Cannot remove virtumonde.prx



bhendrick
2009-11-04, 15:07
Spybot installed
Malwarebytes' Anti-Malware installed also
Comcast McAfee Security Center installed and up to date

Ran both many times to remove. Vundo and Virtumonde detected many times. Finally removed. But this one re-creates.


Ran ERUNT
System Restore still turned on


========================HJK Log========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:56 AM, on 11/04/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {9c51076b-4847-4376-9a81-3e4539fdf8ea} - dubozoje.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [vizuhadud] Rundll32.exe "c:\windows\system32\bolizude.dll",a
O4 - HKCU\..\Run: [Updates Notifier] C:\Program Files\Common Files\Lacerte Shared\UpdNotif\UpdNotif.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2985599247-3525398264-376927324-1015\..\Run: [Sonic RecordNow!] (User 'QBDataServiceUser')
O4 - HKUS\S-1-5-21-2985599247-3525398264-376927324-1015\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'QBDataServiceUser')
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Voyager\High Speed Internet Service\ControlPad\Misc\a_menu.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124161126531
O20 - AppInit_DLLs: zeyudoke.dll c:\windows\system32\
O21 - SSODL: puzibiyid - {57ac93b7-f2e0-4de0-ad88-1ecc9bfc8b26} - (no file)
O21 - SSODL: luhogufot - {223addae-69bf-4c09-a4fa-70761b6a2e6e} - c:\windows\system32\nonabefa.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {223addae-69bf-4c09-a4fa-70761b6a2e6e} - c:\windows\system32\nonabefa.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUC22A~1\QBDBMgrN.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE (file missing)

--
End of file - 11483 bytes

Disabled TeaTimer... but on reboot it looks like it is still turned on!
------------------------------------------------
Tea Timer successfully disabled after reboot.


Also get this error on startup:
error loading c:\windows\system32\bolizude.dll. Specified module cannot be found

Also get exception error:
UpdNotif.exe application generated an exception that cannot be handled. Process id=0x968 (2408) Thread id=0xff4 (4084)
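Helpers read a HijackThis log like the one above for the load points a Vundo/Virtumonde-family infection uses to survive a cleanup: BHOs (O2), Run keys that start a DLL through Rundll32 (O4), AppInit_DLLs (O20), SSODL and SharedTaskScheduler entries (O21/O22) pointing at oddly named DLLs in system32, and sites added to the IE Trusted Zone (O15). The Python script below is an added example, not part of this thread and not a tool used by either poster: it applies those review heuristics to a handful of lines copied from the log above. The allow-list and the heuristics are assumptions chosen for illustration, and anything the script flags is a candidate for review, not a verdict.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread (a constructed subset
# of that log, chosen to cover the entry types the heuristics below look at).
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {9c51076b-4847-4376-9a81-3e4539fdf8ea} - dubozoje.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vizuhadud] Rundll32.exe "c:\windows\system32\bolizude.dll",a
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O20 - AppInit_DLLs: zeyudoke.dll c:\windows\system32\
O21 - SSODL: puzibiyid - {57ac93b7-f2e0-4de0-ad88-1ecc9bfc8b26} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {223addae-69bf-4c09-a4fa-70761b6a2e6e} - c:\windows\system32\nonabefa.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# One HijackThis entry: a section code (R0, O2, O23, ...) followed by " - " and the detail.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<detail>.*)$")

# Load points abused for persistence; a dangling reference in one of these is worth a look.
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O22"}

# DLLs known to be started through Rundll32 legitimately (assumed allow-list for this example).
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll"}

# Extracts the DLL path from an O4 entry such as: Rundll32.exe "c:\...\name.dll",a
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s,]+\.dll)')


def parse_hjt(text):
    """Return a list of (section, detail) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        match = HJT_LINE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("detail")))
    return entries


def review_reasons(section, detail):
    """Heuristic review flags for one entry; an empty list means nothing stood out."""
    lowered = detail.lower()
    reasons = []
    if section in AUTOSTART_SECTIONS and ("(file missing)" in lowered or "(no file)" in lowered):
        reasons.append("autostart entry points at a file that is no longer on disk")
    if section == "O4":
        target = RUNDLL_TARGET.search(lowered)
        if target:
            dll_name = target.group(1).rsplit("\\", 1)[-1]
            if dll_name not in KNOWN_RUNDLL_TARGETS:
                reasons.append(f"Run key loads {dll_name} through Rundll32; not on the allow-list")
    if section == "O15":
        reasons.append("site or IP range added to the IE Trusted Zone")
    if section == "O20":
        reasons.append("AppInit_DLLs value is loaded into every process that loads user32.dll")
    if section in ("O21", "O22"):
        reasons.append("SSODL/SharedTaskScheduler entries are rarely added by legitimate software")
    return reasons


def triage(entries):
    """Return [(section, detail, reasons)] for every entry that has at least one flag."""
    findings = []
    for section, detail in entries:
        reasons = review_reasons(section, detail)
        if reasons:
            findings.append((section, detail, reasons))
    return findings


def flagged_sections(text):
    """Section codes of all flagged entries, in log order."""
    return [section for section, _, _ in triage(parse_hjt(text))]


if __name__ == "__main__":
    for section, detail, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {detail}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, the script leaves the McAfee BHO, the NVIDIA Run key and the McAfee service alone and flags the six entries a helper would ask about: the orphaned BHO, the Rundll32 Run key loading bolizude.dll, the Trusted Zone site, the AppInit_DLLs value, and the SSODL and SharedTaskScheduler entries. The allow-list approach is deliberate: trying to guess whether a DLL name "looks random" is fragile, whereas a short list of what is known-good on the machine plus a review of everything else is how these logs are actually worked.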

Blade81
2009-11-07, 00:16
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

bhendrick
2009-11-07, 04:46
Here you go....thanks!!!


=====================================================
DDS (Ver_09-10-26.01) - NTFSx86
Run by Art at 22:38:43.09 on 11/06/09
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.101 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\MSC\mcshell.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\DOCUME~1\Art\LOCALS~1\Temp\Google Toolbar\gtb4B4.tmp.exe
C:\Documents and Settings\Art\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {9c51076b-4847-4376-9a81-3e4539fdf8ea} - dubozoje.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Updates Notifier] c:\program files\common files\lacerte shared\updnotif\UpdNotif.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [vizuhadud] Rundll32.exe "c:\windows\system32\bolizude.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flashp~1.lnk - c:\program files\smartdisk\flashpath\sdstat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: <NO NAME> =
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\verizon voyager\high speed internet service\controlpad\misc\a_menu.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: frame.crazywinnings.com
Trusted Zone: static.topconverting.com
Trusted Zone: 05p.com
Trusted Zone: frame.crazywinnings.com
Trusted Zone: scoobidoo.com
Trusted Zone: static.topconverting.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124161126531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.3574074074
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
AppInit_DLLs: zeyudoke.dll c:\windows\system32\
SSODL: puzibiyid - {57ac93b7-f2e0-4de0-ad88-1ecc9bfc8b26} - No File
SSODL: luhogufot - {223addae-69bf-4c09-a4fa-70761b6a2e6e} - c:\windows\system32\nonabefa.dll
STS: kupuhivus: {223addae-69bf-4c09-a4fa-70761b6a2e6e} - c:\windows\system32\nonabefa.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
LSA: Notification Packages = scecli motivepa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\art\applic~1\mozilla\firefox\profiles\wt2jk9e0.avenger9002\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R2 FlashNT;FlashNT;c:\windows\system32\drivers\FLASHNT.SYS [2005-4-3 72784]
R2 Sdselect;Sdselect;c:\windows\system32\drivers\sdselect.sys [2005-4-3 73296]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2006-12-8 72704]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [2004-5-1 19968]
S3 WrKPoET2000;WrKPoET2000;\??\c:\program files\verizon voyager\high speed internet service\winpoet\wrkpoet2000.sys --> c:\program files\verizon voyager\high speed internet service\winpoet\WrKPoET2000.sys [?]

=============== Created Last 30 ================

2009-11-04 14:00:11 0 d-----w- c:\program files\Trend Micro
2009-11-03 04:02:46 0 d-----w- C:\VundoFix Backups
2009-11-03 04:02:19 0 d-----w- c:\docume~1\art\applic~1\Malwarebytes
2009-11-03 04:02:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 04:01:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 04:01:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 04:01:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 19:38:12 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 19:34:19 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2006-12-27 04:58:51 2008 ----a-w- c:\program files\common files\cfgbak.tgb
2008-10-28 13:22:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 22:41:49.12 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 01/21/04 11:01:35 AM
System Uptime: 11/04/09 10:14:24 AM (60 hours ago)

Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | Microprocessor | 2593/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 46.859 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3529D80C5042A1
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\3529D80C5042A1
Service: NIC1394

==== System Restore Points ===================

RP1932: 08/09/09 3:00:29 AM - Software Distribution Service 3.0
RP1933: 08/10/09 3:36:10 AM - System Checkpoint
RP1934: 08/11/09 4:36:06 AM - System Checkpoint
RP1935: 08/12/09 5:36:03 AM - System Checkpoint
RP1936: 08/13/09 9:10:30 AM - System Checkpoint
RP1937: 08/14/09 3:00:28 AM - Software Distribution Service 3.0
RP1938: 08/15/09 3:20:18 AM - System Checkpoint
RP1939: 08/16/09 8:33:55 AM - System Checkpoint
RP1940: 08/17/09 8:48:48 AM - System Checkpoint
RP1941: 08/18/09 8:58:54 AM - System Checkpoint
RP1942: 08/19/09 9:12:32 AM - System Checkpoint
RP1943: 08/20/09 3:00:26 AM - Software Distribution Service 3.0
RP1944: 08/20/09 1:00:09 PM - Installed Java(TM) 6 Update 15
RP1945: 08/21/09 1:32:45 PM - System Checkpoint
RP1946: 08/22/09 2:44:40 PM - System Checkpoint
RP1947: 08/23/09 3:13:45 PM - System Checkpoint
RP1948: 08/24/09 3:32:45 PM - System Checkpoint
RP1949: 08/25/09 4:32:38 PM - System Checkpoint
RP1950: 08/26/09 3:00:17 AM - Software Distribution Service 3.0
RP1951: 08/27/09 3:32:46 AM - System Checkpoint
RP1952: 08/28/09 8:56:44 AM - System Checkpoint
RP1953: 08/29/09 9:56:34 AM - System Checkpoint
RP1954: 08/30/09 8:23:21 PM - System Checkpoint
RP1955: 08/31/09 8:27:38 PM - System Checkpoint
RP1956: 09/01/09 8:32:43 PM - System Checkpoint
RP1957: 09/02/09 3:00:23 AM - Software Distribution Service 3.0
RP1958: 09/03/09 3:09:05 AM - System Checkpoint
RP1959: 09/04/09 3:32:37 AM - System Checkpoint
RP1960: 09/05/09 4:08:40 AM - System Checkpoint
RP1961: 09/06/09 4:32:42 AM - System Checkpoint
RP1962: 09/07/09 5:32:39 AM - System Checkpoint
RP1963: 09/08/09 10:26:22 AM - System Checkpoint
RP1964: 09/09/09 1:45:23 PM - System Checkpoint
RP1965: 09/10/09 3:00:33 AM - Software Distribution Service 3.0
RP1966: 09/11/09 7:47:44 AM - System Checkpoint
RP1967: 09/12/09 8:38:13 AM - System Checkpoint
RP1968: 09/13/09 9:17:13 AM - System Checkpoint
RP1969: 09/14/09 12:18:28 PM - System Checkpoint
RP1970: 09/15/09 1:29:11 PM - System Checkpoint
RP1971: 09/16/09 2:17:06 PM - System Checkpoint
RP1972: 09/17/09 4:28:35 PM - System Checkpoint
RP1973: 09/18/09 5:09:18 PM - System Checkpoint
RP1974: 09/19/09 6:08:33 PM - System Checkpoint
RP1975: 09/20/09 10:17:36 PM - System Checkpoint
RP1976: 09/21/09 11:08:43 PM - System Checkpoint
RP1977: 09/23/09 12:08:29 AM - System Checkpoint
RP1978: 09/24/09 1:08:33 AM - System Checkpoint
RP1979: 09/25/09 1:44:18 AM - System Checkpoint
RP1980: 09/26/09 2:08:24 AM - System Checkpoint
RP1981: 09/27/09 2:14:04 AM - System Checkpoint
RP1982: 09/28/09 2:20:24 AM - System Checkpoint
RP1983: 09/29/09 2:32:22 AM - System Checkpoint
RP1984: 09/30/09 3:08:20 AM - System Checkpoint
RP1985: 10/01/09 3:14:29 AM - System Checkpoint
RP1986: 10/02/09 3:20:12 AM - System Checkpoint
RP1987: 10/03/09 5:33:26 AM - System Checkpoint
RP1988: 10/04/09 6:56:19 AM - System Checkpoint
RP1989: 10/05/09 7:08:18 AM - System Checkpoint
RP1990: 10/06/09 9:56:23 AM - System Checkpoint
RP1991: 10/07/09 10:25:11 AM - System Checkpoint
RP1992: 10/08/09 11:08:14 AM - System Checkpoint
RP1993: 10/09/09 12:09:43 PM - System Checkpoint
RP1994: 10/10/09 12:16:09 PM - System Checkpoint
RP1995: 10/11/09 6:10:34 PM - System Checkpoint
RP1996: 10/12/09 10:26:25 PM - System Checkpoint
RP1997: 10/14/09 12:58:23 AM - System Checkpoint
RP1998: 10/15/09 1:35:42 AM - System Checkpoint
RP1999: 10/16/09 3:00:37 AM - Software Distribution Service 3.0
RP2000: 10/17/09 3:23:22 AM - System Checkpoint
RP2001: 10/18/09 12:44:39 PM - System Checkpoint
RP2002: 10/19/09 7:50:22 PM - System Checkpoint
RP2003: 10/20/09 8:40:03 PM - System Checkpoint
RP2004: 10/21/09 8:56:02 PM - System Checkpoint
RP2005: 10/22/09 10:06:53 PM - System Checkpoint
RP2006: 10/23/09 10:08:31 PM - System Checkpoint
RP2007: 10/24/09 10:14:55 PM - System Checkpoint
RP2008: 10/25/09 10:54:54 PM - System Checkpoint
RP2009: 10/26/09 11:16:56 PM - System Checkpoint
RP2010: 10/28/09 8:29:32 AM - System Checkpoint
RP2011: 10/29/09 9:08:31 AM - System Checkpoint
RP2012: 10/30/09 11:33:26 AM - System Checkpoint
RP2013: 10/31/09 12:11:10 PM - System Checkpoint
RP2014: 10/31/09 3:03:38 PM - ADVANCED REGISTRY OPTIMIZER - FIRST RUN
RP2015: 11/01/09 6:53:03 PM - Restore Operation
RP2016: 11/01/09 7:11:07 PM - Restore Operation
RP2017: 11/01/09 7:24:12 PM - Restore Operation
RP2018: 11/01/09 7:37:33 PM - Restore Operation
RP2019: 11/02/09 7:48:25 PM - System Checkpoint
RP2020: 11/04/09 12:25:11 AM - System Checkpoint
RP2021: 11/04/09 4:00:35 AM - Software Distribution Service 3.0
RP2022: 11/05/09 4:19:05 AM - System Checkpoint
RP2023: 11/06/09 8:31:42 AM - System Checkpoint

==== Installed Programs ======================

2000 Lacerte Tax
2001 Lacerte Tax
2002 Lacerte Tax
2003 Lacerte Tax
2004 Lacerte Tax
2005 Lacerte Tax
5600
5600_Help
5600Trb
Ad-Aware
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Professional
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Shockwave Player
AiO_Scan
AiOSoftware
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
ATX / Kleinrock Tax Products 2006 (Remove Only)
ATX XML Printer
Banctec Service Agreement
BCM V.92 56K Modem
BufferChm
Business Complete Care Services Agreement
Client Write-Up Suite
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Dell Digital Jukebox Driver
Dell Inkjet Printer J740
Dell Media Experience
Dell Networking Guide
Dell Printer Software Uninstall
Dell Solution Center
Dell Support 5.0.0 (766)
Destinations
DeviceManagementQFolder
DJ740EN
DocProc
DS21Patch
ERUNT 1.1j
eSupportQFolder
Fax
FlashPath
Google Toolbar for Internet Explorer
GoToMyPC
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP LaserJet 2200 Uninstaller
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet
Internet Explorer Default Page
Jasc Paint Shop Pro 8
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2
Java Web Start
Java(TM) 6 Update 15
Learn2 Player (Uninstall Only)
Linsys IPSec Tool
Malwarebytes' Anti-Malware
MarketResearch
Maryland 2003 Property Tax
Maryland 2004 Property Tax
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Windows Journal Viewer
Modem Helper
Mozilla Firefox (3.5.4)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
NewCopy
NVIDIA Windows 2000/XP Display Drivers
palmOne
ProductContext
ProSeries 2005
ProSeries 2006
QuickBooks Premier: Accountant Edition 2003
QuickBooks Premier: Accountant Edition 2004
QuickBooks Premier: Accountant Edition 2006
QuickBooks Pro 2000
QuickBooks Pro 2001
QuickTime
Readme
RealPlayer
Roxio VideoWave Movie Creator
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
SolutionCenter
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live!
Spybot - Search & Destroy
Status
TextPad
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WebFldrs XP
WebReg
WexTech AnswerWorks
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WordPerfect Office 11
Yahoo! Browser Services
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/02/09 6:28:36 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8292eda0, parameter3 8292ef14, parameter4 8060567e.
11/02/09 10:31:59 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DynDNS Updater Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/01/09 8:38:12 PM, error: Service Control Manager [7034] - The QuickBooksDB service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:27:26 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:15:17 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/01/09 8:14:50 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:50 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:25 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:24 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
11/01/09 6:52:58 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/01/09 6:52:50 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
11/01/09 6:52:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
11/01/09 6:24:15 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Real-time Scanner service, but this action failed with the following error: An instance of the service is already running.
11/01/09 12:22:11 AM, error: Service Control Manager [7000] - The WMI Performance Adapter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/01/09 12:22:10 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WMI Performance Adapter service to connect.
11/01/09 12:14:30 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 000CF19264D3 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
11/01/09 10:00:10 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: Waiting for a process to open the other end of the pipe.
11/01/09 1:15:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
11/01/09 1:13:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
11/01/09 1:12:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/01/09 1:12:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk
11/01/09 1:12:07 PM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
11/01/09 1:06:23 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/01/09 1:02:36 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/31/09 9:05:34 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/31/09 3:44:27 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/31/09 12:28:49 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/31/09 12:28:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
10/31/09 12:27:12 AM, error: Service Control Manager [7000] - The DynDNS Updater Service service failed to start due to the following error: The system cannot find the file specified.
10/31/09 12:27:11 AM, error: Service Control Manager [7000] - The WinPPPoverEthernet service failed to start due to the following error: The system cannot find the file specified.
10/31/09 12:12:28 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
10/31/09 12:12:28 AM, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/30/09 9:35:17 AM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/30/09 9:27:39 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Updater Service service to connect.
10/30/09 9:27:34 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
10/30/09 12:19:26 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wscsvc service.
10/30/09 1:18:05 AM, error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 3 time(s).

==== End Of File ===========================

Blade81
2009-11-07, 10:54
Thanks for the logs. Let's continue.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

bhendrick
2009-11-07, 19:04
Here is the combofix log.......

=======================

ComboFix 09-11-06.03 - Art 11/07/09 11:16.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.185 [GMT -5:00]
Running from: c:\documents and settings\Art\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll
c:\windows\system32\Data
c:\windows\system32\drivers\etc\lmhosts
c:\windows\winhelp.ini

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 16:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-07 16:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-04 14:00 . 2009-11-04 14:00 -------- d-----w- c:\program files\Trend Micro
2009-11-04 13:58 . 2009-11-04 13:59 -------- d-----w- c:\program files\ERUNT
2009-11-03 04:02 . 2009-11-03 04:02 -------- d-----w- C:\VundoFix Backups
2009-11-03 04:02 . 2009-11-03 04:02 -------- d-----w- c:\documents and settings\Art\Application Data\Malwarebytes
2009-11-03 04:02 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 04:01 . 2009-11-03 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 04:01 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 04:01 . 2009-11-03 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 19:38 . 2009-11-02 00:26 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-31 19:38 . 2009-10-31 19:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 19:34 . 2009-11-02 00:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 19:34 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-31 19:33 . 2009-11-02 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 02:57 . 2007-05-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-02 00:35 . 2007-05-19 18:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 00:29 . 2007-05-19 20:07 -------- d-----w- c:\program files\Lavasoft
2009-10-28 19:57 . 2009-07-15 03:10 -------- d-----w- c:\program files\McAfee
2009-10-10 04:00 . 2004-04-20 10:17 -------- d-----w- c:\documents and settings\Art\Application Data\AdobeUM
2009-09-17 12:01 . 2009-07-24 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:06 . 2004-01-21 16:01 83128 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 14:22 . 2009-07-15 03:13 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-07-15 03:13 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-07-15 03:13 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-07-15 03:13 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-07-15 03:06 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 16:58 . 2009-08-20 16:58 152576 ----a-w- c:\documents and settings\Art\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2006-12-27 04:58 . 2006-12-27 04:58 2008 ----a-w- c:\program files\Common Files\cfgbak.tgb
2009-01-09 18:58 . 2009-01-09 18:58 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-01-09 18:58 . 2009-01-09 18:58 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-01-09 18:58 . 2009-01-09 18:58 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updates Notifier"="c:\program files\Common Files\Lacerte Shared\UpdNotif\UpdNotif.EXE" [2006-06-22 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-30 4800512]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"combofix"="c:\combofix\CF26407.exe" [2009-11-07 389120]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
FlashPath Monitor.lnk - c:\program files\SmartDisk\FlashPath\sdstat.exe [2005-4-3 184320]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 20:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Art^Start Menu^Programs^Startup^Palm Registration.lnk]
path=c:\documents and settings\Art\Start Menu\Programs\Startup\Palm Registration.lnk
backup=c:\windows\pss\Palm Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpsvc.exe"=
"c:\\WINDOWS\\SYSTEM32\\wscntfy.exe"=
"c:\\WINDOWS\\SYSTEM32\\rundll32.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
"c:\\Program Files\\SmartDisk\\FlashPath\\sdstat.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\WINDOWS\\SYSTEM32\\logonui.exe"=
"c:\\WINDOWS\\SYSTEM32\\winlogon.exe"=
"c:\\WINDOWS\\SYSTEM32\\lsass.exe"=

R2 FlashNT;FlashNT;c:\windows\SYSTEM32\DRIVERS\FLASHNT.SYS [04/03/05 3:53 PM 72784]
R2 Sdselect;Sdselect;c:\windows\SYSTEM32\DRIVERS\sdselect.sys [04/03/05 3:53 PM 73296]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [12/08/06 9:37 AM 72704]
S3 VisorUsb;Handspring USB;c:\windows\SYSTEM32\DRIVERS\VisorUsb.sys [05/01/04 2:22 PM 19968]
S3 WrKPoET2000;WrKPoET2000;\??\c:\program files\Verizon Voyager\High Speed Internet Service\WinPoET\WrKPoET2000.sys --> c:\program files\Verizon Voyager\High Speed Internet Service\WinPoET\WrKPoET2000.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-15 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-15 16:22]

2009-11-02 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-02 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\Verizon Voyager\High Speed Internet Service\ControlPad\Misc\a_menu.exe
Trusted Zone: frame.crazywinnings.com
Trusted Zone: static.topconverting.com
Trusted Zone: 05p.com
Trusted Zone: frame.crazywinnings.com
Trusted Zone: scoobidoo.com
Trusted Zone: static.topconverting.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Art\Application Data\Mozilla\Firefox\Profiles\wt2jk9e0.avenger9002\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
- - - - ORPHANS REMOVED - - - -

BHO-{9c51076b-4847-4376-9a81-3e4539fdf8ea} - dubozoje.dll
HKLM-Run-vizuhadud - c:\windows\system32\bolizude.dll
SharedTaskScheduler-{223addae-69bf-4c09-a4fa-70761b6a2e6e} - c:\windows\system32\nonabefa.dll
SSODL-puzibiyid-{57ac93b7-f2e0-4de0-ad88-1ecc9bfc8b26} - (no file)
SSODL-luhogufot-{223addae-69bf-4c09-a4fa-70761b6a2e6e} - c:\windows\system32\nonabefa.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 12:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\progra~1\Intuit\QUC22A~1\QBDBMgrN.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\proquota.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Citrix\GoToMyPC\g2mainh.exe
c:\program files\Citrix\GoToMyPC\g2host.exe
c:\program files\Citrix\GoToMyPC\g2printh.exe
c:\program files\Citrix\GoToMyPC\g2audioh.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
.
**************************************************************************
.
Completion time: 2009-11-07 13:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 17:59
ComboFix2.txt 2008-01-20 21:33

Pre-Run: 50,283,196,416 bytes free
Post-Run: 50,428,428,288 bytes free

- - End Of File - - C36772BC6E9BFF27CB8022334D3FBE32

bhendrick
2009-11-07, 22:24
new DDS log................
PC is reeeealllly slow!

===================


DDS (Ver_09-10-26.01) - NTFSx86
Run by Art at 16:18:19.62 on 11/07/09
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.88 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Art\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [Updates Notifier] c:\program files\common files\lacerte shared\updnotif\UpdNotif.EXE
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flashp~1.lnk - c:\program files\smartdisk\flashpath\sdstat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: <NO NAME> =
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\verizon voyager\high speed internet service\controlpad\misc\a_menu.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: frame.crazywinnings.com
Trusted Zone: static.topconverting.com
Trusted Zone: 05p.com
Trusted Zone: frame.crazywinnings.com
Trusted Zone: scoobidoo.com
Trusted Zone: static.topconverting.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124161126531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.3574074074
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\art\applic~1\mozilla\firefox\profiles\wt2jk9e0.avenger9002\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R2 FlashNT;FlashNT;c:\windows\system32\drivers\FLASHNT.SYS [2005-4-3 72784]
R2 Sdselect;Sdselect;c:\windows\system32\drivers\sdselect.sys [2005-4-3 73296]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2006-12-8 72704]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [2004-5-1 19968]
S3 WrKPoET2000;WrKPoET2000;\??\c:\program files\verizon voyager\high speed internet service\winpoet\wrkpoet2000.sys --> c:\program files\verizon voyager\high speed internet service\winpoet\WrKPoET2000.sys [?]

=============== Created Last 30 ================

2009-11-07 16:56:36 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-07 16:56:36 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-07 16:04:10 0 d-sha-r- C:\cmdcons
2009-11-07 16:01:41 77312 ----a-w- c:\windows\MBR.exe
2009-11-07 16:01:40 98816 ----a-w- c:\windows\sed.exe
2009-11-07 16:01:40 267264 ----a-w- c:\windows\PEV.exe
2009-11-07 16:01:40 161792 ----a-w- c:\windows\SWREG.exe
2009-11-04 14:00:11 0 d-----w- c:\program files\Trend Micro
2009-11-03 04:02:46 0 d-----w- C:\VundoFix Backups
2009-11-03 04:02:19 0 d-----w- c:\docume~1\art\applic~1\Malwarebytes
2009-11-03 04:02:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 04:01:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 04:01:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 04:01:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 19:38:12 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 19:34:19 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2006-12-27 04:58:51 2008 ----a-w- c:\program files\common files\cfgbak.tgb
2008-10-28 13:22:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 16:23:40.23 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 01/21/04 11:01:35 AM
System Uptime: 11/07/09 2:07:32 PM (2 hours ago)

Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | Microprocessor | 2593/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 47.001 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3529D80C5042A1
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\3529D80C5042A1
Service: NIC1394

==== System Restore Points ===================

RP1933: 08/10/09 3:36:10 AM - System Checkpoint
RP1934: 08/11/09 4:36:06 AM - System Checkpoint
RP1935: 08/12/09 5:36:03 AM - System Checkpoint
RP1936: 08/13/09 9:10:30 AM - System Checkpoint
RP1937: 08/14/09 3:00:28 AM - Software Distribution Service 3.0
RP1938: 08/15/09 3:20:18 AM - System Checkpoint
RP1939: 08/16/09 8:33:55 AM - System Checkpoint
RP1940: 08/17/09 8:48:48 AM - System Checkpoint
RP1941: 08/18/09 8:58:54 AM - System Checkpoint
RP1942: 08/19/09 9:12:32 AM - System Checkpoint
RP1943: 08/20/09 3:00:26 AM - Software Distribution Service 3.0
RP1944: 08/20/09 1:00:09 PM - Installed Java(TM) 6 Update 15
RP1945: 08/21/09 1:32:45 PM - System Checkpoint
RP1946: 08/22/09 2:44:40 PM - System Checkpoint
RP1947: 08/23/09 3:13:45 PM - System Checkpoint
RP1948: 08/24/09 3:32:45 PM - System Checkpoint
RP1949: 08/25/09 4:32:38 PM - System Checkpoint
RP1950: 08/26/09 3:00:17 AM - Software Distribution Service 3.0
RP1951: 08/27/09 3:32:46 AM - System Checkpoint
RP1952: 08/28/09 8:56:44 AM - System Checkpoint
RP1953: 08/29/09 9:56:34 AM - System Checkpoint
RP1954: 08/30/09 8:23:21 PM - System Checkpoint
RP1955: 08/31/09 8:27:38 PM - System Checkpoint
RP1956: 09/01/09 8:32:43 PM - System Checkpoint
RP1957: 09/02/09 3:00:23 AM - Software Distribution Service 3.0
RP1958: 09/03/09 3:09:05 AM - System Checkpoint
RP1959: 09/04/09 3:32:37 AM - System Checkpoint
RP1960: 09/05/09 4:08:40 AM - System Checkpoint
RP1961: 09/06/09 4:32:42 AM - System Checkpoint
RP1962: 09/07/09 5:32:39 AM - System Checkpoint
RP1963: 09/08/09 10:26:22 AM - System Checkpoint
RP1964: 09/09/09 1:45:23 PM - System Checkpoint
RP1965: 09/10/09 3:00:33 AM - Software Distribution Service 3.0
RP1966: 09/11/09 7:47:44 AM - System Checkpoint
RP1967: 09/12/09 8:38:13 AM - System Checkpoint
RP1968: 09/13/09 9:17:13 AM - System Checkpoint
RP1969: 09/14/09 12:18:28 PM - System Checkpoint
RP1970: 09/15/09 1:29:11 PM - System Checkpoint
RP1971: 09/16/09 2:17:06 PM - System Checkpoint
RP1972: 09/17/09 4:28:35 PM - System Checkpoint
RP1973: 09/18/09 5:09:18 PM - System Checkpoint
RP1974: 09/19/09 6:08:33 PM - System Checkpoint
RP1975: 09/20/09 10:17:36 PM - System Checkpoint
RP1976: 09/21/09 11:08:43 PM - System Checkpoint
RP1977: 09/23/09 12:08:29 AM - System Checkpoint
RP1978: 09/24/09 1:08:33 AM - System Checkpoint
RP1979: 09/25/09 1:44:18 AM - System Checkpoint
RP1980: 09/26/09 2:08:24 AM - System Checkpoint
RP1981: 09/27/09 2:14:04 AM - System Checkpoint
RP1982: 09/28/09 2:20:24 AM - System Checkpoint
RP1983: 09/29/09 2:32:22 AM - System Checkpoint
RP1984: 09/30/09 3:08:20 AM - System Checkpoint
RP1985: 10/01/09 3:14:29 AM - System Checkpoint
RP1986: 10/02/09 3:20:12 AM - System Checkpoint
RP1987: 10/03/09 5:33:26 AM - System Checkpoint
RP1988: 10/04/09 6:56:19 AM - System Checkpoint
RP1989: 10/05/09 7:08:18 AM - System Checkpoint
RP1990: 10/06/09 9:56:23 AM - System Checkpoint
RP1991: 10/07/09 10:25:11 AM - System Checkpoint
RP1992: 10/08/09 11:08:14 AM - System Checkpoint
RP1993: 10/09/09 12:09:43 PM - System Checkpoint
RP1994: 10/10/09 12:16:09 PM - System Checkpoint
RP1995: 10/11/09 6:10:34 PM - System Checkpoint
RP1996: 10/12/09 10:26:25 PM - System Checkpoint
RP1997: 10/14/09 12:58:23 AM - System Checkpoint
RP1998: 10/15/09 1:35:42 AM - System Checkpoint
RP1999: 10/16/09 3:00:37 AM - Software Distribution Service 3.0
RP2000: 10/17/09 3:23:22 AM - System Checkpoint
RP2001: 10/18/09 12:44:39 PM - System Checkpoint
RP2002: 10/19/09 7:50:22 PM - System Checkpoint
RP2003: 10/20/09 8:40:03 PM - System Checkpoint
RP2004: 10/21/09 8:56:02 PM - System Checkpoint
RP2005: 10/22/09 10:06:53 PM - System Checkpoint
RP2006: 10/23/09 10:08:31 PM - System Checkpoint
RP2007: 10/24/09 10:14:55 PM - System Checkpoint
RP2008: 10/25/09 10:54:54 PM - System Checkpoint
RP2009: 10/26/09 11:16:56 PM - System Checkpoint
RP2010: 10/28/09 8:29:32 AM - System Checkpoint
RP2011: 10/29/09 9:08:31 AM - System Checkpoint
RP2012: 10/30/09 11:33:26 AM - System Checkpoint
RP2013: 10/31/09 12:11:10 PM - System Checkpoint
RP2014: 10/31/09 3:03:38 PM - ADVANCED REGISTRY OPTIMIZER - FIRST RUN
RP2015: 11/01/09 6:53:03 PM - Restore Operation
RP2016: 11/01/09 7:11:07 PM - Restore Operation
RP2017: 11/01/09 7:24:12 PM - Restore Operation
RP2018: 11/01/09 7:37:33 PM - Restore Operation
RP2019: 11/02/09 7:48:25 PM - System Checkpoint
RP2020: 11/04/09 12:25:11 AM - System Checkpoint
RP2021: 11/04/09 4:00:35 AM - Software Distribution Service 3.0
RP2022: 11/05/09 4:19:05 AM - System Checkpoint
RP2023: 11/06/09 8:31:42 AM - System Checkpoint
RP2024: 11/07/09 9:19:04 AM - System Checkpoint

==== Installed Programs ======================

2000 Lacerte Tax
2001 Lacerte Tax
2002 Lacerte Tax
2003 Lacerte Tax
2004 Lacerte Tax
2005 Lacerte Tax
5600
5600_Help
5600Trb
Ad-Aware
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Professional
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Shockwave Player
AiO_Scan
AiOSoftware
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
ATX / Kleinrock Tax Products 2006 (Remove Only)
ATX XML Printer
Banctec Service Agreement
BCM V.92 56K Modem
BufferChm
Business Complete Care Services Agreement
Client Write-Up Suite
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Dell Digital Jukebox Driver
Dell Inkjet Printer J740
Dell Media Experience
Dell Networking Guide
Dell Printer Software Uninstall
Dell Solution Center
Dell Support 5.0.0 (766)
Destinations
DeviceManagementQFolder
DJ740EN
DocProc
DS21Patch
ERUNT 1.1j
eSupportQFolder
Fax
FlashPath
Google Toolbar for Internet Explorer
GoToMyPC
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP LaserJet 2200 Uninstaller
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet
Internet Explorer Default Page
Jasc Paint Shop Pro 8
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2
Java Web Start
Java(TM) 6 Update 15
Learn2 Player (Uninstall Only)
Linsys IPSec Tool
Malwarebytes' Anti-Malware
MarketResearch
Maryland 2003 Property Tax
Maryland 2004 Property Tax
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Windows Journal Viewer
Modem Helper
Mozilla Firefox (3.5.4)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
NewCopy
NVIDIA Windows 2000/XP Display Drivers
palmOne
ProductContext
ProSeries 2005
ProSeries 2006
QuickBooks Premier: Accountant Edition 2003
QuickBooks Premier: Accountant Edition 2004
QuickBooks Premier: Accountant Edition 2006
QuickBooks Pro 2000
QuickBooks Pro 2001
QuickTime
Readme
RealPlayer
Roxio VideoWave Movie Creator
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
SolutionCenter
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live!
Spybot - Search & Destroy
Status
TextPad
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WebFldrs XP
WebReg
WexTech AnswerWorks
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WordPerfect Office 11
Yahoo! Browser Services
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/07/09 1:32:52 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/02/09 6:28:36 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8292eda0, parameter3 8292ef14, parameter4 8060567e.
11/02/09 10:31:59 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DynDNS Updater Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/01/09 8:38:12 PM, error: Service Control Manager [7034] - The QuickBooksDB service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:27:26 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:15:17 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/01/09 8:14:50 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:50 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:25 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:24 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
11/01/09 7:03:14 PM, error: Service Control Manager [7000] - The DynDNS Updater Service service failed to start due to the following error: The system cannot find the file specified.
11/01/09 7:03:13 PM, error: Service Control Manager [7000] - The WinPPPoverEthernet service failed to start due to the following error: The system cannot find the file specified.
11/01/09 6:52:58 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/01/09 6:52:50 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
11/01/09 6:52:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
11/01/09 6:36:17 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/01/09 6:24:15 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Real-time Scanner service, but this action failed with the following error: An instance of the service is already running.
11/01/09 6:23:15 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/01/09 6:16:45 PM, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/01/09 6:16:43 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
11/01/09 6:11:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/01/09 12:22:11 AM, error: Service Control Manager [7000] - The WMI Performance Adapter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/01/09 12:22:10 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WMI Performance Adapter service to connect.
11/01/09 10:00:10 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: Waiting for a process to open the other end of the pipe.
11/01/09 1:15:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
11/01/09 1:15:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
11/01/09 1:12:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk
11/01/09 1:12:07 PM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
11/01/09 1:11:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 000CF19264D3 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
11/01/09 1:06:23 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/01/09 1:02:36 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/31/09 9:05:34 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/31/09 12:28:49 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/31/09 12:28:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

==== End Of File ===========================

Blade81
2009-11-07, 23:20
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



DDS::
mSearch Bar = about:blank
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: frame.crazywinnings.com
Trusted Zone: static.topconverting.com
Trusted Zone: 05p.com
Trusted Zone: frame.crazywinnings.com
Trusted Zone: scoobidoo.com
Trusted Zone: static.topconverting.com
FileLook::
c:\program files\common files\cfgbak.tgb
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Do you use Adobe Acrobat for anything other than converting files to PDFs?


Uninstall your current Adobe Shockwave Player & Shockwave instances and get the fresh one here (http://get.adobe.com/shockwave/) if needed.

Uninstall vulnerable Flash versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 17 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix log. Also, start MBAM, update its definitions on the Update tab and run a quick scan. Post back the results.
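The CFScript above targets a recognisable set of loading points: hostnames pushed into IE's Trusted Zone, an orphaned explorer bar entry ("No File"), and a Security Center override value. The following is an added example, not a tool from this thread or from ComboFix/DDS, showing how an analyst can triage the same classes of entries from pasted log text before deciding what goes into a script. The line formats it parses (the `Trusted Zone:` and `EB:` lines, `[key]` headers and REGEDIT4-style `"name"=dword:` values, plus ComboFix's `"EnableFirewall"= 0 (0x0)` form) are taken from the logs in this thread; the sample log embedded below is constructed for the example, the flag rules are the example's own assumptions, and every flag is a prompt to verify rather than a verdict.

```python
"""Triage helper for HijackThis/DDS/ComboFix-style log lines (added example).

Flags the entry classes the CFScript in this thread targets:
  * hostnames added to IE's Trusted Zone,
  * loading points whose file is gone ("- No File"),
  * Security Center / Windows Firewall override values.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    category: str   # trusted_zone | orphaned_entry | security_override
    detail: str     # hostname, entry type, or a human-readable reason
    line: str       # the log line that triggered the finding


# "Trusted Zone: frame.crazywinnings.com"
_TRUSTED_ZONE = re.compile(r"^Trusted Zone:\s*(\S+)", re.I)
# "EB: {guid} - No File"  (also matches BHO/O2-style lines ending in No File)
_NO_FILE = re.compile(r"^(\S+):.*-\s*No File\s*$", re.I)
# "[HKEY_LOCAL_MACHINE\software\microsoft\security center]"
_REG_KEY = re.compile(r"^\[(.+)\]$")
# '"AntiVirusOverride"=dword:00000001'  or  '"EnableFirewall"= 0 (0x0)'
_REG_VALUE = re.compile(
    r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-f]{8})|(\d+)\s*\(0x[0-9a-f]+\))', re.I)

# value name -> (lowercase key fragment it must live under, value that is
# suspicious, reason). Assumed rules for the example, not a vendor list.
_RISKY_VALUES = {
    "antivirusoverride": ("security center", 1,
                          "Security Center AV warnings suppressed"),
    "firewalloverride":  ("security center", 1,
                          "Security Center firewall warnings suppressed"),
    "disablemonitoring": ("security center\\monitoring", 1,
                          "Security Center told not to monitor this product"),
    "enablefirewall":    ("firewallpolicy", 0,
                          "Windows Firewall disabled for this profile"),
}


def triage(log_text: str) -> List[Finding]:
    """Scan log text line by line and return the entries worth a second look."""
    findings: List[Finding] = []
    current_key = ""  # most recent [registry key] header, lowercased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = _TRUSTED_ZONE.match(line)
        if m:
            findings.append(Finding("trusted_zone", m.group(1).lower(), line))
            continue
        m = _NO_FILE.match(line)
        if m:
            findings.append(Finding("orphaned_entry", m.group(1), line))
            continue
        m = _REG_VALUE.match(line)
        if m:
            name = m.group(1).lower()
            value = int(m.group(2), 16) if m.group(2) else int(m.group(3))
            rule = _RISKY_VALUES.get(name)
            if rule and rule[0] in current_key and value == rule[1]:
                findings.append(Finding("security_override", rule[2], line))
    return findings


def trusted_hosts(findings: List[Finding]) -> List[str]:
    """Unique Trusted Zone hostnames, deduplicated (the CFScript lists some twice)."""
    return sorted({f.detail for f in findings if f.category == "trusted_zone"})


# Constructed sample in the thread's log formats; the override values show the
# state a script like the one above would be correcting.
SAMPLE_LOG = """\
mSearch Bar = about:blank
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: frame.crazywinnings.com
Trusted Zone: static.topconverting.com
Trusted Zone: 05p.com
Trusted Zone: frame.crazywinnings.com
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"swg"="c:\\program files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe" [2009-04-10 68856]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:18} {f.detail:45} <- {f.line}")
    print("Trusted Zone hosts:", ", ".join(trusted_hosts(triage(SAMPLE_LOG))))
```

Two caveats when reading the output: a third-party suite such as McAfee legitimately sets `DisableMonitoring` for its own products, and a third-party firewall normally leaves the Windows Firewall profile disabled, so those two flags need to be checked against what is actually installed before anything is scripted. Trusted Zone additions for domains nobody recognises, and loading points whose file is gone, are the items that usually warrant removal.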

bhendrick
2009-11-08, 05:16
removed and installed new flash and shockwave
removed all old versions of JRE
installed new JRE
completed all other except Kaspersky. It's still running. 2 hours... only 15% done. Will post that log in the morning.





==========combofix log =========
ComboFix 09-11-07.02 - Art 11/07/09 18:04.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.196 [GMT -5:00]
Running from: c:\documents and settings\Art\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Art\Desktop\cleanup\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 16:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-07 16:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-04 14:00 . 2009-11-04 14:00 -------- d-----w- c:\program files\Trend Micro
2009-11-04 13:58 . 2009-11-04 13:59 -------- d-----w- c:\program files\ERUNT
2009-11-03 04:02 . 2009-11-03 04:02 -------- d-----w- C:\VundoFix Backups
2009-11-03 04:02 . 2009-11-03 04:02 -------- d-----w- c:\documents and settings\Art\Application Data\Malwarebytes
2009-11-03 04:02 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 04:01 . 2009-11-03 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 04:01 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 04:01 . 2009-11-03 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 19:38 . 2009-11-02 00:26 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-31 19:38 . 2009-10-31 19:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 19:34 . 2009-11-02 00:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 19:34 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-31 19:33 . 2009-11-02 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 02:57 . 2007-05-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-02 00:35 . 2007-05-19 18:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 00:29 . 2007-05-19 20:07 -------- d-----w- c:\program files\Lavasoft
2009-10-28 19:57 . 2009-07-15 03:10 -------- d-----w- c:\program files\McAfee
2009-10-10 04:00 . 2004-04-20 10:17 -------- d-----w- c:\documents and settings\Art\Application Data\AdobeUM
2009-09-17 12:01 . 2009-07-24 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:06 . 2004-01-21 16:01 83128 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 14:22 . 2009-07-15 03:13 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-07-15 03:13 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-07-15 03:13 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-07-15 03:13 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-07-15 03:06 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 16:58 . 2009-08-20 16:58 152576 ----a-w- c:\documents and settings\Art\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2006-12-27 04:58 . 2006-12-27 04:58 2008 ----a-w- c:\program files\Common Files\cfgbak.tgb
2009-01-09 18:58 . 2009-01-09 18:58 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-01-09 18:58 . 2009-01-09 18:58 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-01-09 18:58 . 2009-01-09 18:58 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\program files\common files\cfgbak.tgb ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 2008
Created time: 2006-12-27 04:58
Modified time: 2006-12-27 04:58
MD5: 85587E9BE19C1850A46EC021B1C07DA8
SHA1: A66D83CAFB041FA2B3F8C7F55A27E363215F8F93


((((((((((((((((((((((((((((( SnapShot@2009-11-07_17.09.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 18:13 . 2009-11-07 18:13 16384 c:\windows\Temp\Perflib_Perfdata_7c4.dat
- 2009-11-07 17:04 . 2009-11-07 17:04 16384 c:\windows\Temp\Perflib_Perfdata_730.dat
+ 2009-11-07 18:08 . 2009-11-07 18:08 16384 c:\windows\Temp\Perflib_Perfdata_730.dat
+ 2003-10-16 21:50 . 2009-11-07 21:59 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2003-10-16 21:50 . 2009-11-07 17:24 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-11-07 21:55 . 2009-11-07 21:59 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2003-10-16 21:50 . 2009-11-07 17:24 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updates Notifier"="c:\program files\Common Files\Lacerte Shared\UpdNotif\UpdNotif.EXE" [2006-06-22 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-30 4800512]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
FlashPath Monitor.lnk - c:\program files\SmartDisk\FlashPath\sdstat.exe [2005-4-3 184320]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 20:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Art^Start Menu^Programs^Startup^Palm Registration.lnk]
path=c:\documents and settings\Art\Start Menu\Programs\Startup\Palm Registration.lnk
backup=c:\windows\pss\Palm Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpsvc.exe"=
"c:\\WINDOWS\\SYSTEM32\\wscntfy.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
"c:\\Program Files\\SmartDisk\\FlashPath\\sdstat.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

R2 FlashNT;FlashNT;c:\windows\SYSTEM32\DRIVERS\FLASHNT.SYS [04/03/05 3:53 PM 72784]
R2 Sdselect;Sdselect;c:\windows\SYSTEM32\DRIVERS\sdselect.sys [04/03/05 3:53 PM 73296]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [12/08/06 9:37 AM 72704]
S3 VisorUsb;Handspring USB;c:\windows\SYSTEM32\DRIVERS\VisorUsb.sys [05/01/04 2:22 PM 19968]
S3 WrKPoET2000;WrKPoET2000;\??\c:\program files\Verizon Voyager\High Speed Internet Service\WinPoET\WrKPoET2000.sys --> c:\program files\Verizon Voyager\High Speed Internet Service\WinPoET\WrKPoET2000.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-15 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-15 16:22]

2009-11-02 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-02 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\Verizon Voyager\High Speed Internet Service\ControlPad\Misc\a_menu.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Art\Application Data\Mozilla\Firefox\Profiles\wt2jk9e0.avenger9002\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 18:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-07 18:42
ComboFix-quarantined-files.txt 2009-11-07 23:42
ComboFix2.txt 2009-11-07 18:00
ComboFix3.txt 2008-01-20 21:33

Pre-Run: 50,530,721,792 bytes free
Post-Run: 50,482,663,424 bytes free

- - End Of File - - 9E33888C08FB669883E4D1BC7D746566





==========DDS log ==========

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 01/21/04 11:01:35 AM
System Uptime: 11/07/09 2:07:32 PM (9 hours ago)

Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | Microprocessor | 2593/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 47.501 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3529D80C5042A1
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\3529D80C5042A1
Service: NIC1394

==== System Restore Points ===================

RP1949: 08/25/09 4:32:38 PM - System Checkpoint
RP1950: 08/26/09 3:00:17 AM - Software Distribution Service 3.0
RP1951: 08/27/09 3:32:46 AM - System Checkpoint
RP1952: 08/28/09 8:56:44 AM - System Checkpoint
RP1953: 08/29/09 9:56:34 AM - System Checkpoint
RP1954: 08/30/09 8:23:21 PM - System Checkpoint
RP1955: 08/31/09 8:27:38 PM - System Checkpoint
RP1956: 09/01/09 8:32:43 PM - System Checkpoint
RP1957: 09/02/09 3:00:23 AM - Software Distribution Service 3.0
RP1958: 09/03/09 3:09:05 AM - System Checkpoint
RP1959: 09/04/09 3:32:37 AM - System Checkpoint
RP1960: 09/05/09 4:08:40 AM - System Checkpoint
RP1961: 09/06/09 4:32:42 AM - System Checkpoint
RP1962: 09/07/09 5:32:39 AM - System Checkpoint
RP1963: 09/08/09 10:26:22 AM - System Checkpoint
RP1964: 09/09/09 1:45:23 PM - System Checkpoint
RP1965: 09/10/09 3:00:33 AM - Software Distribution Service 3.0
RP1966: 09/11/09 7:47:44 AM - System Checkpoint
RP1967: 09/12/09 8:38:13 AM - System Checkpoint
RP1968: 09/13/09 9:17:13 AM - System Checkpoint
RP1969: 09/14/09 12:18:28 PM - System Checkpoint
RP1970: 09/15/09 1:29:11 PM - System Checkpoint
RP1971: 09/16/09 2:17:06 PM - System Checkpoint
RP1972: 09/17/09 4:28:35 PM - System Checkpoint
RP1973: 09/18/09 5:09:18 PM - System Checkpoint
RP1974: 09/19/09 6:08:33 PM - System Checkpoint
RP1975: 09/20/09 10:17:36 PM - System Checkpoint
RP1976: 09/21/09 11:08:43 PM - System Checkpoint
RP1977: 09/23/09 12:08:29 AM - System Checkpoint
RP1978: 09/24/09 1:08:33 AM - System Checkpoint
RP1979: 09/25/09 1:44:18 AM - System Checkpoint
RP1980: 09/26/09 2:08:24 AM - System Checkpoint
RP1981: 09/27/09 2:14:04 AM - System Checkpoint
RP1982: 09/28/09 2:20:24 AM - System Checkpoint
RP1983: 09/29/09 2:32:22 AM - System Checkpoint
RP1984: 09/30/09 3:08:20 AM - System Checkpoint
RP1985: 10/01/09 3:14:29 AM - System Checkpoint
RP1986: 10/02/09 3:20:12 AM - System Checkpoint
RP1987: 10/03/09 5:33:26 AM - System Checkpoint
RP1988: 10/04/09 6:56:19 AM - System Checkpoint
RP1989: 10/05/09 7:08:18 AM - System Checkpoint
RP1990: 10/06/09 9:56:23 AM - System Checkpoint
RP1991: 10/07/09 10:25:11 AM - System Checkpoint
RP1992: 10/08/09 11:08:14 AM - System Checkpoint
RP1993: 10/09/09 12:09:43 PM - System Checkpoint
RP1994: 10/10/09 12:16:09 PM - System Checkpoint
RP1995: 10/11/09 6:10:34 PM - System Checkpoint
RP1996: 10/12/09 10:26:25 PM - System Checkpoint
RP1997: 10/14/09 12:58:23 AM - System Checkpoint
RP1998: 10/15/09 1:35:42 AM - System Checkpoint
RP1999: 10/16/09 3:00:37 AM - Software Distribution Service 3.0
RP2000: 10/17/09 3:23:22 AM - System Checkpoint
RP2001: 10/18/09 12:44:39 PM - System Checkpoint
RP2002: 10/19/09 7:50:22 PM - System Checkpoint
RP2003: 10/20/09 8:40:03 PM - System Checkpoint
RP2004: 10/21/09 8:56:02 PM - System Checkpoint
RP2005: 10/22/09 10:06:53 PM - System Checkpoint
RP2006: 10/23/09 10:08:31 PM - System Checkpoint
RP2007: 10/24/09 10:14:55 PM - System Checkpoint
RP2008: 10/25/09 10:54:54 PM - System Checkpoint
RP2009: 10/26/09 11:16:56 PM - System Checkpoint
RP2010: 10/28/09 8:29:32 AM - System Checkpoint
RP2011: 10/29/09 9:08:31 AM - System Checkpoint
RP2012: 10/30/09 11:33:26 AM - System Checkpoint
RP2013: 10/31/09 12:11:10 PM - System Checkpoint
RP2014: 10/31/09 3:03:38 PM - ADVANCED REGISTRY OPTIMIZER - FIRST RUN
RP2015: 11/01/09 6:53:03 PM - Restore Operation
RP2016: 11/01/09 7:11:07 PM - Restore Operation
RP2017: 11/01/09 7:24:12 PM - Restore Operation
RP2018: 11/01/09 7:37:33 PM - Restore Operation
RP2019: 11/02/09 7:48:25 PM - System Checkpoint
RP2020: 11/04/09 12:25:11 AM - System Checkpoint
RP2021: 11/04/09 4:00:35 AM - Software Distribution Service 3.0
RP2022: 11/05/09 4:19:05 AM - System Checkpoint
RP2023: 11/06/09 8:31:42 AM - System Checkpoint
RP2024: 11/07/09 9:19:04 AM - System Checkpoint
RP2025: 11/07/09 8:05:19 PM - Removed Java 2 Runtime Environment, SE v1.4.1_02
RP2026: 11/07/09 8:07:00 PM - Removed Java 2 Runtime Environment, SE v1.4.2
RP2027: 11/07/09 8:09:49 PM - Removed Java(TM) 6 Update 14
RP2028: 11/07/09 8:16:46 PM - Installed Java(TM) 6 Update 17

==== Installed Programs ======================

2000 Lacerte Tax
2001 Lacerte Tax
2002 Lacerte Tax
2003 Lacerte Tax
2004 Lacerte Tax
2005 Lacerte Tax
5600
5600_Help
5600Trb
Ad-Aware
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Professional
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
AiO_Scan
AiOSoftware
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
ATX / Kleinrock Tax Products 2006 (Remove Only)
ATX XML Printer
Banctec Service Agreement
BCM V.92 56K Modem
BufferChm
Business Complete Care Services Agreement
Client Write-Up Suite
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Dell Digital Jukebox Driver
Dell Inkjet Printer J740
Dell Media Experience
Dell Networking Guide
Dell Printer Software Uninstall
Dell Solution Center
Dell Support 5.0.0 (766)
Destinations
DeviceManagementQFolder
DJ740EN
DocProc
DS21Patch
ERUNT 1.1j
eSupportQFolder
Fax
FlashPath
Google Toolbar for Internet Explorer
GoToMyPC
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP LaserJet 2200 Uninstaller
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet
Internet Explorer Default Page
Jasc Paint Shop Pro 8
Java(TM) 6 Update 17
Learn2 Player (Uninstall Only)
Linsys IPSec Tool
Malwarebytes' Anti-Malware
MarketResearch
Maryland 2003 Property Tax
Maryland 2004 Property Tax
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Windows Journal Viewer
Modem Helper
Mozilla Firefox (3.5.4)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
NewCopy
NVIDIA Windows 2000/XP Display Drivers
palmOne
ProductContext
ProSeries 2005
ProSeries 2006
QuickBooks Premier: Accountant Edition 2003
QuickBooks Premier: Accountant Edition 2004
QuickBooks Premier: Accountant Edition 2006
QuickBooks Pro 2000
QuickBooks Pro 2001
QuickTime
Readme
RealPlayer
Roxio VideoWave Movie Creator
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SolutionCenter
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live!
Spybot - Search & Destroy
Status
TextPad
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WebFldrs XP
WebReg
WexTech AnswerWorks
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WordPerfect Office 11
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

11/07/09 1:32:52 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/02/09 6:28:36 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8292eda0, parameter3 8292ef14, parameter4 8060567e.
11/02/09 10:31:59 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DynDNS Updater Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:59 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/02/09 10:31:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/01/09 8:38:12 PM, error: Service Control Manager [7034] - The QuickBooksDB service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:27:26 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:15:17 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/01/09 8:14:50 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:50 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:50 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:31 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/01/09 8:14:25 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:14:24 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
11/01/09 8:04:47 PM, error: Service Control Manager [7000] - The WinPPPoverEthernet service failed to start due to the following error: The system cannot find the file specified.
11/01/09 8:04:47 PM, error: Service Control Manager [7000] - The DynDNS Updater Service service failed to start due to the following error: The system cannot find the file specified.
11/01/09 7:38:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
11/01/09 7:38:25 PM, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/01/09 6:52:58 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/01/09 6:52:50 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
11/01/09 6:52:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
11/01/09 6:36:17 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/01/09 6:24:15 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Real-time Scanner service, but this action failed with the following error: An instance of the service is already running.
11/01/09 6:23:15 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/01/09 6:11:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/01/09 12:22:11 AM, error: Service Control Manager [7000] - The WMI Performance Adapter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/01/09 12:22:10 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WMI Performance Adapter service to connect.
11/01/09 10:00:10 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: Waiting for a process to open the other end of the pipe.
11/01/09 1:15:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
11/01/09 1:15:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
11/01/09 1:12:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk
11/01/09 1:12:07 PM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
11/01/09 1:11:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 000CF19264D3 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/31/09 9:05:34 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/31/09 12:28:49 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/31/09 12:28:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

==== End Of File ===========================

DDS (Ver_09-10-26.01) - NTFSx86
Run by Art at 23:07:15.78 on 11/07/09
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.129 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Updates Notifier] c:\program files\common files\lacerte shared\updnotif\UpdNotif.EXE
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\verizon voyager\high speed internet service\controlpad\misc\a_menu.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124161126531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.3574074074
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\art\applic~1\mozilla\firefox\profiles\wt2jk9e0.avenger9002\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\documents and settings\art\application data\mozilla\firefox\profiles\wt2jk9e0.avenger9002\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R? getPlusHelper;getPlus(R) Helper
R? Intuit Fuse Service;Intuit Fuse Service
R? VisorUsb;Handspring USB
R? WrKPoET2000;WrKPoET2000
S? FlashNT;FlashNT
S? Sdselect;Sdselect

=============== Created Last 30 ================

2009-11-08 00:18:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-08 00:01:52 0 d-----w- c:\windows\system32\Adobe
2009-11-07 16:56:36 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-07 16:56:36 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-07 16:04:10 0 d-sha-r- C:\cmdcons
2009-11-07 16:01:41 77312 ----a-w- c:\windows\MBR.exe
2009-11-07 16:01:40 98816 ----a-w- c:\windows\sed.exe
2009-11-07 16:01:40 267264 ----a-w- c:\windows\PEV.exe
2009-11-07 16:01:40 161792 ----a-w- c:\windows\SWREG.exe
2009-11-04 14:00:11 0 d-----w- c:\program files\Trend Micro
2009-11-03 04:02:46 0 d-----w- C:\VundoFix Backups
2009-11-03 04:02:19 0 d-----w- c:\docume~1\art\applic~1\Malwarebytes
2009-11-03 04:02:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 04:01:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 04:01:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 04:01:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 19:38:12 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 19:34:19 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

==================== Find3M ====================

2009-11-08 00:17:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-21 04:08:54 3598336 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2006-12-27 04:58:51 2008 ----a-w- c:\program files\common files\cfgbak.tgb
2008-10-28 13:22:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 23:11:53.10 ===============





==========MBAM log ==========
Malwarebytes' Anti-Malware 1.41
Database version: 3119
Windows 5.1.2600 Service Pack 3

11/07/09 7:50:20 PM
mbam-log-2009-11-07 (19-50-20).txt

Scan type: Quick Scan
Objects scanned: 136945
Time elapsed: 13 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

bhendrick
2009-11-08, 16:08
12 hours to complete that scan. Hopefully not to be done again!!! :bigthumb:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 8, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, November 07, 2009 23:54:12
Records in database: 3172970
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 199556
Threats found: 6
Infected objects found: 9
Suspicious objects found: 0
Scan duration: 12:33:33


File name / Threat / Threats count
C:\Documents and Settings\Art\.jpi_cache\jar\1.0\archive.jar-487b52a0-19ba9e3c.zip Infected: Trojan-Dropper.Java.Beyond.g 1
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-1dcb592e Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-70c996b2 Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-17851fbb Infected: Trojan-Downloader.Java.OpenStream.ab 1
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-4326402a Infected: Trojan-Downloader.Java.OpenStream.ab 1
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-19d2e9d3 Infected: Trojan-Downloader.Java.Agent.a 1
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-296a49bb Infected: Trojan-Downloader.Java.Agent.a 1
C:\Documents and Settings\Art\Local Settings\Application Data\Microsoft\Outlook\Outlook2.pst Infected: Trojan-Downloader.Win32.Bagle.r 1
C:\Documents and Settings\Art\Local Settings\Application Data\Microsoft\Outlook\Outlook2.pst Infected: Trojan-Downloader.Win32.Bagle.at 1

Selected area has been scanned.

Blade81
2009-11-08, 17:31
12 hours to complete that scan. Hopefully not to be done again!!! :bigthumb:
Let's hope so :laugh:

You missed this question on the last run:

Do you use Adobe Acrobat for other stuff than just converting files to pdfs?


Check emails in C:\Documents and Settings\Art\Local Settings\Application Data\Microsoft\Outlook\Outlook2.pst archive and delete suspicious looking ones.


Open Notepad and copy/paste the text in the quote box below into it:



File::
c:\program files\common files\cfgbak.tgb
C:\Documents and Settings\Art\.jpi_cache\jar\1.0\archive.jar-487b52a0-19ba9e3c.zip
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-1dcb592e
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-70c996b2
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-17851fbb
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-4326402a
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-19d2e9d3
C:\Documents and Settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-296a49bb
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log and a fresh dds.txt log. How's the system running?

bhendrick
2009-11-08, 17:56
PDF just used for PDF generation.

Running ComboFix. Will post results in about 2 hours. Gotta run for a bit.

Seems to be running better. Ran Spybot. Nothing found. MBAM found nothing.

How do I prevent this from happening? Have the Comcast McAfee Security Suite running, which has AV, firewall, spyware, etc. Should I keep Spybot running also with TeaTimer?

I have a friend's PC that is a mess. Starting to run some of this on that. Will post a separate thread later. If you have time and can work on that with me, I would be very appreciative!! Will post HJT and DDS logs... will run ComboFix, and clean up some of the other stuff also, and will post all fresh logs to start off with on that one.

Thanks so much again.

Blade81
2009-11-08, 18:39
PDF just used for PDF generation.
In that case, I recommend uninstalling Adobe Acrobat and getting one of the free alternatives here (http://pdfwriters.org/). That Adobe version is badly vulnerable, and if you want to keep using their products you have to upgrade to a newer version.


How do I prevent this from happening. Have the Comcast McAfee Security Suite running which has AV, firewall, spyware, etc. Should I keep Spybot running also with TeaTimer?
I'll give some instructions on that in the closing post after we've got the process finished :)


I have a friends pc that is a mess. Starting to run some of this on that. Will post separate thread later. If you have time and can work on that with me, I would be very appreciative!! Will post HJT and DDS logs...will run combofix, and clean up some of the other stuff also and will post all fresh logs to start off with on that one.
Post the HJT log to that new topic only. In particular, ComboFix or other fixes should not be run unless a helper asks you to do so.

bhendrick
2009-11-08, 19:47
Here is the ComboFix log.
Removing all of the Adobe Professional v6 program and updates.
Installing PDFCreator, and will install the latest Adobe Reader and keep that updated.


==========================


ComboFix 09-11-07.02 - Art 11/08/09 12:00.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.217 [GMT -5:00]
Running from: c:\documents and settings\Art\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Art\Desktop\CFScript..txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Art\.jpi_cache\jar\1.0\archive.jar-487b52a0-19ba9e3c.zip"
"c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-1dcb592e"
"c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-70c996b2"
"c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-17851fbb"
"c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-4326402a"
"c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-19d2e9d3"
"c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-296a49bb"
"c:\program files\common files\cfgbak.tgb"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Art\.jpi_cache\jar\1.0\archive.jar-487b52a0-19ba9e3c.zip
c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-1dcb592e
c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-70c996b2
c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-17851fbb
c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-4326402a
c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-19d2e9d3
c:\documents and settings\Art\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-296a49bb
c:\program files\common files\cfgbak.tgb

.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-08 00:01 . 2009-11-08 00:01 -------- d-----w- c:\windows\system32\Adobe
2009-11-07 16:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-07 16:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-04 14:00 . 2009-11-04 14:00 -------- d-----w- c:\program files\Trend Micro
2009-11-04 13:58 . 2009-11-04 13:59 -------- d-----w- c:\program files\ERUNT
2009-11-03 04:02 . 2009-11-03 04:02 -------- d-----w- C:\VundoFix Backups
2009-11-03 04:02 . 2009-11-03 04:02 -------- d-----w- c:\documents and settings\Art\Application Data\Malwarebytes
2009-11-03 04:02 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 04:01 . 2009-11-03 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 04:01 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 04:01 . 2009-11-03 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 19:38 . 2009-11-02 00:26 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-31 19:38 . 2009-10-31 19:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 19:34 . 2009-11-02 00:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 19:34 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-31 19:33 . 2009-11-02 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 00:17 . 2009-06-24 20:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-08 00:14 . 2004-01-25 04:27 -------- d-----w- c:\program files\Yahoo!
2009-11-08 00:13 . 2006-07-14 20:25 -------- d-----w- c:\documents and settings\Art\Application Data\Yahoo!
2009-11-08 00:13 . 2005-09-26 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-11-08 00:05 . 2004-01-15 02:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 00:05 . 2004-01-15 01:33 -------- d-----w- c:\program files\Java
2009-11-02 02:57 . 2007-05-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-02 00:35 . 2007-05-19 18:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 00:29 . 2007-05-19 20:07 -------- d-----w- c:\program files\Lavasoft
2009-10-28 19:57 . 2009-07-15 03:10 -------- d-----w- c:\program files\McAfee
2009-10-10 04:00 . 2004-04-20 10:17 -------- d-----w- c:\documents and settings\Art\Application Data\AdobeUM
2009-09-17 12:01 . 2009-07-24 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:06 . 2004-01-21 16:01 83128 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 14:22 . 2009-07-15 03:13 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-07-15 03:13 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-07-15 03:13 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-07-15 03:13 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-07-15 03:06 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-02-06 22:05 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 16:58 . 2009-08-20 16:58 152576 ----a-w- c:\documents and settings\Art\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-01-09 18:58 . 2009-01-09 18:58 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-01-09 18:58 . 2009-01-09 18:58 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-01-09 18:58 . 2009-01-09 18:58 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-07_17.09.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 18:13 . 2009-11-07 18:13 16384 c:\windows\Temp\Perflib_Perfdata_7c4.dat
+ 2009-11-08 00:18 . 2009-11-08 00:18 16384 c:\windows\Temp\Perflib_Perfdata_13a4.dat
+ 2009-11-08 00:04 . 2009-11-08 00:04 84661 c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
- 2007-11-20 12:23 . 2009-07-05 16:43 84661 c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
+ 2003-10-16 21:50 . 2009-11-08 16:20 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2003-10-16 21:50 . 2009-11-07 17:24 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-11-08 02:18 . 2009-11-08 16:20 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-11-08 00:01 . 2009-11-08 00:01 87618 c:\windows\SYSTEM32\Adobe\Shockwave 11\uninstaller.exe
+ 2009-10-29 05:27 . 2009-10-29 05:27 94208 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-10-29 04:55 . 2009-10-29 04:55 79488 c:\windows\SYSTEM32\Adobe\Shockwave 11\gtapi.dll
+ 2009-10-29 05:29 . 2009-10-29 05:29 9216 c:\windows\SYSTEM32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2009-08-20 17:02 . 2009-07-25 09:23 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-11-08 00:18 . 2009-11-08 00:17 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-11-08 00:18 . 2009-11-08 00:17 145184 c:\windows\SYSTEM32\javaw.exe
- 2009-08-20 17:02 . 2009-07-25 09:23 145184 c:\windows\SYSTEM32\javaw.exe
+ 2009-11-08 00:18 . 2009-11-08 00:17 145184 c:\windows\SYSTEM32\java.exe
- 2009-08-20 17:02 . 2009-07-25 09:23 145184 c:\windows\SYSTEM32\java.exe
+ 2009-10-29 04:55 . 2009-10-29 04:55 132472 c:\windows\SYSTEM32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-10-29 05:27 . 2009-10-29 05:27 114688 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwInit.exe
+ 2009-10-29 05:43 . 2009-10-29 05:43 464312 c:\windows\SYSTEM32\Adobe\Shockwave 11\SwHelper_1152602.exe
+ 2009-10-29 05:29 . 2009-10-29 05:29 446464 c:\windows\SYSTEM32\Adobe\Shockwave 11\Proj.dll
+ 2009-10-29 05:28 . 2009-10-29 05:28 372736 c:\windows\SYSTEM32\Adobe\Shockwave 11\Plugin.dll
+ 2009-10-29 04:55 . 2009-10-29 04:55 713216 c:\windows\SYSTEM32\Adobe\Shockwave 11\gi.dll
+ 2009-10-29 05:26 . 2009-10-29 05:26 503808 c:\windows\SYSTEM32\Adobe\Shockwave 11\Control.dll
+ 2009-10-29 05:44 . 2009-10-29 05:44 210360 c:\windows\SYSTEM32\Adobe\Director\SwDir.dll
+ 2009-10-29 05:28 . 2009-10-29 05:28 131072 c:\windows\SYSTEM32\Adobe\Director\np32dsw.dll
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2009-10-29 05:01 . 2009-10-29 05:01 1011712 c:\windows\SYSTEM32\Adobe\Shockwave 11\iml32.dll
+ 2009-10-29 04:55 . 2009-10-29 04:55 1886320 c:\windows\SYSTEM32\Adobe\Shockwave 11\gt.exe
+ 2009-10-29 05:05 . 2009-10-29 05:05 1798144 c:\windows\SYSTEM32\Adobe\Shockwave 11\dirapi.dll
+ 2009-11-08 00:17 . 2009-11-08 00:17 1757696 c:\windows\Installer\1489d11.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updates Notifier"="c:\program files\Common Files\Lacerte Shared\UpdNotif\UpdNotif.EXE" [2006-06-22 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-30 4800512]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-08 149280]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
FlashPath Monitor.lnk - c:\program files\SmartDisk\FlashPath\sdstat.exe [2005-4-3 184320]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 20:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Art^Start Menu^Programs^Startup^Palm Registration.lnk]
path=c:\documents and settings\Art\Start Menu\Programs\Startup\Palm Registration.lnk
backup=c:\windows\pss\Palm Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpsvc.exe"=
"c:\\WINDOWS\\SYSTEM32\\wscntfy.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
"c:\\Program Files\\SmartDisk\\FlashPath\\sdstat.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

R2 FlashNT;FlashNT;c:\windows\SYSTEM32\DRIVERS\FLASHNT.SYS [04/03/05 3:53 PM 72784]
R2 Sdselect;Sdselect;c:\windows\SYSTEM32\DRIVERS\sdselect.sys [04/03/05 3:53 PM 73296]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [12/08/06 9:37 AM 72704]
S3 VisorUsb;Handspring USB;c:\windows\SYSTEM32\DRIVERS\VisorUsb.sys [05/01/04 2:22 PM 19968]
S3 WrKPoET2000;WrKPoET2000;\??\c:\program files\Verizon Voyager\High Speed Internet Service\WinPoET\WrKPoET2000.sys --> c:\program files\Verizon Voyager\High Speed Internet Service\WinPoET\WrKPoET2000.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-15 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-15 16:22]

2009-11-02 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-02 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\Verizon Voyager\High Speed Internet Service\ControlPad\Misc\a_menu.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Art\Application Data\Mozilla\Firefox\Profiles\wt2jk9e0.avenger9002\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 12:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2009-11-08 12:42
ComboFix-quarantined-files.txt 2009-11-08 17:42
ComboFix2.txt 2009-11-07 23:42
ComboFix3.txt 2009-11-07 18:00
ComboFix4.txt 2008-01-20 21:33

Pre-Run: 50,909,667,328 bytes free
Post-Run: 50,867,904,512 bytes free

- - End Of File - - 059042EEFBBB1B574FD6031743DE20B4

Blade81
2009-11-08, 21:34
Good. If nothing bad shows up then I have some final steps to follow next :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.



Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the run box and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.




UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen). Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. In the dropdown box, change the setting from Automatic to Manual. Click OK.
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a third-party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: uncheck during installation "Install Comodo HopSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!). Both providers have support forums that help with configuration related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
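
The Internet Explorer "Custom Level" changes listed in the post above map onto dword values under the Internet zone key in the registry. The following script is an added example (not part of the original thread): it parses a `reg export` of HKCU\...\Internet Settings\Zones\3, reports which of the six settings are weaker than the post recommends, and writes a corrective .reg fragment. The four-digit action IDs are the standard IE URL-action value names; the sample export is constructed, and machines where policy moves zone settings to HKLM are not covered.

```python
r"""Audit the IE 'Internet' zone (Zones\3) against the six Custom Level
changes recommended in the post above.

Added example, not code from the original thread. Input is a .reg export
of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
(made with: reg export "HKCU\...\Zones\3" zone3.reg). The sample export
below is constructed for this example.
"""
import re

# Zone policy values used by IE: 0 = Enable, 1 = Prompt, 3 = Disable
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABELS = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# action ID -> (name shown in the Custom Level dialog, value the post recommends)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

ZONE3_SUFFIX = r"\zones\3"
_DWORD_LINE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(reg_text):
    """Return {action_id: int} for the four-digit dword values under the Zones\\3 key only."""
    values = {}
    in_zone3 = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a key header starts a new section
            in_zone3 = line.rstrip("]").lower().endswith(ZONE3_SUFFIX)
            continue
        if not in_zone3:
            continue
        m = _DWORD_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(values):
    """Return [(action_id, name, current, recommended)] for every recommended
    setting that is weaker than, or absent from, the exported values.
    An absent value is reported because it cannot be confirmed from the export."""
    findings = []
    for action_id, (name, want) in RECOMMENDED.items():
        have = values.get(action_id)
        if have is None or STRICTNESS.get(have, -1) < STRICTNESS[want]:
            findings.append((action_id, name, have, want))
    return findings


def corrective_reg(findings):
    """Build a .reg fragment that sets each weak setting to the recommended value."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]",
    ]
    for action_id, _name, _have, want in findings:
        lines.append('"%s"=dword:%08x' % (action_id, want))
    return "\n".join(lines) + "\n"


# Constructed sample export: three settings too permissive, one (1607) missing.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000000
"""

if __name__ == "__main__":
    found = audit_zone(parse_zone_export(SAMPLE_EXPORT))
    for action_id, name, have, want in found:
        current = LABELS.get(have, "not set")
        print("%s %-60s current=%-8s recommended=%s" % (action_id, name, current, LABELS[want]))
    print(corrective_reg(found))
```

Importing the generated fragment with regedit applies the same changes the dialog steps make; re-running the audit afterwards should report nothing.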

bhendrick
2009-11-09, 00:14
finished all remaining steps. Will see how it behaves. If any issues, should I post to this? If you don't hear from me.....thanks again for all your help!!!!!!!

bhendrick
2009-11-09, 01:14
well....it's back. Rebooted...ran Spybot to make sure....virtumonde.prx is found

here is the spybot log....



--- Search result list ---
Virtumonde.prx: [SBI $F7D0370B] Autorun settings (vizuhadud) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vizuhadud


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-11-01 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-10-08 Includes\Adware.sbi (*)
2009-10-20 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2009-10-13 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-10-27 Includes\HijackersC.sbi (*)
2009-10-20 Includes\Keyloggers.sbi (*)
2009-10-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-11-03 Includes\Malware.sbi (*)
2009-11-03 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-10-20 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-11-04 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-11-03 Includes\Spyware.sbi (*)
2009-11-03 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-11-03 Includes\Trojans.sbi (*)
2009-11-03 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Security Update (KB953297)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player: Security Update for Windows Media Player (KB954155)
/ Windows Media Player: Security Update for Windows Media Player (KB968816)
/ Windows Media Player: Security Update for Windows Media Player (KB973540)
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB936782)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB958215)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB960714)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB963027)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB969897)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB972260)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB974455)
/ Windows XP / SP0: Update for Windows Internet Explorer 7 (KB976749)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB938464-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956744)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB956844)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB958869)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Security Update for Windows XP (KB960859)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961371)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Update for Windows XP (KB968389)
/ Windows XP / SP4: Security Update for Windows XP (KB968537)
/ Windows XP / SP4: Security Update for Windows XP (KB969059)
/ Windows XP / SP4: Security Update for Windows XP (KB969898)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)
/ Windows XP / SP4: Hotfix for Windows XP (KB970653-v3)
/ Windows XP / SP4: Security Update for Windows XP (KB971486)
/ Windows XP / SP4: Security Update for Windows XP (KB971557)
/ Windows XP / SP4: Security Update for Windows XP (KB971633)
/ Windows XP / SP4: Security Update for Windows XP (KB971657)
/ Windows XP / SP4: Security Update for Windows XP (KB971961)
/ Windows XP / SP4: Security Update for Windows XP (KB973346)
/ Windows XP / SP4: Security Update for Windows XP (KB973354)
/ Windows XP / SP4: Security Update for Windows XP (KB973507)
/ Windows XP / SP4: Security Update for Windows XP (KB973525)
/ Windows XP / SP4: Update for Windows XP (KB973815)
/ Windows XP / SP4: Security Update for Windows XP (KB973869)
/ Windows XP / SP4: Security Update for Windows XP (KB974112)
/ Windows XP / SP4: Security Update for Windows XP (KB974571)
/ Windows XP / SP4: Security Update for Windows XP (KB975025)
/ Windows XP / SP4: Security Update for Windows XP (KB975467)


--- Startup entries list ---
Located: HK_LM:Run, BCMSMMSG
command: BCMSMMSG.exe
file: C:\WINDOWS\BCMSMMSG.exe
size: 122880
MD5: 2D99607F21FF368C0E335A2D91A052A1

Located: HK_LM:Run, dla
command: C:\WINDOWS\system32\dla\tfswctrl.exe
file: C:\WINDOWS\system32\dla\tfswctrl.exe
size: 114741
MD5: 2BFF8A443334A034DF73D2C8D808D2A7

Located: HK_LM:Run, GoToMyPC
command: "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
file: C:\Program Files\Citrix\GoToMyPC\g2svc.exe
size: 258856
MD5: 5DC8BD56381285EBF778724983E05B33

Located: HK_LM:Run, McAfee Backup
command: "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
file: C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
size: 5134864
MD5: B00C78ECE1D0442CA3DE709492AA3C9B

Located: HK_LM:Run, mcagent_exe
command: "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
file: C:\Program Files\McAfee.com\Agent\mcagent.exe
size: 645328
MD5: F751C546A9A586A09AD64274529F8E9C

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\System32\NvCpl.dll
size: 4800512
MD5: E0963D6997BAAB1F30BAA52C41B9E455

Located: HK_LM:Run, SearchSettings
command: C:\Program Files\pdfforge Toolbar\SearchSettings.exe
file: C:\Program Files\pdfforge Toolbar\SearchSettings.exe
size: 1024512
MD5: 099353D3B19A2B9FA4664E04872AC49A

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 149280
MD5: 3A0647BDED81DBE0BCBB51D70B22C9E0

Located: HK_LM:Run, UpdReg
command: C:\WINDOWS\UpdReg.EXE
file: C:\WINDOWS\UpdReg.EXE
size: 90112
MD5: C419DF63E0121D72411285780C2FC6CC

Located: HK_LM:Run, vizuhadud
command: Rundll32.exe "c:\windows\system32\bolizude.dll",a
file: c:\windows\system32\bolizude.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2985599247-3525398264-376927324-1011...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-2985599247-3525398264-376927324-1011...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1

Located: HK_CU:Run, swg
where: S-1-5-21-2985599247-3525398264-376927324-1011...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:Run, Updates Notifier
where: S-1-5-21-2985599247-3525398264-376927324-1011...
command: C:\Program Files\Common Files\Lacerte Shared\UpdNotif\UpdNotif.EXE
file: C:\Program Files\Common Files\Lacerte Shared\UpdNotif\UpdNotif.EXE
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), FlashPath Monitor.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\SmartDisk\FlashPath\sdstat.exe
file: C:\Program Files\SmartDisk\FlashPath\sdstat.exe
size: 184320
MD5: BB33761A29BF3ADBF15048F056DD6BCC

Located: Startup (common), HOTSYNCSHORTCUTNAME.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Palm\Hotsync.exe
file: C:\Program Files\Palm\Hotsync.exe
size: 471040
MD5: F8FB2CA91F25D3EAA2CAE2F0B55FEC54

Located: Startup (common), HP Digital Imaging Monitor.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
file: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
size: 282624
MD5: 5597D0075861CB0A6E6087752D205C0D

Located: Startup (common), Microsoft Office.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5BC65464354A9FD3BEAA28E18839734A

Located: Startup (disabled), Acrobat Assistant (DISABLED)
command: C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
file: C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (disabled), America Online 9.0 Tray Icon (DISABLED)
command: C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
file: C:\PROGRA~1\AMERIC~1.0\aoltray.exe
size: 36953
MD5: 6C56AF320E0C65B14B3B36F655A5C68E

Located: Startup (disabled), Palm Registration (DISABLED)
command: C:\PROGRA~1\Palm\register.exe /remind /language=EN /INTL="true" /_NBL="true" /PRNM="Palm"
file: C:\PROGRA~1\Palm\register.exe
size: 2494464
MD5: 533773CC598066297984DCAE9788639A

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, GoToMyPC
command: C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
file: C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
size: 10536
MD5: 1992995541F0368730E66C0784A6D874

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{02478D38-C3F9-4efb-9B51-7695ECA05670} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: DriveLetterAccess
description: Hewlett-Packard's DLA software
classification: Unknown
known filename: tfswshx.dll
info link:
info source: TonyKlein
Path: C:\WINDOWS\system32\dla\
Long name: tfswshx.dll
Short name:
Date (created): 01/14/04 9:05:08 PM
Date (last access): 11/08/09 6:54:22 PM
Date (last write): 08/06/03 2:04:00 AM
Filesize: 106548
Attributes: archive
MD5: 15F6F27916A2D2AF3ABF029F6CF3037B
CRC32: 808FB6C8
Version: 1.4.5.1

{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: scriptproxy
CLSID name: scriptproxy
Path: c:\PROGRA~1\mcafee\VIRUSS~1\
Long name: scriptsn.dll
Short name:
Date (created): 07/14/09 10:13:12 PM
Date (last access): 11/08/09 6:54:22 PM
Date (last write): 09/16/09 9:22:16 AM
Filesize: 62784
Attributes: archive
MD5: 2F2D790D560CE6B8C7BC4DD6CA766A0E
CRC32: 2A4384A9
Version: 14.0.0.435

{9c51076b-4847-4376-9a81-3e4539fdf8ea} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll, googletoolbar*.dll (* = number), googletoolbar_en_*.**-big.dll, Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 12/14/07 1:47:04 PM
Date (last access): 11/08/09 6:18:54 PM
Date (last write): 12/14/07 1:47:04 PM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 4.0.1601.4978

{AE7CD045-E861-484f-8273-0445EE161910} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
description: Adobe Acrobat
classification: Legitimate
known filename: AcroIEFavClient.dll
info link: http://www.adobe.com/products/acrobatpro/main.html
info source: TonyKlein

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\
Long name: swg.dll
Short name:
Date (created): 04/09/09 7:22:24 PM
Date (last access): 11/08/09 7:05:14 PM
Date (last write): 04/09/09 7:22:24 PM
Filesize: 737776
Attributes: archive
MD5: AB32387A8F8C696A0739768B6B913714
CRC32: F4E76414
Version: 3.1.807.1746

{B922D405-6D13-4A2B-AE89-08A030DA4402} (pdfforge Toolbar)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: pdfforge Toolbar
Path: C:\Program Files\pdfforge Toolbar\
Long name: pdfforgeToolbarIE.dll
Short name: PDFFOR~1.DLL
Date (created): 07/31/09 2:00:24 AM
Date (last access): 11/08/09 7:05:14 PM
Date (last write): 07/31/09 2:00:24 AM
Filesize: 698880
Attributes: archive
MD5: 48914AF735808EC7FAD5B0452A77590B
CRC32: 611BC193
Version: 1.0.2.1

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 11/07/09 7:17:30 PM
Date (last access): 11/08/09 7:01:42 PM
Date (last write): 11/07/09 7:17:30 PM
Filesize: 41760
Attributes: archive
MD5: C9EDE29F223A27873E187D9FB6045EA6
CRC32: 5951C3E0
Version: 6.0.170.4

{E312764E-7706-43F1-8DAB-FCDD2B1E416D} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\Program Files\pdfforge Toolbar\
Long name: SearchSettings.dll
Short name: SEARCH~1.DLL
Date (created): 07/29/09 3:39:38 PM
Date (last access): 11/08/09 6:42:12 PM
Date (last write): 07/29/09 3:39:38 PM
Filesize: 1153024
Attributes: archive
MD5: D35BE77297797F2DC4D08B7B04137E21
CRC32: B6B830DC
Version: 1.2.2.2

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 11/07/09 7:17:40 PM
Date (last access): 11/08/09 7:01:42 PM
Date (last write): 11/07/09 7:17:40 PM
Filesize: 73728
Attributes: archive
MD5: DEE8F03D1EACE0C8F914A2C76568EA32
CRC32: 53F8F67C
Version: 6.0.170.4



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Adobe\Director\
Long name: SwDir.dll
Short name:
Date (created): 10/29/09 12:44:46 AM
Date (last access): 11/08/09 9:54:40 AM
Date (last write): 10/29/09 12:44:46 AM
Filesize: 210360
Attributes: archive
MD5: 435EA0E65D591E9F1DAC1C586C28745B
CRC32: 7CED2E73
Version: 11.5.2.602

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support)
DPF name:
CLSID name: Installation Support
Installer:
Codebase: C:\Program Files\Yahoo!\Common\Yinsthelper.dll
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Yahoo!\Common\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 03/15/07 9:13:06 PM
Date (last access): 11/08/09 6:48:04 AM
Date (last write): 03/15/07 9:13:06 PM
Filesize: 209448
Attributes: archive
MD5: 4380A4799E826AF03FD975B4A71E9268
CRC32: 423BF1F7
Version: 2007.3.15.1

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124161126531
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 05/26/05 3:19:32 AM
Date (last access): 11/08/09 6:05:40 PM
Date (last write): 08/06/09 6:24:18 PM
Filesize: 209632
Attributes: archive
MD5: 033AF4CE25B6D871F0DE2C982658E049
CRC32: 2C204902
Version: 7.4.7600.226

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_17.dll
Short name: NPJPI1~1.DLL
Date (created): 11/07/09 7:17:34 PM
Date (last access): 11/08/09 1:55:50 AM
Date (last write): 11/07/09 7:17:34 PM
Filesize: 136992
Attributes: archive
MD5: 3D58770680F268A23A8CE1F14B49AA2F
CRC32: 6091A816
Version: 6.0.170.4

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.3574074074
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} ()
DPF name:
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: npjpi142.dll
info link:
info source: Safer Networking Ltd.

{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ()
DPF name:
CLSID name:
Installer:
Codebase:

{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_17.dll
Short name: NPJPI1~1.DLL
Date (created): 11/07/09 7:17:34 PM
Date (last access): 11/08/09 7:13:16 PM
Date (last write): 11/07/09 7:17:34 PM
Filesize: 136992
Attributes: archive
MD5: 3D58770680F268A23A8CE1F14B49AA2F
CRC32: 6091A816
Version: 6.0.170.4

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_17.dll
Short name: NPJPI1~1.DLL
Date (created): 11/07/09 7:17:34 PM
Date (last ac

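Two things in the report above are easy to misread. The MD5 D41D8CD98F00B204E9800998ECF8427E shown on every WinLogon notify entry is the hash of zero bytes: Spybot could not open the file (the entry is a bare DLL name with no path), so the "size: 0" line says nothing about the DLL on disk. And several BHOs carry no CLSID name or description, which only means they are absent from Spybot's database, not that they are malicious. The Python script below is an added example, not part of the thread and not Spybot code: it parses this report format, flags both cases, and includes a re-hash helper for checking an unresolved file by hand. The embedded sample report is a constructed excerpt of entries from this thread.

```python
"""Triage helper for a Spybot-S&D system report in the plain-text format above.

Added example; not part of the thread and not Spybot code. It flags:
  * entries whose MD5 equals the hash of zero bytes: the scanner could not
    read the file, so the entry must be located and hashed by hand;
  * Browser Helper Objects with neither a CLSID name nor a description,
    i.e. not in the scanner's database, with or without a resolved DLL.
SAMPLE_REPORT is a constructed excerpt of entries seen in this thread.
"""
import hashlib
import re

# MD5 of empty input: the value Spybot prints when it could not read a file.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

SECTION_RE = re.compile(r"^--- (.+?) ---$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

SAMPLE_REPORT = """\
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, GoToMyPC
command: C:\\Program Files\\Citrix\\GoToMyPC\\G2WinLogon.dll
file: C:\\Program Files\\Citrix\\GoToMyPC\\G2WinLogon.dll
size: 10536
MD5: 1992995541F0368730E66C0784A6D874

--- Browser helper object list ---
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} ()
location: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\
BHO name:
CLSID name:

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\\Program Files\\Google\\GoogleToolbarNotifier\\3.1.807.1746\\
Long name: swg.dll
MD5: AB32387A8F8C696A0739768B6B913714

{E312764E-7706-43F1-8DAB-FCDD2B1E416D} ()
location: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\
BHO name:
CLSID name:
Path: C:\\Program Files\\pdfforge Toolbar\\
Long name: SearchSettings.dll
MD5: D35BE77297797F2DC4D08B7B04137E21
"""


def parse_report(text):
    """Return (section, header, fields) per blank-line-separated block.

    The first line of a block is its header ('Located: ...' or '{CLSID} (name)');
    the remaining 'key: value' lines become fields. Wrapped lines without a
    colon (the second half of the size-0 warning) are ignored.
    """
    records, section, block = [], None, []
    for line in [ln.strip() for ln in text.splitlines()] + [""]:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif line:
            block.append(line)
        elif block:
            fields = {}
            for item in block[1:]:
                if ":" in item:
                    key, value = item.split(":", 1)
                    fields[key.strip()] = value.strip()
            records.append((section, block[0], fields))
            block = []
    return records


def triage(records):
    """Return [(header, verdict)] for the entries that need manual follow-up."""
    findings = []
    for _section, header, f in records:
        md5 = f.get("MD5", "").upper()
        size = f.get("size", f.get("Filesize"))
        if md5 == EMPTY_MD5 and size == "0":
            findings.append((header, "unresolved: not hashed by the scanner, locate and hash it"))
        elif CLSID_RE.match(header) and not (f.get("CLSID name") or f.get("description")):
            where = f.get("Path", "") + f.get("Long name", "")
            detail = "file %s, MD5 %s" % (where, md5) if where else "no file resolved"
            findings.append((header, "unidentified BHO, not in the scanner's database: " + detail))
    return findings


def hash_file(path, chunk=1 << 16):
    """MD5 of a file on disk, for re-checking an 'unresolved' entry by hand."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for header, verdict in triage(parse_report(SAMPLE_REPORT)):
        print("%-62s %s" % (header, verdict))
```

Running it on the sample flags the crypt32chain entry as unresolved, the bare {5BAB4B5B-...} CLSID as unidentified with no file, and {E312764E-...} as unidentified but backed by SearchSettings.dll with a hash that can be looked up; the named Google Toolbar Notifier BHO and the fully resolved GoToMyPC notify DLL are not flagged. Paste the full report in place of the sample to triage a real log.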
bhendrick
2009-11-09, 01:16
noticed that every time I rebooted, mcafee was disabled. I would re-enable, and all would be fine.....but then it would disable. PC running slow again. Unbelievable.

Blade81
2009-11-09, 07:08
Hi,

It's the old fixed registry entry that got itself back (probably after TeaTimer was re-enabled).


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer

Save the text below as fix.reg in Notepad (Save as type: All Files (*.*)) on the Desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vizuhadud]


It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.


As for the McAfee problem, I recommend reinstalling the app. The infection may have harmed some of its components.

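The fix.reg above uses REGEDIT4's [-KEY] form, which deletes a subkey named vizuhadud. Autorun entries of this kind are often values under the Run key rather than subkeys, and REGEDIT4 deletes a value with a different line, "name"=- under the key's header. As an added example (not the fix file from the thread, and not a claim about which form was present on this machine), the Python script below writes a .reg that removes the entry in both forms; the HKCU Run key is an assumed extension beyond the HKLM key named in the thread.

```python
r"""Build a REGEDIT4 .reg file that removes an autorun entry under the Run key.

Added example, not the fix.reg posted in the thread. Two REGEDIT4 forms:
  [-HKEY_LOCAL_MACHINE\...\Run\name]   deletes the subkey 'name'
  [HKEY_LOCAL_MACHINE\...\Run]
  "name"=-                              deletes the value 'name' under Run
REGEDIT4 files are ANSI text with CRLF line endings (the
"Windows Registry Editor Version 5.00" header is the UTF-16LE variant);
backslashes and double quotes in value names are escaped as \\ and \".
The name vizuhadud and the HKLM Run key come from the thread; HKCU_RUN is
this example's own (assumed) addition.
"""
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"


def reg_escape(name):
    """Escape a value name for use inside a quoted REGEDIT4 token."""
    return name.replace("\\", "\\\\").replace('"', '\\"')


def removal_reg(names, keys=(HKLM_RUN,)):
    """Return .reg text deleting each name both as a subkey and as a value under each key."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        for name in names:
            lines += ["[-%s\\%s]" % (key, name), ""]          # subkey form
        lines.append("[%s]" % key)
        lines += ['"%s"=-' % reg_escape(name) for name in names]  # value form
        lines.append("")
    return "\r\n".join(lines)


def write_reg(path, names, keys=(HKLM_RUN,)):
    """Write the file as ANSI; cp1252 is assumed for a US-English XP install."""
    text = removal_reg(names, keys)
    with open(path, "w", encoding="cp1252", newline="") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    # Writes fix.reg in the current directory and echoes its contents.
    print(write_reg("fix.reg", ["vizuhadud"], keys=(HKLM_RUN, HKCU_RUN)))
```

Double-clicking the resulting fix.reg merges it exactly as in the steps above; Registry Editor silently ignores a deletion line whose target does not exist, so carrying both forms costs nothing. Any resident protection (TeaTimer, an on-access scanner) still has to be off while the merge runs, as noted in the post.
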
bhendrick
2009-11-09, 14:32
Disabled TT
rebooted
deleted reg key
rebooted
re-enabled TT
did NOT get any prompts to allow/deny reg changes
rebooted
the key is back again

Blade81
2009-11-09, 17:04
Hi,

Uninstall Spybot, run registry fix and then reinstall Spybot.

bhendrick
2009-11-10, 03:57
done. did not reinstall spybot yet. rebooted several times, looks good so far. registry key not reappearing. Will let him use the PC for a day to see how it performs. Will let you know tomorrow. Will reinstall spybot later if it is necessary to keep running.

thanks again!!!

Blade81
2009-11-10, 06:47
You're welcome :)

bhendrick
2009-11-11, 02:27
all set. You can close the thread!

Blade81
2009-11-11, 06:43
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a moderator a private message (PM). A valid, working link to the closed topic is required.