How do I enable Task Manager again after recovery from Win32.GEMA attack?


This topic is locked
30 replies to this topic

#1 Inveryes

  • Members
  • 67 posts
  • Gender:Male

Posted 07 May 2012 - 06:23 AM

Hi

I'm running Windows XP SP3.

I recently suffered an attack of the Win32.GEMA trojan. Details of it are here: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRansirac.G

I recovered my system using:

AVG Rescue Disk

Kaspersky Rescue Disk

BitDefender Rescue Disk

MalwareBytes Scan

McAfee Scan

Hitman Pro Scan

Spybot Scan

Eusing Registry Cleaner

CCleaner


Overkill maybe? But it worked..........So far

Apparently the trojan disables Task Manager and it's this I am having trouble restoring.

I followed the advice in this Microsoft article - http://support.microsoft.com/kb/913623/ - but when I followed this part

To set the DisableTaskMgr registry entry value to 0 for a specific user, follow these steps:

1. Log off from the computer.
2. Log on to the computer by using a user account that has administrative permissions.
3. Click Start, click Run, type regedit in the Open box, and then click OK.
4. In the left pane, click the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. In the right pane, double-click DisableTaskMgr.
6. In the Value data box, type 0, and then click OK.
7. On the File menu, click Exit.
8. Restart the computer.


No. 5 says that DisableTaskMgr should appear in the right pane, but there was no entry for DisableTaskMgr. All there is is a small "ab" icon with (default) beside it, then REG_SZ.

Posted Image

I then tried to follow this part of the Microsoft article

To set the DisableTaskMgr registry entry value to 0 for all users, follow these steps:

1. Log off from the computer.
2. Log on to the computer by using a user account that has administrative permissions.
3. Click Start, click Run, type regedit in the Open box, and then click OK.
4. In the left pane, click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. In the right pane, double-click DisableTaskMgr.
6. In the Value data box, type 0, and then click OK.
7. On the File menu, click Exit.
8. Restart the computer.


This time DisableTaskMgr was in the right pane, this time with a small "ohho"? icon followed by REG_DWORD

Posted Image

I tried creating a new entry for the current user by copying the one for all users, but no joy.

Any suggestions?

Ctrl+Alt+Delete gets no response whatsoever, neither does Ctrl+Shift+Esc nor right-clicking the task bar and selecting Task Manager.

Thanks in anticipation

Edited by hamluis, 07 May 2012 - 07:35 AM.
Edited for readability, moved from XP to Am I Infected - Hamluis.




#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,078 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 May 2012 - 09:50 AM

Hello, see if this does the trick.

Please download the following file to your desktop.

Fixtm.reg

Once the file is downloaded, double-click on it and select Yes when it asks if you want to merge the data into your Registry. Once that is completed you should be able to use the Windows Task Manager.

#3 Inveryes
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 08 May 2012 - 04:02 AM

Hello, see if this does the trick.

Please download the following file to your desktop.

Fixtm.reg

Once the file is downloaded, double-click on it and select Yes when it asks if you want to merge the data into your Registry. Once that is completed you should be able to use the Windows Task Manager.


Thank you! Unfortunately I'm having to post this from my phone as my PC problem is now that as soon as I log on, it logs me off immediately. Won't start in safe mode either. Trying the rescue disks again.

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,985 posts
  • Gender:Female
  • Location:Romania

Posted 11 May 2012 - 02:00 AM

Hello, please see if the following fixes the logon problem.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download xPUD Userinit_fix to your USB drive
  • Remove the USB drive and CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see xPUD userinit fix that you downloaded there
  • Double-click the file to run it.
  • After it has finished a report will be located on your USB drive named UserinitFix.txt
  • Remove the USB drive and insert it back in your working computer and navigate to UserinitFix.txt

    Please note - all text entries are case sensitive
Copy and paste the UserinitFix.txt for my review

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Inveryes
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 11 May 2012 - 02:23 PM

Elise, thanks very much for your help.

I've done as you suggested and have copied the text from the report below:

Remote Registry Userinit Report

Hive </mnt/sda1/WINDOWS/system32/config/software>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 64 [0x40]
C:WindowsSystem32userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon> EDIT: <Userinit> of type REG_SZ with length 64 [0x40]
[ 0]: C:WindowsSystem32userinit.exe,
-> newkv->len: 68
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,

userinit.exe search results

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/ServicePackFiles/i386/userinit.exe
25.5K Apr 14 2008
a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/system32/dllcache/userinit.exe
25.5K Apr 14 2008
39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/userinit.exe
24.0K Aug 4 2004
39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/$NtServicePackUninstall$/userinit.exe
24.0K Aug 12 2004

winlogon.exe search results

097d0e812d7a9a3101ce46cb2be0474d /mnt/sda1/Program Files/Malwarebytes' Anti-Malware/Chameleon/winlogon.exe
194.6K Apr 4 14:56
ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/ServicePackFiles/i386/winlogon.exe
496.0K Apr 14 2008
ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/system32/dllcache/winlogon.exe
496.0K Apr 14 2008
ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/system32/winlogon.exe
496.0K Apr 14 2008
01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 12 2004

explorer.exe search results

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda1/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/ServicePackFiles/i386/explorer.exe
1009.5K Apr 14 2008
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/explorer.exe
1009.5K Apr 14 2008
a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 12 2004
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/system32/dllcache/explorer.exe
1009.5K Apr 14 2008
97bd6515465659ff8f3b7be375b2ea87 /mnt/sda1/WINDOWS/$NtServicePackUninstall$/explorer.exe
1009.0K Jun 13 2007
-----------------------------------------------------------------------

#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,985 posts
  • Gender:Female
  • Location:Romania

Posted 11 May 2012 - 02:56 PM

Can you now successfully get to the desktop?

regards, Elise


#7 Inveryes
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 11 May 2012 - 03:45 PM

Can you now successfully get to the desktop?


I can!

You are a star!!!!

I'm scared to try and go beyond the desktop though.

Should I be brave?

#8 Inveryes
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 11 May 2012 - 05:04 PM

I can now log on successfully but have just realised that I still cannot get Task Manager to run.

However this PC is actually seven years old and after the grief of the last few days, I have ordered a new one.

I'm reluctant to try and get Task Manager going again in case I mess it up in some other way. It would be nice to solve the problem but I wouldn't want to take up more of your time.

#9 Inveryes
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 12 May 2012 - 01:00 AM

I have now managed to get Task Manager working by copying the taskmgr.exe file, renaming it and using the renamed file to run Task Manager. I don't know if that means the PC is still infected or if it's some damage caused by the infection which needs repairing. I have scanned the system with half a dozen antivirus software and it appears to be clean.

#10 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 12 May 2012 - 01:11 AM

I have scanned the system with half a dozen antivirus software and it appears to be clean.

Did you scan with malwarebytes?

Press Windows+R key and type

regedit and click ok

Browse to this location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Do you find a subkey called taskmgr under this key?
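The two registry locations this thread keeps coming back to can be checked in one go. The script below is an added example, not something posted in the thread or shipped with any of the tools named in it: it reads the DisableTaskMgr policy value under both hives named in the Microsoft article quoted in the first post, and then looks for the Image File Execution Options subkey for taskmgr.exe that narenxp asks about, reading its Debugger value (the standard value name Windows consults under an IFEO subkey; a Debugger value there redirects every launch of Task Manager to the named program). It assumes an elevated PowerShell prompt; the -Remediate switch and the output tags are my own additions. Without -Remediate it only reports.

```powershell
# Added example (not from the thread): audit why Task Manager will not open.
# 1. DisableTaskMgr policy value, HKCU and HKLM (Microsoft KB 913623).
# 2. IFEO "Debugger" value for taskmgr.exe (the subkey narenxp asks about).
# Run elevated. Without -Remediate the script is read-only.
param(
    [switch]$Remediate
)

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'

$findings = @()

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        Write-Output "[ok] $key does not exist (no policy set here)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    if ($null -eq $props.DisableTaskMgr) {
        # Step 5 of the KB article assumes the value exists. When it is
        # missing (as in the first post), this hive is not what is
        # disabling Task Manager, so keep looking.
        Write-Output "[ok] $key has no DisableTaskMgr value"
    } elseif ($props.DisableTaskMgr -ne 0) {
        Write-Output "[!!] $key DisableTaskMgr = $($props.DisableTaskMgr) (disabled by policy)"
        $findings += $key
        if ($Remediate) {
            Set-ItemProperty -Path $key -Name DisableTaskMgr -Value 0 -Type DWord
            Write-Output "     -> set DisableTaskMgr to 0"
        }
    } else {
        Write-Output "[ok] $key DisableTaskMgr = 0"
    }
}

if (Test-Path $ifeoKey) {
    $dbg = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        # A Debugger value here explains why a renamed copy of taskmgr.exe
        # works while the original does not: IFEO matches on the file name.
        Write-Output "[!!] IFEO hijack: taskmgr.exe launches are redirected to '$dbg'"
        $findings += $ifeoKey
        if ($Remediate) {
            # A normal system has no taskmgr.exe subkey under IFEO at all,
            # so the whole subkey is removed rather than just the value.
            Remove-Item -Path $ifeoKey -Recurse
            Write-Output "     -> removed $ifeoKey"
        }
    } else {
        Write-Output "[??] $ifeoKey exists but has no Debugger value; inspect it manually"
    }
} else {
    Write-Output "[ok] no IFEO subkey for taskmgr.exe"
}

if ($findings.Count -eq 0) {
    Write-Output 'Nothing found in either location; if Task Manager still will not open, look elsewhere'
}
```

Run it once without -Remediate and keep the output: the Debugger target it prints is the file to hand to your scanner before deleting the subkey, since deleting the key alone leaves that executable in place.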

#11 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,985 posts
  • Gender:Female
  • Location:Romania

Posted 12 May 2012 - 01:36 AM

Let's run a scan and see if there is a policy set.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


#12 Inveryes
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 12 May 2012 - 04:42 AM

I have scanned the system with half a dozen antivirus software and it appears to be clean.

Did you scan with malwarebytes?

Press Windows+R key and type

regedit and click ok

Browse to this location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Do you find a subkey called taskmgr under this key?


Hi narenxp. Yes, that file is there.

#13 Inveryes
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 12 May 2012 - 04:45 AM

Let's run a scan and see if there is a policy set.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Elise, here is the result of the scan

*************************************************************

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by RW at 10:34:07 on 2012-05-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.628 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.co.uk/
uInternet Settings,ProxyServer = 192.168.1.1:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - McAfee Phishing Filter
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120428002909.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: Disable TaskMgr = 0 (0x0)
mPolicies-system: <NO NAME> =
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
LSP: mswsock.dll
Trusted Zone: bing.com\www
Trusted Zone: microsoft.com\office
Trusted Zone: yesfans.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.8.05.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265736413437
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - P9KDMF.EXE
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\richard wright\application data\mozilla\firefox\profiles\4kplbipt.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 464304]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-9-23 3968]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-2 89792]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-2-1 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-2-1 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-2-1 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-2-1 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-2-1 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-1 151880]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-4-9 3063968]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-2 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-2 180848]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-2 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-2 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-2 83856]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-10-16 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-4-5 158856]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-1-23 92592]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-8 253600]
S3 CXPLRCAP;Capture Device;c:\windows\system32\drivers\CxPlrCap.sys [2011-1-18 187776]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-1-30 18864]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-10-16 13224]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-2 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-2 87656]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-10-16 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-10-16 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-10-16 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-10-16 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-10-16 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-10-16 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-10-16 115752]
S3 V2210VID;DigitalCam Pro;c:\windows\system32\drivers\V2210vid.sys [2007-5-16 434368]
S3 w900bus;Sony Ericsson 900i driver (WDM);c:\windows\system32\drivers\w900bus.sys [2006-3-19 58256]
S3 w900mdfl;Sony Ericsson 900i USB WMC Modem Filter;c:\windows\system32\drivers\w900mdfl.sys [2006-3-19 8336]
S3 w900mdm;Sony Ericsson 900i USB WMC Modem Drivers;c:\windows\system32\drivers\w900mdm.sys [2006-3-19 94064]
.
=============== Created Last 30 ================
.
2012-05-11 22:27:35 135680 ----a-w- c:\windows\system32\lentran.exe
2012-05-08 20:09:49 24576 ----a-w- c:\windows\system32\userinit.exe
2012-05-07 15:44:26 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-05-07 15:44:21 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-05-07 15:43:46 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2012-05-07 15:43:26 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2012-05-07 15:42:39 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2012-05-07 15:41:36 5376 -c--a-w- c:\windows\system32\dllcache\viaide.sys
2012-05-07 15:40:51 17152 -c--a-w- c:\windows\system32\dllcache\usbohci.sys
2012-05-07 15:40:49 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-05-07 15:39:10 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2012-05-07 15:38:28 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2012-05-07 15:35:54 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2012-05-07 15:35:10 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2012-05-07 15:35:08 16000 -c--a-w- c:\windows\system32\dllcache\smbbatt.sys
2012-05-07 15:33:12 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2012-05-07 15:32:44 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2012-05-07 15:31:38 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2012-05-07 15:31:37 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2012-05-07 15:31:13 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2012-05-07 15:30:02 6016 -c--a-w- c:\windows\system32\dllcache\qic157.sys
2012-05-07 15:29:45 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2012-05-07 15:29:29 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2012-05-07 15:29:24 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2012-05-07 15:28:42 259328 -c--a-w- c:\windows\system32\dllcache\perm3dd.dll
2012-05-07 15:28:40 28032 -c--a-w- c:\windows\system32\dllcache\perm3.sys
2012-05-07 15:28:39 211584 -c--a-w- c:\windows\system32\dllcache\perm2dll.dll
2012-05-07 15:28:38 27904 -c--a-w- c:\windows\system32\dllcache\perm2.sys
2012-05-07 15:26:20 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2012-05-07 15:24:29 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2012-05-07 15:24:11 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2012-05-07 15:23:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2012-05-07 15:23:03 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2012-05-07 15:22:23 7040 -c--a-w- c:\windows\system32\dllcache\ltotape.sys
2012-05-07 15:21:50 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2012-05-07 15:21:33 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2012-05-07 15:21:32 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2012-05-07 15:21:14 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-05-07 15:20:49 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2012-05-07 15:20:45 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2012-05-07 15:20:44 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2012-05-07 15:19:09 702845 -c--a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2012-05-07 15:19:02 18560 -c--a-w- c:\windows\system32\dllcache\i2omp.sys
2012-05-07 15:19:01 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2012-05-07 15:17:06 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-05-07 15:17:02 20352 -c--a-w- c:\windows\system32\dllcache\hidbatt.sys
2012-05-07 15:16:50 28288 -c--a-w- c:\windows\system32\dllcache\grserial.sys
2012-05-07 15:16:40 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2012-05-07 15:12:52 206976 -c--a-w- c:\windows\system32\dllcache\dot4.sys
2012-05-07 15:12:42 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2012-05-07 15:10:50 249856 -c--a-w- c:\windows\system32\dllcache\ctmasetp.dll
2012-05-07 15:10:20 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2012-05-07 15:10:10 13952 -c--a-w- c:\windows\system32\dllcache\cmbatt.sys
2012-05-07 15:09:50 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2012-05-07 15:09:20 121856 -c--a-w- c:\windows\system32\dllcache\camext30.dll
2012-05-07 15:07:48 14208 -c--a-w- c:\windows\system32\dllcache\battc.sys
2012-05-07 15:07:37 13696 -c--a-w- c:\windows\system32\dllcache\avcstrm.sys
2012-05-07 15:07:34 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2012-05-07 14:53:08 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2012-05-07 14:53:08 12288 -c--a-w- c:\windows\system32\dllcache\4mmdat.sys
2012-05-07 13:06:05 -------- d-----w- c:\program files\Disk Heal
2012-05-06 11:22:39 -------- d-----w- c:\program files\HitmanPro
2012-05-04 23:08:10 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-05-03 23:34:22 -------- d-----w- C:\bd_logs
2012-05-03 20:35:52 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-05-02 15:40:51 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-05-02 15:40:23 -------- d-----w- c:\program files\common files\SimpleList
2012-04-27 23:29:07 29272 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2012-04-23 18:19:45 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
.
==================== Find3M ====================
.
2012-04-08 16:12:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-08 16:12:25 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-20 12:11:32 151880 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
2012-02-22 12:29:46 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-02-22 12:29:46 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-02-22 12:29:46 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-02-22 12:29:46 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-02-22 12:29:46 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-02-22 12:29:46 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-02-22 12:29:46 464304 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-02-22 12:29:46 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-02-22 12:29:46 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-02-22 12:29:46 121544 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2008-05-17 12:00:07 20597104 ----a-w- c:\program files\aaw2007.exe
2007-10-11 09:42:19 135528 ----a-w- c:\program files\315265.exe
2007-10-09 16:58:53 559856 ----a-w- c:\program files\WindowsXP-KB906569-v2-x86-ENU.exe
2007-10-05 21:55:07 401720 ----a-w- c:\program files\HiJackThis.exe
2007-09-20 16:27:17 66808 ----a-w- c:\program files\STOPzilla_Setup.exe
2007-05-07 21:21:57 1688176 ----a-w- c:\program files\dvdaudioextractor.exe
2005-07-18 19:17:02 348869 ----a-w- c:\program files\GoogleEarth.exe
2005-05-15 13:18:27 12754672 -c--a-w- c:\program files\common files\MP10Setup.exe
2005-05-03 21:25:51 20798256 -c--a-w- c:\program files\common files\AdbeRdr70_enu_full.exe
.
============= FINISH: 10:37:06.57 ===============


Do you want me to also post the results which I'll have to zip first?

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,985 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:50 AM

Posted 12 May 2012 - 05:16 AM

Unfortunately, besides the IFEO for taskmanager, you have a nasty rootkit infection. Please read the following information before continuing.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
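As an added example (not code from the thread, from Elise, or from ComboFix), the following PowerShell script audits the two registry settings that stop Task Manager from starting on a Windows machine: the DisableTaskMgr policy value covered by the KB article in the first post, and the Image File Execution Options (IFEO) Debugger redirect for taskmgr.exe that Elise refers to. It assumes PowerShell 2.0 or later in an elevated session; the key paths are the standard Windows locations, and the function names are the example's own.

```powershell
# Added example, not code from the thread or from BleepingComputer/ComboFix.
# Audits the two registry mechanisms malware commonly uses to block Task
# Manager, and with -Repair undoes them:
#   1. DisableTaskMgr = 1 under ...\Policies\System (HKCU and HKLM)
#   2. an Image File Execution Options (IFEO) "Debugger" value for
#      taskmgr.exe, which makes Windows start the named program instead
#      of Task Manager every time taskmgr.exe is launched.
# Assumes PowerShell 2.0 or later in an elevated (administrator) session.
param([switch]$Repair)

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' +
           'Image File Execution Options\taskmgr.exe'

function Get-TaskMgrBlock {
    # Returns one object per blocking entry found (nothing when clean).
    $findings = @()
    foreach ($key in $policyKeys) {
        $p = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($p -and $p.DisableTaskMgr -ne 0) {
            $findings += New-Object PSObject -Property @{
                Kind = 'Policy'; Path = $key; Value = $p.DisableTaskMgr
            }
        }
    }
    $d = Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue
    if ($d -and $d.Debugger) {
        $findings += New-Object PSObject -Property @{
            Kind = 'IFEO'; Path = $ifeoKey; Value = $d.Debugger
        }
    }
    $findings
}

function Repair-TaskMgrBlock {
    param($Findings)
    foreach ($f in $Findings) {
        switch ($f.Kind) {
            'Policy' {
                # The value documented in KB 913623: 0 re-enables Task Manager.
                Set-ItemProperty -Path $f.Path -Name DisableTaskMgr -Value 0 -Type DWord
            }
            'IFEO' {
                # Removing only the Debugger value is enough; the empty
                # taskmgr.exe subkey is harmless once the redirect is gone.
                Remove-ItemProperty -Path $f.Path -Name Debugger
            }
        }
        Write-Output ("Fixed {0} at {1}" -f $f.Kind, $f.Path)
    }
}

$found = @(Get-TaskMgrBlock)
if ($found.Count -eq 0) {
    Write-Output 'No DisableTaskMgr policy or taskmgr.exe IFEO Debugger entry found.'
} else {
    foreach ($f in $found) {
        Write-Output ("{0,-6} {1} = {2}" -f $f.Kind, $f.Path, $f.Value)
    }
    # A Debugger value is not always malicious: Sysinternals Process Explorer's
    # "Replace Task Manager" option sets one pointing at procexp.exe. Check
    # where it points before removing it.
    if ($Repair) { Repair-TaskMgrBlock -Findings $found }
}
```

Run it once without -Repair to see what is set and where the Debugger value points; only then run it again with -Repair.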


#15 Inveryes

Inveryes
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:50 PM

Posted 12 May 2012 - 07:35 AM

Here is the Combofix log

*******************************************************

ComboFix 12-05-12.01 - Richard Wright 2012-05-12 12:11:54.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.670 [GMT 1:00]
Running from: c:\documents and settings\Richard Wright\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Richard Wright\GoToAssistDownloadHelper.exe
c:\documents and settings\Richard Wright\WINDOWS
c:\program files\315265.exe
c:\program files\aaw2007.exe
c:\program files\WindowsXP-KB906569-v2-x86-ENU.exe
c:\windows\$NtUninstallKB46956$
c:\windows\$NtUninstallKB46956$\3080323318\@
c:\windows\$NtUninstallKB46956$\3080323318\cfg.ini
c:\windows\$NtUninstallKB46956$\3080323318\Desktop.ini
c:\windows\$NtUninstallKB46956$\3080323318\L\nofemain
c:\windows\$NtUninstallKB46956$\3080323318\U\00000001.@
c:\windows\$NtUninstallKB46956$\3080323318\U\00000002.@
c:\windows\$NtUninstallKB46956$\3080323318\U\00000004.@
c:\windows\$NtUninstallKB46956$\3080323318\U\80000000.@
c:\windows\$NtUninstallKB46956$\3080323318\U\80000004.@
c:\windows\$NtUninstallKB46956$\3080323318\U\80000032.@
c:\windows\$NtUninstallKB46956$\3080323318\version
c:\windows\$NtUninstallKB46956$\772322572
c:\windows\system32\csrss.exe.tmp
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\default_user_class.dat.LOG
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\setb7.tmp
c:\windows\system32\STEC3.sys
c:\windows\system32\winsh320
c:\windows\system32\winsh321
c:\windows\system32\winsh322
c:\windows\system32\winsh323
c:\windows\system32\winsh324
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_STEC3
-------\Service_STEC3
.
.
((((((((((((((((((((((((( Files Created from 2012-04-12 to 2012-05-12 )))))))))))))))))))))))))))))))
.
.
2012-05-11 22:27 . 2008-04-14 00:12 135680 ----a-w- c:\windows\system32\lentran.exe
2012-05-07 15:10 . 2008-04-14 00:11 249856 -c--a-w- c:\windows\system32\dllcache\ctmasetp.dll
2012-05-07 15:10 . 2008-04-13 18:36 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2012-05-07 15:10 . 2008-04-13 18:36 13952 -c--a-w- c:\windows\system32\dllcache\cmbatt.sys
2012-05-07 15:09 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2012-05-07 15:09 . 2008-04-14 00:11 121856 -c--a-w- c:\windows\system32\dllcache\camext30.dll
2012-05-07 15:07 . 2008-04-13 18:36 14208 -c--a-w- c:\windows\system32\dllcache\battc.sys
2012-05-07 15:07 . 2008-04-13 18:46 13696 -c--a-w- c:\windows\system32\dllcache\avcstrm.sys
2012-05-07 15:07 . 2008-04-13 18:46 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2012-05-07 14:53 . 2008-04-13 18:46 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2012-05-07 14:53 . 2008-04-13 18:40 12288 -c--a-w- c:\windows\system32\dllcache\4mmdat.sys
2012-05-07 13:06 . 2012-05-07 13:06 -------- d-----w- c:\program files\Disk Heal
2012-05-06 11:22 . 2012-05-06 11:22 -------- d-----w- c:\program files\HitmanPro
2012-05-04 23:08 . 2012-05-06 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-05-03 23:34 . 2012-05-09 17:39 -------- d-----w- C:\bd_logs
2012-05-03 20:35 . 2012-05-04 00:25 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-05-02 15:40 . 2012-05-03 20:28 -------- d-----w- c:\program files\Common Files\SimpleList
2012-04-27 23:29 . 2012-03-20 12:06 29272 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2012-04-23 18:19 . 2012-05-12 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-04-23 18:17 . 2012-04-23 18:17 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-08 16:12 . 2012-04-08 16:12 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-08 16:12 . 2011-05-17 19:06 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:56 . 2010-04-26 22:36 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-20 12:11 . 2011-02-01 20:19 151880 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-01 11:01 . 2004-08-12 14:09 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-12 13:59 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-12 13:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-12 14:09 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-12 13:58 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-12 13:57 385024 ------w- c:\windows\system32\html.iec
2012-02-22 12:29 . 2012-02-01 20:43 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-02-22 12:29 . 2011-02-02 01:48 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-02-22 12:29 . 2011-02-02 01:48 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-02-22 12:29 . 2011-02-02 01:48 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-02-22 12:29 . 2011-02-02 01:48 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-02-22 12:29 . 2011-02-02 01:48 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-02-22 12:29 . 2011-02-02 01:48 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-02-22 12:29 . 2011-02-02 01:48 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-02-22 12:29 . 2010-10-13 22:28 464304 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-02-22 12:29 . 2010-10-13 22:28 121544 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2007-10-05 21:55 . 2007-10-05 21:54 401720 ----a-w- c:\program files\HiJackThis.exe
2007-09-20 16:27 . 2007-09-20 16:27 66808 ----a-w- c:\program files\STOPzilla_Setup.exe
2007-05-07 21:21 . 2007-05-07 21:21 1688176 ----a-w- c:\program files\dvdaudioextractor.exe
2005-07-18 19:17 . 2005-07-18 19:10 348869 ----a-w- c:\program files\GoogleEarth.exe
2005-05-15 13:18 . 2005-05-15 13:18 12754672 -c--a-w- c:\program files\Common Files\MP10Setup.exe
2005-05-03 21:25 . 2005-05-03 21:18 20798256 -c--a-w- c:\program files\Common Files\AdbeRdr70_enu_full.exe
2011-10-31 21:14 . 2011-10-31 21:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-30 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2003-01-30 311296]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-21 1318816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Disable TaskMgr"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-07-26 15:10 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-10-08 17:04 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 00:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee QuickClean Imonitor]
2004-09-08 04:00 94208 ----a-w- c:\program files\McAfee\McAfee QuickClean\PlgUni.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 14:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 22:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-01-26 10:38 866816 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 00:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCPitstop Optimize Registration Reminder"=c:\program files\PCPitstop\Optimize\Reminder.exe
"PC Pitstop Optimize Scheduler"=c:\program files\PCPitstop\Optimize\PCPOptimize.exe -boot
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"UpdReg"=c:\windows\UpdReg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Joe\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\Katie\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-02-02 89792]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2012-02-01 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2012-02-01 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2012-02-01 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-02-01 151880]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-04-09 3063968]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2012-01-23 92592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-02-02 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-02-02 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-02-02 83856]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-10-16 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-04-05 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 253600]
S3 CXPLRCAP;Capture Device;c:\windows\system32\drivers\CxPlrCap.sys [2011-01-18 187776]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-01-30 18864]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-10-16 13224]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-02-02 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-02-02 87656]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [2005-02-24 162176]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-10-16 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-10-16 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-10-16 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-10-16 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-10-16 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-10-16 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-10-16 115752]
S3 V2210VID;DigitalCam Pro;c:\windows\system32\drivers\V2210vid.sys [2007-05-16 434368]
S3 w900bus;Sony Ericsson 900i driver (WDM);c:\windows\system32\drivers\w900bus.sys [2006-03-19 58256]
S3 w900mdfl;Sony Ericsson 900i USB WMC Modem Filter;c:\windows\system32\drivers\w900mdfl.sys [2006-03-19 8336]
S3 w900mdm;Sony Ericsson 900i USB WMC Modem Drivers;c:\windows\system32\drivers\w900mdm.sys [2006-03-19 94064]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - uphcleanhlp
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tmxpflt
HECI
ageremodemaudio
streamloadservice
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 16:12]
.
2012-03-17 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2012-03-14 22:04]
.
2012-05-07 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1606980848-1965331169-725345543-1008Core.job
- c:\documents and settings\Katie\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-10-19 12:40]
.
2012-05-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1606980848-1965331169-725345543-1008UA.job
- c:\documents and settings\Katie\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-10-19 12:40]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 16:28]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 16:28]
.
2012-04-22 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2012-04-03 19:13]
.
2012-05-01 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Software\Switch\switch.exe [2012-02-27 23:07]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.co.uk/
uInternet Settings,ProxyServer = 192.168.1.1:80
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: bing.com\www
Trusted Zone: microsoft.com\office
Trusted Zone: yesfans.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Richard Wright\Application Data\Mozilla\Firefox\Profiles\4kplbipt.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-12 13:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OMSCAN]
"ImagePath"="\Sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1606980848-1965331169-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(844)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\PAStiSvc.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\UAService7.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\CTHELPER.EXE
.
**************************************************************************
.
Completion time: 2012-05-12 13:31:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-12 12:31
.
Pre-Run: 49,896,763,392 bytes free
Post-Run: 50,395,549,696 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 40D517095ABA90A0F2965A70B62F2A92



