virus message keeps appearing
Recently, my antivirus detected a virus in my computer with the following message:
McAfee has automatically blocked and removed a Virus.
About this Virus
Detected: W32/Autorun.worm.h (Virus), W32/Autorun.worm.h (Virus), W32/Autorun.worm.h (Virus)
Location: C:\WINDOWS\System32\spool\PRINTERS\00075.SPL
A virus is a self-replicating program that can harm your computer, compromise its security, and damage valuable files.
However, the message repeats itself after a few minutes, although the filename with the SPL extension is different. I've tried to disable system restore, but could not even get system restore started. I had to right click on "My Computer", "Manage", "Services and Applications", to disable it manually. Similarly, I've also done the same for Print Spooler. Neither prevented the message from reappearing.
The only way to temporarily stop the message from appearing is to delete the "PRINTERS" folder from the above location. However, this prevents me from printing, so I have to create the folder again, which will result in the message reappearing.
Is there any way to permanently remove the above virus? Help!
Comments
My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.
Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.
:install hijackthis:
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
:uninstall list:
Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.
:information and logs:
In your next post I need the following:
1. log from hijackthis
2. uninstall list
Gringo
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:09 AM, on 4/13/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\ALaunch\ALaunch.exe
C:\Program Files\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\WinKey\WinKey.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsmap.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [App Launcher] C:\Program Files\ALaunch\ALaunch.exe
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: WinKey.lnk = C:\Program Files\WinKey\WinKey.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203693971215
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0256071208014418) (0256071208014418mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\025607~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 12438 bytes
As well as the uninstall_list
AbsoluteShield File Shredder
ACDSee 10 Photo Manager
ACDSee Pro 2
Acer eManager for Notebook
Acer ePowerManagement
Active Desktop Calendar 7.0
Ad-Aware 2007
Adobe Acrobat 8.1.2 Professional
Adobe Flash Player ActiveX
Advanced Encryption Package 2008 Professional
Advanced Uninstaller PRO 2005 - version 7
Any Capture 3.12 Build 3121
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BitComet 0.70
BitTorrent 4.0.4
Blancco - File Shredder
Blancco - File Shredder
Canon CanoScan Toolbox 5.0
Canon PhotoRecord
Canon PIXMA iP1000
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CanoScan LiDE 70
Conexant AC-Link Audio
dMC Power Pack
Easy-WebPrint
Extension Changer
Fellowes/NEATO MediaFACE
FinePrint
Football Manager 2008
HijackThis 2.0.2
iTunes
J2SE Runtime Environment 5.0 Update 4
Launch Manager
LimeWire PRO 4.12.3
Lingoes 2.2.0
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveSync 4.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mobile Media for PC
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
Nero 7 Ultra Edition
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
PC Connectivity Solution
PeerGuardian 2.0
PowerISO
Powerword 2005
Presto! PageManager 7.15.14
QuickTime
Recover My Files
RegRun Security Suite Gold
Safari
ScanSoft OmniPage SE 4.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
SmartUndelete
SoftV92 Data Fax Modem with SmartCP
Spyware Doctor 5.5
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
Unlocker 1.8.6
Viper Client
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows XP Service Pack 3
WinKey
WinRAR archiver
WinZip
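A small triage helper for the HijackThis log posted above, added here as an example; it is not part of the thread and not code from HijackThis. It parses the O2/O3 (BHO and toolbar), O4 (Run key) and O23 (service) line formats and flags what an analyst checks first: components whose file is missing, services with no publisher, and anything launched from a temporary directory. The sample lines are copied from the log above; the heuristics and names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O23 - Service: McAfee Application Installer Cleanup (0256071208014418) (0256071208014418mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\025607~1.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# One regex per HijackThis section type this example understands.
RE_COMPONENT = re.compile(
    r'^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$')
RE_RUN = re.compile(
    r'^(?P<section>O4) - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RE_SERVICE = re.compile(
    r'^(?P<section>O23) - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')


@dataclass
class Entry:
    section: str
    name: str
    path: str
    owner: str = ""   # only O23 lines carry a publisher


def executable_from_command(cmd: str) -> str:
    """Strip arguments from an O4 command line, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r'\.exe', cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(" ")[0]


def parse_log(text: str) -> list[Entry]:
    """Turn the recognised line types into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RE_COMPONENT.match(line):
            entries.append(Entry(m["section"], m["name"], m["path"]))
        elif m := RE_RUN.match(line):
            entries.append(Entry(m["section"], m["name"], executable_from_command(m["cmd"])))
        elif m := RE_SERVICE.match(line):
            entries.append(Entry(m["section"], m["name"], m["path"], m["owner"]))
    return entries


# Heuristic markers chosen for this example (assumptions, not HijackThis rules).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def triage(entry: Entry) -> list[str]:
    """Reasons an analyst would look at this entry before the rest of the log."""
    reasons = []
    p = entry.path.lower()
    if p == "(no file)":
        reasons.append("registered component whose file no longer exists")
    if any(t in p for t in TEMP_MARKERS):
        reasons.append("runs from a temporary directory")
    if entry.section == "O23" and entry.owner.lower() == "unknown owner":
        reasons.append("service without a publisher")
    if entry.section == "O4" and "\\" in p and not p.startswith(TRUSTED_ROOTS):
        reasons.append("autorun outside Program Files / Windows")
    return reasons


def triage_log(text: str) -> list[tuple[Entry, list[str]]]:
    """Return only the entries that raised at least one reason."""
    return [(e, r) for e in parse_log(text) if (r := triage(e))]


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(f"{entry.section} {entry.name!r} -> {entry.path}: {'; '.join(reasons)}")
```

A flag is a prompt to look, not a verdict: the TEMP-resident McAfee cleanup service in this log is a legitimate installer leftover, which is exactly the kind of thing the thread's helper cross-checks by hand.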
:P2P Warning!:
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
LimeWire PRO 4.12.3
BitComet 0.70
BitTorrent 4.0.4
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
I would recommend that you uninstall LimeWire PRO, BitComet and BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.
: Malwarebytes' Anti-Malware :
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
  - Update Malwarebytes' Anti-Malware
  - and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
: Download and Run DSS :
Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
:Run Kaspersky Online AV Scanner:
In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
- Read the Requirements and limitations before you click Accept.
- Allow the ActiveX download if necessary.
- Once the database has downloaded, click Next.
- Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
- Click on "My Computer"
- When the scan has completed, click Save Report As...
- Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
- Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply.
:information and logs:
In your next post I need the following:
1. log from malwarebytes
2. log from DSS
3. log from kaspersky
4. new log from hijackthis
Gringo
Malwarebytes' Anti-Malware 1.11
Database version: 612
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 123826
Time elapsed: 1 hour(s), 35 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Main.txt
Deckard's System Scanner v20071014.68
Run by Mark on 2008-04-14 21:27:02
Computer is in Normal Mode.
-- System Restore
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
8: 2008-04-14 13:27:10 UTC - RP8 - Deckard's System Scanner Restore Point
7: 2008-04-12 16:19:27 UTC - RP7 - Spyware Doctor: Cleaning Threats
6: 2008-04-12 15:40:15 UTC - RP6 - RegRun Virus Scan
5: 2008-04-10 11:10:42 UTC - RP5 - RegRun Virus Scan
4: 2008-04-10 11:10:16 UTC - RP4 - RegRun Virus Scan
-- First Restore Point --
1: 2008-04-07 14:38:39 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Mark.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:52 PM, on 4/14/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\ALaunch\ALaunch.exe
C:\Program Files\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\WinKey\WinKey.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Mark\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mark.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [App Launcher] C:\Program Files\ALaunch\ALaunch.exe
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: WinKey.lnk = C:\Program Files\WinKey\WinKey.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203693971215
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 12191 bytes
-- File Associations
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek MMKey>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 Partizan - c:\windows\system32\drivers\partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>
S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 pgfilter - c:\program files\peerguardian2\pgfilter.sys
S3 RegGuard - c:\windows\system32\drivers\regguard.sys <Not Verified; Greatis Software; RegRun Security Suite>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer eManager for Notebook>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
-- Device Manager: Disabled
No disabled devices found.
-- Scheduled Tasks
2008-04-14 01:02:02 252 --a C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-04-01 01:00:14 330 --a C:\WINDOWS\Tasks\McQcTask.job
2008-03-20 14:45:22 284 --a C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-15 06:34:06 338 --a C:\WINDOWS\Tasks\McDefragTask.job
-- Files created between 2008-03-14 and 2008-04-14
2008-04-14 21:26:15 0 d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 21:26:12 0 d C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 21:26:09 0 d C:\WINDOWS\LastGood
2008-04-13 00:41:00 30946 --a C:\WINDOWS\system32\drivers\Partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>
2008-04-13 00:25:24 0 d C:\Program Files\Trend Micro
2008-04-11 20:29:22 0 d C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-04-11 20:29:17 0 d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 20:29:16 0 d C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 20:28:59 0 d C:\Program Files\Common Files\Download Manager
2008-04-10 10:30:39 25773 --a C:\WINDOWS\system32\drivers\regguard.sys <Not Verified; Greatis Software; RegRun Security Suite>
2008-04-10 10:29:57 25088 --a C:\WINDOWS\system32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite, UnHackMe>
2008-04-10 10:29:55 0 d C:\Documents and Settings\Mark\Application Data\Regrun
2008-04-10 10:29:55 0 d C:\backreg
2008-04-10 10:27:35 16384 --a C:\WINDOWS\WinBait.exe
2008-04-10 10:27:35 441856 --a C:\WINDOWS\RunGuard.exe <Not Verified; Greatis Software; RegRun Security Suite>
2008-04-10 10:27:22 0 d C:\Program Files\Greatis
2008-04-07 22:24:32 0 d C:\Program Files\Spyware Doctor
2008-04-07 22:24:32 0 d C:\Documents and Settings\Mark\Application Data\PC Tools
2008-04-07 20:05:52 0 d C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 19:48:36 63 --a C:\WINDOWS\system\SysSD.dll
2008-04-06 19:48:06 0 d C:\Program Files\SpywareDetector
2008-04-06 17:06:50 0 d C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-06 17:05:02 0 d C:\Documents and Settings\Mark\Application Data\Nokia
2008-04-06 17:04:57 0 d C:\Program Files\DIFX
2008-04-06 17:04:29 0 d C:\Program Files\Common Files\PCSuite
2008-04-06 17:04:28 0 d C:\Program Files\Common Files\Nokia
2008-04-06 17:04:11 0 d C:\Documents and Settings\Mark\Application Data\PC Suite
2008-04-06 17:04:03 0 d C:\Program Files\PC Connectivity Solution
2008-04-06 17:03:41 0 d C:\Program Files\Nokia
2008-04-06 17:02:50 0 d C:\Documents and Settings\All Users\Application Data\Installations
2008-04-05 21:48:55 0 d C:\Temp
2008-03-22 18:24:37 0 d C:\Documents and Settings\Mark\Application Data\ArcSoft
2008-03-21 09:21:00 0 d C:\Program Files\Sports Interactive
2008-03-20 14:51:13 0 d C:\Program Files\Safari
2008-03-16 21:56:45 0 d C:\Documents and Settings\Mark\Application Data\Sports Interactive
2008-03-16 21:47:04 0 d C:\Documents and Settings\Mark\Application Data\DAEMON Tools Pro
2008-03-16 16:59:19 685816 --a C:\WINDOWS\system32\drivers\sptd.sys
2008-03-16 00:47:44 0 dr-h C:\Documents and Settings\Mark\Application Data\SecuROM
2008-03-16 00:44:04 0 d--h C:\Program Files\Zero G Registry
2008-03-16 00:43:51 0 d--h C:\Documents and Settings\Mark\InstallAnywhere
2008-03-15 17:27:20 0 d C:\Documents and Settings\Mark\Application Data\Apple Computer
2008-03-15 17:27:00 0 d C:\Program Files\iPod
2008-03-15 17:26:53 0 d C:\Program Files\iTunes
2008-03-15 17:25:14 0 d C:\Program Files\QuickTime
2008-03-15 17:24:41 0 d C:\Program Files\Apple Software Update
2008-03-15 17:23:37 0 d C:\Program Files\Common Files\Apple
2008-03-15 17:23:36 0 d C:\Documents and Settings\All Users\Application Data\Apple
-- Find3M Report
2008-04-14 01:20:42 12 --a C:\WINDOWS\bthservsdp.dat
2008-03-13 21:09:10 0 d C:\Documents and Settings\Mark\Application Data\Lingoes
2008-03-13 21:09:00 0 d C:\Program Files\Lingoes
2008-03-12 23:04:36 0 d C:\Program Files\Plagiarism Scanner
2008-03-12 22:27:34 0 d--h C:\Program Files\InstallJammer Registry
2008-03-12 21:38:42 0 d C:\Documents and Settings\Mark\Application Data\NewSoft
2008-03-09 22:18:44 0 d C:\Documents and Settings\Mark\Application Data\Canon
2008-03-07 21:28:08 0 d C:\Program Files\Any Capture Screen
2008-03-07 01:02:28 0 d C:\Documents and Settings\Mark\Application Data\Help
2008-03-05 00:24:02 0 d C:\Program Files\PowerISO
2008-02-28 08:18:52 0 d C:\Program Files\Recover My Files
2008-02-27 19:38:52 0 d C:\Program Files\SmartUndelete
2008-02-27 18:06:18 0 d C:\Program Files\Common Files\SecureAction Shared
2008-02-27 18:06:16 0 d C:\Program Files\AEP2008 Pro
2008-02-27 18:05:34 0 d C:\Documents and Settings\Mark\Application Data\Blancco
2008-02-27 14:59:24 0 d C:\Program Files\Common Files\Blancco
2008-02-27 14:54:26 0 d C:\Program Files\Blancco
2008-02-26 08:04:44 0 d C:\Program Files\McAfee.com
2008-02-26 08:04:38 0 d C:\Program Files\Common Files\McAfee
2008-02-26 08:04:34 0 d C:\Program Files\McAfee
2008-02-26 07:33:00 4212 ---h C:\WINDOWS\system32\zllictbl.dat
2008-02-25 21:30:08 0 d C:\Documents and Settings\Mark\Application Data\LimeWire
2008-02-25 00:44:42 0 d C:\Documents and Settings\Mark\Application Data\Desktop Sidebar
2008-02-24 20:36:32 0 d C:\Program Files\Common Files\Macrovision Shared
2008-02-24 20:34:16 0 d C:\Documents and Settings\Mark\Application Data\Sun
2008-02-24 07:52:42 0 d C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-24 07:36:16 0 d C:\Program Files\MSXML 4.0
2008-02-23 12:49:30 0 d C:\Program Files\Launch Manager
2008-02-23 12:48:08 0 d C:\Program Files\ATI Technologies
2008-02-23 09:15:28 0 d C:\Documents and Settings\Mark\Application Data\ACD Systems
2008-02-23 08:48:30 0 d C:\Documents and Settings\Mark\Application Data\.bittorrent
2008-02-23 08:46:30 0 d C:\Documents and Settings\Mark\Application Data\AdobeUM
2008-02-23 00:25:08 0 d C:\Program Files\Common Files\PDFView
2008-02-23 00:25:04 0 d C:\Program Files\NewSoft
2008-02-23 00:22:34 0 d C:\Documents and Settings\Mark\Application Data\ScanSoft
2008-02-23 00:22:20 0 d C:\Program Files\Common Files\ScanSoft Shared
2008-02-23 00:21:44 0 d C:\Program Files\ScanSoft
2008-02-23 00:20:10 0 d C:\Program Files\ArcSoft
2008-02-23 00:19:20 0 d C:\Program Files\Common Files\CANON
2008-02-23 00:18:08 0 d--h C:\Program Files\CanonBJ
2008-02-23 00:10:08 0 d C:\Program Files\Canon
2008-02-22 23:30:22 0 d C:\Program Files\Windows Live Toolbar
2008-02-22 23:19:36 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-22 23:19:24 0 d C:\Program Files\Windows Live
2008-02-22 23:02:58 2508 --a C:\Documents and Settings\Mark\Application Data\$_hpcst$.hpc
2008-02-22 22:59:08 0 d C:\Program Files\Lavasoft
2008-02-22 22:58:34 0 d C:\Program Files\SiteAdvisor
2008-02-22 22:58:28 0 d C:\Documents and Settings\Mark\Application Data\SiteAdvisor
2008-02-22 22:56:02 0 d C:\Documents and Settings\Mark\Application Data\Macromedia
2008-02-22 22:47:32 0 d C:\Program Files\Xilisoft
2008-02-22 22:43:58 0 d C:\Documents and Settings\Mark\Application Data\Ahead
2008-02-22 22:41:32 0 d C:\Program Files\Nero
2008-02-22 22:41:32 0 d C:\Program Files\Common Files\Ahead
2008-02-22 22:41:24 10840 --a C:\WINDOWS\system32\SpoonUninstall-dMC Power Pack.dat
2008-02-22 22:41:24 164352 --a C:\WINDOWS\system32\SpoonUninstall.exe
2008-02-22 22:41:06 0 d C:\Program Files\Illustrate
2008-02-22 22:38:00 0 d C:\Program Files\BitTorrent
2008-02-22 22:37:40 0 d C:\Program Files\LimeWire
2008-02-22 22:37:30 0 d C:\Program Files\BitComet
2008-02-22 22:36:30 0 d C:\Program Files\Common Files\ACD Systems
2008-02-22 22:36:30 0 d C:\Program Files\ACD Systems
2008-02-22 22:34:50 0 d C:\Documents and Settings\Mark\Application Data\Adobe
2008-02-22 22:34:46 0 d C:\Program Files\Common Files\Adobe Systems Shared
2008-02-22 22:32:02 0 d C:\Program Files\Common Files\Adobe
2008-02-22 22:29:00 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 22:28:24 0 d C:\Program Files\Java
2008-02-22 22:28:24 0 d C:\Program Files\Common Files\Java
2008-02-22 22:28:18 0 d C:\Program Files\WinKey
2008-02-22 22:27:58 0 d C:\Program Files\SysShield Tools
2008-02-22 22:27:46 0 d C:\Program Files\PeerGuardian2
2008-02-22 22:27:22 0 d C:\Documents and Settings\Mark\Application Data\HDD Thermometer
2008-02-22 22:27:02 0 d C:\Program Files\Extension Changer
2008-02-22 22:22:56 0 d C:\Program Files\Common Files\L&H
2008-02-22 22:22:34 0 d C:\Program Files\Microsoft ActiveSync
2008-02-22 22:22:12 0 d C:\Program Files\Microsoft Works
2008-02-22 22:21:56 0 d C:\Program Files\Microsoft.NET
2008-02-22 22:19:06 0 d C:\Documents and Settings\Mark\Application Data\Kingsoft
2008-02-22 22:17:58 0 d C:\Program Files\Common Files\kingsoft
2008-02-22 22:17:54 0 d C:\Program Files\Kingsoft
2008-02-22 22:15:36 0 d C:\Program Files\ALaunch
2008-02-22 22:15:18 0 d C:\Program Files\Innovative Solutions
2008-02-22 22:14:22 0 d C:\Documents and Settings\Mark\Application Data\XemiComputers
2008-02-22 22:14:10 0 d C:\Program Files\XemiComputers
2008-02-22 22:05:14 0 d C:\Program Files\Nevo
2008-02-22 22:00:24 0 d C:\Program Files\MediaFACE
2008-02-22 21:40:14 4233 --a C:\WINDOWS\CLEANUP.CMD
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
11/26/2007 10:46 AM 324936 --a c:\PROGRA~1\mcafee\msk\mcapbho.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [05/20/2004 07:57 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/20/2004 07:57 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [12/01/2007 12:27 AM C:\WINDOWS\system32\bthprops.cpl]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [07/14/2004 02:19 PM]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [09/01/2004 05:38 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/14/2007 02:05 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [12/12/2000 07:56 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [05/28/2007 04:31 PM]
"App Launcher"="C:\Program Files\ALaunch\ALaunch.exe" [03/28/2000 02:32 PM]
"RSD_HDDThermo"="C:\Program Files\HDD Thermometer.exe" [04/12/2004 09:50 AM]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [12/01/2007 12:26 AM]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [02/13/2008 05:12 PM]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [02/13/2008 05:10 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinKey.lnk - C:\Program Files\WinKey\WinKey.exe [2/22/2008 10:28:20 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [11/02/2004 09:15 AM 368711]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=C:\WINDOWS\pss\NevoMedia Server.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Thoosje Vista Sidebar.lnk]
path=C:\Documents and Settings\Mark\Start Menu\Programs\Startup\Thoosje Vista Sidebar.lnk
backup=C:\WINDOWS\pss\Thoosje Vista Sidebar.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyCaptureScreen]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
"C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
DevDetect.exe -autorun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lingoes]
C:\Program Files\Lingoes\Translator2\Lingoes.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\Program Files\Launch Manager\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
"C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00bbfbf2-eb8b-11dc-a5a4-000e358229d5}]
1\Command- syssetup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1704c410-f6e6-11dc-8d8b-000e358229d5}]
1\Command- syssetup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cb42e90-056c-11dd-8dab-000e358229d5}]
1\Command- F:\syssetup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{804de9f1-e1c9-11dc-a588-806d6172696f}]
1\Command- syssetup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
-- End of Deckard's System Scanner: finished at 2008-04-14 21:30:32
Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
-- System Information
Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) M processor 1.60GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 1278.42 MiB / 660.62 MiB
Pagefile Memory (total/avail): 3053.34 MiB / 2344.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.27 MiB
C: is Fixed (FAT32) - 34.52 GiB total, 9.37 GiB free.
D: is Fixed (NTFS) - 40 GiB total, 8.12 GiB free.
E: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - TOSHIBA MK8025GAS - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 34.53 GiB - C:
\PARTITION1 - Extended Partition - 40 GiB - D:
-- Security Center
AUOptions is scheduled to auto-install.
-- Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mark\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MARKG
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mark
LOGONSERVER=\\MARKG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mark\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mark\LOCALS~1\Temp
USERDOMAIN=MARKG
USERNAME=Mark
USERPROFILE=C:\Documents and Settings\Mark
windir=C:\WINDOWS
-- User Profiles
Mark (admin)
-- Add/Remove Programs
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{329899E1-CBBA-49BC-9FFE-199E94316727}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AbsoluteShield File Shredder --> "C:\Program Files\SysShield Tools\File Shredder\unins000.exe"
ACDSee 10 Photo Manager --> MsiExec.exe /I{F8B98EB6-FC06-45BF-87D4-9784E0408611}
ACDSee Pro 2 --> MsiExec.exe /I{4AAC95F4-A30E-4EE5-A086-6F79581D0D70}
Acer eManager for Notebook --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{827289F5-B44F-4E49-9993-840741585A62}
Acer ePowerManagement --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Active Desktop Calendar 7.0 --> "C:\Program Files\XemiComputers\Active Desktop Calendar\unins000.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Advanced Encryption Package 2008 Professional --> "C:\Program Files\AEP2008 Pro\unins000.exe"
Advanced Uninstaller PRO 2005 - version 7 --> "C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2005 version 7\unins000.exe"
Any Capture 3.12 Build 3121 --> "C:\Program Files\Any Capture Screen\unins000.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BitComet 0.70 --> C:\Program Files\BitComet\uninst.exe
BitTorrent 4.0.4 --> "C:\Program Files\BitTorrent\uninstall.exe"
Blancco - File Shredder --> "C:\Documents and Settings\All Users\Application Data\{BED24E2B-C79C-4948-863F-D211FD6088AA}\Blancco_File_Shredder.exe" REMOVE=TRUE MODIFY=FALSE
Blancco - File Shredder --> C:\Documents and Settings\All Users\Application Data\{BED24E2B-C79C-4948-863F-D211FD6088AA}\Blancco_File_Shredder.exe
Canon CanoScan Toolbox 5.0 --> "C:\Program Files\Canon\CanoScan Toolbox Ver5.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\CanoScan Toolbox Ver5.0\uninst.ini
Canon PhotoRecord --> MsiExec.exe /X{D958FAC4-BAE0-4B1D-A42E-DE9BFDE7DDEE}
Canon PIXMA iP1000 --> C:\WINDOWS\system32\CNMCP6e.exe "-PRINTERNAMECanon PIXMA iP1000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000 Installer\Inst2\cnmi0409.dll"
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\WINDOWS\BJPSUNST.EXE
CanoScan LiDE 70 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2411\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2411 /L0x0009
Conexant AC-Link Audio --> CIAunwdm.exe
dMC Power Pack --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dMC Power Pack.dat
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Extension Changer --> C:\Program Files\Extension Changer\extuninstall.exe
Fellowes/NEATO MediaFACE --> C:\PROGRA~1\MEDIAF~1\UNWISE.EXE C:\PROGRA~1\MEDIAF~1\INSTALL.LOG
FinePrint --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpinst5.exe /uninstall
Football Manager 2008 --> "C:\Program Files\Sports Interactive\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Launch Manager --> C:\WINDOWS\UnInst32.exe QtZgAcer.UNI
LimeWire PRO 4.12.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Lingoes 2.2.0 --> "C:\Program Files\Lingoes\Translator2\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mobile Media for PC --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{AF4EBCC6-C85F-4159-8B96-5EF47AA4F4F7}
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
Nero 7 Ultra Edition --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Nokia_PC_Suite_rel_6_85_14_1_eng_web.exe
Nokia PC Suite --> MsiExec.exe /I{29466F9C-7C6A-419C-B301-F440FAF78760}
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Powerword 2005 --> MsiExec.exe /I{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}
Presto! PageManager 7.15.14 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}\PMSetup.exe" -l0x9 anything -removeonly
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Recover My Files --> "C:\Program Files\Recover My Files\unins000.exe"
RegRun Security Suite Gold --> C:\Program Files\Greatis\RegRunSuite\R3UR.exe
Safari --> MsiExec.exe /I{0AFC9710-5DD6-4C6A-BA52-91AE992B2C9D}
ScanSoft OmniPage SE 4.0 --> MsiExec.exe /I{C1E693A4-B1D5-4DCD-B68D-2087835B7184}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SmartUndelete --> "C:\Program Files\SmartUndelete\unins000.exe"
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_00641025\HXFSETUP.EXE -U -Iqta00645.inf
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{23C7348E-131C-4BFF-9763-2C804D6B87AE}
Unlocker 1.8.6 --> C:\Program Files\Unlocker\uninst.exe
Viper Client --> MsiExec.exe /I{03CC6D47-6D13-4DEB-B7EB-F8635CB51FAB}
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_1EB5F2E6F54A6BEDE9F436D1BA5D830FC71739BE\nokbtmdm.inf
Windows Driver Package - Nokia Modem (10/12/2007 3.6) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinKey --> C:\WINDOWS\uninst.exe -f"C:\Program Files\WinKey\DeIsL1.isu" -c"C:\Program Files\WinKey\_ISREG32.DLL"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Event Record #/Type657 / Error
Event Submitted/Written: 04/10/2008 07:28:03 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application LSUpdateManager.exe, version 7.0.2.6, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Event Record #/Type607 / Warning
Event Submitted/Written: 04/04/2008 08:40:36 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'EXCELFiles' failed during request for component '{A2B280D4-20FB-4720-99F7-40C09FBCE10A}'
Event Record #/Type606 / Warning
Event Submitted/Written: 04/04/2008 08:40:36 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'EXCELFiles', component '{43A46B81-37A6-11D2-AA89-00A0C90F57B0}' failed. The resource 'C:\Program Files\Microsoft Office\OFFICE11\XLSTART\' does not exist.
Event Record #/Type604 / Warning
Event Submitted/Written: 04/04/2008 08:12:34 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'EXCELFiles' failed during request for component '{A2B280D4-20FB-4720-99F7-40C09FBCE10A}'
Event Record #/Type603 / Warning
Event Submitted/Written: 04/04/2008 08:12:34 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'EXCELFiles', component '{43A46B81-37A6-11D2-AA89-00A0C90F57B0}' failed. The resource 'C:\Program Files\Microsoft Office\OFFICE11\XLSTART\' does not exist.
-- Security Event Log
No Errors/Warnings found.
-- System Event Log
Event Record #/Type8961 / Warning
Event Submitted/Written: 04/14/2008 09:19:39 PM
Event ID/Source: 825 / Rasman
Event Description:
The Network Access Protection (NAP) enforcement client failed to register with the Network Access Protection Agent (NAPAgent) service. Some network services or resources might not be available. If the problem persists, disconnect and retry the remote access connection or contact the administrator for the remote access server.
Event Record #/Type8960 / Error
Event Submitted/Written: 04/14/2008 09:19:39 PM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
Event Record #/Type8947 / Error
Event Submitted/Written: 04/14/2008 09:19:06 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
IKFileSec
Event Record #/Type8944 / Error
Event Submitted/Written: 04/14/2008 09:18:34 PM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
Event Record #/Type8943 / Error
Event Submitted/Written: 04/14/2008 09:18:30 PM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
-- End of Deckard's System Scanner: finished at 2008-04-14 21:30:32
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 15, 2008 7:44:01 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3, v.3264 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/04/2008
Kaspersky Anti-Virus database records: 703811
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 94922
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:38:23
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\Temp\mcmsc_IMtaUPwvDlEGMDN Object is locked skipped
C:\WINDOWS\Temp\sqlite_66a68u4NqytVI2N Object is locked skipped
C:\WINDOWS\Temp\sqlite_psCl5BDblWPtMsr Object is locked skipped
C:\WINDOWS\Temp\sqlite_gHYp8XektHqjJLM Object is locked skipped
C:\WINDOWS\Temp\mcmsc_NMfj2YEFvLRIKcb Object is locked skipped
C:\WINDOWS\Temp\mcmsc_di5VxytJBNmAFap Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{862BE6A7-1D13-4780-82C2-0B99C1EEA778}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR7.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{C6EA225A-EAAA-4006-B027-F4BE300189AF}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mark\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Temp\~DFAFE.tmp Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Temp\sqlite_rurS1EC1tqbOwan Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\WJ7IA3S4\Download_mbam-setup[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\B5N54KQ9\bind[2].htm Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mark\My Documents\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Mark\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mark\Application Data\XemiComputers\Active Desktop Calendar\Data\Active Desktop Calendar.xdat Object is locked skipped
C:\Documents and Settings\Mark\Application Data\XemiComputers\Active Desktop Calendar\Log\ADCLog.log Object is locked skipped
C:\Documents and Settings\Mark\Application Data\XemiComputers\Active Desktop Calendar\Log\ADC Errors Log.txt Object is locked skipped
C:\Documents and Settings\Mark\Application Data\XemiComputers\Active Desktop Calendar\Log\ADC Internet Errors Log.txt Object is locked skipped
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC World Clock.scr Infected: not-a-virus:Monitor.Win32.KeyPressHooker.f skipped
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP5\A0000251.exe/file005 Infected: not-a-virus:FraudTool.Win32.SpywareDetector.e skipped
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP5\A0000251.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP8\change.log Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Mark\LOCALS~1\Temp\~DF25D6.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Mark\LOCALS~1\Temp\~DF25E3.tmp Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP8\change.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:59 AM, on 4/15/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\ALaunch\ALaunch.exe
C:\Program Files\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\WinKey\WinKey.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Canon\CanoScan Toolbox Ver5.0\CSTBox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [App Launcher] C:\Program Files\ALaunch\ALaunch.exe
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: WinKey.lnk = C:\Program Files\WinKey\WinKey.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203693971215
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 11804 bytes
:combofix:
Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
This allows us to more easily help you should your computer have a problem after an attempted removal of malware,
and will only take a few moments of your time.
After ensuring the Recovery Console is installed on your system...
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Double click on ComboFix.exe & follow the prompts.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleaning the system:
:information and logs:
In your next post I need the following
1. C:\CF_RC.txt
2. C:\ComboFix.txt
3. New HijackThis log
Gringo
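As an added example (not from the original thread, and not part of HijackThis, ComboFix or any other tool named in it), here is a small Python triage pass over log lines in the format of the HijackThis log posted above. The sample lines are constructed for the example, and the flagging rules are heuristics assumed here, not a malware verdict: an O2/O3 entry whose file is missing, O4 Run entries under the SYSTEM or Default user hives, autostarts launched from the root of %WINDIR% or from system32 outside a small allow-list, every O16 ActiveX download, and O23 services with no vendor string.

```python
"""Triage pass over Trend Micro HijackThis 2.0.x log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or
any vendor tool. It parses the O2/O3/O4/O16/O23 line shapes that appear in
the posted log and flags entries a responder would look at first. The
flagging rules (SYSTEM_HIVES, the %WINDIR% / system32 checks and the
KNOWN_SYSTEM32_AUTOSTARTS allow-list) are heuristics assumed by this
example, not a verdict on any file.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the same shape as the posted log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in .exe, quoted or not (paths may contain spaces).
IMAGE_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

WINDIR = "c:\\windows\\"
SYSTEM32 = WINDIR + "system32\\"
# Assumed allow-list: Windows binaries that normally autostart from system32 on XP.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe"}
# Run keys that execute as SYSTEM or for every new profile (HijackThis "HKUS" lines).
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def image_path(body: str):
    """Return the executable path launched by an O4 entry, or None."""
    m = IMAGE_RE.search(body)
    return m.group(1) if m else None


def triage(log_text: str) -> list:
    """Return the entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes:" block, blanks
        section, body = m.group("section"), m.group("body")

        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(section, "orphaned BHO/toolbar CLSID, file missing", line))

        elif section == "O4":
            if body.startswith(SYSTEM_HIVES):
                findings.append(Finding(section, "Run entry under SYSTEM/Default user hive", line))
            path = image_path(body)
            low = path.lower() if path else ""
            if low.startswith(WINDIR) and "\\" not in low[len(WINDIR):]:
                findings.append(Finding(section, "autostart directly from %WINDIR%", line))
            elif low.startswith(SYSTEM32) and low.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append(Finding(section, "autostart from system32 not on allow-list", line))

        elif section == "O16":
            u = URL_RE.search(body)
            host = urlparse(u.group(0)).hostname if u else "unknown host"
            findings.append(Finding(section, f"ActiveX download (DPF) from {host}", line))

        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with no vendor string", line))
    return findings


def count_by_section(findings) -> dict:
    """Histogram of findings per HijackThis section, e.g. {'O4': 2}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

A hit is a prompt to look at the file, not a verdict. In the posted log, for instance, the Run key name itself says RegRun WinBait, and the ComboFix file list shows C:\WINDOWS\WinBait.exe arriving at the same minute as C:\Program Files\Greatis, so the %WINDIR% hit there is explained by the RegRun install rather than by malware.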
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.791 [GMT 8:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.
2008-04-19 11:22 . 2008-04-19 11:22 <DIR> d C:\Documents and Settings\Mark\Application Data\McAfee
2008-04-18 00:55 . 2008-04-18 00:55 <DIR> d C:\Documents and Settings\Mark\Application Data\Nokia Multimedia Player
2008-04-17 15:16 . 2008-04-19 11:19 54,156 --ah C:\WINDOWS\QTFont.qfn
2008-04-17 15:16 . 2008-04-17 15:16 1,409 --a C:\WINDOWS\QTFont.for
2008-04-17 15:15 . 2008-04-17 15:15 <DIR> d C:\Program Files\iTunes
2008-04-17 15:15 . 2008-04-17 15:15 <DIR> d C:\Program Files\iPod
2008-04-17 15:13 . 2008-04-17 15:13 <DIR> d C:\Program Files\QuickTime
2008-04-17 14:47 . 2008-04-17 14:47 <DIR> d C:\Program Files\Apple Software Update
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d C:\Deckard
2008-04-13 00:41 . 2008-04-13 00:41 30,946 --a C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-13 00:25 . 2008-04-13 00:25 <DIR> d C:\Program Files\Trend Micro
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 20:28 . 2008-04-11 20:29 <DIR> d C:\Program Files\Common Files\Download Manager
2008-04-10 18:57 . 2008-04-19 01:57 77 --a C:\WINDOWS\lsoon.ini
2008-04-10 10:30 . 2008-04-12 23:34 25,773 --a C:\WINDOWS\system32\drivers\regguard.sys
2008-04-10 10:30 . 2008-04-10 10:30 2 -rahs---- C:\WINDOWS\winstart.bat
2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d C:\Documents and Settings\Mark\Application Data\Regrun
2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d C:\backreg
2008-04-10 10:29 . 2008-04-10 10:29 25,088 --a C:\WINDOWS\system32\Partizan.exe
2008-04-10 10:27 . 2008-04-10 10:27 <DIR> d C:\Program Files\Greatis
2008-04-10 10:27 . 2008-02-13 11:41 441,856 --a C:\WINDOWS\RunGuard.exe
2008-04-10 10:27 . 2003-09-06 15:55 57,556 --a C:\WINDOWS\guard.bmp
2008-04-10 10:27 . 2000-12-12 19:56 16,384 --a C:\WINDOWS\WinBait.org
2008-04-10 10:27 . 2000-12-12 19:56 16,384 --a C:\WINDOWS\WinBait.exe
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d C:\Program Files\Spyware Doctor
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d C:\Documents and Settings\Mark\Application Data\PC Tools
2008-04-07 22:24 . 2007-12-10 14:53 81,288 --a C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-07 22:24 . 2007-12-10 14:53 66,952 --a C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-07 22:24 . 2008-02-01 12:55 42,376 --a C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-07 22:24 . 2007-12-10 14:53 29,576 --a C:\WINDOWS\system32\drivers\kcom.sys
2008-04-07 20:05 . 2008-04-07 20:05 <DIR> d C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 19:49 . 2008-04-06 19:49 0 --a C:\WINDOWS\system32\SDRemoveDB.db
2008-04-06 19:48 . 2008-04-06 19:48 <DIR> d C:\Program Files\SpywareDetector
2008-04-06 19:48 . 2008-04-06 19:48 63 --a C:\WINDOWS\system\SysSD.dll
2008-04-06 17:06 . 2008-04-06 17:06 <DIR> d C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-06 17:05 . 2008-04-06 17:05 <DIR> d C:\Documents and Settings\Mark\Application Data\Nokia
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d C:\Program Files\PC Connectivity Solution
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d C:\Program Files\DIFX
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d C:\Program Files\Common Files\PCSuite
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d C:\Program Files\Common Files\Nokia
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d C:\Documents and Settings\Mark\Application Data\PC Suite
2008-04-06 17:03 . 2008-04-06 17:03 <DIR> d C:\Program Files\Nokia
2008-04-06 17:03 . 2007-02-22 10:15 137,216 --a C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-06 17:03 . 2007-02-22 10:15 65,536 --a C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-06 17:03 . 2007-02-22 10:15 12,288 --a C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-06 17:03 . 2007-02-22 10:15 12,288 --a C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-06 17:03 . 2007-02-22 10:15 8,320 --a C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-06 17:02 . 2008-04-06 17:02 <DIR> d C:\Documents and Settings\All Users\Application Data\Installations
2008-04-05 21:48 . 2008-04-05 21:48 <DIR> d C:\Temp
2008-04-01 06:01 . 2008-04-01 06:02 10,593 --a C:\WINDOWS\CSTBox.INI
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a
C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a
C:\WINDOWS\system32\QuickTime.qts
2008-03-22 18:24 . 2008-03-22 18:24 <DIR> d
C:\Documents and Settings\Mark\Application Data\ArcSoft
2008-03-21 09:21 . 2008-03-21 09:21 <DIR> d
C:\Program Files\Sports Interactive
2008-03-20 14:51 . 2008-03-20 14:51 <DIR> d
C:\Program Files\Safari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 13:56 d-----w C:\Documents and Settings\Mark\Application Data\Sports Interactive
2008-03-16 13:47 d-----w C:\Documents and Settings\Mark\Application Data\DAEMON Tools Pro
2008-03-16 08:59 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-15 16:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-15 16:47 d--h--r C:\Documents and Settings\Mark\Application Data\SecuROM
2008-03-15 16:44 d--h--w C:\Program Files\Zero G Registry
2008-03-15 09:27 d-----w C:\Documents and Settings\Mark\Application Data\Apple Computer
2008-03-15 09:23 d-----w C:\Program Files\Common Files\Apple
2008-03-15 09:23 d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-13 13:09 d-----w C:\Program Files\Lingoes
2008-03-13 13:09 d-----w C:\Documents and Settings\Mark\Application Data\Lingoes
2008-03-12 15:38 d-----w C:\Documents and Settings\All Users\Application Data\Viper
2008-03-12 15:04 d-----w C:\Program Files\Plagiarism Scanner
2008-03-12 14:27 d--h--w C:\Program Files\InstallJammer Registry
2008-03-12 13:38 d-----w C:\Documents and Settings\Mark\Application Data\NewSoft
2008-03-09 14:18 d-----w C:\Documents and Settings\Mark\Application Data\Canon
2008-03-07 13:28 d-----w C:\Program Files\Any Capture Screen
2008-03-07 13:09 d-----w C:\Program Files\Unlocker
2008-03-06 00:31 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-04 16:24 d-----w C:\Program Files\PowerISO
2008-02-28 00:18 d-----w C:\Program Files\Recover My Files
2008-02-27 11:38 d-----w C:\Program Files\SmartUndelete
2008-02-27 10:06 d-----w C:\Program Files\Common Files\SecureAction Shared
2008-02-27 10:06 d-----w C:\Program Files\AEP2008 Pro
2008-02-27 10:05 d-----w C:\Documents and Settings\Mark\Application Data\Blancco
2008-02-27 06:59 d--h--w C:\Documents and Settings\All Users\Application Data\{BED24E2B-C79C-4948-863F-D211FD6088AA}
2008-02-27 06:59 d-----w C:\Program Files\Common Files\Blancco
2008-02-27 06:54 d-----w C:\Program Files\Blancco
2008-02-26 00:04 d-----w C:\Program Files\McAfee.com
2008-02-26 00:04 d-----w C:\Program Files\McAfee
2008-02-26 00:04 d-----w C:\Program Files\Common Files\McAfee
2008-02-25 13:30 d-----w C:\Documents and Settings\Mark\Application Data\LimeWire
2008-02-24 16:44 d-----w C:\Documents and Settings\Mark\Application Data\Desktop Sidebar
2008-02-24 12:36 d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-24 12:36 d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-23 23:52 d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-23 23:36 d-----w C:\Program Files\MSXML 4.0
2008-02-23 04:49 d-----w C:\Program Files\Launch Manager
2008-02-23 04:48 d-----w C:\Program Files\ATI Technologies
2008-02-23 01:15 d-----w C:\Documents and Settings\Mark\Application Data\ACD Systems
2008-02-23 01:14 d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-23 00:48 d-----w C:\Documents and Settings\Mark\Application Data\.bittorrent
2008-02-23 00:46 d-----w C:\Documents and Settings\Mark\Application Data\AdobeUM
2008-02-22 16:25 d-----w C:\Program Files\NewSoft
2008-02-22 16:25 d-----w C:\Program Files\Common Files\PDFView
2008-02-22 16:22 d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-02-22 16:22 d-----w C:\Documents and Settings\Mark\Application Data\ScanSoft
2008-02-22 16:22 d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-02-22 16:22 d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-22 16:21 d-----w C:\Program Files\ScanSoft
2008-02-22 16:20 d-----w C:\Program Files\ArcSoft
2008-02-22 16:19 d-----w C:\Program Files\Common Files\CANON
2008-02-22 16:18 d--h--w C:\Program Files\CanonBJ
2008-02-22 16:10 d-----w C:\Program Files\Canon
2008-02-22 15:30 d-----w C:\Program Files\Windows Live Toolbar
2008-02-22 15:19 d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-22 15:19 d-----w C:\Program Files\Windows Live
2008-02-22 15:19 d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-22 14:59 d-----w C:\Program Files\Lavasoft
2008-02-22 14:59 d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-22 14:58 d-----w C:\Program Files\SiteAdvisor
2008-02-22 14:58 d-----w C:\Documents and Settings\Mark\Application Data\SiteAdvisor
2008-02-22 14:58 d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-22 14:58 d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-22 14:58 d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-22 14:47 d-----w C:\Program Files\Xilisoft
2008-02-22 14:43 d-----w C:\Documents and Settings\Mark\Application Data\Ahead
2008-02-22 14:41 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-02-22 14:41 d-----w C:\Program Files\Nero
2008-02-22 14:41 d-----w C:\Program Files\Illustrate
2008-02-22 14:41 d-----w C:\Program Files\Common Files\Ahead
2008-02-22 14:38 d-----w C:\Program Files\BitTorrent
2008-02-22 14:37 d-----w C:\Program Files\LimeWire
2008-02-22 14:37 d-----w C:\Program Files\BitComet
2008-02-22 14:36 d-----w C:\Program Files\Common Files\ACD Systems
2008-02-22 14:36 d-----w C:\Program Files\ACD Systems
2008-02-22 14:36 d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-02-22 14:35 d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-22 14:34 d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-22 14:32 d-----w C:\Program Files\Common Files\Adobe
2008-02-22 14:29 d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 14:28 d-----w C:\Program Files\WinKey
2008-02-22 14:28 d-----w C:\Program Files\Java
2008-02-22 14:28 d-----w C:\Program Files\Common Files\Java
2008-02-22 14:27 d-----w C:\Program Files\SysShield Tools
2008-02-22 14:27 d-----w C:\Program Files\PeerGuardian2
2008-02-22 14:27 d-----w C:\Program Files\Extension Changer
2008-02-22 14:27 d-----w C:\Documents and Settings\Mark\Application Data\HDD Thermometer
2008-02-22 14:26 d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-22 14:22 d-----w C:\Program Files\Microsoft Works
2008-02-22 14:22 d-----w C:\Program Files\Microsoft ActiveSync
2008-02-22 14:22 d-----w C:\Program Files\Common Files\L&H
2008-02-22 14:21 d-----w C:\Program Files\Microsoft.NET
2008-02-22 14:19 d-----w C:\Documents and Settings\Mark\Application Data\Kingsoft
2008-02-22 14:17 d-----w C:\Program Files\Kingsoft
2008-02-22 14:17 d-----w C:\Program Files\Common Files\kingsoft
2008-02-22 14:15 d-----w C:\Program Files\Innovative Solutions
2008-02-22 14:15 d-----w C:\Program Files\ALaunch
2008-02-22 14:14 d-----w C:\Program Files\XemiComputers
2008-02-22 14:14 d-----w C:\Documents and Settings\Mark\Application Data\XemiComputers
.
Sigcheck
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\system32\wininet.dll
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2004-08-03 22:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ie7\wininet.dll
2007-12-01 00:26 666112 e7f441cde6e418bb68fc700872c004a0 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_11.14.18.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-19 03:22:30 16,384 ----a-w C:\WINDOWS\assembly\GAC\Arbus.Interfacing.Library\1.0.0.27362__2be3a081d8c94867\Arbus.Interfacing.Library.dll
+ 2008-04-19 03:22:30 16,384 ----a-w C:\WINDOWS\assembly\GAC\ArbusApplicationController\1.0.2563.27362__da57d5d39b1d6dd8\ArbusApplicationController.dll
- 2008-04-19 00:56:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 03:17:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-05-28 16:31 3653632]
"App Launcher"="C:\Program Files\ALaunch\ALaunch.exe" [2000-03-28 14:32 25088]
"RSD_HDDThermo"="C:\Program Files\HDD Thermometer.exe" [2004-04-12 09:50 249856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [2008-02-13 17:12 356352]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [2008-02-13 17:10 312832]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57 532480]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2007-12-01 00:27 110592 C:\WINDOWS\system32\bthprops.cpl]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 14:19 151552]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 17:38 2876416]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-14 02:05 36640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [2000-12-12 19:56 16384]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinKey.lnk - C:\Program Files\WinKey\WinKey.exe [2008-02-22 22:28:20 99840]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [2004-11-02 09:15 368711]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=C:\WINDOWS\pss\NevoMedia Server.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Thoosje Vista Sidebar.lnk]
path=C:\Documents and Settings\Mark\Start Menu\Programs\Startup\Thoosje Vista Sidebar.lnk
backup=C:\WINDOWS\pss\Thoosje Vista Sidebar.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyCaptureScreen]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2004-08-25 13:27 65536 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 12:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-25 19:11 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 13:45 36040 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 09:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
--a------ 2005-09-19 22:42 487424 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-26 16:13 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lingoes]
--a------ 2008-02-29 04:06 1966080 C:\Program Files\Lingoes\Translator2\Lingoes.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2004-07-30 11:30 319488 C:\Program Files\Launch Manager\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-12-01 00:26 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 05:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2005-09-25 19:11 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-05-20 18:13 188416 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 13:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 08:35 20480 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24632:TCP"= 24632:TCP:BitComet 24632 TCP
"24632:UDP"= 24632:UDP:BitComet 24632 UDP
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2004-08-14 20:59]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2007-11-30 17:31]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 10:21]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-13 00:41]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-04-12 23:34]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00bbfbf2-eb8b-11dc-a5a4-000e358229d5}]
\Shell\1\Command - syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1704c410-f6e6-11dc-8d8b-000e358229d5}]
\Shell\1\Command - syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cb42e90-056c-11dd-8dab-000e358229d5}]
\Shell\1\Command - F:\syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{804de9f1-e1c9-11dc-a588-806d6172696f}]
\Shell\1\Command - syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
*Newly Created Service* - MBACKMONITOR
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 03:02:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-31 17:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-14 23:19:22 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-17 06:47:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 11:26:23
Windows 5.1.2600 Service Pack 3, v.3264 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
App Launcher = C:\Program Files\ALaunch\ALaunch.exe?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-19 11:26:51
ComboFix-quarantined-files.txt 2008-04-19 03:26:48
ComboFix2.txt 2008-04-19 03:14:38
Pre-Run: 10,731,552,768 bytes free
Post-Run: 10,718,445,568 bytes free
370 --- E O F --- 2008-04-10 02:37:01
Scan saved at 2:23:47 PM, on 4/19/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\ALaunch\ALaunch.exe
C:\Program Files\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WinKey\WinKey.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [App Launcher] C:\Program Files\ALaunch\ALaunch.exe
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: WinKey.lnk = C:\Program Files\WinKey\WinKey.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203693971215
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0190121208584357) (0190121208584357mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\019012~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 12251 bytes
please have all jumpdrives or external drives plugged in at the time of the fix
:disable Ad-Aware 2007:
First please disable Ad-Aware 2007 as it may interfere with repairs.
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
Save it to your desktop as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
:information and logs:
In your next post I need the following
1. Log from ComboFix
Gringo
ComboFix 08-04-18.3 - Mark 2008-04-20 11:20:53.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.781 [GMT 8:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
F:\syssetup.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.
2008-04-19 15:48 . 2008-04-19 15:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-04-19 11:22 . 2008-04-19 11:22 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\McAfee
2008-04-18 00:55 . 2008-04-18 00:55 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Nokia Multimedia Player
2008-04-17 15:16 . 2008-04-20 09:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 15:16 . 2008-04-17 15:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-17 15:15 . 2008-04-17 15:15 <DIR> d-------- C:\Program Files\iTunes
2008-04-17 15:15 . 2008-04-17 15:15 <DIR> d-------- C:\Program Files\iPod
2008-04-17 15:13 . 2008-04-17 15:13 <DIR> d-------- C:\Program Files\QuickTime
2008-04-17 14:47 . 2008-04-17 14:47 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\Deckard
2008-04-13 00:41 . 2008-04-13 00:41 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-13 00:25 . 2008-04-13 00:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 20:28 . 2008-04-11 20:29 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-10 18:57 . 2008-04-20 09:23 77 --a------ C:\WINDOWS\lsoon.ini
2008-04-10 10:30 . 2008-04-12 23:34 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-04-10 10:30 . 2008-04-10 10:30 2 -rahs---- C:\WINDOWS\winstart.bat
2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Regrun
2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d-------- C:\backreg
2008-04-10 10:29 . 2008-04-10 10:29 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-04-10 10:27 . 2008-04-10 10:27 <DIR> d-------- C:\Program Files\Greatis
2008-04-10 10:27 . 2008-02-13 11:41 441,856 --a------ C:\WINDOWS\RunGuard.exe
2008-04-10 10:27 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-04-10 10:27 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.org
2008-04-10 10:27 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.exe
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\PC Tools
2008-04-07 22:24 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-07 22:24 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-07 22:24 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-07 22:24 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-07 20:05 . 2008-04-07 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 19:49 . 2008-04-06 19:49 0 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-04-06 19:48 . 2008-04-06 19:48 <DIR> d-------- C:\Program Files\SpywareDetector
2008-04-06 19:48 . 2008-04-06 19:48 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-04-06 17:06 . 2008-04-06 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-06 17:05 . 2008-04-06 17:05 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Nokia
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Program Files\DIFX
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\PC Suite
2008-04-06 17:03 . 2008-04-06 17:03 <DIR> d-------- C:\Program Files\Nokia
2008-04-06 17:03 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-06 17:03 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-06 17:03 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-06 17:03 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-06 17:03 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-06 17:02 . 2008-04-06 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-05 21:48 . 2008-04-05 21:48 <DIR> d-------- C:\Temp
2008-04-01 06:01 . 2008-04-01 06:02 10,593 --a------ C:\WINDOWS\CSTBox.INI
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-22 18:24 . 2008-03-22 18:24 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\ArcSoft
2008-03-21 09:21 . 2008-03-21 09:21 <DIR> d-------- C:\Program Files\Sports Interactive
2008-03-20 14:51 . 2008-03-20 14:51 <DIR> d-------- C:\Program Files\Safari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 13:56 d-----w C:\Documents and Settings\Mark\Application Data\Sports Interactive
2008-03-16 13:47 d-----w C:\Documents and Settings\Mark\Application Data\DAEMON Tools Pro
2008-03-16 08:59 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-15 16:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-15 16:47 d--h--r C:\Documents and Settings\Mark\Application Data\SecuROM
2008-03-15 16:44 d--h--w C:\Program Files\Zero G Registry
2008-03-15 09:27 d-----w C:\Documents and Settings\Mark\Application Data\Apple Computer
2008-03-15 09:23 d-----w C:\Program Files\Common Files\Apple
2008-03-15 09:23 d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-13 13:09 d-----w C:\Program Files\Lingoes
2008-03-13 13:09 d-----w C:\Documents and Settings\Mark\Application Data\Lingoes
2008-03-12 15:38 d-----w C:\Documents and Settings\All Users\Application Data\Viper
2008-03-12 15:04 d-----w C:\Program Files\Plagiarism Scanner
2008-03-12 14:27 d--h--w C:\Program Files\InstallJammer Registry
2008-03-12 13:38 d-----w C:\Documents and Settings\Mark\Application Data\NewSoft
2008-03-09 14:18 d-----w C:\Documents and Settings\Mark\Application Data\Canon
2008-03-07 13:28 d-----w C:\Program Files\Any Capture Screen
2008-03-07 13:09 d-----w C:\Program Files\Unlocker
2008-03-06 00:31 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-04 16:24 d-----w C:\Program Files\PowerISO
2008-02-28 00:18 d-----w C:\Program Files\Recover My Files
2008-02-27 11:38 d-----w C:\Program Files\SmartUndelete
2008-02-27 10:06 d-----w C:\Program Files\Common Files\SecureAction Shared
2008-02-27 10:06 d-----w C:\Program Files\AEP2008 Pro
2008-02-27 10:05 d-----w C:\Documents and Settings\Mark\Application Data\Blancco
2008-02-27 06:59 d--h--w C:\Documents and Settings\All Users\Application Data\{BED24E2B-C79C-4948-863F-D211FD6088AA}
2008-02-27 06:59 d-----w C:\Program Files\Common Files\Blancco
2008-02-27 06:54 d-----w C:\Program Files\Blancco
2008-02-26 00:04 d-----w C:\Program Files\McAfee.com
2008-02-26 00:04 d-----w C:\Program Files\McAfee
2008-02-26 00:04 d-----w C:\Program Files\Common Files\McAfee
2008-02-25 13:30 d-----w C:\Documents and Settings\Mark\Application Data\LimeWire
2008-02-24 16:44 d-----w C:\Documents and Settings\Mark\Application Data\Desktop Sidebar
2008-02-24 12:36 d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-24 12:36 d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-23 23:52 d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-23 23:36 d-----w C:\Program Files\MSXML 4.0
2008-02-23 04:49 d-----w C:\Program Files\Launch Manager
2008-02-23 04:48 d-----w C:\Program Files\ATI Technologies
2008-02-23 01:15 d-----w C:\Documents and Settings\Mark\Application Data\ACD Systems
2008-02-23 01:14 d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-23 00:48 d-----w C:\Documents and Settings\Mark\Application Data\.bittorrent
2008-02-23 00:46 d-----w C:\Documents and Settings\Mark\Application Data\AdobeUM
2008-02-22 16:25 d-----w C:\Program Files\NewSoft
2008-02-22 16:25 d-----w C:\Program Files\Common Files\PDFView
2008-02-22 16:22 d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-02-22 16:22 d-----w C:\Documents and Settings\Mark\Application Data\ScanSoft
2008-02-22 16:22 d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-02-22 16:22 d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-22 16:21 d-----w C:\Program Files\ScanSoft
2008-02-22 16:20 d-----w C:\Program Files\ArcSoft
2008-02-22 16:19 d-----w C:\Program Files\Common Files\CANON
2008-02-22 16:18 d--h--w C:\Program Files\CanonBJ
2008-02-22 16:10 d-----w C:\Program Files\Canon
2008-02-22 15:30 d-----w C:\Program Files\Windows Live Toolbar
2008-02-22 15:19 d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-22 15:19 d-----w C:\Program Files\Windows Live
2008-02-22 15:19 d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-22 14:59 d-----w C:\Program Files\Lavasoft
2008-02-22 14:59 d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-22 14:58 d-----w C:\Program Files\SiteAdvisor
2008-02-22 14:58 d-----w C:\Documents and Settings\Mark\Application Data\SiteAdvisor
2008-02-22 14:58 d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-22 14:58 d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-22 14:58 d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-22 14:47 d-----w C:\Program Files\Xilisoft
2008-02-22 14:43 d-----w C:\Documents and Settings\Mark\Application Data\Ahead
2008-02-22 14:41 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-02-22 14:41 d-----w C:\Program Files\Nero
2008-02-22 14:41 d-----w C:\Program Files\Illustrate
2008-02-22 14:41 d-----w C:\Program Files\Common Files\Ahead
2008-02-22 14:38 d-----w C:\Program Files\BitTorrent
2008-02-22 14:37 d-----w C:\Program Files\LimeWire
2008-02-22 14:37 d-----w C:\Program Files\BitComet
2008-02-22 14:36 d-----w C:\Program Files\Common Files\ACD Systems
2008-02-22 14:36 d-----w C:\Program Files\ACD Systems
2008-02-22 14:36 d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-02-22 14:35 d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-22 14:34 d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-22 14:32 d-----w C:\Program Files\Common Files\Adobe
2008-02-22 14:29 d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 14:28 d-----w C:\Program Files\WinKey
2008-02-22 14:28 d-----w C:\Program Files\Java
2008-02-22 14:28 d-----w C:\Program Files\Common Files\Java
2008-02-22 14:27 d-----w C:\Program Files\SysShield Tools
2008-02-22 14:27 d-----w C:\Program Files\PeerGuardian2
2008-02-22 14:27 d-----w C:\Program Files\Extension Changer
2008-02-22 14:27 d-----w C:\Documents and Settings\Mark\Application Data\HDD Thermometer
2008-02-22 14:26 d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-22 14:22 d-----w C:\Program Files\Microsoft Works
2008-02-22 14:22 d-----w C:\Program Files\Microsoft ActiveSync
2008-02-22 14:22 d-----w C:\Program Files\Common Files\L&H
2008-02-22 14:21 d-----w C:\Program Files\Microsoft.NET
2008-02-22 14:19 d-----w C:\Documents and Settings\Mark\Application Data\Kingsoft
2008-02-22 14:17 d-----w C:\Program Files\Kingsoft
2008-02-22 14:17 d-----w C:\Program Files\Common Files\kingsoft
2008-02-22 14:15 d-----w C:\Program Files\Innovative Solutions
2008-02-22 14:15 d-----w C:\Program Files\ALaunch
2008-02-22 14:14 d-----w C:\Program Files\XemiComputers
2008-02-22 14:14 d-----w C:\Documents and Settings\Mark\Application Data\XemiComputers
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\System32\spool\PRINTERS ----
Sigcheck
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\system32\wininet.dll
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2004-08-03 22:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ie7\wininet.dll
2007-12-01 00:26 666112 e7f441cde6e418bb68fc700872c004a0 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_11.14.18.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-19 03:22:30 16,384 ----a-w C:\WINDOWS\assembly\GAC\Arbus.Interfacing.Library\1.0.0.27362__2be3a081d8c94867\Arbus.Interfacing.Library.dll
+ 2008-04-19 03:22:30 16,384 ----a-w C:\WINDOWS\assembly\GAC\ArbusApplicationController\1.0.2563.27362__da57d5d39b1d6dd8\ArbusApplicationController.dll
- 2008-04-19 00:56:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 01:22:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 06:45:06 307,200 ----a-r C:\WINDOWS\Installer\{40589552-3892-409E-B92C-9F5032A4B2F0}\SafariIco.exe
+ 2008-04-20 01:24:12 5,251,072 ----a-w C:\WINDOWS\system32\config\Regback\ntuser.dat
+ 2008-04-20 01:24:14 102,400 ----a-w C:\WINDOWS\system32\config\Regback\UsrClass.dat
- 2008-04-19 01:04:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-20 01:29:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-19 01:04:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-20 01:29:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-19 01:04:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-20 01:29:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-05-28 16:31 3653632]
"App Launcher"="C:\Program Files\ALaunch\ALaunch.exe" [2000-03-28 14:32 25088]
"RSD_HDDThermo"="C:\Program Files\HDD Thermometer.exe" [2004-04-12 09:50 249856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [2008-02-13 17:12 356352]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [2008-02-13 17:10 312832]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57 532480]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2007-12-01 00:27 110592 C:\WINDOWS\system32\bthprops.cpl]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 14:19 151552]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 17:38 2876416]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-14 02:05 36640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [2000-12-12 19:56 16384]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinKey.lnk - C:\Program Files\WinKey\WinKey.exe [2008-02-22 22:28:20 99840]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [2004-11-02 09:15 368711]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=C:\WINDOWS\pss\NevoMedia Server.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Thoosje Vista Sidebar.lnk]
path=C:\Documents and Settings\Mark\Start Menu\Programs\Startup\Thoosje Vista Sidebar.lnk
backup=C:\WINDOWS\pss\Thoosje Vista Sidebar.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyCaptureScreen]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2004-08-25 13:27 65536 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 12:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-25 19:11 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 13:45 36040 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 09:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
--a------ 2005-09-19 22:42 487424 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-26 16:13 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lingoes]
--a------ 2008-02-29 04:06 1966080 C:\Program Files\Lingoes\Translator2\Lingoes.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2004-07-30 11:30 319488 C:\Program Files\Launch Manager\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-12-01 00:26 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 05:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2005-09-25 19:11 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-05-20 18:13 188416 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 13:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 08:35 20480 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24632:TCP"= 24632:TCP:BitComet 24632 TCP
"24632:UDP"= 24632:UDP:BitComet 24632 UDP
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2004-08-14 20:59]
R3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-13 00:41]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2007-11-30 17:31]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 10:21]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-04-12 23:34]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00bbfbf2-eb8b-11dc-a5a4-000e358229d5}]
\Shell\1\Command - syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1704c410-f6e6-11dc-8d8b-000e358229d5}]
\Shell\1\Command - syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cb42e90-056c-11dd-8dab-000e358229d5}]
\Shell\1\Command - F:\syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{804de9f1-e1c9-11dc-a588-806d6172696f}]
\Shell\1\Command - syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-20 03:02:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-31 17:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-14 23:19:22 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-19 06:41:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 11:23:05
Windows 5.1.2600 Service Pack 3, v.3264 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
App Launcher = C:\Program Files\ALaunch\ALaunch.exe?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> C:\Program Files\XemiComputers\Active Desktop Calendar\MouseHook.dll
.
Completion time: 2008-04-20 11:23:40
ComboFix-quarantined-files.txt 2008-04-20 03:23:38
ComboFix3.txt 2008-04-19 03:14:38
ComboFix2.txt 2008-04-19 03:26:54
Pre-Run: 10,431,561,728 bytes free
Post-Run: 10,525,704,192 bytes free
395 --- E O F --- 2008-04-10 02:37:01
Please have all jumpdrives or external drives plugged in at the time of the fix.
Are you still getting the popups from mcafee?
did you empty the printer folder?
Can you look into the printer folder and tell me what is inside?
I would like you to run this combofix script again, I have changed it a little.
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
Save it to your desktop as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
:information and logs:
In your next post I need the following
1. log from ComboFix
2. please answer my questions from the top of this post.
Gringo
: three day bump :
It has been three days since my last post.
Gringo
Are you still getting the popups from mcafee?
Yes.
did you empty the printer folder?
Can you look into the printer folder and tell me what is inside?
There is nothing inside the printer folder, even after changing to "view hidden files" option, so there is nothing to delete.
Here is the log report:
ComboFix 08-04-18.3 - Mark 2008-04-24 13:06:59.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.919 [GMT 8:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-19 15:48 . 2008-04-19 15:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-04-19 11:22 . 2008-04-19 11:22 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\McAfee
2008-04-18 00:55 . 2008-04-18 00:55 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Nokia Multimedia Player
2008-04-17 15:16 . 2008-04-24 13:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 15:16 . 2008-04-17 15:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-17 15:15 . 2008-04-17 15:15 <DIR> d-------- C:\Program Files\iTunes
2008-04-17 15:15 . 2008-04-17 15:15 <DIR> d-------- C:\Program Files\iPod
2008-04-17 15:13 . 2008-04-17 15:13 <DIR> d-------- C:\Program Files\QuickTime
2008-04-17 14:47 . 2008-04-17 14:47 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\Deckard
2008-04-13 00:41 . 2008-04-13 00:41 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-13 00:25 . 2008-04-13 00:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 20:28 . 2008-04-11 20:29 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-10 18:57 . 2008-04-24 13:12 77 --a------ C:\WINDOWS\lsoon.ini
2008-04-10 10:30 . 2008-04-12 23:34 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-04-10 10:30 . 2008-04-10 10:30 2 -rahs---- C:\WINDOWS\winstart.bat
2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Regrun
2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d-------- C:\backreg
2008-04-10 10:29 . 2008-04-10 10:29 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-04-10 10:27 . 2008-04-10 10:27 <DIR> d-------- C:\Program Files\Greatis
2008-04-10 10:27 . 2008-02-13 11:41 441,856 --a------ C:\WINDOWS\RunGuard.exe
2008-04-10 10:27 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-04-10 10:27 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.org
2008-04-10 10:27 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.exe
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\PC Tools
2008-04-07 22:24 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-07 22:24 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-07 22:24 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-07 22:24 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-07 20:05 . 2008-04-07 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 19:49 . 2008-04-06 19:49 0 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-04-06 19:48 . 2008-04-06 19:48 <DIR> d-------- C:\Program Files\SpywareDetector
2008-04-06 19:48 . 2008-04-06 19:48 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-04-06 17:06 . 2008-04-06 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-06 17:05 . 2008-04-06 17:05 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Nokia
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Program Files\DIFX
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-06 17:04 . 2008-04-06 17:04 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\PC Suite
2008-04-06 17:03 . 2008-04-06 17:03 <DIR> d-------- C:\Program Files\Nokia
2008-04-06 17:03 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-06 17:03 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-06 17:03 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-06 17:03 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-06 17:03 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-06 17:02 . 2008-04-06 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-01 06:01 . 2008-04-01 06:02 10,593 --a------ C:\WINDOWS\CSTBox.INI
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 10:24 d-----w C:\Documents and Settings\Mark\Application Data\ArcSoft
2008-03-21 01:21 d-----w C:\Program Files\Sports Interactive
2008-03-20 06:51 d-----w C:\Program Files\Safari
2008-03-16 13:56 d-----w C:\Documents and Settings\Mark\Application Data\Sports Interactive
2008-03-16 13:47 d-----w C:\Documents and Settings\Mark\Application Data\DAEMON Tools Pro
2008-03-16 08:59 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-15 16:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-15 16:47 d--h--r C:\Documents and Settings\Mark\Application Data\SecuROM
2008-03-15 16:44 d--h--w C:\Program Files\Zero G Registry
2008-03-15 09:27 d-----w C:\Documents and Settings\Mark\Application Data\Apple Computer
2008-03-15 09:23 d-----w C:\Program Files\Common Files\Apple
2008-03-15 09:23 d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-13 13:09 d-----w C:\Program Files\Lingoes
2008-03-13 13:09 d-----w C:\Documents and Settings\Mark\Application Data\Lingoes
2008-03-12 15:38 d-----w C:\Documents and Settings\All Users\Application Data\Viper
2008-03-12 15:04 d-----w C:\Program Files\Plagiarism Scanner
2008-03-12 14:27 d--h--w C:\Program Files\InstallJammer Registry
2008-03-12 13:38 d-----w C:\Documents and Settings\Mark\Application Data\NewSoft
2008-03-09 14:18 d-----w C:\Documents and Settings\Mark\Application Data\Canon
2008-03-07 13:28 d-----w C:\Program Files\Any Capture Screen
2008-03-07 13:09 d-----w C:\Program Files\Unlocker
2008-03-06 00:31 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-04 16:24 d-----w C:\Program Files\PowerISO
2008-02-28 00:18 d-----w C:\Program Files\Recover My Files
2008-02-27 11:38 d-----w C:\Program Files\SmartUndelete
2008-02-27 10:06 d-----w C:\Program Files\Common Files\SecureAction Shared
2008-02-27 10:06 d-----w C:\Program Files\AEP2008 Pro
2008-02-27 10:05 d-----w C:\Documents and Settings\Mark\Application Data\Blancco
2008-02-27 06:59 d--h--w C:\Documents and Settings\All Users\Application Data\{BED24E2B-C79C-4948-863F-D211FD6088AA}
2008-02-27 06:59 d-----w C:\Program Files\Common Files\Blancco
2008-02-27 06:54 d-----w C:\Program Files\Blancco
2008-02-26 00:04 d-----w C:\Program Files\McAfee.com
2008-02-26 00:04 d-----w C:\Program Files\McAfee
2008-02-26 00:04 d-----w C:\Program Files\Common Files\McAfee
2008-02-25 13:30 d-----w C:\Documents and Settings\Mark\Application Data\LimeWire
2008-02-24 16:44 d-----w C:\Documents and Settings\Mark\Application Data\Desktop Sidebar
2008-02-24 12:36 d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-24 12:36 d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-22 14:41 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-02-22 13:40 4,233 ----a-w C:\WINDOWS\CLEANUP.CMD
2008-01-29 04:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2005-06-07 09:09 45,568 ----a-w C:\Program Files\apt.exe
2004-06-23 14:30 1,340,416 ----a-w C:\Program Files\MPLAYERC.EXE
2004-04-12 01:50 249,856 ----a-w C:\Program Files\HDD Thermometer.exe
1996-11-22 08:54 40,960 ----a-w C:\Program Files\nail.exe
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\System32\spool\PRINTERS\ ----
Sigcheck
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\system32\wininet.dll
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2004-08-03 22:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ie7\wininet.dll
2007-12-01 00:26 666112 e7f441cde6e418bb68fc700872c004a0 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_11.14.18.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-19 03:22:30 16,384 ----a-w C:\WINDOWS\assembly\GAC\Arbus.Interfacing.Library\1.0.0.27362__2be3a081d8c94867\Arbus.Interfacing.Library.dll
+ 2008-04-19 03:22:30 16,384 ----a-w C:\WINDOWS\assembly\GAC\ArbusApplicationController\1.0.2563.27362__da57d5d39b1d6dd8\ArbusApplicationController.dll
- 2008-04-19 00:56:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 05:11:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 06:45:06 307,200 ----a-r C:\WINDOWS\Installer\{40589552-3892-409E-B92C-9F5032A4B2F0}\SafariIco.exe
+ 2008-04-23 11:45:32 5,271,552 ----a-w C:\WINDOWS\system32\config\Regback\ntuser.dat
+ 2008-04-23 11:45:34 102,400 ----a-w C:\WINDOWS\system32\config\Regback\UsrClass.dat
- 2008-04-19 01:04:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-24 03:56:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-19 01:04:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-24 03:56:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-19 01:04:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-24 03:56:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-05-28 16:31 3653632]
"App Launcher"="C:\Program Files\ALaunch\ALaunch.exe" [2000-03-28 14:32 25088]
"RSD_HDDThermo"="C:\Program Files\HDD Thermometer.exe" [2004-04-12 09:50 249856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [2008-02-13 17:12 356352]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [2008-02-13 17:10 312832]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57 532480]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2007-12-01 00:27 110592 C:\WINDOWS\system32\bthprops.cpl]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 14:19 151552]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 17:38 2876416]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-14 02:05 36640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [2000-12-12 19:56 16384]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinKey.lnk - C:\Program Files\WinKey\WinKey.exe [2008-02-22 22:28:20 99840]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [2004-11-02 09:15 368711]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=C:\WINDOWS\pss\NevoMedia Server.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Thoosje Vista Sidebar.lnk]
path=C:\Documents and Settings\Mark\Start Menu\Programs\Startup\Thoosje Vista Sidebar.lnk
backup=C:\WINDOWS\pss\Thoosje Vista Sidebar.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyCaptureScreen]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2004-08-25 13:27 65536 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 12:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-25 19:11 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 13:45 36040 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 09:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
--a------ 2005-09-19 22:42 487424 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-26 16:13 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lingoes]
--a------ 2008-02-29 04:06 1966080 C:\Program Files\Lingoes\Translator2\Lingoes.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2004-07-30 11:30 319488 C:\Program Files\Launch Manager\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-12-01 00:26 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 05:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2005-09-25 19:11 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-05-20 18:13 188416 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 13:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 08:35 20480 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24632:TCP"= 24632:TCP:BitComet 24632 TCP
"24632:UDP"= 24632:UDP:BitComet 24632 UDP
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2004-08-14 20:59]
R3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-13 00:41]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2007-11-30 17:31]
S2 0307651209009399mcinstcleanup;McAfee Application Installer Cleanup (0307651209009399);C:\WINDOWS\TEMP\030765~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 10:21]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-04-12 23:34]
*Newly Created Service* - 0307651209009399MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 05:02:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-31 17:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-14 23:19:22 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-19 06:41:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 13:12:43
Windows 5.1.2600 Service Pack 3, v.3264 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> C:\Program Files\XemiComputers\Active Desktop Calendar\MouseHook.dll
.
Other Running Processes
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\ACER\EMANAGER\ANBMSERV.EXE
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\MCAFEE\MBK\MBACKMONITOR.EXE
C:\PROGRAM FILES\MCAFEE\MSC\MCMSCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\MCAFEE\MPF\MPFSRV.EXE
C:\PROGRAM FILES\MCAFEE\MSK\MSKSRVER.EXE
C:\PROGRAM FILES\SITEADVISOR\6253\SASERVICE.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\GREATIS\REGRUNSUITE\WATCHDOG.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\RAPIMGR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SYSTEM32\IMAPI.EXE
.
**************************************************************************
.
Completion time: 2008-04-24 13:16:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 05:16:36
ComboFix4.txt 2008-04-19 03:14:38
ComboFix3.txt 2008-04-19 03:26:54
ComboFix2.txt 2008-04-20 03:23:42
Pre-Run: 6,469,746,688 bytes free
Post-Run: 6,489,014,272 bytes free
343 --- E O F --- 2008-04-10 02:37:01
I see some files I would like you to check out
the popups from McAfee are from the same folder ( the printer folder) that you said before?
:upload files to jotti:
Please upload a file for scanning:
- Open virusscan.jotti
- Copy/paste this file and path into the white box at the top:
C:\Program Files\apt.exe
Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
please do this with each of these files one at a time
C:\Program Files\MPLAYERC.EXE
C:\Program Files\HDD Thermometer.exe
C:\Program Files\nail.exe
save the reports and send with your next reply
Note: If Jotti is busy, you can use VirusTotal instead.
:information and logs:
In your next post I need the following
1. the four files from Jotti
Gringo
: three day bump :
It has been three days since my last post.
Gringo
"the popups from McAfee are from the same folder ( the printer folder) that you said before?"
Yes, only different files were detected, though with the same .SPL extension.
Here are the log files:
C:\Program Files\apt.exe
Scanner results
Scan taken on 26 Apr 2008 15:48:45 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Backdoor.SdBot.5 (probable variant)
C:\Program Files\MPLAYERC.EXE
Scanner results
Scan taken on 26 Apr 2008 15:52:25 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
C:\Program Files\HDD Thermometer.exe
Scan taken on 26 Apr 2008 15:55:28 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Suspect code-parts (probable variant)
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Clicker.Delf.13 (paranoid heuristics) (probable variant)
C:\Program Files\nail.exe
Scanner results
Scan taken on 26 Apr 2008 15:57:15 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Sorry for the delay
Been under the weather but doing better now; will give new instructions soon.
Gringo
Some questions first
1. what printer are you using?
2. do you have the software for this printer if we need to reinstall it?
now to some more fixes
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
Save it to your desktop as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
:information and logs:
In your next post I need the following
1. the ComboFix log
2. answer my questions
3. and a new HijackThis log
Gringo
ComboFix 08-05-01.3 - Mark 2008-05-07 21:27:51.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.842 [GMT 8:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Program Files\apt.exe
C:\Program Files\HDD Thermometer.exe
C:\Program Files\nail.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\apt.exe
C:\Program Files\HDD Thermometer.exe
C:\Program Files\nail.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-06 19:40 . 2008-05-06 19:40 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-05-03 00:19 . 2008-05-03 00:19 <DIR> d-------- C:\Program Files\CDCheck
2008-04-26 17:31 . 2008-04-26 17:31 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\vlc
2008-04-26 16:09 . 2008-04-26 16:09 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-19 15:48 . 2008-04-19 15:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-04-19 11:22 . 2008-04-19 11:22 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\McAfee
2008-04-18 00:55 . 2008-04-18 00:55 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Nokia Multimedia Player
2008-04-17 15:16 . 2008-05-07 21:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 15:16 . 2008-04-17 15:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-17 15:15 . 2008-04-17 15:15 <DIR> d-------- C:\Program Files\iTunes
2008-04-17 15:15 . 2008-04-17 15:15 <DIR> d-------- C:\Program Files\iPod
2008-04-17 15:13 . 2008-04-17 15:13 <DIR> d-------- C:\Program Files\QuickTime
2008-04-17 14:47 . 2008-04-17 14:47 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 21:26 . 2008-04-14 21:26 <DIR> d-------- C:\Deckard
2008-04-13 00:25 . 2008-04-13 00:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-04-11 20:29 . 2008-04-11 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 20:28 . 2008-04-11 20:29 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-10 18:57 . 2008-04-26 18:46 77 --a------ C:\WINDOWS\lsoon.ini
2008-04-10 10:30 . 2008-04-12 23:34 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-04-10 10:30 . 2008-04-10 10:30 2 -rahs---- C:\WINDOWS\winstart.bat
2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Regrun
2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d-------- C:\backreg
2008-04-10 10:27 . 2008-04-10 10:27 <DIR> d
C:\Program Files\Greatis
2008-04-10 10:27 . 2003-09-06 15:55 57,556 --a
C:\WINDOWS\guard.bmp
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d
C:\Program Files\Spyware Doctor
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d
C:\Documents and Settings\Mark\Application Data\PC Tools
2008-04-07 22:24 . 2007-12-10 14:53 81,288 --a
C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-07 22:24 . 2007-12-10 14:53 66,952 --a
C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-07 22:24 . 2008-02-01 12:55 42,376 --a
C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-07 22:24 . 2007-12-10 14:53 29,576 --a
C:\WINDOWS\system32\drivers\kcom.sys
2008-04-07 20:05 . 2008-04-07 20:05 <DIR> d
C:\Documents and Settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 11:48 d-----w C:\Program Files\SpywareDetector
2008-04-06 09:06 d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-06 09:05 d-----w C:\Documents and Settings\Mark\Application Data\Nokia
2008-04-06 09:04 d-----w C:\Program Files\PC Connectivity Solution
2008-04-06 09:04 d-----w C:\Program Files\DIFX
2008-04-06 09:04 d-----w C:\Program Files\Common Files\PCSuite
2008-04-06 09:04 d-----w C:\Program Files\Common Files\Nokia
2008-04-06 09:04 d-----w C:\Documents and Settings\Mark\Application Data\PC Suite
2008-04-06 09:03 d-----w C:\Program Files\Nokia
2008-04-06 09:02 d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-03-22 10:24 d-----w C:\Documents and Settings\Mark\Application Data\ArcSoft
2008-03-21 01:21 d-----w C:\Program Files\Sports Interactive
2008-03-20 06:51 d-----w C:\Program Files\Safari
2008-03-16 13:56 d-----w C:\Documents and Settings\Mark\Application Data\Sports Interactive
2008-03-16 13:47 d-----w C:\Documents and Settings\Mark\Application Data\DAEMON Tools Pro
2008-03-16 08:59 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-15 16:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-15 16:47 d--h--r C:\Documents and Settings\Mark\Application Data\SecuROM
2008-03-15 16:44 d--h--w C:\Program Files\Zero G Registry
2008-03-15 09:27 d-----w C:\Documents and Settings\Mark\Application Data\Apple Computer
2008-03-15 09:23 d-----w C:\Program Files\Common Files\Apple
2008-03-15 09:23 d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-13 13:09 d-----w C:\Program Files\Lingoes
2008-03-13 13:09 d-----w C:\Documents and Settings\Mark\Application Data\Lingoes
2008-03-12 15:38 d-----w C:\Documents and Settings\All Users\Application Data\Viper
2008-03-12 15:04 d-----w C:\Program Files\Plagiarism Scanner
2008-03-12 14:27 d--h--w C:\Program Files\InstallJammer Registry
2008-03-12 13:38 d-----w C:\Documents and Settings\Mark\Application Data\NewSoft
2008-03-09 14:18 d-----w C:\Documents and Settings\Mark\Application Data\Canon
2008-03-07 13:28 d-----w C:\Program Files\Any Capture Screen
2008-03-07 13:09 d-----w C:\Program Files\Unlocker
2008-03-06 00:31 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-22 14:41 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-02-22 13:40 4,233 ----a-w C:\WINDOWS\CLEANUP.CMD
2004-06-23 14:30 1,340,416 ----a-w C:\Program Files\MPLAYERC.EXE
.
Sigcheck
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\system32\wininet.dll
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2004-08-03 22:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ie7\wininet.dll
2007-12-01 00:26 666112 e7f441cde6e418bb68fc700872c004a0 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_11.14.18.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-19 03:22:30 16,384 ----a-w C:\WINDOWS\assembly\GAC\Arbus.Interfacing.Library\1.0.0.27362__2be3a081d8c94867\Arbus.Interfacing.Library.dll
+ 2008-04-19 03:22:30 16,384 ----a-w C:\WINDOWS\assembly\GAC\ArbusApplicationController\1.0.2563.27362__da57d5d39b1d6dd8\ArbusApplicationController.dll
- 2008-04-19 00:56:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 13:32:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 06:45:06 307,200 ----a-r C:\WINDOWS\Installer\{40589552-3892-409E-B92C-9F5032A4B2F0}\SafariIco.exe
+ 2008-04-23 11:45:32 5,271,552 ----a-w C:\WINDOWS\system32\config\Regback\ntuser.dat
+ 2008-04-23 11:45:34 102,400 ----a-w C:\WINDOWS\system32\config\Regback\UsrClass.dat
- 2008-04-19 01:04:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-07 11:02:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-19 01:04:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-07 11:02:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-05-28 16:31 3653632]
"App Launcher"="C:\Program Files\ALaunch\ALaunch.exe" [2000-03-28 14:32 25088]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57 532480]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2007-12-01 00:27 110592 C:\WINDOWS\system32\bthprops.cpl]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 14:19 151552]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 17:38 2876416]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-14 02:05 36640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinKey.lnk - C:\Program Files\WinKey\WinKey.exe [2008-02-22 22:28:20 99840]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=C:\WINDOWS\pss\NevoMedia Server.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Thoosje Vista Sidebar.lnk]
path=C:\Documents and Settings\Mark\Start Menu\Programs\Startup\Thoosje Vista Sidebar.lnk
backup=C:\WINDOWS\pss\Thoosje Vista Sidebar.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyCaptureScreen]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2004-08-25 13:27 65536 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 12:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-25 19:11 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 13:45 36040 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 09:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
--a------ 2005-09-19 22:42 487424 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-26 16:13 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lingoes]
--a------ 2008-02-29 04:06 1966080 C:\Program Files\Lingoes\Translator2\Lingoes.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2004-07-30 11:30 319488 C:\Program Files\Launch Manager\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-12-01 00:26 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 05:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2005-09-25 19:11 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-05-20 18:13 188416 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 13:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 08:35 20480 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24632:TCP"= 24632:TCP:BitComet 24632 TCP
"24632:UDP"= 24632:UDP:BitComet 24632 UDP
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2004-08-14 20:59]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2007-11-30 17:31]
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S2 0012651210074042mcinstcleanup;McAfee Application Installer Cleanup (0012651210074042);C:\WINDOWS\TEMP\001265~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 10:21]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-04-12 23:34]
*Newly Created Service* - 0012651210074042MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 13:02:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-30 17:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-14 23:19:22 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-05-03 06:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 21:33:11
Windows 5.1.2600 Service Pack 3, v.3264 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> C:\Program Files\XemiComputers\Active Desktop Calendar\MouseHook.dll
.
Other Running Processes
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\ACER\EMANAGER\ANBMSERV.EXE
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\MCAFEE\MBK\MBACKMONITOR.EXE
C:\PROGRAM FILES\MCAFEE\MSC\MCMSCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\MCAFEE\MPF\MPFSRV.EXE
C:\PROGRAM FILES\MCAFEE\MSK\MSKSRVER.EXE
C:\PROGRAM FILES\SITEADVISOR\6253\SASERVICE.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\RAPIMGR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SYSTEM32\IMAPI.EXE
.
**************************************************************************
.
Completion time: 2008-05-07 21:37:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 13:37:38
ComboFix5.txt 2008-04-19 03:14:38
ComboFix4.txt 2008-04-19 03:26:54
ComboFix3.txt 2008-04-20 03:23:42
ComboFix2.txt 2008-04-24 05:16:48
Pre-Run: 2,059,960,320 bytes free
Post-Run: 2,576,646,144 bytes free
312 --- E O F --- 2008-04-10 02:37:01
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:41 PM, on 5/7/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\ALaunch\ALaunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WinKey\WinKey.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [App Launcher] C:\Program Files\ALaunch\ALaunch.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: WinKey.lnk = C:\Program Files\WinKey\WinKey.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203693971215
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0012651210074042) (0012651210074042mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\001265~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 11872 bytes
1. What printer are you using?
Canon iP1000
2. Do you have the software for this printer if we need to reinstall it?
Yeap
1. Uninstall the printer
2. Delete the printer folder (let me know if you have problems here)
3. Reinstall the printer
4. Let me know if the popups come back
Gringo
: three day bump :
It has been three days since my last post.
Gringo
I've done as you instructed and almost as soon as the printer was reinstalled, the popup came back
WOW, the good news is all the people I have been talking to have all agreed this has to be a false positive.
Now how to get rid of it?
1. Here is a download link to the drivers for the printer; check to see if it is the same version as yours. If it is a newer one, then download it please
LINK
2. a. What version of McAfee are you using?
b. How long is the subscription good for?
c. Is it up to date?
Gringo
That sounds great. The McAfee Security Centre I'm using is version 8.1, the antivirus is version 12.1.
Subscription expires 25th Feb 2009 and is up to date.
I've also installed the driver from the link you provided.
Did it help?
Gringo
Nope, didn't work after installing the driver; still getting the error messages
Well, I don't know what else to tell you except that it is not malware that is doing this.
You should ask here in the General Software forum; maybe they would know how to get McAfee to stop reporting this.
We have some very smart people in there and they should be able to help you.
That being said, we can finish up here.
This is my general post for when your logs show no more signs of malware -
:Time for some housekeeping:
:Set correct settings for files:
:clear system restore points:
This is a good time to clear your existing system restore points and establish a new clean restore point:
- Go to Start > All Programs > Accessories > System Tools > System Restore
- Select Create a restore point, and Ok it.
- Next, go to Start > Run and type in cleanmgr
- Select the More options tab
- Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
:Make your Internet Explorer more secure:
Please visit this page that gives instructions to do this
http://surfthenetsafely.com/ieseczone8.htm
:Turn On Automatic Updates:
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) option: Automatically download recommended updates for my computer and install them.
If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
:antispyware programs:
You have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them. I would also recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
:Consider a custom hosts file:
Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002.
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also please read this great article by Tony Klein: So How Did I Get Infected In The First Place
Now you have followed my advice - it's time to lodge a complaint against what you have suffered...
Malware Complaints
If you were infected .... Stand Up and be Counted.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.
Gringo
You've been extremely helpful and patient in your diagnosis and guidance! Thanks for all your help so far!
As this topic looks to be resolved, this topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own thread instead.
_______________________________
Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.