13359]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2007-1-7 728516]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2007-1-7 45756]
S3 wdpnp;Handheld USB Client;c:\windows\system32\drivers\wdpnp.sys [2002-7-12 22748]
S3 YV;YV;c:\docume~1\admin\locals~1\temp\YV.exe [2010-7-11 531328]
S4 Dptirvi5vs;Dptirvi5vs; [x]
S4 FlashCP-Service;FlashCP-Service;c:\program files\flashcp\FlashCP-Service.exe [2005-10-21 126976]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

=============== Created Last 30 ================

2010-07-12 21:37:38 0 d-----w- C:\router
2010-07-10 17:45:08 0 d-----w- c:\docume~1\admin\applic~1\Research In Motion
2010-07-10 17:41:59 0 d-----w- c:\docume~1\admin\applic~1\Windows Search
2010-07-09 22:51:57 0 d-----w- C:\ComboFix
2010-07-09 20:33:30 0 d-sh--w- c:\documents and settings\admin\IECompatCache
2010-07-09 20:29:49 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-09 20:28:33 0 d-----r- c:\program files\Skype
2010-07-09 20:24:11 0 d-sh--w- c:\documents and settings\admin\PrivacIE
2010-07-09 17:45:33 0 d-sh--w- c:\documents and settings\admin\IETldCache
2010-07-09 17:44:24 0 d-----w- c:\docume~1\admin\applic~1\Symantec
2010-07-09 17:44:24 0 d-----w- c:\docume~1\admin\applic~1\Intuit
2010-07-09 00:42:54 98816 ----a-w- c:\windows\sed.exe
2010-07-09 00:42:54 77312 ----a-w- c:\windows\MBR.exe
2010-07-09 00:42:54 256512 ----a-w- c:\windows\PEV.exe
2010-07-09 00:42:54 161792 ----a-w- c:\windows\SWREG.exe
2010-07-08 18:30:37 0 d-----w- C:\adobenew
2010-06-28 08:13:41 0 d-----w- C:\malware
2010-06-26 18:31:04 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-06-26 18:31:02 0 d-----w- c:\program files\IObit
2010-06-22 16:44:30 0 d-----w- C:\quicktest
2010-06-16 03:40:09 0 d-----w- C:\sysinternals

==================== Find3M ====================

2010-07-13 05:00:32 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-21 23:15:43 39304 ----a-w- c:\windows\fonts\CACLA___.TTF
2010-05-18 23:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2009-12-22 18:01:04 34578 ----a-w- c:\program files\uninstal.log
2008-05-02 17:43:40 82144 ----a-w- c:\program files\Quicken.QIF
2007-03-18 01:07:14 251 ----a-w- c:\program files\wt3d.ini
2006-01-05 20:52:57 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-06-11 16:10:28 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-05-09 18:55:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050920080510\index.dat
2008-08-04 02:20:41 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080320080804\index.dat

============= FINISH: 22:07:36.82 ===============

Gmer

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-13 18:21:01
Windows 5.1.2600 Service Pack 3
Running: 6xdqxvnz.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\kxldqpog.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs B9E32400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@Baby Lock Embroidery CDs Alphabet Garden\xa0(BLDP-P37)_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\Baby Lock Embroidery CDs Alphabet Garden?(BLDP-P37)_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@Baby Lock Embroidery Cards Large Flower Designs II\xa0(BLEC-31)_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\Baby Lock Embroidery Cards Large Flower Designs II?(BLEC-31)_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@Inside Embroidery \x2013 A Magazine for Machine Embroiderers_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\Inside Embroidery ? A Magazine for Machine Embroiderers_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@SINGER\xae SEWING CO_ Free Designs_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\SINGER? SEWING CO_ Free Designs_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@SINGER\xae SEWING CO_ Projects_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\SINGER? SEWING CO_ Projects_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@SINGER\x00aeeaster_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\SINGER?easter_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@SINGER\xae SEWING CO_ Projects1_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\SINGER? SEWING CO_ Projects1_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@SINGER\xae SEWING CO_ Projects2_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\SINGER? SEWING CO_ Projects2_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@Baby Lock Embroidery CDs Alphabet Garden\xa0(BLDP-P37)_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\Baby Lock Embroidery CDs Alphabet Garden?(BLDP-P37)_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@Baby Lock Embroidery Cards Large Flower Designs II\xa0(BLEC-31)_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\Baby Lock Embroidery Cards Large Flower Designs II?(BLEC-31)_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@Inside Embroidery \x2013 A Magazine for Machine Embroiderers_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\Inside Embroidery ? A Magazine for Machine Embroiderers_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@SINGER\xae SEWING CO_ Free Designs_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\SINGER? SEWING CO_ Free Designs_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@SINGER\xae SEWING CO_ Projects_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\SINGER? SEWING CO_ Projects_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@SINGER\x00aeeaster_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\singer\SINGER?easter_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@SINGER\xae SEWING CO_ Projects1_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\SINGER? SEWING CO_ Projects1_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@SINGER\xae SEWING CO_ Projects2_files CSCFlags=0?MaxUses=4294967295?Path=C:\sewing\SINGER? SEWING CO_ Projects2_files?Permissions=0?Remark=?Type=0?
Reg HKLM\SOFTWARE\Classes\.art\PersistentHandler@ {098f2470-bae0-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.exp\PersistentHandler@ {098f2470-bae0-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\CLSID\{2C8AE1A8-F88F-64CD-F61B-7FF9FED92FAD}\CurVer@ ZbDmv.DmvVolumeDisplayFiles.1
Reg HKLM\SOFTWARE\Classes\CLSID\{E261929D-3B76-E25A-BEEE-FE4A843C8BFB}\InprocServer@ C:\WINDOWS\SYSTEM\DBLIST16.OCX
Reg HKLM\SOFTWARE\Classes\EMBIRD.File.max\shellex\ContextMenuHandlers\opshell32@ {4F91869D-5699-4156-847B-21A4994A250E}


That's it
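
The SERVICES / DRIVERS section of the DDS log above is where a malware responder looks first. The following Python helper is an added example, not part of this thread or of the DDS tool: it parses lines in that section's format and flags entries whose image runs from a user temp directory or whose file DDS could not find. The sample lines are copied from the log above; the regular expression, the flag names and the `TEMP_MARKERS` list are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# One DDS service/driver line has the shape
#   <start type> <name>;<display name>;<image path> [<date> <size>]
# The bracket holds "[?]" or "[x]" when DDS could not find the file on disk.
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)

# Directories from which a service or kernel driver image should not be running
# (8.3 and long forms of the per-user temp directory, plus the system temp dir).
TEMP_MARKERS = ("locals~1\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")

# Constructed sample: lines copied from the DDS log posted above, two benign
# McAfee/Google entries plus the temp-directory and missing-file entries.
SAMPLE_DDS_SERVICES = r"""
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-22 214664]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-21 135664]
S3 AATIVPEOLY;AATIVPEOLY;c:\docume~1\admin\locals~1\temp\AATIVPEOLY.exe [2010-7-11 359296]
S3 AKKMHS;AKKMHS;c:\docume~1\hp_adm~1\locals~1\temp\akkmhs.exe --> c:\docume~1\hp_adm~1\locals~1\temp\AKKMHS.exe [?]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S3 YV;YV;c:\docume~1\admin\locals~1\temp\YV.exe [2010-7-11 531328]
S4 Dptirvi5vs;Dptirvi5vs; [x]
"""


@dataclass
class ServiceEntry:
    start: str    # DDS notation: R1/R2/R3 running, S2/S3/S4 stopped
    name: str     # registry key name of the service
    display: str  # display name shown to the user
    path: str     # resolved image path (right side of "-->" when DDS printed one)
    info: str     # "<date> <size>", or "?" / "x" when the file was not found
    raw: str      # the original log line


def parse_service_line(line: str):
    """Parse one DDS service line; return None for lines that are not services."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path").strip()
    if "-->" in path:
        # DDS prints "<registry value> --> <path it resolved to>"; keep the latter.
        path = path.split("-->", 1)[1].strip()
    return ServiceEntry(m.group("start"), m.group("name").strip(),
                        m.group("display").strip(), path,
                        m.group("info").strip(), line.rstrip())


def assess(entry: ServiceEntry):
    """Return the reasons (possibly none) a responder should look at this entry."""
    reasons = []
    lower = entry.path.lower()
    if any(marker in lower for marker in TEMP_MARKERS):
        reasons.append("TEMP_DIR")        # service image lives in a temp directory
    if entry.info in ("?", "x"):
        reasons.append("MISSING_FILE")    # registry points at a file DDS could not find
    # Corroborating signal only, never a flag on its own: a display name that is
    # just the service name in capitals, with no vendor text, is typical of
    # generated names. Legitimate drivers (NMUSB, USA19H) look like this too.
    if reasons and entry.name == entry.display and entry.name.isupper():
        reasons.append("GENERATED_NAME")
    return reasons


def triage_dds_services(text: str):
    """Map each flagged service name to its reasons, in log order."""
    findings = {}
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_dds_services(SAMPLE_DDS_SERVICES).items():
        print(f"{name:12s} {', '.join(reasons)}")
```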

#4 annmeris (Topic Starter)

Posted 14 July 2010 - 01:44 AM

I ran ComboFix; this is the log.

ComboFix 10-07-13.04 - HP_Administrator 07/13/2010 23:13:20.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2336 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))
.

2010-07-14 01:47 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 21:37 . 2010-07-12 21:37 -------- d-----w- C:\router
2010-07-10 17:45 . 2010-07-10 17:45 -------- d-----w- c:\documents and settings\Admin\Application Data\Research In Motion
2010-07-10 17:41 . 2010-07-10 17:41 -------- d-----w- c:\documents and settings\Admin\Application Data\Windows Search
2010-07-10 05:05 . 2010-07-10 05:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-09 22:41 . 2010-07-09 22:41 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\mymebjdem
2010-07-09 22:39 . 2010-07-09 22:40 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Adobe
2010-07-09 21:07 . 2010-07-09 21:07 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Macromedia
2010-07-09 20:33 . 2010-07-09 20:33 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache
2010-07-09 20:31 . 2010-07-09 20:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Yahoo!
2010-07-09 20:29 . 2010-07-09 20:29 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-09 20:29 . 2010-07-09 20:29 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM
2010-07-09 20:28 . 2010-07-09 20:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2010-07-09 20:28 . 2010-07-09 20:28 -------- d-----w- c:\program files\Common Files\Skype
2010-07-09 20:28 . 2010-07-09 20:28 -------- d-----r- c:\program files\Skype
2010-07-09 20:24 . 2010-07-09 20:24 -------- d-sh--w- c:\documents and settings\Admin\PrivacIE
2010-07-09 17:45 . 2010-07-09 17:45 -------- d-sh--w- c:\documents and settings\Admin\IETldCache
2010-07-08 19:39 . 2010-07-08 19:39 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-08 18:30 . 2010-07-08 19:32 -------- d-----w- C:\adobenew
2010-07-06 07:49 . 2010-07-06 07:49 322576 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-05 17:10 . 2010-07-05 17:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-07-05 06:38 . 2010-07-05 06:38 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\qudxumjia
2010-06-28 08:13 . 2010-07-10 07:19 -------- d-----w- C:\malware
2010-06-27 21:02 . 2010-06-27 21:02 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\iwhsklspb
2010-06-26 18:31 . 2010-06-26 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-06-26 18:31 . 2010-06-26 18:31 -------- d-----w- c:\program files\IObit
2010-06-23 06:20 . 2010-06-23 06:20 -------- d-----w- c:\documents and settings\HP_Administrator\DoctorWeb
2010-06-22 16:44 . 2010-06-22 16:50 -------- d-----w- C:\quicktest
2010-06-16 03:40 . 2010-07-11 20:56 -------- d-----w- C:\sysinternals

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 04:25 . 2009-02-05 21:37 256 ----a-w- c:\documents and settings\HP_Administrator\pool.bin
2010-07-14 04:24 . 2006-03-08 04:06 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-14 04:17 . 2007-08-05 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-12 20:57 . 2007-10-03 20:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 22:12 . 2010-07-09 17:44 128 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2010-07-09 20:28 . 2007-12-08 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-08 20:10 . 2007-01-20 04:14 -------- d-----w- c:\program files\Intuit
2010-07-08 19:53 . 2005-10-19 17:25 -------- d-----w- c:\program files\iTunes
2010-07-08 19:51 . 2005-10-19 17:25 -------- d-----w- c:\program files\iPod
2010-07-08 19:51 . 2007-08-06 16:41 -------- d-----w- c:\program files\Common Files\Apple
2010-07-08 19:41 . 2008-04-06 19:43 -------- d-----w- c:\program files\Bonjour
2010-07-08 04:25 . 2009-01-13 20:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2010-07-04 19:25 . 2006-01-06 04:37 183416 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-23 17:45 . 2007-01-20 05:03 10297 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-06-20 20:19 . 2009-06-24 04:28 -------- d-----w- c:\program files\McAfee
2010-06-14 14:31 . 2004-08-10 05:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 07:17 . 2010-06-12 07:17 -------- d-----w- c:\program files\Citrix
2010-06-12 07:12 . 2010-06-12 07:12 300384 ----a-w- c:\documents and settings\HP_Administrator\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-06-12 07:12 . 2010-06-12 07:12 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll
2010-06-12 07:11 . 2010-06-12 07:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\McAfee
2010-06-12 07:10 . 2008-06-22 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-11 05:21 . 2005-10-19 17:41 -------- d-----w- c:\program files\Google
2010-06-11 05:19 . 2008-10-04 15:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-10 21:54 . 2008-04-06 20:14 -------- d-----w- c:\program files\Safari
2010-06-10 21:49 . 2010-06-10 21:49 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-04 18:43 . 2008-07-25 20:03 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 18:51 . 2009-01-17 21:53 256 ----a-w- c:\windows\system32\pool.bin
2010-05-31 00:26 . 2007-08-06 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-27 21:52 . 2010-05-27 21:46 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Costco Photo Viewer US
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2004-08-10 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 05:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 05:20 . 2010-04-27 05:20 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-20 05:30 . 2004-08-10 05:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-12-22 18:01 . 2009-12-22 18:01 34578 ----a-w- c:\program files\uninstal.log
2008-05-02 17:43 . 2008-05-02 06:47 82144 ----a-w- c:\program files\Quicken.QIF
2007-03-18 01:07 . 2007-03-18 01:07 251 ----a-w- c:\program files\wt3d.ini
2006-01-05 20:52 . 2006-01-05 20:52 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-09_23.04.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-14 04:25 . 2010-07-14 04:25 16384 c:\windows\Temp\Perflib_Perfdata_43c.dat
- 2005-01-28 02:29 . 2010-07-09 22:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-28 02:29 . 2010-07-14 01:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-10 02:37 . 2010-07-14 01:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-08-05 20:47 . 2010-07-14 04:17 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-08-05 20:47 . 2010-07-14 04:17 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2007-08-05 20:47 . 2010-07-14 04:17 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-20 01:32 . 2010-07-14 04:29 226337 c:\windows\system32\inetsrv\MetaBase.bin
+ 2007-08-05 20:47 . 2010-07-14 04:17 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-08-05 20:47 . 2010-07-14 04:17 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-08-05 20:47 . 2010-07-14 04:17 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-08-05 20:47 . 2010-07-14 04:17 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2007-08-05 20:47 . 2010-07-14 04:17 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2010-05-21 02:57 . 2010-05-21 02:57 4989952 c:\windows\Installer\46f2c5.msp
+ 2010-05-21 02:57 . 2010-05-21 02:57 5907456 c:\windows\Installer\46f2c4.msp
+ 2010-06-11 18:03 . 2010-06-11 18:03 5021184 c:\windows\Installer\46f2a7.msp
+ 2007-08-05 20:47 . 2010-07-14 04:17 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-08-05 20:47 . 2010-07-14 04:17 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2007-08-05 20:47 . 2010-07-04 19:04 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-01-06 06:21 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
+ 2010-05-21 02:58 . 2010-05-21 02:58 12114432 c:\windows\Installer\46f293.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
@="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
[HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2010-03-11 1598808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-17 00:20 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-05 01:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2005-08-12 21:43 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-03-11 05:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashCP]
2005-10-21 17:03 40960 ----a-w- c:\program files\FlashCP\FlashCP-Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-02-25 22:34 245760 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-01 23:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 16:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 16:14 206112 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 23:44 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2006-03-10 22:07 36864 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 23:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 23:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-13 01:06 642856 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMDeviceManager]
2010-03-11 00:32 1598808 ----a-w- c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 20:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
2007-08-31 16:02 328992 ----a-w- c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-12-13 01:57 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-10-19 17:12 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayStartup]
2008-10-08 21:45 293328 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2006-08-09 22:41 4617720 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"QBFCService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FlashCP-Service"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BcmSqlStartupSvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe Version Cue CS2"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Phanfare 2.0\\Phanfare.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\silex technology\\ExtendView\\Extendview.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 cportio;cportio;c:\windows\system32\drivers\cportio.sys [1/11/2007 3:19 PM 12384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/23/2009 9:31 PM 93320]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 2:00 AM 316992]
R2 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe [10/8/2008 2:45 PM 981456]
R2 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe [10/8/2008 2:45 PM 55760]
R3 cmcdrv;cmcdrv;c:\windows\system32\drivers\cmcdrv.sys [4/3/2008 2:42 AM 2304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/21/2010 3:06 PM 135664]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 12:43 PM 204800]
S3 AATIVPEOLY;AATIVPEOLY;c:\docume~1\Admin\LOCALS~1\Temp\AATIVPEOLY.exe --> c:\docume~1\Admin\LOCALS~1\Temp\AATIVPEOLY.exe [?]
S3 AKKMHS;AKKMHS;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\AKKMHS.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\AKKMHS.exe [?]
S3 FAQHJNUVC;FAQHJNUVC;c:\docume~1\Admin\LOCALS~1\Temp\FAQHJNUVC.exe --> c:\docume~1\Admin\LOCALS~1\Temp\FAQHJNUVC.exe [?]
S3 GOOSOIRKXY;GOOSOIRKXY;c:\docume~1\Admin\LOCALS~1\Temp\GOOSOIRKXY.exe --> c:\docume~1\Admin\LOCALS~1\Temp\GOOSOIRKXY.exe [?]
S3 JKVOLDQJXU;JKVOLDQJXU;c:\docume~1\Admin\LOCALS~1\Temp\JKVOLDQJXU.exe --> c:\docume~1\Admin\LOCALS~1\Temp\JKVOLDQJXU.exe [?]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
S3 NeatReceipts Database Controller;NeatReceipts Database Controller;c:\program files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2/5/2008 1:03 PM 228480]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [9/24/2007 1:49 PM 40625]
S3 OECKDU;OECKDU;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\OECKDU.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\OECKDU.exe [?]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [10/4/2007 10:00 PM 39704]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [7/21/2007 9:34 AM 13359]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [1/7/2007 4:05 PM 728516]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [1/7/2007 4:05 PM 45756]
S3 wdpnp;Handheld USB Client;c:\windows\system32\drivers\wdpnp.sys [7/12/2002 5:42 PM 22748]
S3 YV;YV;c:\docume~1\Admin\LOCALS~1\Temp\YV.exe --> c:\docume~1\Admin\LOCALS~1\Temp\YV.exe [?]
S4 Dptirvi5vs;Dptirvi5vs; [x]
S4 FlashCP-Service;FlashCP-Service;c:\program files\FlashCP\FlashCP-Service.exe [10/21/2005 10:02 AM 126976]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 22:05]

2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 22:05]

2010-07-10 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-04-25 09:03]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 19:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 19:22]

2009-08-15 c:\windows\Tasks\User_Feed_Synchronization-{93565145-9F34-4C60-935D-53C1ACB1A319}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4x83nfx6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4x83nfx6.default\extensions\createandprint@ag.com\platform\WINNT_x86-msvc\plugins\NpPopup.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsmart.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npversck.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-13 23:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2717736901-3850292271-1558533183-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6136)
c:\windows\system32\WININET.dll
c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
c:\program files\Cox\Media Store and Share Backup Manager\LIBEXPAT.dll
c:\program files\Cox\Media Store and Share Backup Manager\VaultClientCOM.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-13 23:23:06
ComboFix-quarantined-files.txt 2010-07-14 06:23
ComboFix2.txt 2010-07-09 23:07
ComboFix3.txt 2010-07-09 01:10

Pre-Run: 167,615,229,952 bytes free
Post-Run: 167,593,713,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 722FBD3F767076B0C99C35BE0B875C70


Please help!

#5 shelf life (Malware Response Team)

Posted 14 July 2010 - 07:57 PM

OK, we will use ComboFix:

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

CODE
File::
c:\docume~1\Admin\LOCALS~1\Temp\AATIVPEOLY.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\AKKMHS.exe
c:\docume~1\Admin\LOCALS~1\Temp\FAQHJNUVC.exe
c:\docume~1\Admin\LOCALS~1\Temp\GOOSOIRKXY.exe
c:\docume~1\Admin\LOCALS~1\Temp\JKVOLDQJXU.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\OECKDU.exe
c:\docume~1\Admin\LOCALS~1\Temp\YV.exe

Driver::
AATIVPEOLY
AKKMHS
FAQHJNUVC
GOOSOIRKXY
JKVOLDQJXU
OECKDU
YV


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release. ComboFix will run and produce a new log.
Please post the new ComboFix log.

How Can I Reduce My Risk to Malware?


#6 annmeris

annmeris
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:08:35 AM

Posted 15 July 2010 - 12:36 AM

Here it is:

ComboFix 10-07-13.04 - HP_Administrator 07/14/2010 20:33:46.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2152 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\docume~1\Admin\LOCALS~1\Temp\AATIVPEOLY.exe"
"c:\docume~1\Admin\LOCALS~1\Temp\FAQHJNUVC.exe"
"c:\docume~1\Admin\LOCALS~1\Temp\GOOSOIRKXY.exe"
"c:\docume~1\Admin\LOCALS~1\Temp\JKVOLDQJXU.exe"
"c:\docume~1\Admin\LOCALS~1\Temp\YV.exe"
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\AKKMHS.exe"
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\OECKDU.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AATIVPEOLY
-------\Legacy_AKKMHS
-------\Legacy_FAQHJNUVC
-------\Legacy_GOOSOIRKXY
-------\Legacy_JKVOLDQJXU
-------\Legacy_OECKDU
-------\Legacy_YV
-------\Service_AATIVPEOLY
-------\Service_AKKMHS
-------\Service_FAQHJNUVC
-------\Service_GOOSOIRKXY
-------\Service_JKVOLDQJXU
-------\Service_OECKDU
-------\Service_YV


((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-14 01:47 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 21:37 . 2010-07-12 21:37 -------- d-----w- C:\router
2010-07-10 17:45 . 2010-07-10 17:45 -------- d-----w- c:\documents and settings\Admin\Application Data\Research In Motion
2010-07-10 17:41 . 2010-07-10 17:41 -------- d-----w- c:\documents and settings\Admin\Application Data\Windows Search
2010-07-10 05:05 . 2010-07-10 05:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-09 22:41 . 2010-07-09 22:41 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\mymebjdem
2010-07-09 22:39 . 2010-07-09 22:40 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Adobe
2010-07-09 21:07 . 2010-07-09 21:07 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Macromedia
2010-07-09 20:33 . 2010-07-09 20:33 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache
2010-07-09 20:31 . 2010-07-09 20:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Yahoo!
2010-07-09 20:29 . 2010-07-09 20:29 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-09 20:29 . 2010-07-09 20:29 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM
2010-07-09 20:28 . 2010-07-09 20:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2010-07-09 20:28 . 2010-07-09 20:28 -------- d-----w- c:\program files\Common Files\Skype
2010-07-09 20:28 . 2010-07-09 20:28 -------- d-----r- c:\program files\Skype
2010-07-09 20:24 . 2010-07-09 20:24 -------- d-sh--w- c:\documents and settings\Admin\PrivacIE
2010-07-09 17:45 . 2010-07-09 17:45 -------- d-sh--w- c:\documents and settings\Admin\IETldCache
2010-07-08 18:30 . 2010-07-08 19:32 -------- d-----w- C:\adobenew
2010-07-06 07:49 . 2010-07-06 07:49 322576 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-05 17:10 . 2010-07-05 17:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-07-05 06:38 . 2010-07-05 06:38 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\qudxumjia
2010-06-28 08:13 . 2010-07-10 07:19 -------- d-----w- C:\malware
2010-06-27 21:02 . 2010-06-27 21:02 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\iwhsklspb
2010-06-26 18:31 . 2010-06-26 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-06-26 18:31 . 2010-06-26 18:31 -------- d-----w- c:\program files\IObit
2010-06-23 06:20 . 2010-06-23 06:20 -------- d-----w- c:\documents and settings\HP_Administrator\DoctorWeb
2010-06-22 16:44 . 2010-06-22 16:50 -------- d-----w- C:\quicktest
2010-06-16 03:40 . 2010-07-11 20:56 -------- d-----w- C:\sysinternals

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 04:42 . 2009-02-05 21:37 256 ----a-w- c:\documents and settings\HP_Administrator\pool.bin
2010-07-15 03:46 . 2006-03-08 04:06 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-14 04:17 . 2007-08-05 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-12 20:57 . 2007-10-03 20:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 22:12 . 2010-07-09 17:44 128 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2010-07-09 20:28 . 2007-12-08 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-08 20:10 . 2007-01-20 04:14 -------- d-----w- c:\program files\Intuit
2010-07-08 19:53 . 2005-10-19 17:25 -------- d-----w- c:\program files\iTunes
2010-07-08 19:51 . 2005-10-19 17:25 -------- d-----w- c:\program files\iPod
2010-07-08 19:51 . 2007-08-06 16:41 -------- d-----w- c:\program files\Common Files\Apple
2010-07-08 19:41 . 2008-04-06 19:43 -------- d-----w- c:\program files\Bonjour
2010-07-08 04:25 . 2009-01-13 20:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2010-07-04 19:25 . 2006-01-06 04:37 183416 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-20 20:19 . 2009-06-24 04:28 -------- d-----w- c:\program files\McAfee
2010-06-14 14:31 . 2004-08-10 05:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 07:17 . 2010-06-12 07:17 -------- d-----w- c:\program files\Citrix
2010-06-12 07:11 . 2010-06-12 07:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\McAfee
2010-06-12 07:10 . 2008-06-22 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-11 05:21 . 2005-10-19 17:41 -------- d-----w- c:\program files\Google
2010-06-11 05:19 . 2008-10-04 15:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-10 21:54 . 2008-04-06 20:14 -------- d-----w- c:\program files\Safari
2010-06-04 18:43 . 2008-07-25 20:03 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 18:51 . 2009-01-17 21:53 256 ----a-w- c:\windows\system32\pool.bin
2010-05-31 00:26 . 2007-08-06 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-27 21:52 . 2010-05-27 21:46 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Costco Photo Viewer US
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2004-08-10 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 05:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-10 05:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 03:47 . 2009-04-01 19:09 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 03:47 . 2009-02-20 18:19 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-22 18:01 . 2009-12-22 18:01 34578 ----a-w- c:\program files\uninstal.log
2008-05-02 17:43 . 2008-05-02 06:47 82144 ----a-w- c:\program files\Quicken.QIF
2007-03-18 01:07 . 2007-03-18 01:07 251 ----a-w- c:\program files\wt3d.ini
2006-01-05 20:52 . 2006-01-05 20:52 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
@="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
[HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2010-03-11 1598808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-17 00:20 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-05 01:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2005-08-12 21:43 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-03-11 05:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashCP]
2005-10-21 17:03 40960 ----a-w- c:\program files\FlashCP\FlashCP-Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-02-25 22:34 245760 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-01 23:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 16:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 16:14 206112 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 23:44 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2006-03-10 22:07 36864 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 23:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 23:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-13 01:06 642856 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMDeviceManager]
2010-03-11 00:32 1598808 ----a-w- c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 20:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
2007-08-31 16:02 328992 ----a-w- c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-12-13 01:57 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-10-19 17:12 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayStartup]
2008-10-08 21:45 293328 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2006-08-09 22:41 4617720 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"QBFCService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FlashCP-Service"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BcmSqlStartupSvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe Version Cue CS2"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Phanfare 2.0\\Phanfare.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\silex technology\\ExtendView\\Extendview.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 cportio;cportio;c:\windows\system32\drivers\cportio.sys [1/11/2007 3:19 PM 12384]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 12:43 PM 204800]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/23/2009 9:31 PM 93320]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 2:00 AM 316992]
R2 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe [10/8/2008 2:45 PM 981456]
R2 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe [10/8/2008 2:45 PM 55760]
R3 cmcdrv;cmcdrv;c:\windows\system32\drivers\cmcdrv.sys [4/3/2008 2:42 AM 2304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/21/2010 3:06 PM 135664]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
S3 NeatReceipts Database Controller;NeatReceipts Database Controller;c:\program files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2/5/2008 1:03 PM 228480]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [9/24/2007 1:49 PM 40625]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [10/4/2007 10:00 PM 39704]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [7/21/2007 9:34 AM 13359]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [1/7/2007 4:05 PM 728516]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [1/7/2007 4:05 PM 45756]
S3 wdpnp;Handheld USB Client;c:\windows\system32\drivers\wdpnp.sys [7/12/2002 5:42 PM 22748]
S4 Dptirvi5vs;Dptirvi5vs; [x]
S4 FlashCP-Service;FlashCP-Service;c:\program files\FlashCP\FlashCP-Service.exe [10/21/2005 10:02 AM 126976]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 22:05]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 22:05]

2010-07-10 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-04-25 09:03]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 19:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 19:22]

2009-08-15 c:\windows\Tasks\User_Feed_Synchronization-{93565145-9F34-4C60-935D-53C1ACB1A319}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4x83nfx6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4x83nfx6.default\extensions\createandprint@ag.com\platform\WINNT_x86-msvc\plugins\NpPopup.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsmart.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npversck.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 21:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2717736901-3850292271-1558533183-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7020)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
c:\program files\Cox\Media Store and Share Backup Manager\LIBEXPAT.dll
c:\program files\Cox\Media Store and Share Backup Manager\VaultClientCOM.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\java.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-07-14 21:50:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-15 04:50
ComboFix2.txt 2010-07-14 06:23
ComboFix3.txt 2010-07-09 23:07
ComboFix4.txt 2010-07-09 01:10

Pre-Run: 174,095,556,608 bytes free
Post-Run: 174,109,253,632 bytes free

- - End Of File - - 2CCCF347D1FBE60443937AE2CA503A40


I'm so glad you're going to stay with me! I posted the 3rd computer. I did a lot of program running, but if you do take a look at it. The last thing I ran was RootRepeal and there are a lot of hooks listed. It is in the posting so you wouldn't have to look at the uploads.

Thanks!

#7 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost
  • Local time:09:35 AM

Posted 15 July 2010 - 06:09 PM

OK, so far so good. You can install Malwarebytes and run it:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?


#8 annmeris

annmeris
  • Topic Starter

  • Members
  • 40 posts
  • Local time:08:35 AM

Posted 16 July 2010 - 02:06 AM

Here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4317

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/15/2010 11:19:24 PM
mbam-log-2010-07-15 (23-19-24).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 536223
Time elapsed: 1 hour(s), 55 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Now that looks good to me.


#9 annmeris

annmeris
  • Topic Starter

  • Members
  • 40 posts
  • Local time:08:35 AM

Posted 16 July 2010 - 10:15 AM

Good or not good, one log does not make a clean computer:

Results of Eset:

C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\h6mvnsfj.tmp JS/Exploit.Pdfka.OCR.Gen trojan cleaned by deleting - quarantined
C:\Documents and Settings\HP_Administrator\My Documents\My Music\Morph2021.exe multiple threats deleted - quarantined
C:\hold\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\limeshareno\Steven Spielberg gets a hilarious prank phone call.wma probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP3\A0000163.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined


I turned off System Restore before I rebooted. I'm concerned about the Spielberg phone call: Not from limewire. That was from an app, "your mail" for my cell phone. I guess, things sneak by Blackberry too.

Question: do we need to run combofix with a script to remove registry keys?

#10 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost
  • Local time:09:35 AM

Posted 16 July 2010 - 08:41 PM

I don't see any reg keys that need removing. There is plenty of malware that is distributed via p2p networks. Files can be named anything, be outright malware or have malware embedded in them. This isn't to say this is how you got it, but just an FYI.

QUOTE: from an app, "your mail" for my cell phone


Yes malware for mobile technology has arrived, no surprises there. Any re-direction going on?

How Can I Reduce My Risk to Malware?


#11 annmeris

annmeris
  • Topic Starter

  • Members
  • 40 posts
  • Local time:08:35 AM

Posted 16 July 2010 - 11:34 PM

Yes, when I want to call someone, it calls someone else.

No I haven't had any redirects in a while.

Next please.

#12 annmeris

annmeris
  • Topic Starter

  • Members
  • 40 posts
  • Local time:08:35 AM

Posted 17 July 2010 - 11:19 PM

I ran RootRepeal yesterday; here is the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/07/16 08:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA6E19000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA610000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA1C8000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==


Then ComboFix today; I'll upload the log (name: combolast.txt).

I think I'm done with this computer??? Please confirm.

Thanks, Ann
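As an added example (not code from the thread, from RootRepeal, or from any of the tools mentioned), here is a small Python parser for the RootRepeal "Drivers" section posted above: it reads each entry and flags drivers reported with no visible file, except the crash-dump drivers (dump_*.sys live only in memory) and the scanner's own rootrepeal.sys, which is why the log above comes back with nothing to chase. The sample log is a constructed copy of the posted section, and the expected-hidden lists are an assumption for this example.

```python
import re

# Constructed copy of the driver section from the RootRepeal log posted above.
SAMPLE_LOG = """Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xA6E19000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_WMILIB.SYS
Address: 0xBA610000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xBA1C8000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==
"""

# Assumed list of hidden drivers that are normal on a healthy XP box: the crash-dump
# stack (no file on disk, so "File Visible: No" is expected) and the scanner itself.
EXPECTED_HIDDEN_PREFIXES = ("dump_",)
EXPECTED_HIDDEN_NAMES = {"rootrepeal.sys"}

_DETAIL_RE = re.compile(r"Address: (0x[0-9A-Fa-f]+) Size: (\d+) File Visible: (\w+)")


def parse_drivers(log: str) -> list[dict]:
    """Parse the 'Drivers' section of a RootRepeal log into one dict per driver."""
    body = log.split("Drivers\n-------------------\n", 1)[-1].split("==EOF==", 1)[0]
    drivers = []
    for block in body.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        m = _DETAIL_RE.search(block)
        if "Name" not in fields or m is None:
            continue  # skip malformed entries instead of crashing on a partial log
        drivers.append({"name": fields["Name"], "path": fields.get("Image Path", ""),
                        "address": int(m.group(1), 16), "size": int(m.group(2)),
                        "visible": m.group(3).lower() == "yes"})
    return drivers


def unexplained_hidden(drivers: list[dict]) -> list[str]:
    """Names of drivers with no visible file that are not on the expected list."""
    return [d["name"] for d in drivers if not d["visible"]
            and not d["name"].lower().startswith(EXPECTED_HIDDEN_PREFIXES)
            and d["name"].lower() not in EXPECTED_HIDDEN_NAMES]
```

Any name returned by unexplained_hidden is a driver present in memory but absent from the file system, which is the pattern a helper would ask for more logs on.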

#13 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost
  • Local time:09:35 AM

Posted 18 July 2010 - 09:39 AM

Looks like Eset removed some 'goodies' also. The Smitfraud 'restart' is part of a legit tool you must have used at one time.

The rest looks good to me. You can delete the RootRepeal and Gmer icons. You can uninstall ComboFix like this:
Start > Run and type in combofix /uninstall
Note the space after the x and before the /.

You can run this also:

Please download OTCleanIt and save it to desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Keep Malwarebytes, and note that the free version must be updated manually and a scan started manually.
Since System Restore is off, all you have to do is turn it back on to create a new restore point on a now clean computer.
I will spare you my 'close post' since I already posted it.

How Can I Reduce My Risk to Malware?

