Blank Window 2 Windows and Alerts of hello4.exe Not Responding When Attempting Shutdown


This topic is locked
34 replies to this topic

#1 Pi-Face

Pi-Face

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 10 August 2011 - 04:57 PM

From my original topic:

Last Saturday, August 6, the family computer was infected with XP Antivirus 2012. The next morning, my younger brothers alerted me of its presence. I replied that they should get rid of it. Unfortunately, they were unable to do so, and, because they migrated to using my personal laptop, I decided to try to fix whatever issues the computer was having. Over the next few days, I started the computer in safe mode and ran scans using McAfee, Malwarebytes' Anti-Malware, SuperAntiSpyware, and TDSSKiller. The first few scans by McAfee weren't successful, as they seemed to not progress at all. That is when I noticed that the processes tab of the task manager was filled with qttask.exe. One time when I was starting in safe mode, Blank Window 2 windows appeared for the first time. And unresponsive hello4.exe program alerts appeared when I tried to shut down. Eventually, qttask.exe and hello4.exe seemed to be taken care of and no longer appeared in safe mode. In the most recent scans, no threats were detected.

When I started the computer normally, it seemed to be slower. (I wasn't exactly sure because the family computer is probably around eight or nine years old.) Also, for some reason, the desktop icons disappeared. When I saw this, I restarted the computer in safe mode and ran a few scans, but neither the desktop nor the taskbar would appear. This actually happened before, but they would always appear eventually. When my older brother saw this, he told me to just make a new user since we didn't need any of the files on the old one. (My two younger brothers only really surfed the Internet and played MapleStory.) On the new user, the desktop and taskbar appeared, but the computer ran noticeably slower. Also, when I shut down, the same Blank Window 2 windows and hello4.exe alerts appeared. I started the computer normally again. And while I was using it, I became unable to run Internet Explorer. When I started in safe mode, I was still unable to use Internet Explorer, so I decided I needed help, which is why I'm posting here.


I followed the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help, as instructed by Orange Blossom. Everything was fine from steps six to eight, but running the scan for GMER took quite some time, so I left the computer to scan. Unfortunately, the other members of my family turned out to have been using the computer during this scan and even in the previous scans. When I checked the scan this morning, I didn't find a finished scan but something called Security Protection. Security Protection stopped me from opening any other programs, so I restarted in safe mode again. Strangely, during the shutdown of the restart, hello4.exe alerts did not appear. However, once in safe mode, I continued to follow the steps of the guide starting from step six again.

.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Adrian at 7:48:44 on 2011-08-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.152 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = localhost
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mWinlogon: SFCDisable=4 (0x4)
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511145916.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: QuickNet BHO: {ea5ca8b6-9b9c-4994-a7a1-947b6c631be7} - c:\program files\regtweaker\key.dll
TB: {2C0A5F28-48D8-408B-9172-9C6121025BCE} - No File
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: @c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [j4201536] rundll32 c:\windows\system32\j4201536.dll sook
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRunOnce: [Malwarebytes' Anti-Malware] c:\malwarebytes' anti-malware\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [8DDYX0ZBPZ] c:\windows\temp\Dx1 .exe
dRun: [ZU6RKI1ONY] c:\windows\temp\Dx0 .exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{C38A4D5A-47CE-4C07-95D2-0B55B791D7D7} : NameServer = 68.105.28.12,68.105.29.12
TCP: Interfaces\{C38A4D5A-47CE-4C07-95D2-0B55B791D7D7} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
Notify: temgvw32 - temgvw32.dll
Notify: termfsvces - temgvw32.dll
AppInit_DLLs: hadjajr.ini
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SwUpdate - {003541A1-3BC0-1B1C-AAF3-040114001C01} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-1 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-24 84200]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-24 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-24 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-24 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88736]
S1 SASDIFSV;SASDIFSV;c:\docume~1\admini~1.002\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-12 12880]
S1 SASKUTIL;SASKUTIL;c:\docume~1\admini~1.002\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-8-27 1253376]
S2 gupdate1c9f8d07501f69e;Google Update Service (gupdate1c9f8d07501f69e);c:\program files\google\update\GoogleUpdate.exe [2009-6-29 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-1 88176]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-24 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-24 271480]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-24 271480]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-24 171168]
S2 mrtRate;mrtRate; [x]
S2 TermServices;Remote Desktop Services;c:\windows\system32\svchost.exe -k termfvc [2004-4-29 14336]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-12 24652]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-24 56064]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-29 133104]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-13 153280]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-13 52320]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-24 84488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-6 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-12-13 40552]
S3 XDva202;XDva202;\??\c:\windows\system32\xdva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\xdva277.sys --> c:\windows\system32\XDva277.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-08-10 11:08:37 856064 ----a-w- c:\documents and settings\all users\application data\defender.exe
2011-08-10 00:27:38 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 00:27:34 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 00:26:39 -------- d-----w- C:\Malwarebytes' Anti-Malware
2011-08-09 22:06:59 -------- d-sh--w- c:\documents and settings\adrian\IECompatCache
2011-08-09 19:22:03 -------- d-----w- c:\documents and settings\adrian\local settings\application data\PCHealth
2011-08-09 18:45:27 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-09 03:23:15 -------- d-----w- c:\documents and settings\adrian\local settings\application data\Mozilla
2011-08-09 02:30:41 -------- d-sh--w- c:\documents and settings\adrian\PrivacIE
2011-08-09 01:38:28 -------- d-----w- c:\documents and settings\adrian\local settings\application data\Apple Computer
2011-08-09 01:38:11 -------- d-----w- c:\documents and settings\adrian\application data\Malwarebytes
2011-08-09 01:37:59 -------- d-----w- c:\documents and settings\adrian\local settings\application data\Google
2011-08-09 01:32:08 -------- d-sh--w- c:\documents and settings\adrian\IETldCache
2011-08-09 01:12:26 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-08-09 01:12:05 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-08-08 21:59:15 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-08 19:26:18 -------- d-----w- c:\program files\Free Window Registry Repair
2011-08-08 18:34:08 -------- d-----w- c:\documents and settings\all users\application data\SpeedMaxPc
2011-08-08 12:33:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-08 12:33:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-08 12:07:20 -------- d-----w- C:\System Repair
2011-08-07 02:53:21 113664 ---ha-w- c:\documents and settings\all users\application data\50rhMfeN.exe_
2011-08-07 02:53:21 113664 ---ha-w- c:\documents and settings\all users\application data\50rhMfeN.exe
2011-08-06 22:49:49 118272 --sha-r- c:\windows\system32\gfhkj2.dll
2011-08-06 22:45:33 218624 ----a-w- c:\windows\system32\terdvw32.dll
2011-08-06 22:45:31 35840 ----a-w- c:\windows\system32\temgvw32.dll
2011-08-06 14:20:26 0 ---ha-w- c:\documents and settings\all users\application data\xluk.exe
2011-08-06 14:20:23 0 ---ha-w- c:\documents and settings\all users\application data\ylmk.exe
2011-08-06 14:20:22 0 ---ha-w- c:\documents and settings\all users\application data\gryj.exe
2011-08-06 14:20:21 0 ---ha-w- c:\documents and settings\all users\application data\heqv.exe
2011-07-30 17:02:49 6881616 ---h--w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll
2011-07-26 06:17:40 6881616 ---h--w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{0797b424-1c1c-4952-a0f4-8e2e04663583}\mpengine.dll
2011-07-14 13:04:58 1858944 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 7:51:26.54 ===============
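An added triage helper (my own example code, not part of this thread and not a DDS feature) that runs a few defender-side heuristics over lines excerpted from the DDS log above: it flags SFCDisable being set, a non-empty AppInit_DLLs value, Winlogon Notify DLLs outside a small allowlist, random-looking autorun value names, autorun targets and newly created executables that sit directly in an "application data", temp or fonts directory, and zero-byte or hidden executables. The allowlist, the name-entropy rule and the directory list are assumptions I chose for illustration.

```python
import re
from collections import OrderedDict

# Lines excerpted from the DDS log in the post above, used as sample input.
SAMPLE_LOG = r"""
mWinlogon: SFCDisable=4 (0x4)
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [j4201536] rundll32 c:\windows\system32\j4201536.dll sook
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [8DDYX0ZBPZ] c:\windows\temp\Dx1 .exe
Notify: igfxcui - igfxsrvc.dll
Notify: temgvw32 - temgvw32.dll
AppInit_DLLs: hadjajr.ini
2011-08-10 11:08:37 856064 ----a-w- c:\documents and settings\all users\application data\defender.exe
2011-08-08 12:33:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-07 02:53:21 113664 ---ha-w- c:\documents and settings\all users\application data\50rhMfeN.exe
2011-08-06 14:20:26 0 ---ha-w- c:\documents and settings\all users\application data\xluk.exe
2011-07-14 13:04:58 1858944 ----a-w- c:\windows\system32\win32k.sys
"""

# DDS line shapes: autorun entries, Winlogon Notify entries and "Created Last 30" rows.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<key>\S+) - (?P<dll>\S+)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<size>\d+|-{8}) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# First Windows path ending in an executable extension inside a command line
# (handles quoted paths, rundll32 arguments and unquoted paths with spaces).
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|com|scr|bat)", re.IGNORECASE)
# Assumed heuristic: alphanumeric value name of 8+ chars containing a digit.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Za-z0-9]{8,}$")
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat")
# Assumed: executables directly under these directories deserve a look.
SUSPICIOUS_PARENTS = ("\\application data", "\\temp", "\\fonts")
# Assumed allowlist of Winlogon Notify DLLs commonly seen on XP.
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll", "wlnotify.dll", "cscdll.dll", "sclgntfy.dll", "wgalogon.dll"}


def parent_is_suspicious(path):
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith(SUSPICIOUS_PARENTS)


def is_executable(path):
    return path.lower().endswith(EXEC_EXT)


def check_run(name, cmd):
    reasons = []
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-looking autorun value name")
    m = PATH_RE.search(cmd)
    if m and parent_is_suspicious(m.group(0)):
        reasons.append("autorun target lives directly in a data/temp directory")
    return reasons


def check_created(size, attrs, path):
    reasons = []
    if not is_executable(path):
        return reasons
    if size == "0":
        reasons.append("zero-byte executable (typical dropper placeholder)")
    if "h" in attrs:
        reasons.append("hidden-attribute executable")
    if parent_is_suspicious(path):
        reasons.append("executable created directly in a data/temp directory")
    return reasons


def classify(line):
    """Return the list of reasons a single DDS line deserves review (empty if none)."""
    if line.startswith("mWinlogon: SFCDisable="):
        return [] if line.startswith("mWinlogon: SFCDisable=0") else ["Windows File Protection disabled (SFCDisable)"]
    if line.startswith("AppInit_DLLs:"):
        return ["AppInit_DLLs injects a library into every GUI process"] if line.split(":", 1)[1].strip() else []
    m = RUN_RE.match(line)
    if m:
        return check_run(m["name"], m["cmd"])
    m = NOTIFY_RE.match(line)
    if m:
        return [] if m["dll"].lower() in KNOWN_NOTIFY_DLLS else ["unrecognised Winlogon Notify DLL"]
    m = CREATED_RE.match(line)
    if m:
        return check_created(m["size"], m["attrs"], m["path"])
    return []


def triage(log_text):
    """Map each flagged log line to its reasons, preserving log order."""
    findings = OrderedDict()
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = classify(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Lines that match no rule (ctfmon.exe, jusched.exe, win32k.sys) are left out of the result, so the output is the short review list a helper would start from rather than the whole log.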



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:16 PM

Posted 16 August 2011 - 12:13 AM

Hi,

If help is still needed, post fresh DDS logs, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Pi-Face

Pi-Face
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 16 August 2011 - 09:17 AM

Security Protection began to show up even in Safe Mode and blocked my use of programs, so I decided to remove it with Malwarebytes. That scan is the only action I have taken since posting this topic. However, some of my family have continued to use the Internet over the past week.

.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Administrator at 9:45:39 on 2011-08-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.166 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = localhost
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SFCDisable=4 (0x4)
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511145916.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: QuickNet BHO: {ea5ca8b6-9b9c-4994-a7a1-947b6c631be7} - c:\program files\regtweaker\key.dll
TB: {2C0A5F28-48D8-408B-9172-9C6121025BCE} - No File
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: @c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10i_Plugin.exe -update plugin
mRun: [j4201536] rundll32 c:\windows\system32\j4201536.dll sook
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [8DDYX0ZBPZ] c:\windows\temp\Dx1 .exe
dRun: [ZU6RKI1ONY] c:\windows\temp\Dx0 .exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{C38A4D5A-47CE-4C07-95D2-0B55B791D7D7} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
Notify: temgvw32 - temgvw32.dll
Notify: termfsvces - temgvw32.dll
AppInit_DLLs: hadjajr.ini
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SwUpdate - {003541A1-3BC0-1B1C-AAF3-040114001C01} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-1 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-24 84200]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-24 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-24 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-24 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88736]
S1 SASDIFSV;SASDIFSV;c:\docume~1\admini~1.002\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-12 12880]
S1 SASKUTIL;SASKUTIL;c:\docume~1\admini~1.002\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-8-27 1253376]
S2 gupdate1c9f8d07501f69e;Google Update Service (gupdate1c9f8d07501f69e);c:\program files\google\update\GoogleUpdate.exe [2009-6-29 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-1 88176]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-24 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-24 271480]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-24 271480]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-24 171168]
S2 mrtRate;mrtRate; [x]
S2 TermServices;Remote Desktop Services;c:\windows\system32\svchost.exe -k termfvc [2004-4-29 14336]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-12 24652]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-24 56064]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-29 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-15 41272]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-13 153280]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-13 52320]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-24 84488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-6 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-12-13 40552]
S3 XDva202;XDva202;\??\c:\windows\system32\xdva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\xdva277.sys --> c:\windows\system32\XDva277.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-08-15 20:53:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-15 20:53:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-15 12:07:03 0 ----a-w- c:\documents and settings\all users\application data\xhqn.exe
2011-08-15 12:07:03 0 ----a-w- c:\documents and settings\all users\application data\ryce.exe
2011-08-15 12:07:03 0 ----a-w- c:\documents and settings\all users\application data\pxtb.exe
2011-08-15 12:07:03 0 ----a-w- c:\documents and settings\all users\application data\awhe.exe
2011-08-15 12:07:03 0 ----a-w- c:\documents and settings\administrator.administrator.002\local settings\application data\yxkm.exe
2011-08-15 12:07:03 0 ----a-w- c:\documents and settings\administrator.administrator.002\local settings\application data\sjwl.exe
2011-08-15 12:07:03 0 ----a-w- c:\documents and settings\administrator.administrator.002\local settings\application data\lvdf.exe
2011-08-15 12:07:03 0 ----a-w- c:\documents and settings\administrator.administrator.002\local settings\application data\erek.exe
2011-08-11 17:59:10 -------- d-----w- c:\documents and settings\administrator.administrator.002\local settings\application data\Mozilla
2011-08-11 14:54:55 0 ----a-w- c:\documents and settings\all users\application data\ncbf.exe
2011-08-11 14:54:54 0 ----a-w- c:\documents and settings\all users\application data\wyxs.exe
2011-08-11 14:54:54 0 ----a-w- c:\documents and settings\all users\application data\rmvm.exe
2011-08-11 14:54:54 0 ----a-w- c:\documents and settings\all users\application data\hbjh.exe
2011-08-10 00:26:39 -------- d-----w- C:\Malwarebytes' Anti-Malware
2011-08-09 18:45:27 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-09 01:12:26 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-08-09 01:12:05 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-08-08 21:59:15 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-08 21:59:15 -------- d-----w- c:\documents and settings\administrator.administrator.002\application data\SUPERAntiSpyware.com
2011-08-08 19:26:18 -------- d-----w- c:\program files\Free Window Registry Repair
2011-08-08 19:23:26 -------- d-----w- c:\documents and settings\administrator.administrator.002\application data\ElevatedDiagnostics
2011-08-08 18:34:37 -------- d-----w- c:\documents and settings\administrator.administrator.002\application data\DriverCure
2011-08-08 18:34:36 -------- d-----w- c:\documents and settings\administrator.administrator.002\application data\SpeedMaxPc
2011-08-08 18:34:08 -------- d-----w- c:\documents and settings\all users\application data\SpeedMaxPc
2011-08-08 12:33:41 -------- d-----w- c:\documents and settings\administrator.administrator.002\application data\Malwarebytes
2011-08-08 12:33:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-08 12:33:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-08 12:23:49 -------- d-sh--w- c:\documents and settings\administrator.administrator.002\PrivacIE
2011-08-08 12:23:44 -------- d-sh--w- c:\documents and settings\administrator.administrator.002\IETldCache
2011-08-08 12:07:20 -------- d-----w- C:\System Repair
2011-08-07 02:53:21 113664 ---ha-w- c:\documents and settings\all users\application data\50rhMfeN.exe_
2011-08-07 02:53:21 113664 ---ha-w- c:\documents and settings\all users\application data\50rhMfeN.exe
2011-08-06 22:49:49 118272 --sha-r- c:\windows\system32\gfhkj2.dll
2011-08-06 22:45:33 218624 ----a-w- c:\windows\system32\terdvw32.dll
2011-08-06 22:45:31 35840 ----a-w- c:\windows\system32\temgvw32.dll
2011-08-06 14:20:26 0 ---ha-w- c:\documents and settings\all users\application data\xluk.exe
2011-08-06 14:20:23 0 ---ha-w- c:\documents and settings\all users\application data\ylmk.exe
2011-08-06 14:20:22 0 ---ha-w- c:\documents and settings\all users\application data\gryj.exe
2011-08-06 14:20:21 0 ---ha-w- c:\documents and settings\all users\application data\heqv.exe
2011-07-30 17:02:49 6881616 ---h--w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll
2011-07-26 06:17:40 6881616 ---h--w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{0797b424-1c1c-4952-a0f4-8e2e04663583}\mpengine.dll
.
==================== Find3M ====================
.
2011-08-16 02:16:34 113664 ----a-w- c:\windows\fonts\7J13CI.com
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 9:48:22.51 ===============




#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:03:16 PM

Posted 16 August 2011 - 12:29 PM

Hello again,

Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 Pi-Face

Pi-Face
  • Topic Starter

  • Members
  • 18 posts
  • Local time:07:16 AM

Posted 16 August 2011 - 05:14 PM

I'm not sure how much of an issue it will be, but, when I ran ComboFix, it gave me several alerts saying that a RootKit was detected. The last one, I believe it was the third, told me to reboot. I did so, but, when ComboFix started up again, the Security Center popped up showing me that I had one Firewall still enabled: McAfee. However, because ComboFix continued to run and I didn't know how to get to McAfee to turn it off (the desktop background loaded, but the taskbar, desktop icons, and start menu did not), I let it continue to run.

After ComboFix finished, the computer's speed is faster than it has been for quite some time, and I did not experience any problems, aside from Google redirects which I experienced when attempting to reach these forums.

ComboFix 11-08-16.05 - Adrian 08/16/2011 16:35:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.125 [GMT -4:00]
Running from: c:\documents and settings\Administrator.ADMINISTRATOR.002\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.ADMINISTRATOR.000\WINDOWS
c:\documents and settings\Administrator.ADMINISTRATOR.001\WINDOWS
c:\documents and settings\Administrator.ADMINISTRATOR.002\Local Settings\Application Data\erek.exe
c:\documents and settings\Administrator.ADMINISTRATOR.002\Local Settings\Application Data\lvdf.exe
c:\documents and settings\Administrator.ADMINISTRATOR.002\Local Settings\Application Data\sjwl.exe
c:\documents and settings\Administrator.ADMINISTRATOR.002\Local Settings\Application Data\yxkm.exe
c:\documents and settings\Administrator.ADMINISTRATOR.002\WINDOWS
c:\documents and settings\Administrator.ADMINISTRATOR\WINDOWS
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Adrian\Local Settings\Application Data\bosa.exe
c:\documents and settings\Adrian\Local Settings\Application Data\btar.exe
c:\documents and settings\Adrian\Local Settings\Application Data\psxt.exe
c:\documents and settings\Adrian\Local Settings\Application Data\yayq.exe
c:\documents and settings\Adrian\WINDOWS
c:\documents and settings\All Users\Application Data\50rhMfeN.exe
c:\documents and settings\All Users\Application Data\50rhMfeN.exe_
c:\documents and settings\Default User\WINDOWS
C:\LOG5C1.tmp
C:\LOG5FC.tmp
C:\LOG607.tmp
C:\LOG6D7.tmp
C:\LOGB9D.tmp
C:\LOGBED.tmp
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\AutocompletePro
c:\program files\AutocompletePro\AcRemoteUpdate.exe
c:\program files\AutocompletePro\AutocompletePro.dll
c:\program files\AutocompletePro\InstTracker.exe
c:\program files\AutocompletePro\support@predictad.com\chrome.manifest
c:\program files\AutocompletePro\support@predictad.com\chrome\content\browserOverlay.xul
c:\program files\AutocompletePro\support@predictad.com\chrome\content\options.js
c:\program files\AutocompletePro\support@predictad.com\chrome\content\options.xul
c:\program files\AutocompletePro\support@predictad.com\chrome\content\utils.js
c:\program files\AutocompletePro\support@predictad.com\defaults\preferences\predictad.js
c:\program files\AutocompletePro\support@predictad.com\install.rdf
c:\program files\AutocompletePro\TaskScheduler.dll
c:\program files\AutocompletePro\unins000.dat
c:\program files\AutocompletePro\unins000.exe
c:\program files\cmapp
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
c:\program files\McAfee.com\Agent\mcagent.exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
c:\program files\Real\RealPlayer\Update\realsched.exe
c:\temp\0b9
c:\temp\0b9\tmpTF.log
c:\windows\$NtUninstallKB41068$\2560884315
c:\windows\$NtUninstallKB41068$\3821321303\@.dll
c:\windows\$NtUninstallKB41068$\3821321303\bckfg.tmp
c:\windows\$NtUninstallKB41068$\3821321303\cfg.ini
c:\windows\$NtUninstallKB41068$\3821321303\Desktop.ini
c:\windows\$NtUninstallKB41068$\3821321303\L\nooshrfi
c:\windows\$NtUninstallKB41068$\3821321303\lsflt7.ver
c:\windows\bundles
c:\windows\bundles\bs5-vwqouc.exe
c:\windows\bundles\icDW1.exe
c:\windows\bundles\optimize.exe
c:\windows\bundles\setup_silent_17125.exe
c:\windows\Fonts\7J13CI.com
c:\windows\system32\abadd.bak2
c:\windows\system32\abeeg.ini
c:\windows\system32\aexgyhxl.ini
c:\windows\system32\ahtfattq.ini
c:\windows\system32\aiyhegnk.ini
c:\windows\system32\ajmwcvla.ini
c:\windows\system32\amontfcu.ini
c:\windows\system32\amttjblb.ini
c:\windows\system32\anawufpg.ini
c:\windows\system32\aquahgsi.ini
c:\windows\system32\asflomvs.ini
c:\windows\system32\avarqmxy.ini
c:\windows\system32\ayvwysfi.ini
c:\windows\system32\bbadd.bak2
c:\windows\system32\bbyxeqyc.ini
c:\windows\system32\bccdd.bak1
c:\windows\system32\becwsdwx.ini
c:\windows\system32\beqhsdvs.ini
c:\windows\system32\blivwxdd.ini
c:\windows\system32\blrlmfsk.ini
c:\windows\system32\bmjdqsyg.ini
c:\windows\system32\bnxnamue.ini
c:\windows\system32\btmsnlen.ini
c:\windows\system32\bvqtuueh.ini
c:\windows\system32\byetkxce.ini
c:\windows\system32\ccbeg.bak1
c:\windows\system32\cccdd.bak2
c:\windows\system32\cccdd.ini
c:\windows\system32\ccymwjni.ini
c:\windows\system32\cflhtfei.ini
c:\windows\system32\clgbnpsb.ini
c:\windows\system32\cmkfmqhf.ini
c:\windows\system32\conaxgev.ini
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\crfvcfdx.ini
c:\windows\system32\crnnwuwm.ini
c:\windows\system32\ctxosqob.ini
c:\windows\system32\cupdidme.ini
c:\windows\system32\cxjpcvxn.ini
c:\windows\system32\daixonnu.ini
c:\windows\system32\dbfgnlxa.ini
c:\windows\system32\dbqvupwj.ini
c:\windows\system32\ddepjjah.ini
c:\windows\system32\dfdhlauj.ini
c:\windows\system32\dgjlm.bak2
c:\windows\system32\dioccpv.dat
c:\windows\system32\dioccpv_nav.dat
c:\windows\system32\dioccpv_navps.dat
c:\windows\system32\diumlemv.ini
c:\windows\system32\djyroqhw.ini
c:\windows\system32\dolbeqss.ini
c:\windows\system32\donddndt.ini
c:\windows\system32\dqqtmrmj.ini
c:\windows\system32\drdkdcax.ini
c:\windows\system32\dsbktwyt.ini
c:\windows\system32\dsjtprjn.ini
c:\windows\system32\ecnpjolp.ini
c:\windows\system32\eecicget.ini
c:\windows\system32\eejfydcj.ini
c:\windows\system32\efbvvtyy.ini
c:\windows\system32\efhkj.bak2
c:\windows\system32\ekaulgxa.ini
c:\windows\system32\ekcdcxog.ini
c:\windows\system32\elewbabe.ini
c:\windows\system32\ersmxevv.ini
c:\windows\system32\etgpanmp.ini
c:\windows\system32\eudopxgq.ini
c:\windows\system32\fcxhypgx.ini
c:\windows\system32\fgcfsaps.ini
c:\windows\system32\fgjlm.ini
c:\windows\system32\fhhkj.bak1
c:\windows\system32\fhhkj.bak2
c:\windows\system32\fhhkj.ini
c:\windows\system32\fhhkj.ini2
c:\windows\system32\fhhkj.tmp
c:\windows\system32\fhkmp.bak1
c:\windows\system32\fhkmp.bak2
c:\windows\system32\fjcdkjdk.ini
c:\windows\system32\fovadvqa.ini
c:\windows\system32\fwmxtwbr.ini
c:\windows\system32\fwyxkvft.ini
c:\windows\system32\gekkapat.ini
c:\windows\system32\gfhkj.bak2
c:\windows\system32\gflpjvuh.ini
c:\windows\system32\gfvwnoyb.ini
c:\windows\system32\ggnsnohj.ini
c:\windows\system32\ghwgqjso.ini
c:\windows\system32\ghyumyjr.ini
c:\windows\system32\gjkmp.bak2
c:\windows\system32\gjmckflg.ini
c:\windows\system32\gjsbfyro.ini
c:\windows\system32\gjxcoaah.ini
c:\windows\system32\glfqnpvx.ini
c:\windows\system32\glspwpek.ini
c:\windows\system32\gltfxnco.ini
c:\windows\system32\gpdlppro.ini
c:\windows\system32\gsddsmfl.ini
c:\windows\system32\hasdaikq.ini
c:\windows\system32\hdixxsbm.ini
c:\windows\system32\hecocvny.ini
c:\windows\system32\heoogjlf.ini
c:\windows\system32\hhhkj.bak2
c:\windows\system32\hhhkj.ini
c:\windows\system32\hhwdnowa.ini
c:\windows\system32\hjbuwyet.ini
c:\windows\system32\hjmowyhx.ini
c:\windows\system32\hlnxfffd.ini
c:\windows\system32\hpiyllbt.ini
c:\windows\system32\htymudem.ini
c:\windows\system32\huwrtlrs.ini
c:\windows\system32\hwepjcol.ini
c:\windows\system32\hysqmyga.ini
c:\windows\system32\ibmvqxqk.ini
c:\windows\system32\iddalxpv.ini
c:\windows\system32\ighatkdp.ini
c:\windows\system32\ihhkj.bak1
c:\windows\system32\ihvidfie.ini
c:\windows\system32\ijjlm.bak2
c:\windows\system32\ilwcmred.ini
c:\windows\system32\irtlhyww.ini
c:\windows\system32\jafmrgfa.ini
c:\windows\system32\jaxavlqe.ini
c:\windows\system32\jbalenfp.ini
c:\windows\system32\jbdyefog.ini
c:\windows\system32\jhsxwoqn.ini
c:\windows\system32\jjkmp.ini
c:\windows\system32\jjkpftaj.ini
c:\windows\system32\jjlruksq.ini
c:\windows\system32\jlnmp.bak1
c:\windows\system32\jlnmp.bak2
c:\windows\system32\jlnmp.ini
c:\windows\system32\jmutstfs.ini
c:\windows\system32\jncqbrwn.ini
c:\windows\system32\jprhknwy.ini
c:\windows\system32\jqkrrhjd.ini
c:\windows\system32\jramicny.ini
c:\windows\system32\jslvgvai.ini
c:\windows\system32\jsnvkjpd.ini
c:\windows\system32\jtfuppvp.ini
c:\windows\system32\jwgpfksa.ini
c:\windows\system32\jynkrqmg.ini
c:\windows\system32\kaighjbq.ini
c:\windows\system32\kboydlex.ini
c:\windows\system32\kcwnjqeb.ini
c:\windows\system32\kilyjwkq.ini
c:\windows\system32\klnmp.bak2
c:\windows\system32\klnmp.tmp
c:\windows\system32\knnmp.bak1
c:\windows\system32\knnmp.bak2
c:\windows\system32\knthckvf.ini
c:\windows\system32\kodnrsmu.ini
c:\windows\system32\kppsfmmd.ini
c:\windows\system32\krrkypub.ini
c:\windows\system32\ksadugsi.ini
c:\windows\system32\kxnfntst.ini
c:\windows\system32\ldniwwyv.ini
c:\windows\system32\lfvsdxjf.ini
c:\windows\system32\lguigyvx.ini
c:\windows\system32\lkmoixop.ini
c:\windows\system32\llteahod.ini
c:\windows\system32\lnpvfnwv.ini
c:\windows\system32\logs
c:\windows\system32\logs\Settings.dat
c:\windows\system32\lplykrty.ini
c:\windows\system32\lrxaarkq.ini
c:\windows\system32\lsqxxtnd.ini
c:\windows\system32\lyasdgcc.ini
c:\windows\system32\maxcwpxx.ini
c:\windows\system32\mcefxvba.ini
c:\windows\system32\mcshymyn.ini
c:\windows\system32\migcnbsx.ini
c:\windows\system32\mikvhfsa.ini
c:\windows\system32\mjtgbyxt.ini
c:\windows\system32\moigplrb.ini
c:\windows\system32\mpmxofqs.ini
c:\windows\system32\mqrgsmud.ini
c:\windows\system32\mulfhmdw.ini
c:\windows\system32\mvqcxtmi.ini
c:\windows\system32\mwawiwwr.ini
c:\windows\system32\mwuvqtjw.ini
c:\windows\system32\mxwaslig.ini
c:\windows\system32\mynxcdms.ini
c:\windows\system32\neuxrtdp.ini
c:\windows\system32\nicemihu.ini
c:\windows\system32\nispqjmw.ini
c:\windows\system32\njuiwqca.ini
c:\windows\system32\nmcclyfv.ini
c:\windows\system32\nnhxicwr.ini
c:\windows\system32\nnnmp.bak1
c:\windows\system32\nnnmp.bak2
c:\windows\system32\nnnmp.tmp
c:\windows\system32\nnnyyfvy.ini
c:\windows\system32\nqtss.ini
c:\windows\system32\nqtwa.bak2
c:\windows\system32\nvnyebfa.ini
c:\windows\system32\nxoxynry.ini
c:\windows\system32\oggrmvsw.ini
c:\windows\system32\ogkvnqfe.ini
c:\windows\system32\ohixwfrf.ini
c:\windows\system32\oixnexfm.ini
c:\windows\system32\ojncywqb.ini
c:\windows\system32\orutv.ini
c:\windows\system32\ovwaepxu.ini
c:\windows\system32\oxvcvnrj.ini
c:\windows\system32\paildjkq.ini
c:\windows\system32\pbmdtxmh.ini
c:\windows\system32\pcppgqnq.ini
c:\windows\system32\percefje.ini
c:\windows\system32\pfjfrrwh.ini
c:\windows\system32\pfmbcwsl.ini
c:\windows\system32\phdilxpm.ini
c:\windows\system32\phonqyhy.ini
c:\windows\system32\pkcdxuju.ini
c:\windows\system32\pmwwukgx.ini
c:\windows\system32\pognnlii.ini
c:\windows\system32\pqstv.bak1
c:\windows\system32\pqstv.ini
c:\windows\system32\ps2.bat
c:\windows\system32\pstwa.bak1
c:\windows\system32\pstwa.bak2
c:\windows\system32\pstwa.ini
c:\windows\system32\pxmtepmc.ini
c:\windows\system32\qamrbaba.ini
c:\windows\system32\qawwhnks.ini
c:\windows\system32\qbgdvjwy.ini
c:\windows\system32\qdwwtvbe.ini
c:\windows\system32\qiiuuimr.ini
c:\windows\system32\qktlocjl.ini
c:\windows\system32\qogylche.ini
c:\windows\system32\qpbfuycg.ini
c:\windows\system32\qqtss.bak1
c:\windows\system32\qqtss.bak2
c:\windows\system32\qqtss.ini
c:\windows\system32\qssxkqge.ini
c:\windows\system32\qttss.bak2
c:\windows\system32\ralpviti.ini
c:\windows\system32\rdtbnlqh.ini
c:\windows\system32\rduayjef.ini
c:\windows\system32\remmglcj.ini
c:\windows\system32\rgfxpypk.ini
c:\windows\system32\rnwlycjt.ini
c:\windows\system32\rqgscokk.ini
c:\windows\system32\rqstv.bak2
c:\windows\system32\rqumogow.ini
c:\windows\system32\rqwdvniq.ini
c:\windows\system32\rrutv.bak2
c:\windows\system32\rrutv.ini
c:\windows\system32\rtobfael.ini
c:\windows\system32\rtutv.bak2
c:\windows\system32\rtutv.ini
c:\windows\system32\rtvwa.bak2
c:\windows\system32\rwfpnqer.ini
c:\windows\system32\sahuutdb.ini
c:\windows\system32\seugmyam.ini
c:\windows\system32\skjvdtwx.ini
c:\windows\system32\smfqjblt.ini
c:\windows\system32\snaopnma.ini
c:\windows\system32\srutv.bak2
c:\windows\system32\srutv.ini
c:\windows\system32\sttss.bak1
c:\windows\system32\sttss.bak2
c:\windows\system32\sttss.ini
c:\windows\system32\sttss.tmp
c:\windows\system32\stvwa.bak2
c:\windows\system32\svvwa.bak1
c:\windows\system32\svvwa.bak2
c:\windows\system32\swntygyt.ini
c:\windows\system32\T3
c:\windows\system32\T4
c:\windows\system32\T6
c:\windows\system32\telpvipn.ini
c:\windows\system32\Temp
c:\windows\system32\tfywrnjh.ini
c:\windows\system32\thaaqoqh.ini
c:\windows\system32\thejhdio.ini
c:\windows\system32\thidvgko.ini
c:\windows\system32\tklglvow.ini
c:\windows\system32\tlnuriji.ini
c:\windows\system32\tmwwanqp.ini
c:\windows\system32\tqynngop.ini
c:\windows\system32\trvmppqb.ini
c:\windows\system32\tstwa.bak2
c:\windows\system32\tstwa.ini2
c:\windows\system32\tstwa.tmp
c:\windows\system32\ttstv.ini
c:\windows\system32\tttss.bak1
c:\windows\system32\tttss.tmp
c:\windows\system32\ttutv.bak1
c:\windows\system32\ttutv.bak2
c:\windows\system32\tyiiqlnk.ini
c:\windows\system32\ucfhmxmi.ini
c:\windows\system32\udbeuxdv.ini
c:\windows\system32\ugmjchei.ini
c:\windows\system32\ugtcauvj.ini
c:\windows\system32\uhkwuagi.ini
c:\windows\system32\uhtgljho.ini
c:\windows\system32\ujavwbdr.ini
c:\windows\system32\ujlxybbl.ini
c:\windows\system32\usssxtvk.ini
c:\windows\system32\utmitxix.ini
c:\windows\system32\uttss.bak2
c:\windows\system32\uwqqktlg.ini
c:\windows\system32\uypxavqu.ini
c:\windows\system32\vasubwbf.ini
c:\windows\system32\vcvxonxp.ini
c:\windows\system32\vfqwsvoc.ini
c:\windows\system32\vordohjn.ini
c:\windows\system32\vrrnseuj.ini
c:\windows\system32\vtrlomgj.ini
c:\windows\system32\vvvwa.bak2
c:\windows\system32\vvvwa.ini
c:\windows\system32\vwijlrme.ini
c:\windows\system32\vxshjbsq.ini
c:\windows\system32\vycdd.bak2
c:\windows\system32\waesgjqs.ini
c:\windows\system32\woffurco.ini
c:\windows\system32\wogxdeay.ini
c:\windows\system32\wtcqffjt.ini
c:\windows\system32\wuqwglbn.ini
c:\windows\system32\wwgquyvb.ini
c:\windows\system32\wwsonyup.ini
c:\windows\system32\wxbndcim.ini
c:\windows\system32\xekgregv.ini
c:\windows\system32\xhiepupm.ini
c:\windows\system32\xisuhibl.ini
c:\windows\system32\xldjdfgt.ini
c:\windows\system32\xpivnbaw.ini
c:\windows\system32\xrktamci.ini
c:\windows\system32\xwybcxau.ini
c:\windows\system32\xxgwrvbj.ini
c:\windows\system32\xxkkidbl.ini
c:\windows\system32\xxxtmlmb.ini
c:\windows\system32\ybeeg.bak1
c:\windows\system32\yduoqgil.ini
c:\windows\system32\yhhmiopt.ini
c:\windows\system32\yikbxeob.ini
c:\windows\system32\ymadwygc.ini
c:\windows\system32\ynukarjf.ini
c:\windows\system32\ywehpwmu.ini
c:\windows\system32\yywggyg_nav.dat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At15.job
D:\Autorun.inf
c:\windows\$NtUninstallKB41068$ . . . . Failed to delete
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_DOMAINSERVICE
-------\Legacy_FOPN
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-07-16 to 2011-08-16 )))))))))))))))))))))))))))))))
.
.
2011-08-16 21:03 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-08-16 21:03 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-15 20:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-15 20:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-15 12:07 . 2011-08-15 12:07 0 ----a-w- c:\documents and settings\All Users\Application Data\xhqn.exe
2011-08-15 12:07 . 2011-08-15 12:07 0 ----a-w- c:\documents and settings\All Users\Application Data\ryce.exe
2011-08-15 12:07 . 2011-08-15 12:07 0 ----a-w- c:\documents and settings\All Users\Application Data\pxtb.exe
2011-08-15 12:07 . 2011-08-15 12:07 0 ----a-w- c:\documents and settings\All Users\Application Data\awhe.exe
2011-08-11 14:54 . 2011-08-11 14:54 0 ----a-w- c:\documents and settings\All Users\Application Data\ncbf.exe
2011-08-11 14:54 . 2011-08-11 14:54 0 ----a-w- c:\documents and settings\All Users\Application Data\wyxs.exe
2011-08-11 14:54 . 2011-08-11 14:54 0 ----a-w- c:\documents and settings\All Users\Application Data\rmvm.exe
2011-08-11 14:54 . 2011-08-11 14:54 0 ----a-w- c:\documents and settings\All Users\Application Data\hbjh.exe
2011-08-10 00:26 . 2011-08-15 20:47 -------- d-----w- C:\Malwarebytes' Anti-Malware
2011-08-09 18:45 . 2011-08-09 18:45 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-09 01:30 . 2011-08-16 21:02 -------- d-----w- c:\documents and settings\Adrian
2011-08-09 01:12 . 2011-08-09 01:12 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-09 01:12 . 2011-08-09 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-08 21:59 . 2011-08-08 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-08 19:26 . 2011-08-09 01:27 -------- d-----w- c:\program files\Free Window Registry Repair
2011-08-08 18:34 . 2011-08-09 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2011-08-08 12:33 . 2011-08-08 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-08 12:33 . 2011-08-15 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-08 12:27 . 2011-08-08 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-08-08 12:07 . 2011-08-08 12:07 -------- d-----w- C:\System Repair
2011-08-07 01:41 . 2011-08-07 01:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-07 00:20 . 2011-08-07 00:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-08-07 00:19 . 2011-08-07 00:19 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-08-06 23:02 . 2011-08-16 21:02 -------- d--h--w- c:\documents and settings\Administrator
2011-08-06 22:49 . 2011-08-06 22:49 118272 --sha-r- c:\windows\system32\gfhkj2.dll
2011-08-06 22:45 . 2011-08-06 22:45 218624 ----a-w- c:\windows\system32\terdvw32.dll
2011-08-06 22:45 . 2011-08-06 22:45 35840 ----a-w- c:\windows\system32\temgvw32.dll
2011-08-06 15:04 . 2011-08-06 15:07 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-06 14:20 . 2011-08-06 14:20 0 ---ha-w- c:\documents and settings\All Users\Application Data\xluk.exe
2011-08-06 14:20 . 2011-08-06 14:20 0 ---ha-w- c:\documents and settings\All Users\Application Data\ylmk.exe
2011-08-06 14:20 . 2011-08-06 14:20 0 ---ha-w- c:\documents and settings\All Users\Application Data\gryj.exe
2011-08-06 14:20 . 2011-08-06 14:20 0 ---ha-w- c:\documents and settings\All Users\Application Data\heqv.exe
2011-07-30 17:02 . 2011-07-20 13:44 6881616 ---h--w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-07-27 20:43 . 2011-07-27 20:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-26 06:17 . 2011-07-13 03:39 6881616 ---h--w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{0797B424-1C1C-4952-A0F4-8E2E04663583}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2007-01-20 00:25 6881616 ---h--w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-06-16 13:38 . 2010-02-18 01:58 112640 -c-ha-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-06-16 13:36 . 2010-02-18 01:57 416 -c-ha-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-06-02 14:02 . 2011-07-14 13:04 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2009-10-02 16:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2008-09-10 18:49 . 2008-09-10 18:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2011-04-14 18:01 . 2011-01-24 05:34 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
</pre>
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-04-16 . B24A4E23A2FEDB6976EB04D334AD82B2 . 634648 . . [7.00.6000.21256] . . c:\windows\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[7] 2010-02-23 . B5116340B84824DDD0A641E36B126194 . 634648 . . [7.00.6000.17023] . . c:\windows\ie7updates\KB982381-IE7\iexplore.exe
[7] 2010-02-23 . C8DDA4028065D5CE39CBE7A156B72AB9 . 634648 . . [7.00.6000.21228] . . c:\windows\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
[7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\ie7updates\KB980182-IE7\iexplore.exe
[7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 80675329E0FD54F016C4F8A83C616349 . 634632 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 4F9B04D546C23A295F3F0AE015BE51DB . 634632 . . [7.00.6000.16945] . . c:\windows\ie7updates\KB978207-IE7\iexplore.exe
[7] 2009-08-27 . F232BA9F39BC0F722672C7E79E68EBEA . 634648 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976325-IE7\iexplore.exe
[7] 2009-08-27 . 332EC7562F3AA7364F2D4231C56DA986 . 634648 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\ie7updates\KB974455-IE7\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe
[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[7] 2007-08-17 . 3AC2BC667DA0AF2C968E96E1630F5AB5 . 625152 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe
[7] 2007-08-17 . 5577D0E3AC2F9F035ACD81B44AF5F511 . 625152 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe
[7] 2007-06-27 . BD8502DFD53FC24FB8D6929DC46B8C2C . 625152 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe
[7] 2007-06-27 . 275CEE268B9E5D82474C43D5D249D111 . 625152 . . [7.00.6000.16512] . . c:\windows\ie7updates\KB939653-IE7\iexplore.exe
[7] 2007-04-24 . 10BDB55982586A432A3951EB19A26009 . 625152 . . [7.00.6000.16473] . . c:\windows\ie7updates\KB937143-IE7\iexplore.exe
[7] 2007-04-24 . 9B3516C1F30DA17ADD3818573047D63C . 625152 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe
[7] 2007-02-28 . D321092F8529CDAE843D6E24E3CAC6CB . 625152 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"j4201536"="c:\windows\system32\j4201536.dll" [N/A]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [N/A]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\temgvw32]
2011-08-06 22:45 35840 ----a-w- c:\windows\system32\temgvw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termfsvces]
2011-08-06 22:45 35840 ----a-w- c:\windows\system32\temgvw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?de ??d g? o?tr?l?? !!! !!! !]"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Music Communication Module.lnk]
backup=c:\windows\pss\Music Communication Module.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
backup=c:\windows\pss\IMStart.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWc:\program files\ISTsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 16:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 -c--a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
c:\program files\HP\HP Software Update\HPWuSchd.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-08 00:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
c:\hp\KBD\KBD.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2003-09-13 03:13 98304 -c--a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-14 04:43 233472 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 18:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YaplockTray.exe]
2005-09-13 19:40 94208 -c--a-w- c:\progra~1\Yaplock\YaplockTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# K"h'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"30857:TCP"= 30857:TCP:*:Disabled:SolidNetworkManager
"30857:UDP"= 30857:UDP:*:Disabled:SolidNetworkManager
"30997:TCP"= 30997:TCP:*:Disabled:SolidNetworkManager
"30997:UDP"= 30997:UDP:*:Disabled:SolidNetworkManager
"56649:TCP"= 56649:TCP:Pando Media Booster
"56649:UDP"= 56649:UDP:Pando Media Booster
"57016:TCP"= 57016:TCP:Pando Media Booster
"57016:UDP"= 57016:UDP:Pando Media Booster
"58938:TCP"= 58938:TCP:Pando Media Booster
"58938:UDP"= 58938:UDP:Pando Media Booster
"58473:TCP"= 58473:TCP:Pando Media Booster
"58473:UDP"= 58473:UDP:Pando Media Booster
"56809:TCP"= 56809:TCP:Pando Media Booster
"56809:UDP"= 56809:UDP:Pando Media Booster
"58032:TCP"= 58032:TCP:Pando Media Booster
"58032:UDP"= 58032:UDP:Pando Media Booster
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/24/2011 1:34 AM 84200]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [8/27/2009 5:09 PM 1253376]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/1/2009 9:39 AM 88176]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/24/2011 1:34 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/24/2011 1:34 AM 141792]
R2 TermServices;Remote Desktop Services;c:\windows\System32\svchost.exe -k termfvc [4/29/2004 5:06 PM 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/12/2008 5:10 PM 24652]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/24/2011 1:34 AM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 1:34 AM 88736]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate1c9f8d07501f69e;Google Update Service (gupdate1c9f8d07501f69e);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2009 11:43 AM 133104]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 1:33 AM 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 1:33 AM 271480]
S2 mrtRate;mrtRate; [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/24/2011 1:34 AM 56064]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [8/7/2008 11:10 AM 3276800]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2009 11:43 AM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/15/2011 4:53 PM 41272]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 1:34 AM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/24/2011 1:34 AM 84488]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 3:49 AM 242712]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/31/2008 5:21 AM 717296]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
termfvc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-08-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-16 04:31]
.
2011-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 15:43]
.
2011-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 15:43]
.
2011-08-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
2011-08-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2213381718-712660878-1100219755-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2213381718-712660878-1100219755-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2213381718-712660878-1100219755-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2213381718-712660878-1100219755-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-16 c:\windows\Tasks\User_Feed_Synchronization-{DDC36FAD-610D-40AE-8FC3-6FA7BD475968}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
2011-08-15 c:\windows\Tasks\WebReg Photosmart C4200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{EA5CA8B6-9B9C-4994-A7A1-947B6C631BE7} - c:\program files\RegTweaker\key.dll
Toolbar-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
Toolbar-Locked - (no file)
Notify-awtst - (no file)
Notify-awvvu - (no file)
Notify-gebcc - (no file)
Notify-pmnli - (no file)
Notify-pmnlk - (no file)
Notify-ssttt - (no file)
SafeBoot-drmkaud
SafeBoot-AudioEndpointBuilder
SafeBoot-HdAudAddService
SafeBoot-HDAudBus
SafeBoot-MMCSS
AddRemove-AutocompletePro2_is1 - c:\program files\AutocompletePro\unins000.exe
AddRemove-DVD Decrypter - c:\documents and settings\Owner\My Documents\ff\FFT\DVD Decrypter\uninstall.exe
AddRemove-GIF Animator - c:\documents and settings\owner\my documents\my projects\my sprites\setup\GifACME.exe
AddRemove-Neffy - c:\program files\Neffy\uninst.exe
AddRemove-QuicktimePluginDeinstallKey - c:\program files\Netscape\Netscape Browser\plugins\npqtw\DeIsL1.isu
AddRemove-{08234a0d-cf39-4dca-99f0-0c5cb496da81} - c:\program files\Bing Bar Installer\InstallManager.exe
AddRemove-{11056249-9F13-49F9-B64B-39E760EC656D} - c:\documents and settings\Owner\My Documents\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-16 17:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.cdrom]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\temgvw32.dll
.
- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2011-08-16 17:36:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-16 21:36
.
Pre-Run: 104,924,037,120 bytes free
Post-Run: 108,289,142,784 bytes free
.
- - End Of File - - FFE17CC6CFCEE5879B04402C224CC7B3




#6 Blade81

Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 August 2011 - 12:06 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic413814.html
Collect::
c:\windows\system32\gfhkj2.dll
c:\windows\system32\terdvw32.dll
c:\windows\system32\temgvw32.dll
Driver::
TermServices
DDS::
TB: {2C0A5F28-48D8-408B-9172-9C6121025BCE} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
File::
c:\documents and settings\All Users\Application Data\xhqn.exe
c:\documents and settings\All Users\Application Data\ryce.exe
c:\documents and settings\All Users\Application Data\pxtb.exe
c:\documents and settings\All Users\Application Data\awhe.exe
c:\documents and settings\All Users\Application Data\ncbf.exe
c:\documents and settings\All Users\Application Data\wyxs.exe
c:\documents and settings\All Users\Application Data\rmvm.exe
c:\documents and settings\All Users\Application Data\hbjh.exe
c:\documents and settings\All Users\Application Data\xluk.exe
c:\documents and settings\All Users\Application Data\ylmk.exe
c:\documents and settings\All Users\Application Data\gryj.exe
c:\documents and settings\All Users\Application Data\heqv.exe
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"j4201536"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\temgvw32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termfsvces]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"termfvc"=-


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1) here, or get Foxit Reader here. Make sure you don't install the toolbar (unless you want to) if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 7.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version. Uncheck the Carbonite online backup trial if it's offered there.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan.
  • Wait for the scan to finish.

Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 Pi-Face
  • Topic Starter
  • Members
  • 18 posts

Posted 17 August 2011 - 12:29 PM

Unfortunately, I cannot launch Internet Explorer. When I try to run it, either nothing happens or I am told that "Windows cannot access the specified device, path, or file..." I definitely have the permissions to access the item. This happened when this computer was infected. When I tried to execute a program, nothing would happen, and, afterwards, I would receive the same message. This happened to Malwarebytes earlier, so I simply uninstalled and reinstalled it. When I tried to remove Internet Explorer using Add or Remove Programs in the Control Panel, it showed up as Internet Explorer (DEP Enabled), and it was removed extremely quickly. I have tried to reinstall Internet Explorer, but I have received an error every time. Also, for the Internet Explorer Troubleshooting and Microsoft Fix it files, I receive the same message as the one when I try to run Internet Explorer.

#8 Blade81

Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 August 2011 - 03:13 PM

Hi,

Please do the browser related steps with Firefox then.



#9 Pi-Face
  • Topic Starter
  • Members
  • 18 posts

Posted 17 August 2011 - 08:23 PM

I tried to uninstall Adobe Reader, but I am told: "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance." However, I started Windows normally. This also occurred when I tried to remove older versions of Java.

Edited by Pi-Face, 17 August 2011 - 08:25 PM.


#10 Blade81

Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 August 2011 - 12:08 AM

Hi,

Please try this utility.



#11 Pi-Face
  • Topic Starter
  • Members
  • 18 posts

Posted 18 August 2011 - 11:49 AM

I downloaded it, but, when I tried to open it, Windows Script Host tells me:

Script: C:\DOCUME~1\ADMINI~1.002\LOCALS~1\Temp\IXP000.TMP\Start.Msi.vbs
Line: 21
Char: 1
Error: Permission denied
Code: 800A0046
Source: Microsoft VBScript runtime error

#12 Blade81

Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 August 2011 - 02:33 PM

Skip over uninstalling for now and follow other steps in my earlier post.



#13 Pi-Face
  • Topic Starter
  • Members
  • 18 posts

Posted 19 August 2011 - 08:38 AM

For ESET, I had to install it onto my computer for it to work, but, when it finished, it only made a list of found threats. I don't know if that's what you meant by its report.

ComboFix 11-08-18.03 - Adrian 08/18/2011 20:34:49.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.241 [GMT -4:00]
Running from: c:\documents and settings\Adrian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adrian\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\documents and settings\All Users\Application Data\awhe.exe"
"c:\documents and settings\All Users\Application Data\gryj.exe"
"c:\documents and settings\All Users\Application Data\hbjh.exe"
"c:\documents and settings\All Users\Application Data\heqv.exe"
"c:\documents and settings\All Users\Application Data\ncbf.exe"
"c:\documents and settings\All Users\Application Data\pxtb.exe"
"c:\documents and settings\All Users\Application Data\rmvm.exe"
"c:\documents and settings\All Users\Application Data\ryce.exe"
"c:\documents and settings\All Users\Application Data\wyxs.exe"
"c:\documents and settings\All Users\Application Data\xhqn.exe"
"c:\documents and settings\All Users\Application Data\xluk.exe"
"c:\documents and settings\All Users\Application Data\ylmk.exe"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
.
.
2011-08-19 00:11 . 2011-08-19 00:11 -------- d-----w- c:\program files\ESET
2011-08-18 16:31 . 2011-08-18 16:31 -------- d-----w- c:\program files\MSECACHE
2011-08-18 01:50 . 2011-08-18 01:50 -------- d-----w- c:\program files\McAfee.com
2011-08-18 01:30 . 2011-05-20 15:01 282640 ----a-w- c:\windows\sediag.exe
2011-08-17 23:52 . 2011-08-17 23:52 0 ----a-w- c:\documents and settings\All Users\Application Data\svqi.exe
2011-08-17 23:52 . 2011-08-17 23:52 0 ----a-w- c:\documents and settings\All Users\Application Data\qerl.exe
2011-08-17 23:52 . 2011-08-17 23:52 0 ----a-w- c:\documents and settings\All Users\Application Data\oslw.exe
2011-08-17 23:52 . 2011-08-17 23:52 0 ----a-w- c:\documents and settings\All Users\Application Data\sysx.exe
2011-08-17 01:58 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-17 01:57 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-17 00:53 . 2011-08-17 00:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-16 21:03 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-08-16 21:03 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-10 00:26 . 2011-08-15 20:47 -------- d-----w- C:\Malwarebytes' Anti-Malware
2011-08-09 18:45 . 2011-08-09 18:45 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-09 01:30 . 2011-08-17 00:49 -------- d-----w- c:\documents and settings\Adrian
2011-08-09 01:12 . 2011-08-09 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-09 01:12 . 2011-08-09 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-08 21:59 . 2011-08-08 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-08 19:26 . 2011-08-09 01:27 -------- d-----w- c:\program files\Free Window Registry Repair
2011-08-08 18:34 . 2011-08-09 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2011-08-08 12:33 . 2011-08-08 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-08 12:33 . 2011-08-18 01:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-08 12:27 . 2011-08-08 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-08-08 12:07 . 2011-08-08 12:07 -------- d-----w- C:\System Repair
2011-08-07 01:41 . 2011-08-07 01:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-07 00:20 . 2011-08-07 00:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-08-07 00:19 . 2011-08-07 00:19 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-08-06 23:02 . 2011-08-16 21:02 -------- d-----w- c:\documents and settings\Administrator
2011-08-06 15:04 . 2011-08-06 15:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-07-30 17:02 . 2011-07-20 13:44 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-07-27 20:43 . 2011-07-27 20:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-26 06:17 . 2011-07-13 03:39 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{0797B424-1C1C-4952-A0F4-8E2E04663583}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-04-02 06:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-13 03:39 . 2007-01-20 00:25 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-08 14:02 . 2004-04-29 21:06 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2004-04-29 21:06 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44 . 2004-04-02 06:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 13:38 . 2010-02-18 01:58 112640 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-06-16 13:36 . 2010-02-18 01:57 416 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-06-02 14:02 . 2011-07-14 13:04 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2009-10-02 16:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2008-09-10 18:49 . 2008-09-10 18:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?de ??d g? o?tr?l?? !!! !!! !]"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Music Communication Module.lnk]
backup=c:\windows\pss\Music Communication Module.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
backup=c:\windows\pss\IMStart.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 16:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 -c--a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-08 00:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2003-09-13 03:13 98304 -c--a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-14 04:43 233472 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 18:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YaplockTray.exe]
2005-09-13 19:40 94208 -c--a-w- c:\progra~1\Yaplock\YaplockTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"30857:TCP"= 30857:TCP:*:Disabled:SolidNetworkManager
"30857:UDP"= 30857:UDP:*:Disabled:SolidNetworkManager
"30997:TCP"= 30997:TCP:*:Disabled:SolidNetworkManager
"30997:UDP"= 30997:UDP:*:Disabled:SolidNetworkManager
"56649:TCP"= 56649:TCP:Pando Media Booster
"56649:UDP"= 56649:UDP:Pando Media Booster
"57016:TCP"= 57016:TCP:Pando Media Booster
"57016:UDP"= 57016:UDP:Pando Media Booster
"58938:TCP"= 58938:TCP:Pando Media Booster
"58938:UDP"= 58938:UDP:Pando Media Booster
"58473:TCP"= 58473:TCP:Pando Media Booster
"58473:UDP"= 58473:UDP:Pando Media Booster
"56809:TCP"= 56809:TCP:Pando Media Booster
"56809:UDP"= 56809:UDP:Pando Media Booster
"58032:TCP"= 58032:TCP:Pando Media Booster
"58032:UDP"= 58032:UDP:Pando Media Booster
.
R1 SASDIFSV;SASDIFSV;c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 gupdate1c9f8d07501f69e;Google Update Service (gupdate1c9f8d07501f69e);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 133104]
R2 mrtRate;mrtRate; [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 133104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 XDva202;XDva202;c:\windows\system32\XDva202.sys [x]
R3 XDva277;XDva277;c:\windows\system32\XDva277.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-10-31 717296]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-08-08 94880]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-08-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-16 04:31]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 15:43]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 15:43]
.
2011-08-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
2011-08-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2213381718-712660878-1100219755-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2213381718-712660878-1100219755-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2213381718-712660878-1100219755-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2213381718-712660878-1100219755-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-19 c:\windows\Tasks\User_Feed_Synchronization-{DDC36FAD-610D-40AE-8FC3-6FA7BD475968}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
2011-08-18 c:\windows\Tasks\WebReg Photosmart C4200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-18 20:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.cdrom]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3476)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2011-08-18 21:13:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-19 01:13
ComboFix2.txt 2011-08-18 00:59
ComboFix3.txt 2011-08-16 21:36
.
Pre-Run: 107,652,358,144 bytes free
Post-Run: 107,955,634,176 bytes free
.
- - End Of File - - 2A2E84A5AB16BA17F344420788B6A8BA
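The Security Center and firewall-policy values in the log above (AntiVirusOverride=1, DisableMonitoring=1 for both McAfee entries, EnableFirewall=0, DisableNotifications=1) are the switches a rogue antivirus such as XP Antivirus 2012 typically flips so that Windows stops warning that protection is off. The script below is an added example for this thread, not ComboFix code and not something the posters ran: it parses a ComboFix-style "Reg Loading Points" dump and flags those four settings. The sample dump embedded in it is constructed, modelled on the lines above, and the rule identifiers (SC-AV-OVERRIDE and so on) are labels of my own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for settings that
silence Windows Security Center or switch off the Windows Firewall.
Added example for illustration, not a ComboFix component."""

import re
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str]          # (registry key, value name, raw value text)
Finding = Tuple[str, str, str, str]   # (rule id, key, value name, explanation)

# Constructed sample in ComboFix's REGEDIT4-style layout. The keys and values
# are modelled on the log above; the '.' lines are ComboFix's separators.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Audiosrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
"""

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


def parse_reg_dump(text: str) -> List[Entry]:
    """Walk the dump line by line, attaching each value to the current [key]."""
    entries: List[Entry] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            entries.append((key, name, m.group(2).strip()))
    return entries


def value_as_int(value: str) -> Optional[int]:
    """'dword:00000001' -> 1, '0 (0x0)' -> 0; quoted strings yield None."""
    if value.lower().startswith('dword:'):
        return int(value[6:], 16)
    m = re.match(r'^-?\d+', value)
    return int(m.group(0)) if m else None


def audit(entries: List[Entry]) -> List[Finding]:
    """Apply the four tamper rules; each hit is a lead to verify, not a verdict."""
    findings: List[Finding] = []
    for key, name, value in entries:
        k, n, v = key.lower(), name.lower(), value_as_int(value)
        if k.endswith('\\security center') and n == 'antivirusoverride' and v == 1:
            findings.append(('SC-AV-OVERRIDE', key, name,
                             'Security Center told to stop reporting antivirus state'))
        elif '\\security center\\monitoring\\' in k and n == 'disablemonitoring' and v == 1:
            findings.append(('SC-MONITOR-OFF', key, name,
                             'Security Center monitoring of this product is disabled'))
        elif k.endswith('\\firewallpolicy\\standardprofile'):
            if n == 'enablefirewall' and v == 0:
                findings.append(('WF-DISABLED', key, name,
                                 'Windows Firewall off in the standard profile'))
            elif n == 'disablenotifications' and v == 1:
                findings.append(('WF-SILENT', key, name,
                                 'Windows Firewall blocked-connection notifications suppressed'))
    return findings


def audit_text(text: str) -> List[Finding]:
    return audit(parse_reg_dump(text))


if __name__ == '__main__':
    for rule, key, name, why in audit_text(SAMPLE_LOG):
        print(f'{rule:15} {name:22} {why}')
        print(f'{"":15} at {key}')
```

A hit is a lead, not proof of tampering: a third-party firewall such as the McAfee firewall shown as enabled in the log header legitimately turns the Windows Firewall off, and a user who picks "I'll monitor my antivirus myself" in Security Center sets AntiVirusOverride by hand. Compare each flagged value against the products actually installed before reverting it.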


#14 Blade81 (Malware Response Team)

Posted 19 August 2011 - 11:36 AM

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic413814.html
Suspect::[76]
C:\WINDOWS\system32\drivers\amdk7.sys
File::
c:\documents and settings\All Users\Application Data\svqi.exe
c:\documents and settings\All Users\Application Data\qerl.exe
c:\documents and settings\All Users\Application Data\oslw.exe
c:\documents and settings\All Users\Application Data\sysx.exe
C:\Documents and Settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123001.exe
C:\Documents and Settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123002.exe
C:\Documents and Settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123019.exe
C:\Documents and Settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123022.exe
C:\Documents and Settings\Administrator.ADMINISTRATOR.002\Application Data\Sun\Java\Deployment\cache\6.0\31\2d2372df-7b17b08b
C:\Documents and Settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\28\1271d21c-4c1317c2
C:\Documents and Settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\36\70b76564-54cc8bd6
C:\Documents and Settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\51\37a2ee33-29cabae9
C:\Documents and Settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\62\6660d8be-1535ce8f
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\hykcuoy.exe
C:\WINDOWS\system32\yccdd.tmp


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

(image: CFScript being dragged onto ComboFix.exe)

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.



#15 Pi-Face (Topic Starter)

Posted 19 August 2011 - 05:38 PM

ComboFix 11-08-19.01 - Adrian 08/19/2011 15:03:11.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.238 [GMT -4:00]
Running from: c:\documents and settings\Adrian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adrian\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\documents and settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123001.exe"
"c:\documents and settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123002.exe"
"c:\documents and settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123019.exe"
"c:\documents and settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123022.exe"
"c:\documents and settings\Administrator.ADMINISTRATOR.002\Application Data\Sun\Java\Deployment\cache\6.0\31\2d2372df-7b17b08b"
"c:\documents and settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\28\1271d21c-4c1317c2"
"c:\documents and settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\36\70b76564-54cc8bd6"
"c:\documents and settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\51\37a2ee33-29cabae9"
"c:\documents and settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\62\6660d8be-1535ce8f"
"c:\documents and settings\All Users\Application Data\oslw.exe"
"c:\documents and settings\All Users\Application Data\qerl.exe"
"c:\documents and settings\All Users\Application Data\svqi.exe"
"c:\documents and settings\All Users\Application Data\sysx.exe"
"c:\windows\system32\dfhkj.tmp"
"c:\windows\system32\hykcuoy.exe"
"c:\windows\system32\yccdd.tmp"
.
file zipped: c:\windows\system32\drivers\amdk7.sys
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123001.exe
c:\documents and settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123002.exe
c:\documents and settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123019.exe
c:\documents and settings\Administrator.ADMINISTRATOR.000\Local Settings\Temp\hki123022.exe
c:\documents and settings\Administrator.ADMINISTRATOR.002\Application Data\Sun\Java\Deployment\cache\6.0\31\2d2372df-7b17b08b
c:\documents and settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\28\1271d21c-4c1317c2
c:\documents and settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\36\70b76564-54cc8bd6
c:\documents and settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\51\37a2ee33-29cabae9
c:\documents and settings\Adrian\Application Data\Sun\Java\Deployment\cache\6.0\62\6660d8be-1535ce8f
c:\documents and settings\All Users\Application Data\oslw.exe
c:\documents and settings\All Users\Application Data\qerl.exe
c:\documents and settings\All Users\Application Data\svqi.exe
c:\documents and settings\All Users\Application Data\sysx.exe
c:\windows\system32\dfhkj.tmp
c:\windows\system32\hykcuoy.exe
c:\windows\system32\yccdd.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
.
.
2011-08-19 00:11 . 2011-08-19 00:11 -------- d-----w- c:\program files\ESET
2011-08-18 16:31 . 2011-08-18 16:31 -------- d-----w- c:\program files\MSECACHE
2011-08-18 01:50 . 2011-08-18 01:50 -------- d-----w- c:\program files\McAfee.com
2011-08-18 01:30 . 2011-05-20 15:01 282640 ----a-w- c:\windows\sediag.exe
2011-08-17 01:58 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-17 01:57 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-17 00:53 . 2011-08-17 00:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-16 21:03 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-08-16 21:03 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-10 00:26 . 2011-08-15 20:47 -------- d-----w- C:\Malwarebytes' Anti-Malware
2011-08-09 18:45 . 2011-08-09 18:45 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-09 01:30 . 2011-08-17 00:49 -------- d-----w- c:\documents and settings\Adrian
2011-08-09 01:12 . 2011-08-09 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-09 01:12 . 2011-08-09 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-08 21:59 . 2011-08-08 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-08 19:26 . 2011-08-09 01:27 -------- d-----w- c:\program files\Free Window Registry Repair
2011-08-08 18:34 . 2011-08-09 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2011-08-08 12:33 . 2011-08-08 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-08 12:33 . 2011-08-18 01:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-08 12:27 . 2011-08-08 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-08-08 12:07 . 2011-08-08 12:07 -------- d-----w- C:\System Repair
2011-08-07 01:41 . 2011-08-07 01:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-07 00:20 . 2011-08-07 00:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-08-07 00:19 . 2011-08-07 00:19 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-08-06 23:02 . 2011-08-16 21:02 -------- d-----w- c:\documents and settings\Administrator
2011-08-06 15:04 . 2011-08-06 15:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-07-30 17:02 . 2011-07-20 13:44 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-07-27 20:43 . 2011-07-27 20:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-26 06:17 . 2011-07-13 03:39 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{0797B424-1C1C-4952-A0F4-8E2E04663583}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-04-02 06:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-13 03:39 . 2007-01-20 00:25 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-08 14:02 . 2004-04-29 21:06 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2004-04-29 21:06 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44 . 2004-04-02 06:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 13:38 . 2010-02-18 01:58 112640 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-06-16 13:36 . 2010-02-18 01:57 416 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-06-02 14:02 . 2011-07-14 13:04 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2009-10-02 16:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2008-09-10 18:49 . 2008-09-10 18:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-04-16 . B24A4E23A2FEDB6976EB04D334AD82B2 . 634648 . . [7.00.6000.21256] . . c:\windows\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[7] 2010-02-23 . B5116340B84824DDD0A641E36B126194 . 634648 . . [7.00.6000.17023] . . c:\windows\ie7updates\KB982381-IE7\iexplore.exe
[7] 2010-02-23 . C8DDA4028065D5CE39CBE7A156B72AB9 . 634648 . . [7.00.6000.21228] . . c:\windows\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
[7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\ie7updates\KB980182-IE7\iexplore.exe
[7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 80675329E0FD54F016C4F8A83C616349 . 634632 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 4F9B04D546C23A295F3F0AE015BE51DB . 634632 . . [7.00.6000.16945] . . c:\windows\ie7updates\KB978207-IE7\iexplore.exe
[7] 2009-08-27 . F232BA9F39BC0F722672C7E79E68EBEA . 634648 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976325-IE7\iexplore.exe
[7] 2009-08-27 . 332EC7562F3AA7364F2D4231C56DA986 . 634648 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\ie7updates\KB974455-IE7\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe
[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[7] 2007-08-17 . 3AC2BC667DA0AF2C968E96E1630F5AB5 . 625152 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe
[7] 2007-08-17 . 5577D0E3AC2F9F035ACD81B44AF5F511 . 625152 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe
[7] 2007-06-27 . BD8502DFD53FC24FB8D6929DC46B8C2C . 625152 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe
[7] 2007-06-27 . 275CEE268B9E5D82474C43D5D249D111 . 625152 . . [7.00.6000.16512] . . c:\windows\ie7updates\KB939653-IE7\iexplore.exe
[7] 2007-04-24 . 10BDB55982586A432A3951EB19A26009 . 625152 . . [7.00.6000.16473] . . c:\windows\ie7updates\KB937143-IE7\iexplore.exe
[7] 2007-04-24 . 9B3516C1F30DA17ADD3818573047D63C . 625152 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe
[7] 2007-02-28 . D321092F8529CDAE843D6E24E3CAC6CB . 625152 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe
[7] 2007-02-21 . 683DDE71BCF03B501B912D20CB93B549 . 623616 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\iexplore.exe
[7] 2007-01-08 . 93A6A4F5293AE19E3B37021AABCF0902 . 623616 . . [7.00.6000.16414] . . c:\windows\ie7updates\KB931768-IE7\iexplore.exe
[-] 2006-10-17 . 5334D4461AA92A7B008755FE6D13C5F2 . 622080 . . [7.00.5730.11] . . c:\windows\ie7updates\KB928090-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?de ??d g? o?tr?l?? !!! !!! !]"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Music Communication Module.lnk]
backup=c:\windows\pss\Music Communication Module.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
backup=c:\windows\pss\IMStart.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 16:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 -c--a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-08 00:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2003-09-13 03:13 98304 -c--a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-14 04:43 233472 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 18:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YaplockTray.exe]
2005-09-13 19:40 94208 -c--a-w- c:\progra~1\Yaplock\YaplockTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"30857:TCP"= 30857:TCP:*:Disabled:SolidNetworkManager
"30857:UDP"= 30857:UDP:*:Disabled:SolidNetworkManager
"30997:TCP"= 30997:TCP:*:Disabled:SolidNetworkManager
"30997:UDP"= 30997:UDP:*:Disabled:SolidNetworkManager
"56649:TCP"= 56649:TCP:Pando Media Booster
"56649:UDP"= 56649:UDP:Pando Media Booster
"57016:TCP"= 57016:TCP:Pando Media Booster
"57016:UDP"= 57016:UDP:Pando Media Booster
"58938:TCP"= 58938:TCP:Pando Media Booster
"58938:UDP"= 58938:UDP:Pando Media Booster
"58473:TCP"= 58473:TCP:Pando Media Booster
"58473:UDP"= 58473:UDP:Pando Media Booster
"56809:TCP"= 56809:TCP:Pando Media Booster
"56809:UDP"= 56809:UDP:Pando Media Booster
"58032:TCP"= 58032:TCP:Pando Media Booster
"58032:UDP"= 58032:UDP:Pando Media Booster
.
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [8/27/2009 5:09 PM 1253376]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/1/2009 9:39 AM 94880]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/12/2008 5:10 PM 24652]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.002\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate1c9f8d07501f69e;Google Update Service (gupdate1c9f8d07501f69e);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2009 11:43 AM 133104]
S2 mrtRate;mrtRate; [x]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [8/7/2008 11:10 AM 3276800]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2009 11:43 AM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 3:49 AM 242712]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/31/2008 5:21 AM 717296]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-08-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-16 04:31]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 15:43]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 15:43]
.
2011-08-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
2011-08-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2213381718-712660878-1100219755-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2213381718-712660878-1100219755-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2213381718-712660878-1100219755-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2213381718-712660878-1100219755-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-08-19 c:\windows\Tasks\User_Feed_Synchronization-{DDC36FAD-610D-40AE-8FC3-6FA7BD475968}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
2011-08-19 c:\windows\Tasks\WebReg Photosmart C4200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-19 15:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.cdrom]
"ImagePath"="\*"
.
Completion time: 2011-08-19 15:26:39
ComboFix-quarantined-files.txt 2011-08-19 19:26
ComboFix2.txt 2011-08-19 01:13
ComboFix3.txt 2011-08-18 00:59
ComboFix4.txt 2011-08-16 21:36
.
Pre-Run: 107,693,436,928 bytes free
Post-Run: 107,673,509,888 bytes free
.
- - End Of File - - 41F5203BC226089A32286278573B464E
Upload was successful