Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Malware, Rookits and Trojans. Help!


  • This topic is locked This topic is locked
6 replies to this topic

#1 patrick.waite01

patrick.waite01

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 14 February 2011 - 11:15 PM

My name is Patrick, I got one of my computers repaired on this website and now I'm hoping to fix my dad's computer. This computer is incredibly slow and restarts randomly..
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DDS (Ver_10-12-12.02) - NTFSx86
Run by Mark Waite at 20:44:58.76 on Mon 02/14/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.183 [GMT -7:00]

AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Mark Waite\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [nehlgmdo] c:\documents and settings\mark waite\local settings\application data\sulqlo\xwiesysguard.exe
uRun: [iasvrtds] c:\documents and settings\mark waite\local settings\application data\xkdyct\suqnsysguard.exe
uRun: [osnphgxh] c:\documents and settings\mark waite\local settings\application data\jpxcig\bdassysguard.exe
uRun: [Google Update] "c:\documents and settings\mark waite\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [nehlgmdo] c:\documents and settings\mark waite\local settings\application data\sulqlo\xwiesysguard.exe
mRun: [iasvrtds] c:\documents and settings\mark waite\local settings\application data\xkdyct\suqnsysguard.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: &Define - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123828290014
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232050172406
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://safaltek.webex.com/client/T26L/webex/ieatgpc.cab
Filter: text/html - {420776e3-3dd6-48d0-a8c4-9deb4f4fa58f} -
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-17 214664]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-4-12 47640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-17 144704]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-7-9 65856]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-17 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-17 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-17 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-17 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\icrecusb.sys --> c:\windows\system32\drivers\IcRecUsb.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-17 34248]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-02-14 20:27:10 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-02-14 19:47:28 -------- dc-h--w- c:\windows\ie8
2011-02-14 19:20:02 -------- d-----w- c:\docume~1\markwa~1\applic~1\comcasttb
2011-02-14 18:55:12 -------- d-----w- c:\program files\CCleaner
2011-01-30 21:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-01-21 14:44:37 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-30 00:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2008-11-02 23:19:12 12588 ----a-w- c:\program files\common files\efulehapos.reg
2008-11-02 23:19:12 10695 ----a-w- c:\program files\common files\anuvazezik.reg

============= FINISH: 20:47:42.89 ===============
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Whenever I would try to run the GMER program my computer would randomly restart. I hope that doesn't effect too much..
Thanks so much for the help!!

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:00 AM

Posted 19 February 2011 - 05:48 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 patrick.waite01

patrick.waite01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 24 February 2011 - 07:20 PM

DDS (Ver_10-12-12.02) - NTFSx86
Run by Mark Waite at 17:09:26.42 on Thu 02/24/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.98 [GMT -7:00]

AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Mark Waite\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [nehlgmdo] c:\documents and settings\mark waite\local settings\application data\sulqlo\xwiesysguard.exe
uRun: [iasvrtds] c:\documents and settings\mark waite\local settings\application data\xkdyct\suqnsysguard.exe
uRun: [osnphgxh] c:\documents and settings\mark waite\local settings\application data\jpxcig\bdassysguard.exe
uRun: [Google Update] "c:\documents and settings\mark waite\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [nehlgmdo] c:\documents and settings\mark waite\local settings\application data\sulqlo\xwiesysguard.exe
mRun: [iasvrtds] c:\documents and settings\mark waite\local settings\application data\xkdyct\suqnsysguard.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: &Define - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123828290014
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232050172406
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://safaltek.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {420776e3-3dd6-48d0-a8c4-9deb4f4fa58f} -
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-17 214664]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-4-12 47640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-17 144704]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-7-9 65856]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-17 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-17 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-17 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-17 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\icrecusb.sys --> c:\windows\system32\drivers\IcRecUsb.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-17 34248]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-02-22 02:04:27 -------- d-----w- c:\program files\iTunes
2011-02-22 02:02:57 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-22 02:02:57 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-22 02:01:36 -------- d-----w- c:\program files\Bonjour
2011-02-18 01:53:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-02-18 01:53:04 -------- d-----w- c:\program files\McAfee Security Scan
2011-02-14 20:27:10 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-02-14 19:47:28 -------- dc-h--w- c:\windows\ie8
2011-02-14 19:20:02 -------- d-----w- c:\docume~1\markwa~1\applic~1\comcasttb
2011-02-14 18:55:12 -------- d-----w- c:\program files\CCleaner
2011-01-30 21:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2011-02-24 22:17:56 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-30 00:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2008-11-02 23:19:12 12588 ----a-w- c:\program files\common files\efulehapos.reg
2008-11-02 23:19:12 10695 ----a-w- c:\program files\common files\anuvazezik.reg

============= FINISH: 17:12:14.42 ===============


Thank you for your help! NO worries about how long its takin, just glad to get some real help!

And my computer won't run the GMER program, it just auto quits it whenver I try.. Sorry!

Attached Files



#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:03:00 AM

Posted 26 February 2011 - 08:59 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this tread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#5 patrick.waite01

patrick.waite01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 27 February 2011 - 12:05 PM

OTL.txt:

OTL logfile created on: 2/27/2011 9:36:33 AM - Run 1
OTL by OldTimer - Version 3.2.22.1 Folder = C:\Documents and Settings\Mark Waite\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 62.00 Mb Available Physical Memory | 12.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 31.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 114.58 Gb Free Space | 76.87% Space Free | Partition Type: NTFS

Computer Name: DELL-DIMENSION | User Name: Mark Waite | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/27 09:34:46 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark Waite\Desktop\OTL.exe
PRC - [2010/08/23 18:32:22 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/07/09 11:40:24 | 000,065,856 | ---- | M] (Nalpeiron Ltd.) -- C:\WINDOWS\system32\NLSSRV32.EXE
PRC - [2010/01/15 05:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/10/29 06:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/01 16:43:06 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/09/17 13:29:04 | 000,806,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2009/09/16 09:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/07/24 17:46:10 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/02/27 09:34:46 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark Waite\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/07/09 11:40:24 | 000,065,856 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\WINDOWS\system32\NLSSRV32.EXE -- (nlsX86cc)
SRV - [2010/01/15 05:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/01 16:43:40 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Disabled | Stopped] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009/09/16 10:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 10:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/07/24 17:46:10 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Disabled | Stopped] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)


========== Driver Services (SafeList) ==========

DRV - [2010/02/11 05:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/09/16 09:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/06/21 13:54:47 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/10/16 19:35:58 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2008/07/24 17:46:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/07/24 17:46:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2004/08/03 22:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/03 22:29:26 | 000,327,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2001/08/17 06:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 05:48:52 | 000,281,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpaa.sys -- (ati2mpaa)
DRV - [2001/08/13 10:17:34 | 000,737,973 | R--- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)
DRV - [2001/05/14 17:15:40 | 000,010,368 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.yahoo.com [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2025429265-884357618-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/08/23 18:35:09 | 000,000,000 | ---D | M]

[2009/09/20 14:24:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark Waite\Application Data\Mozilla\Extensions
[2009/09/20 14:24:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark Waite\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2009/12/08 11:33:04 | 000,361,533 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12430 more lines...
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..\Toolbar\WebBrowser: (no name) - {C17590D2-ECB4-4B15-8820-F58798DCC118} - No CLSID value found.
O3 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [iasvrtds] File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [nehlgmdo] File not found
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe (Microsoft® Corporation)
O4 - HKU\S-1-5-21-2025429265-884357618-725345543-1004..\Run: [DW6] File not found
O4 - HKU\S-1-5-21-2025429265-884357618-725345543-1004..\Run: [iasvrtds] File not found
O4 - HKU\S-1-5-21-2025429265-884357618-725345543-1004..\Run: [nehlgmdo] File not found
O4 - HKU\S-1-5-21-2025429265-884357618-725345543-1004..\Run: [osnphgxh] File not found
O4 - HKU\S-1-5-21-2025429265-884357618-725345543-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-2025429265-884357618-725345543-1004..\Run: [updateMgr] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM ()
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM ()
O9 - Extra Button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM ()
O9 - Extra 'Tools' menuitem : Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM ()
O9 - Extra Button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM ()
O9 - Extra 'Tools' menuitem : Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..Trusted Domains: google.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..Trusted Domains: microsoft.com ([*.windowsupdate] http in Trusted sites)
O15 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..Trusted Domains: microsoft.com ([windowsupdate] http in Trusted sites)
O15 - HKU\S-1-5-21-2025429265-884357618-725345543-1004\..Trusted Domains: windowsupdate.com ([]http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www.costcophotocenter.com/CostcoActivia.cab (Snapfish Activia)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123828290014 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232050172406 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://safaltek.webex.com/client/T26L/webex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Pool 2 http://download2.games.yahoo.com/games/clients/y/poti_x.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Mark Waite\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mark Waite\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/11 22:27:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/27 09:35:34 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark Waite\Desktop\OTL.exe
[2011/02/21 22:16:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2011/02/21 22:14:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
[2011/02/21 19:07:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/02/21 19:04:27 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/02/21 19:03:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/02/21 19:02:57 | 004,184,352 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2011/02/21 19:01:36 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/02/21 19:01:17 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/02/17 18:53:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2011/02/17 18:53:04 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2011/02/14 20:56:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark Waite\Desktop\gmer
[2011/02/14 13:27:10 | 000,025,992 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2011/02/14 12:47:28 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2011/02/14 12:20:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark Waite\Application Data\comcasttb
[2011/02/14 11:59:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Mark Waite\Recent
[2011/02/14 11:55:12 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[58 C:\Documents and Settings\All Users\My Documents\*.tmp files -> C:\Documents and Settings\All Users\My Documents\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/27 09:34:46 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark Waite\Desktop\OTL.exe
[2011/02/27 09:32:08 | 000,033,481 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2011/02/26 18:19:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/26 18:12:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-884357618-725345543-1004UA.job
[2011/02/26 18:00:00 | 000,000,454 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration3.job
[2011/02/26 18:00:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2011/02/26 16:36:43 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-884357618-725345543-1004.job
[2011/02/26 16:36:42 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-884357618-725345543-1004.job
[2011/02/26 15:53:04 | 000,000,388 | ---- | M] () -- C:\WINDOWS\tasks\Free File Viewer Update Checker.job
[2011/02/25 20:19:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/25 19:12:06 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-884357618-725345543-1004Core.job
[2011/02/25 16:03:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/24 15:17:56 | 000,398,760 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2011/02/23 20:04:40 | 000,002,205 | ---- | M] () -- C:\Documents and Settings\Mark Waite\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2011/02/23 14:26:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/02/21 22:15:01 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/02/21 22:14:59 | 000,001,619 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2011/02/21 18:50:45 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2011/02/21 18:18:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/21 18:15:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/21 18:15:55 | 535,904,256 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/14 20:54:44 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Mark Waite\Desktop\gmer.zip
[2011/02/14 20:33:15 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\Mark Waite\Desktop\dds.scr
[2011/02/14 20:18:06 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\Mark Waite\defogger_reenable
[2011/02/14 16:03:23 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/14 13:27:31 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2011/02/14 13:27:31 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2011/02/14 13:27:10 | 000,025,992 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2011/02/14 12:59:24 | 000,000,824 | ---- | M] () -- C:\Documents and Settings\Mark Waite\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/02/14 12:37:04 | 000,000,390 | ---- | M] () -- C:\WINDOWS\tasks\DriverCure.job
[2011/02/14 12:36:57 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2011/02/14 12:36:57 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2011/02/14 11:55:30 | 000,000,691 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/02/13 12:48:54 | 000,001,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/02/12 03:08:12 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job
[2011/02/08 16:42:34 | 000,325,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/08 16:40:46 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2011/02/08 16:40:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2011/02/07 12:31:52 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2011/02/07 12:31:52 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2011/02/05 14:57:05 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2011/02/05 14:57:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2011/02/02 18:44:50 | 000,069,324 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/01/31 16:27:44 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2011/01/31 16:27:43 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[58 C:\Documents and Settings\All Users\My Documents\*.tmp files -> C:\Documents and Settings\All Users\My Documents\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/21 22:15:00 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/02/21 22:14:59 | 000,001,619 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2011/02/14 20:54:30 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Desktop\gmer.zip
[2011/02/14 20:33:14 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Desktop\dds.scr
[2011/02/14 20:17:37 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\Mark Waite\defogger_reenable
[2011/02/14 12:59:24 | 000,000,824 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/02/14 12:50:07 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/02/14 11:55:29 | 000,000,691 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/02/13 12:48:54 | 000,001,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/02/02 18:44:50 | 000,069,324 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/01/21 17:47:17 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/23 18:39:28 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/09/22 19:43:51 | 000,000,676 | ---- | C] () -- C:\WINDOWS\Edmark.ini
[2009/09/16 16:27:58 | 000,508,224 | ---- | C] () -- C:\WINDOWS\System32\ICCProfiles.dll
[2009/01/17 17:38:04 | 000,000,289 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/01/15 13:32:00 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/01/15 10:21:52 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\drivers\RT2661.bin
[2009/01/15 10:21:52 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\drivers\RT2561s.bin
[2009/01/15 10:21:52 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\drivers\RT2561.bin
[2008/11/06 19:11:11 | 000,019,260 | ---- | C] () -- C:\Program Files\Common Files\cirux.db
[2008/11/06 19:11:11 | 000,019,003 | ---- | C] () -- C:\WINDOWS\ymyzyne.exe
[2008/11/06 19:11:11 | 000,017,777 | ---- | C] () -- C:\WINDOWS\System32\samese.dll
[2008/11/06 19:11:11 | 000,017,205 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\urylybimy.scr
[2008/11/06 19:11:11 | 000,015,569 | ---- | C] () -- C:\WINDOWS\qojyzunyk.sys
[2008/11/06 19:11:11 | 000,013,516 | ---- | C] () -- C:\WINDOWS\baloq.dat
[2008/11/06 19:11:11 | 000,013,310 | ---- | C] () -- C:\WINDOWS\yzik.dat
[2008/11/06 19:11:11 | 000,013,203 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Local Settings\Application Data\hegihoty.dll
[2008/11/06 19:11:11 | 000,011,964 | ---- | C] () -- C:\WINDOWS\System32\ijaja.com
[2008/11/06 19:01:18 | 000,019,164 | ---- | C] () -- C:\WINDOWS\yjedizew.sys
[2008/11/06 19:01:18 | 000,016,248 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\kexytufo.bat
[2008/11/06 19:01:18 | 000,016,170 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Local Settings\Application Data\icyvuc._dl
[2008/11/06 19:01:18 | 000,013,255 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\izyh.vbs
[2008/11/06 19:01:18 | 000,013,107 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\idisuse.db
[2008/11/06 19:01:18 | 000,011,307 | ---- | C] () -- C:\WINDOWS\mubeb.bin
[2008/11/06 19:01:18 | 000,010,069 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\ivuz.pif
[2008/11/02 16:40:18 | 000,019,522 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Local Settings\Application Data\ykopo.pif
[2008/11/02 16:40:18 | 000,018,803 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Local Settings\Application Data\ybecehony.dll
[2008/11/02 16:40:18 | 000,017,567 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\odibavajyc.dl
[2008/11/02 16:40:18 | 000,013,617 | ---- | C] () -- C:\WINDOWS\wepunol.dll
[2008/11/02 16:40:18 | 000,013,242 | ---- | C] () -- C:\WINDOWS\uwog.sys
[2008/11/02 16:40:18 | 000,012,237 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\gaginewi.dat
[2008/11/02 16:40:18 | 000,010,556 | ---- | C] () -- C:\WINDOWS\System32\bepo.bin
[2008/11/02 16:40:17 | 000,019,686 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yhis.dat
[2008/11/02 16:40:17 | 000,014,984 | ---- | C] () -- C:\Program Files\Common Files\ebanup._dl
[2008/11/02 16:40:17 | 000,013,174 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\umeg.dll
[2008/11/02 16:19:12 | 000,018,216 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Local Settings\Application Data\nemyryxo.pif
[2008/11/02 16:19:12 | 000,018,009 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\uzycytuc.dl
[2008/11/02 16:19:12 | 000,014,735 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Local Settings\Application Data\ajidarek._dl
[2008/11/02 16:19:12 | 000,012,911 | ---- | C] () -- C:\Program Files\Common Files\icehesiji.dl
[2008/11/02 16:19:12 | 000,012,588 | ---- | C] () -- C:\Program Files\Common Files\efulehapos.reg
[2008/11/02 16:19:12 | 000,011,111 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\unuqewow.pif
[2008/11/02 16:19:12 | 000,010,695 | ---- | C] () -- C:\Program Files\Common Files\anuvazezik.reg
[2008/11/02 16:19:12 | 000,010,592 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ulajosozyn.bat
[2008/11/02 16:19:11 | 000,016,483 | ---- | C] () -- C:\Program Files\Common Files\evesotobi._sy
[2008/11/02 16:19:11 | 000,015,430 | ---- | C] () -- C:\WINDOWS\olehekape.com
[2008/11/02 16:19:11 | 000,013,364 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Application Data\qovemol.db
[2008/11/02 16:19:11 | 000,011,085 | ---- | C] () -- C:\Program Files\Common Files\uqag.lib
[2006/08/28 19:22:25 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Mark Waite\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/06/04 10:53:32 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\Rivet200.dll
[2006/01/07 18:50:11 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2006/01/06 13:31:37 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/01/06 13:31:37 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/01/06 13:31:37 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2005/11/10 15:15:52 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\impborl.dll
[2005/11/06 21:24:15 | 000,001,395 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/10/04 13:48:24 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\OPShDwn.dll
[2005/09/10 06:38:12 | 000,000,021 | ---- | C] () -- C:\WINDOWS\System32\p.dat
[2005/09/10 06:38:09 | 000,105,078 | ---- | C] () -- C:\WINDOWS\System32\system.dat
[2005/08/29 21:14:00 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\Voicech.dll
[2005/08/18 17:49:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2005/08/12 00:07:20 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/11 23:43:41 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/08/11 23:01:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/11 22:30:08 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/11 22:23:59 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/11 16:08:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/11 16:07:46 | 000,325,912 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/18 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 05:00:00 | 000,436,196 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 05:00:00 | 000,068,690 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 05:00:00 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/07/07 14:49:30 | 000,069,120 | ---- | C] () -- C:\WINDOWS\System32\LTDLL.DLL
[2000/03/25 19:00:00 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\clcd32.dll
[1999/09/20 13:43:10 | 000,006,784 | ---- | C] () -- C:\WINDOWS\System32\clcd16.dll
[1997/06/13 17:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

< End of report >




Extras.txt
OTL Extras logfile created on: 2/27/2011 9:36:33 AM - Run 1
OTL by OldTimer - Version 3.2.22.1 Folder = C:\Documents and Settings\Mark Waite\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 62.00 Mb Available Physical Memory | 12.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 31.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 114.58 Gb Free Space | 76.87% Space Free | Partition Type: NTFS

Computer Name: DELL-DIMENSION | User Name: Mark Waite | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirstRunDisabled" = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\ccapp.exe" = %windir%\system32\ccapp.exe:*:Enabled:System Process
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\Documents and Settings\Mark Waite\Local Settings\Temp\~os132.tmp\ossproxy.exe" = C:\Documents and Settings\Mark Waite\Local Settings\Temp\~os132.tmp\ossproxy.exe:*:Enabled:ossproxy.exe
"C:\Documents and Settings\Mark Waite\Local Settings\Temp\~os20.tmp\ossproxy.exe" = C:\Documents and Settings\Mark Waite\Local Settings\Temp\~os20.tmp\ossproxy.exe:*:Enabled:ossproxy.exe
"C:\WINDOWS\Temp\~os3.tmp\ossproxy.exe" = C:\WINDOWS\Temp\~os3.tmp\ossproxy.exe:*:Enabled:ossproxy.exe
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\AGE2_X1.ICD" = C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\AGE2_X1.ICD:*:Disabled:Age of Empires II Expansion
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe" = C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe:*:Enabled:Free File Viewer Update Checker -- (Bitberry Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00170409-78E1-11D2-B60F-006097C998E7}" = Microsoft Word 2000 SR-1
"{01001202-5D65-445A-B3B4-3DCE72BA0C6C}" = Microsoft Encarta Encyclopedia Standard 2001
"{15D9EB74-998E-4A04-B468-51C2E7B32182}" = Microsoft Picture It! Publishing 2001
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1E0D8F69-A6AB-4934-9B2D-159D9F97BA4A}" = ParetoLogic DriverCure
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 23
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37E1EB56-C59B-4C5C-B0B3-B5076046EF8A}" = BlackBerry Desktop Software 4.2
"{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50CE6FB8-23DF-42B1-98CE-AA17A0905C7A}" = Learning QuickBooks 2009
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}" = Microsoft Works Suite Add-in for Microsoft Word
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{7F831576-6246-42C7-B523-55B3F96509CC}" = LogMeIn
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A71D5E81-B967-43DB-93D7-FD31BFB95748}" = MobileMe Control Panel
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CD55BC4A-C299-4632-91A9-88705157EAC2}" = RitzPix E-Z Print & Share
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D085A1B6-90A4-11D3-82B7-00C04FA309DE}" = Microsoft Money 2001
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DFCF56BA-1E6E-44D6-BBB4-47227F1F0A6E}" = JetTask
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{F8D0829C-9C6F-11D3-8080-00C04FA329AA}" = Microsoft Works 6.0
"{FAF7F1D7-C0E7-47EA-8AAA-84E4F9EA3C94}" = Works Suite OS Pack
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BlackBerry_{37E1EB56-C59B-4C5C-B0B3-B5076046EF8A}" = BlackBerry Desktop Software 4.2
"CCleaner" = CCleaner
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"FreeFileViewer_is1" = Free File Viewer 2010
"Google Updater" = Google Updater
"GospeLink" = GospeLink
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"IrfanView" = IrfanView (remove only)
"JetTask" = JetTask
"Learning QuickBooks 2009" = Learning QuickBooks 2009
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Peachtree Pro Accounting" = Peachtree Pro Accounting 2009
"Picasa 3" = Picasa 3
"RealPlayer 12.0" = RealPlayer
"Shockwave" = Shockwave
"ST6UNST #1" = Hero Editor V0.95
"ST6UNST #2" = Hero Editor V0.95 (C:\Program Files\Hero Editor\)
"WavePad" = WavePad Sound Editor
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2001Setup" = Microsoft Works 2001 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2025429265-884357618-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/24/2011 10:24:12 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 2/24/2011 10:24:12 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1969

Error - 2/24/2011 10:24:12 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1969

Error - 2/24/2011 10:24:14 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 2/24/2011 10:24:14 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3937

Error - 2/24/2011 10:24:14 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3937

Error - 2/24/2011 10:24:18 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 2/24/2011 10:24:18 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 7547

Error - 2/24/2011 10:24:18 PM | Computer Name = DELL-DIMENSION | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 7547

Error - 2/24/2011 10:29:39 PM | Computer Name = DELL-DIMENSION | Source = Application Error | ID = 1000
Description = Faulting application mDNSResponder.exe, version 2.0.4.0, faulting
module mDNSResponder.exe, version 2.0.4.0, fault address 0x00008108.

[ System Events ]
Error - 2/24/2011 10:15:05 PM | Computer Name = DELL-DIMENSION | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 2/24/2011 10:29:10 PM | Computer Name = DELL-DIMENSION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.2.7 on
the Network Card with network address 0050FC58C278.

Error - 2/24/2011 10:29:46 PM | Computer Name = DELL-DIMENSION | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 2/25/2011 4:52:00 PM | Computer Name = DELL-DIMENSION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.2.7 on
the Network Card with network address 0050FC58C278.

Error - 2/25/2011 10:10:39 PM | Computer Name = DELL-DIMENSION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.2.7 on
the Network Card with network address 0050FC58C278.

Error - 2/26/2011 1:14:51 PM | Computer Name = DELL-DIMENSION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.2.7 on
the Network Card with network address 0050FC58C278.

Error - 2/26/2011 6:53:04 PM | Computer Name = DELL-DIMENSION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.2.7 on
the Network Card with network address 0050FC58C278.

Error - 2/26/2011 7:45:57 PM | Computer Name = DELL-DIMENSION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.2.7 on
the Network Card with network address 0050FC58C278.

Error - 2/27/2011 12:30:15 PM | Computer Name = DELL-DIMENSION | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.2.7 on
the Network Card with network address 0050FC58C278.

Error - 2/27/2011 12:37:53 PM | Computer Name = DELL-DIMENSION | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.


< End of report >

THanks so much for the help!

#6 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:03:00 AM

Posted 28 February 2011 - 11:01 AM

Hi-

Thanks for the logs. I do not see any obvious infections so we need to keep searching.

First, before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following files in turn and click the Submit file button within Jotti.

C:\WINDOWS\yjedizew.sys
C:\WINDOWS\System32\samese.dll
C:\WINDOWS\wepunol.dll
C:\Program Files\Common Files\icehesiji.dl


If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
To scan the next file, click on the Next File button.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal

Next, please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ossproxy.*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Then, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

In your reply, please copy in the SystemLook report and the RKU report. Let me know the results of the Jotti scans. Also, let me know what the computer is doing or not doing.
Shannon

#7 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:03:00 AM

Posted 07 March 2011 - 08:26 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Shannon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users