Help please eliminating WUAUDIT.EXE
drcurious
2013-01-04, 17:19
I have run current updates of Spybot, Malwarebytes, and have McAfee anti-virus running but I still have WUAUDIT.EXE showing in task manager. Where do I start? Thanks in advance.
Hello drcurious and welcome.
My name is JonTom
Malware Logs can sometimes take a lot of time to research and interpret.
Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
PLEASE NOTE: If you do not reply after 3 days your thread will be closed.
Let's take a look at your machine with the following scans:
Please perform the following scan
Please download DDS from here (http://download.bleepingcomputer.com/sUBs/dds.com) and save it to your desktop.
Disable any script blocking protection (How to Disable your Security Programs (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html))
Double click on the DDS icon to run the tool (may take up to 3 minutes to run). If you are running Vista or Windows 7 right click on DDS and select "Run as Administrator" to run the tool.
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.
Please post the contents of the DDS.txt and Attach.txt logs in your next reply.
aswMBR
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
Double click the aswMBR.exe to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Click the "Scan" button to start scan.
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click save log, save it to your desktop and post in your next reply.
http://public.avast.com/~gmerek/aswMBR2.png
Please post both DDS logs and the aswMBR log in your next reply.
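Once DDS.txt comes back, the helper reads it section by section looking for a few recurring indicators. The script below is an added illustration of that first pass; it is not part of this thread, DDS, or any forum tool. It assumes only the line formats visible in the log posted here (the `AV:`/`FW:` status lines, `BHO:` entries, `TCP: NameServer`, and `FF - prefs.js:` lines), and the sample input is a handful of lines copied from that log. The Firefox `network.proxy.type` meanings are the standard ones (0 direct, 1 manual, 2 PAC, 4 auto-detect, 5 system).

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input: lines copied from the DDS log posted in this
# thread, trimmed to the entries the checks below look at. A real DDS.txt
# is several hundred lines; feed the whole file through triage() in practice.
SAMPLE_DDS_LINES = [
    "AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}",
    "FW: McAfee Firewall *Disabled*",
    "============== Pseudo HJT Report ===============",
    r"BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    "BHO: {3CBF8DC3-0BC1-4D44-9CBF-6A13B96934C3} - <orphaned>",
    "BHO: {C43430DE-3D8C-4C94-8D1B-EEE9BF1EE745} - <orphaned>",
    "TCP: NameServer = 192.168.1.1",
    "================= FIREFOX ===================",
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 61980",
    "FF - prefs.js: network.proxy.type - 4",
]

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
PRODUCT_RE = re.compile(r"^(AV|FW): (.+?) \*([^*]+)\*")
ORPHAN_RE = re.compile(r"^BHO: (.+) - <orphaned>$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+) - (.+)$")
# Matches both "TCP: NameServer = x" and "TCP: Interfaces\{GUID} : DHCPNameServer = x".
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\\{[^}]+\} : DHCP)?NameServer = (.+)$")

# Meaning of Firefox's network.proxy.type values.
FF_PROXY_TYPES = {"0": "direct", "1": "manual", "2": "PAC", "4": "auto-detect", "5": "system"}


def split_sections(lines: List[str]) -> Dict[str, List[str]]:
    """Group DDS lines under their '===== Name =====' header; the preamble is 'Header'."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for line in lines:
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.strip() and line.strip() != ".":  # DDS pads sections with lone dots
            sections[current].append(line.rstrip())
    return sections


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings a helper would want to follow up on."""
    findings: List[Tuple[str, str]] = []
    proxy: Dict[str, str] = {}
    for line in lines:
        line = line.rstrip()
        m = PRODUCT_RE.match(line)
        if m and "Disabled" in m.group(3):
            # DDS asks the user to disable protection before running, so this is
            # expected during the scan; it still needs re-enabling afterwards.
            findings.append(("info", f"{m.group(1)} '{m.group(2)}' reports {m.group(3)}"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("low", f"orphaned BHO {m.group(1)}: registry entry with no DLL on disk"))
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            proxy[m.group(1)] = m.group(2)
            continue
        m = DNS_RE.match(line)
        if m:
            for server in m.group(1).split(","):
                addr = ipaddress.ip_address(server.strip())
                if not addr.is_private:
                    findings.append(("medium", f"DNS server {addr} is outside private ranges; confirm it is intended"))
    if "http" in proxy:
        # A proxy pointed at the loopback interface means some local program is
        # relaying browser traffic; only type 1 (manual) makes it actually active.
        host, port = proxy["http"], proxy.get("http_port", "?")
        kind = FF_PROXY_TYPES.get(proxy.get("type", ""), "unknown")
        sev = "high" if kind == "manual" else "medium"
        findings.append((sev, f"Firefox HTTP proxy {host}:{port} configured (proxy type {kind}); identify which local process listens on that port"))
    return findings


if __name__ == "__main__":
    for name, body in split_sections(SAMPLE_DDS_LINES).items():
        print(f"[{name}] {len(body)} line(s)")
    for severity, message in triage(SAMPLE_DDS_LINES):
        print(f"{severity:6} {message}")
```

Run against the log above it reports the two McAfee components as disabled (expected while DDS runs), the two orphaned BHO registrations, and the Firefox proxy entry at 127.0.0.1:61980; because the proxy type is 4 (auto-detect) rather than 1 (manual), the stored proxy address is not in use, which is why the script rates it medium rather than high and leaves the decision to the person reading the log.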
drcurious
2013-01-04, 21:11
Thanks, JonTom. Here are the logs you requested:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Owner at 12:27:40 on 2013-01-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.344 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Calibrize\CalibrizeResume.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {3CBF8DC3-0BC1-4D44-9CBF-6A13B96934C3} - <orphaned>
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120808213631.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
BHO: {C43430DE-3D8C-4C94-8D1B-EEE9BF1EE745} - <orphaned>
BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: &RoboForm Toolbar: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner.a-1storage\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [cdloader] "c:\documents and settings\owner.a-1storage\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [CGFLoader] c:\program files\calibrize\CalibrizeLoader.exe
uRun: [CalibrizeResume] c:\program files\calibrize\CalibrizeResume.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [CHotkey] zHotkey.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner~1.a-1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Customize Menu - c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: Fill Forms - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Free YouTube Download - c:\documents and settings\owner.a-1storage\application data\dvdvideosoftiehelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\owner.a-1storage\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: Save Forms - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://chil.solidworks.com/htdocs/pdownload/edrawings/e2007sp03/cab/eModelsStandard.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158264384363
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{C1ACEBC7-1070-497B-B702-67F4BEB7519C} : DHCPNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner.a-1storage\application data\mozilla\firefox\profiles\ggz2ycl5.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1|http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&CurrentPage=MyeBayAllSelling&ssPageName=STRK:ME:LNLK|http://showcount.vendio.com/cgi-bin/mycounters.cgi?view=10|http://toad3.inkfrog.com/dashboard.php?init=1
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61980
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\owner.a-1storage\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\owner.a-1storage\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\owner.a-1storage\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-2-22 565352]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-8-8 91168]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-8-8 203400]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-8-8 168880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-8-8 167344]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-8-8 60480]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-8-8 234824]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-8-8 362640]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2012-12-19 84432]
R3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [2007-3-10 23040]
R3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [2007-3-10 56320]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-11-14 146872]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-8-8 65488]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2012-12-19 84432]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-8-8 92192]
S3 snxcard;SUNIX Industrial Multiport Serial Card Driver;c:\windows\system32\drivers\snxcard.sys [2007-1-5 14976]
S3 snxport;SUNIX Industrial Port Driver;c:\windows\system32\drivers\snxport.sys [2007-1-5 54912]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" %*
ShellExec: MRSIDV~1.EXE: Open="c:\progra~1\lizard~1\mrsidv~1\MRSIDV~1.EXE""" %1""
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
.
=============== Created Last 30 ================
.
2013-01-01 00:04:18 388096 ----a-r- c:\documents and settings\owner.a-1storage\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2013-01-01 00:04:15 -------- d-----w- c:\program files\Trend Micro
2012-12-19 14:51:27 84432 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-12-12 09:47:19 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
==================== Find3M ====================
.
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 09:47:22 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-12 09:47:22 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-28 02:31:15 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-28 02:31:13 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-28 02:31:13 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-28 02:31:13 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-27 19:41:44 1101436 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-11-27 19:41:44 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-11-27 19:41:37 1101436 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-09 12:56:16 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-11-09 12:53:22 167344 ----a-w- c:\windows\system32\mfevtps.exe
2012-11-09 12:53:02 91168 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-11-09 12:52:22 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-11-09 12:52:12 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-11-09 12:51:12 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-11-09 12:50:20 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-11-09 12:50:00 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-11-09 12:49:40 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-11-09 12:49:10 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 12:28:47.43 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/7/2006 2:05:09 PM
System Uptime: 1/4/2013 9:10:32 AM (3 hours ago)
.
Motherboard: To be filled by O.E.M. | | MS-7207G
Processor: AMD Athlon(tm) 64 Processor 3400+ | CPU 1 | 2209/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 182 GiB total, 136.309 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 2.412 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP2237: 10/8/2012 10:57:46 AM - System Checkpoint
RP2238: 10/9/2012 12:05:27 PM - System Checkpoint
RP2239: 10/10/2012 3:00:17 AM - Software Distribution Service 3.0
RP2240: 10/11/2012 3:28:23 AM - System Checkpoint
RP2241: 10/12/2012 3:30:22 AM - System Checkpoint
RP2242: 10/13/2012 11:19:37 PM - System Checkpoint
RP2243: 10/14/2012 11:28:12 PM - System Checkpoint
RP2244: 10/16/2012 1:34:42 AM - System Checkpoint
RP2245: 10/17/2012 2:19:41 AM - System Checkpoint
RP2246: 10/17/2012 11:53:23 AM - Installed Java(TM) 6 Update 37
RP2247: 10/18/2012 1:01:47 PM - System Checkpoint
RP2248: 10/19/2012 7:06:09 PM - System Checkpoint
RP2249: 10/21/2012 2:37:59 AM - System Checkpoint
RP2250: 10/22/2012 3:35:25 AM - System Checkpoint
RP2251: 10/23/2012 3:57:23 AM - System Checkpoint
RP2252: 10/24/2012 4:57:24 AM - System Checkpoint
RP2253: 10/25/2012 5:17:08 AM - System Checkpoint
RP2254: 10/26/2012 5:40:30 AM - System Checkpoint
RP2255: 10/27/2012 6:37:31 AM - System Checkpoint
RP2256: 10/28/2012 6:40:27 AM - System Checkpoint
RP2257: 10/29/2012 7:00:44 AM - System Checkpoint
RP2258: 10/29/2012 3:33:33 PM - Removed RealDownloader
RP2259: 10/30/2012 5:00:16 PM - System Checkpoint
RP2260: 10/31/2012 7:35:19 PM - System Checkpoint
RP2261: 11/1/2012 8:33:40 PM - System Checkpoint
RP2262: 11/2/2012 10:00:40 PM - System Checkpoint
RP2263: 11/3/2012 10:41:51 PM - System Checkpoint
RP2264: 11/5/2012 7:17:49 PM - System Checkpoint
RP2265: 11/6/2012 10:49:49 PM - System Checkpoint
RP2266: 11/7/2012 11:25:09 PM - System Checkpoint
RP2267: 11/9/2012 12:00:16 AM - System Checkpoint
RP2268: 11/10/2012 12:31:40 AM - System Checkpoint
RP2269: 11/11/2012 12:38:08 AM - System Checkpoint
RP2270: 11/12/2012 12:48:48 AM - System Checkpoint
RP2271: 11/13/2012 2:13:44 AM - System Checkpoint
RP2272: 11/14/2012 2:34:12 AM - System Checkpoint
RP2273: 11/14/2012 3:00:16 AM - Software Distribution Service 3.0
RP2274: 11/15/2012 3:34:29 AM - System Checkpoint
RP2275: 11/16/2012 9:36:33 AM - System Checkpoint
RP2276: 11/17/2012 10:04:34 AM - System Checkpoint
RP2277: 11/18/2012 11:05:40 AM - System Checkpoint
RP2278: 11/19/2012 4:42:57 PM - System Checkpoint
RP2279: 11/20/2012 8:45:49 PM - System Checkpoint
RP2280: 11/21/2012 9:04:34 PM - System Checkpoint
RP2281: 11/22/2012 10:04:31 PM - System Checkpoint
RP2282: 11/23/2012 11:04:29 PM - System Checkpoint
RP2283: 11/25/2012 12:04:29 AM - System Checkpoint
RP2284: 11/26/2012 4:58:52 PM - System Checkpoint
RP2285: 11/27/2012 7:15:35 PM - System Checkpoint
RP2286: 11/27/2012 8:25:57 PM - Removed J2SE Runtime Environment 5.0 Update 2
RP2287: 11/27/2012 8:31:07 PM - Installed Java 7 Update 9
RP2288: 11/28/2012 8:44:46 PM - System Checkpoint
RP2289: 11/29/2012 8:45:57 PM - System Checkpoint
RP2290: 11/30/2012 9:45:59 PM - System Checkpoint
RP2291: 12/1/2012 10:45:56 PM - System Checkpoint
RP2292: 12/2/2012 11:10:00 PM - System Checkpoint
RP2293: 12/3/2012 11:45:58 PM - System Checkpoint
RP2294: 12/5/2012 12:46:07 AM - System Checkpoint
RP2295: 12/6/2012 12:50:28 AM - System Checkpoint
RP2296: 12/7/2012 1:50:46 AM - System Checkpoint
RP2297: 12/8/2012 2:50:26 AM - System Checkpoint
RP2298: 12/9/2012 3:03:48 AM - System Checkpoint
RP2299: 12/10/2012 4:03:48 AM - System Checkpoint
RP2300: 12/11/2012 5:03:50 AM - System Checkpoint
RP2301: 12/12/2012 6:03:50 AM - System Checkpoint
RP2302: 12/13/2012 6:08:54 AM - System Checkpoint
RP2303: 12/14/2012 3:00:28 AM - Software Distribution Service 3.0
RP2304: 12/15/2012 3:31:03 AM - System Checkpoint
RP2305: 12/16/2012 4:31:02 AM - System Checkpoint
RP2306: 12/17/2012 5:31:00 AM - System Checkpoint
RP2307: 12/18/2012 6:30:59 AM - System Checkpoint
RP2308: 12/19/2012 7:31:02 AM - System Checkpoint
RP2309: 12/20/2012 8:34:17 AM - System Checkpoint
RP2310: 12/21/2012 8:36:08 AM - System Checkpoint
RP2311: 12/22/2012 3:00:24 AM - Software Distribution Service 3.0
RP2312: 12/23/2012 3:45:07 AM - System Checkpoint
RP2313: 12/24/2012 3:49:39 AM - System Checkpoint
RP2314: 12/25/2012 4:00:50 AM - System Checkpoint
RP2315: 12/26/2012 5:25:58 AM - System Checkpoint
RP2316: 12/27/2012 5:57:21 AM - System Checkpoint
RP2317: 12/28/2012 6:57:25 AM - System Checkpoint
RP2318: 12/29/2012 8:19:48 AM - System Checkpoint
RP2319: 12/30/2012 9:57:06 AM - System Checkpoint
RP2320: 12/31/2012 9:57:26 AM - System Checkpoint
RP2321: 12/31/2012 6:04:14 PM - Installed HiJackThis
RP2322: 1/1/2013 6:54:58 PM - System Checkpoint
RP2323: 1/2/2013 7:00:12 PM - System Checkpoint
RP2324: 1/3/2013 7:13:08 PM - System Checkpoint
RP2325: 1/4/2013 8:27:15 AM - Software Distribution Service 3.0
RP2326: 1/4/2013 8:50:52 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
3D Billiards 1.42
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Adobe Shockwave Player 11.6
Amazon Add to Wish List IE Extension 1.1
Apple Application Support
Apple Software Update
Beach Tranquility Screen Saver
Belarc Advisor 7.2
Belarc Advisor 8.3
Belkin SOHO Networking Utilities
BigFix
Boilsoft Video Joiner 6.0
BonusPack
BPD_HPSU
BPD_Scan
BPDfax
BPDSoftware
BPDSoftware_Ini
BufferChm
Calibrize 2.0
CCleaner
Chinese Simplified Fonts Support For Adobe Reader 9
Corel WordPerfect Suite 8
Coupon Printer for Windows
CustomerResearchQFolder
Defraggler
Destinations
DeviceManagementQFolder
DigiGate for Windows
Digital Media Reader
Disk Investigator 1.5
DivX Web Player
DocProc
DocProcQFolder
DVD Flick 1.3.0.7
DVD Player 1.0
DVDStyler v2.2
EasyCleaner
EPSON Printer Software
eSupportQFolder
Free Download Manager 2.5
Free Studio version 5.5.0
getPlus(R) for Adobe
Google Earth
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist Corporate
Hewlett-Packard ACLM.NET v1.1.0.0
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Product Assistant
HP Product Detection
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
InstantShareAlert
InstantShareDevicesMFC
Java 7 Update 9
Java Auto Updater
Java(TM) 6 Update 17
Java(TM) 6 Update 37
Listing Factory 2009 v3.5
Logitech MouseWare 9.79.1
Lost Fractal Screen Saver
magicJack
Malwarebytes Anti-Malware version 1.65.1.1000
MarketResearch
MBSS Fireworks 3.1
McAfee AntiVirus Plus
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB2604042)
Microsoft .NET Framework 1.0 Hotfix (KB2656378)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.0 Security Update (KB2698035)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Automated Troubleshooting Services Shim
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Fix it Center
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Move Networks Media Player for Internet Explorer
Mozilla Firefox 17.0.1 (x86 en-US)
Mozilla Maintenance Service
MPM
MrSID Viewer
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multi-IO Adapter PCI Multi-I/O Driver V6.000
Multimedia Keyboard Driver
Napster Burn Engine
Nero BurnRights
Nero OEM
Norton Security Scan
NVIDIA Control Panel 306.81
NVIDIA Drivers
NVIDIA Graphics Driver 306.81
NVIDIA Install Application
NVIDIA nView 136.28
NVIDIA Update 1.10.8
NVIDIA Update Components
OCR Software by I.R.I.S 7.0
OpenOffice.org 3.2
PanoStandAlone
QuickTime
RealArcade
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Recovery Software Suite eMachines
RoboForm 7-8-5-7 (All Users)
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Serif PhotoPlus 6.0
Shared C Run-time for x86
Snood for Windows version 3.52-W
SNV Demo
SolutionCenter
Spybot - Search & Destroy
Status
Sunix PCI Multi-I/O Driver V6.001
swMSM
Toolbox
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
VLC media player 2.0.4
WD Diagnostics
WebFldrs XP
WebReg
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Safety Scanner
Windows Media Format Runtime
Windows PowerShell(TM) 1.0
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WinZip
Xiph.Org Open Codecs 0.84.17315
.
==== Event Viewer Messages From Past Week ========
.
12/31/2012 5:53:36 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
.
==== End Of File ===========================
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-04 12:32:52
-----------------------------
12:32:52.734 OS Version: Windows 5.1.2600 Service Pack 3
12:32:52.734 Number of processors: 1 586 0x2F02
12:32:52.734 ComputerName: A-1STORAGE UserName: Owner
12:32:53.453 Initialize success
12:41:16.468 AVAST engine defs: 13010400
12:41:41.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:41:41.718 Disk 0 Vendor: WDC_WD2000BB-22GUC0 08.02D08 Size: 190782MB BusType: 3
12:41:41.781 Disk 0 MBR read successfully
12:41:41.781 Disk 0 MBR scan
12:41:41.937 Disk 0 unknown MBR code
12:41:41.953 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 186206 MB offset 9349830
12:41:41.968 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4565 MB offset 63
12:41:41.984 Disk 0 scanning sectors +390700800
12:41:42.203 Disk 0 scanning C:\WINDOWS\system32\drivers
12:41:56.765 Service scanning
12:42:21.250 Modules scanning
12:42:34.781 Disk 0 trace - called modules:
12:42:34.828 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:42:35.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85745030]
12:42:35.218 3 CLASSPNP.SYS[f765cfd7] -> nt!IofCallDriver -> \Device\00000095[0x85753f18]
12:42:35.234 5 ACPI.sys[f7473620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8578cd98]
12:42:36.968 AVAST engine scan C:\WINDOWS
12:42:48.171 AVAST engine scan C:\WINDOWS\system32
12:46:20.140 AVAST engine scan C:\WINDOWS\system32\drivers
12:46:46.078 AVAST engine scan C:\Documents and Settings\Owner.A-1STORAGE
12:49:11.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner.A-1STORAGE\Desktop\MBR.dat"
12:49:11.421 The log file has been saved successfully to "C:\Documents and Settings\Owner.A-1STORAGE\Desktop\aswMBR.txt"
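The aswMBR run above reports "unknown MBR code" and saves the raw sector to MBR.dat. As an added example (not part of this thread and not aswMBR's own code), the script below decodes such a dump offline: it hashes the 446 bytes of boot code, lists the four partition entries, and flags what a bootkit or a damaged table would show (missing 0x55AA signature, not exactly one active partition, overlapping entries). The sample sector is constructed here from the partition figures in the log with zero-filled boot code, so the hash it prints is not the real disk's; "unknown" in aswMBR's output only means the boot code is not one it recognises, and comparing the hash against the same sector from a known-clean machine of the same model is the way to settle it.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code that aswMBR fingerprints
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # 0x55 0xAA closes the sector

PART_TYPES = {
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(data: bytes) -> dict:
    """Decode a raw MBR sector and return its partition table plus sanity warnings."""
    if len(data) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(data)} bytes")
    warnings = []
    signature_ok = data[SIGNATURE_OFF:] == b"\x55\xAA"
    if not signature_ok:
        warnings.append("missing 0x55AA boot signature")

    partitions = []
    for index in range(4):
        entry = struct.unpack_from("<B3sB3sII", data, PART_TABLE_OFF + 16 * index)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = entry
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            warnings.append(f"entry {index + 1}: invalid status byte 0x{status:02X}")
        partitions.append({
            "index": index + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })

    active = [p for p in partitions if p["active"]]
    if len(active) != 1:
        warnings.append(f"{len(active)} active partitions (expected exactly 1)")

    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba_start"] < prev["lba_start"] + prev["sectors"]:
            warnings.append(f"entries {prev['index']} and {nxt['index']} overlap")

    return {
        "signature_ok": signature_ok,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "warnings": warnings,
    }


def build_sample_mbr() -> bytes:
    """Constructed test sector: the two-partition layout aswMBR reported, with zeroed boot code."""
    sector = bytearray(SECTOR)
    # (status, type, first LBA, sector count); sizes are the MB figures from the log times 2048
    layout = [
        (0x80, 0x07, 9349830, 186206 * 2048),   # NTFS system partition, marked active
        (0x00, 0x0B, 63, 4565 * 2048),           # FAT32 recovery partition
    ]
    for i, (status, ptype, lba, count) in enumerate(layout):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         status, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba, count)
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)


def describe(data: bytes) -> str:
    """One line per partition, in the same spirit as aswMBR's output, then any warnings."""
    result = parse_mbr(data)
    lines = [f"boot code sha256: {result['boot_code_sha256']}"]
    for p in result["partitions"]:
        flag = "80 (A)" if p["active"] else "00"
        lines.append(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']} "
                     f"{p['size_mb']} MB offset {p['lba_start']}")
    lines.extend(f"WARNING: {w}" for w in result["warnings"])
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print(describe(raw))
```

Run it as `python mbr_check.py MBR.dat` against the file aswMBR saved; with no argument it decodes the constructed sample, whose two partition lines should match the offsets and sizes in the log above.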
Hello drcurious
Thank you for the logs.
Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Should there be issues with internet afterward:
In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.
Post the Combofix log in your next reply.
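The proxy reset in the last two steps is done by hand in each browser's dialog. As an added example (not from JonTom's post and not part of ComboFix), the script below does the same check in code so the setting can be audited before it is cleared: it parses Firefox's prefs.js, explains what network.proxy.type means (0 no proxy, 1 manual, 2 PAC script, 4 WPAD auto-detect, 5 system settings), flags a proxy that points at a local listener, writes back a copy with the network.proxy.* prefs removed and the type set to 0 ("No Proxy"), and reads the matching Internet Explorer values (ProxyEnable, ProxyServer, AutoConfigURL under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) when run on Windows. The prefs.js excerpt is constructed and only repeats the three network.proxy values the ComboFix log lists; the "unset means system settings" default and the list of local hostnames are assumptions.

```python
import json
import re

# user_pref("name", value);  the value is a JS string/number/bool literal, which json.loads accepts
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Meaning of network.proxy.type (3 is unused)
PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC script", 4: "auto-detect (WPAD)", 5: "system settings"}
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}   # assumption: what counts as a local listener

# Constructed prefs.js excerpt; the network.proxy.* lines repeat the values in the ComboFix log.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 61980);
user_pref("network.proxy.type", 4);
user_pref("privacy.donottrackheader.enabled", true);
"""


def parse_prefs_js(text):
    """Return {pref name: value} for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs


def audit_firefox_proxy(prefs):
    """Explain the effective proxy mode and list anything worth identifying before clearing it."""
    ptype = prefs.get("network.proxy.type", 5)   # assumption: unset means Firefox's default, system settings
    findings = []
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if not host:
            continue
        port = prefs.get(f"network.proxy.{scheme}_port")
        state = "active" if ptype == 1 else "configured but inactive"
        note = f"{scheme} proxy {host}:{port} ({state})"
        if host in LOCAL_HOSTS:
            note += "; local listener, find the owning process (netstat -ano) before clearing"
        findings.append(note)
    if ptype == 2:
        findings.append(f"PAC script: {prefs.get('network.proxy.autoconfig_url')}")
    if ptype == 4:
        findings.append("WPAD auto-detect is on: a proxy can be handed out by DHCP/DNS on the LAN")
    return {"type": ptype, "mode": PROXY_TYPES.get(ptype, f"unknown ({ptype})"), "findings": findings}


def reset_firefox_proxy(text):
    """Copy of prefs.js with every network.proxy.* pref dropped and the type forced to 0 (No Proxy).
    Firefox must be closed while prefs.js is edited, otherwise it overwrites the file on exit."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            continue
        kept.append(line)
    kept.append('user_pref("network.proxy.type", 0);')
    return "\n".join(kept) + "\n"


def audit_ie_proxy(values):
    """values: ProxyEnable / ProxyServer / AutoConfigURL from HKCU\\...\\Internet Settings."""
    enabled = bool(values.get("ProxyEnable", 0))
    findings = []
    server = values.get("ProxyServer", "")
    if server:
        findings.append(f"proxy server '{server}' ({'active' if enabled else 'configured but unchecked'})")
        for entry in server.split(";"):                  # "host:port" or "http=host:port;https=..."
            host = entry.split("=")[-1].rsplit(":", 1)[0]
            if host in LOCAL_HOSTS:
                findings.append(f"{host} is a local listener, identify the process first")
    if values.get("AutoConfigURL"):
        findings.append(f"automatic configuration script: {values['AutoConfigURL']}")
    return {"enabled": enabled, "findings": findings}


def read_ie_proxy_values():
    """Live IE values on Windows; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return values


if __name__ == "__main__":
    print(audit_firefox_proxy(parse_prefs_js(SAMPLE_PREFS_JS)))
    print(audit_ie_proxy(read_ie_proxy_values()))
```

On the sample the Firefox audit reports mode "auto-detect (WPAD)" and an http proxy at 127.0.0.1:61980 that is configured but inactive, which is worth knowing before the dialog is touched: a manual entry that survives in prefs.js can be switched back on by anything that flips network.proxy.type to 1. Point the script at the real file (the ProfilePath in the ComboFix log) with Firefox closed, review the findings, and only then write the cleaned copy back.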
drcurious
2013-01-05, 02:28
Hello JonTom. Here is the ComboFix log:
ComboFix 13-01-04.03 - Owner 01/04/2013 18:12:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.132 [GMT -6:00]
Running from: c:\documents and settings\Owner.A-1STORAGE\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\13a53668vloc03ui5e6cw01804e58xbx7gapik1vnl57
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner.A-1STORAGE\GoToAssistDownloadHelper.exe
c:\documents and settings\Owner.A-1STORAGE\WINDOWS
c:\documents and settings\UpdatusUser\WINDOWS
c:\program files\AutocompletePro
c:\program files\AutocompletePro\FireFoxExtension.exe
c:\program files\AutocompletePro\InstTracker.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-12-05 to 2013-01-05 )))))))))))))))))))))))))))))))
.
.
2013-01-01 00:04 . 2013-01-01 00:04 388096 ----a-r- c:\documents and settings\Owner.A-1STORAGE\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-01-01 00:04 . 2013-01-01 00:04 -------- d-----w- c:\program files\Trend Micro
2012-12-27 22:37 . 2012-12-27 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2012-12-19 14:51 . 2012-11-09 12:50 84432 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-12-12 09:47 . 2012-12-12 09:47 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2005-04-13 16:55 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 09:47 . 2012-04-09 22:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 09:47 . 2011-06-10 01:35 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-28 02:31 . 2012-11-28 02:31 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-28 02:31 . 2012-06-30 16:21 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-28 02:31 . 2011-10-17 02:15 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-28 02:31 . 2010-02-11 16:59 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-13 01:25 . 2005-04-13 16:56 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-09 12:56 . 2012-08-09 02:36 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-11-09 12:53 . 2012-08-09 02:08 167344 ----a-w- c:\windows\system32\mfevtps.exe
2012-11-09 12:53 . 2012-08-09 02:36 91168 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-11-09 12:52 . 2012-08-09 02:36 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-11-09 12:52 . 2012-08-09 02:36 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-11-09 12:51 . 2012-02-22 18:29 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-11-09 12:50 . 2012-08-09 02:36 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-11-09 12:50 . 2012-08-09 02:36 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-11-09 12:49 . 2012-08-09 02:36 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-11-09 12:49 . 2012-02-22 18:29 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-11-02 02:02 . 2005-04-13 16:55 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2005-04-13 16:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2005-04-13 16:55 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2005-04-13 16:55 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2005-04-13 16:55 385024 ------w- c:\windows\system32\html.iec
2012-12-05 02:03 . 2012-12-05 02:03 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner.A-1STORAGE\Application Data\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]
"CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2012-12-21 109336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"CHotkey"="zHotkey.exe" [2005-05-03 543232]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-09-12 1278648]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-10-29 296096]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\Owner.A-1STORAGE\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-3-28 2168360]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2012-08-15 17:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Documents and Settings\\Owner.A-1STORAGE\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\Owner.A-1STORAGE\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/8/2012 8:36 PM 91168]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [8/8/2012 8:36 PM 168880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/8/2012 8:08 PM 167344]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/8/2012 8:36 PM 60480]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/8/2012 8:36 PM 362640]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/19/2012 8:51 AM 84432]
R3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\drivers\Pcouffin.sys [10/31/2006 12:48 PM 47360]
R3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [3/10/2007 6:41 PM 23040]
R3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [3/10/2007 6:41 PM 56320]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 4:12 PM 10664]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [11/14/2012 7:38 AM 146872]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 9:09 PM 267568]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/19/2012 8:51 AM 84432]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/8/2012 8:36 PM 92192]
S3 snxcard;SUNIX Industrial Multiport Serial Card Driver;c:\windows\system32\drivers\snxcard.sys [1/5/2007 10:18 AM 14976]
S3 snxport;SUNIX Industrial Port Driver;c:\windows\system32\drivers\snxport.sys [1/5/2007 10:19 AM 54912]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 09:47]
.
2013-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-01-04 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
.
2013-01-04 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
.
2013-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-11 06:04]
.
2013-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-11 06:04]
.
2013-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-607317455-4106850741-3124670952-1006Core.job
- c:\documents and settings\Owner.A-1STORAGE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 02:14]
.
2013-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-607317455-4106850741-3124670952-1006UA.job
- c:\documents and settings\Owner.A-1STORAGE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 02:14]
.
2013-01-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-607317455-4106850741-3124670952-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 19:27]
.
2013-01-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-607317455-4106850741-3124670952-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 19:27]
.
2013-01-04 c:\windows\Tasks\ReclaimerUpdateFiles_Owner.job
- c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
.
2013-01-04 c:\windows\Tasks\ReclaimerUpdateXML_Owner.job
- c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
.
2013-01-04 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Owner.job
- c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Free YouTube Download - c:\documents and settings\Owner.A-1STORAGE\Application Data\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\Owner.A-1STORAGE\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner.A-1STORAGE\Application Data\Mozilla\Firefox\Profiles\ggz2ycl5.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1|http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&CurrentPage=MyeBayAllSelling&ssPageName=STRK:ME:LNLK|http://showcount.vendio.com/cgi-bin/mycounters.cgi?view=10|http://toad3.inkfrog.com/dashboard.php?init=1
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61980
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{3CBF8DC3-0BC1-4D44-9CBF-6A13B96934C3} - (no file)
BHO-{C43430DE-3D8C-4C94-8D1B-EEE9BF1EE745} - (no file)
Toolbar-Locked - (no file)
AddRemove-O Driver V6.000 Setup - c:\program files\Multi-IO Adapter\PCI_MultiIO_Driver\uninst.exe Software\Multi-IO Adapter\PCI_MultiIO_Driver\Setup
AddRemove-O Driver V6.001 Setup - c:\program files\Sunix\PCI_MultiIO_Driver\uninst.exe Software\Sunix\PCI_MultiIO_Driver\Setup
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-04 18:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2013-01-04 18:26:37
ComboFix-quarantined-files.txt 2013-01-05 00:26
.
Pre-Run: 146,236,710,912 bytes free
Post-Run: 146,734,661,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C1DF8C49CC81FC9D52B6E268F4F4FA62
Hello drcurious
Thank you for the log.
Is WUAUDIT.EXE still showing in your task manager?
Let's take a look for it with the following:
Please download SystemLook by JPShortstuff
Please download SystemLook by JPShortstuff by clicking here (http://jpshortstuff.247fixes.com/SystemLook.exe) or here (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe) and save the file (called SystemLook.exe) to your desktop.
Double click SystemLook.exe to run the program.
Copy the content of the following codebox into the main textfield:
:filefind
*WUAUDIT.EXE
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Do you recognise the following proxy set in your Firefox browser?
FF - prefs.js: network.proxy.http_port - 61980
FF - prefs.js: network.proxy.type - 4
Is this something that you set yourself?
Please post the Systemlook log in your next reply.
drcurious
2013-01-05, 20:20
Good Morning JonTom,
Oddly, when I began this session WUAUDIT.EXE was listed in the task manager. As of right now it does not appear. SystemLook result was "no files found." It will likely reappear if I reboot. Should I do this?
I have no knowledge of proxy settings in Firefox. I have never changed any settings myself.
Chris
drcurious
2013-01-05, 22:38
Dear JonTom,
When I started the session with you, WUAUDIT.EXE was in the Task Manager list. When I downloaded DDS, it finished downloading and when I tried to open the program my machine locked. I had to power off and reboot and WUAUDIT.EXE was on the Task Manager list again. I then ran the diagnostics and posted the results. When you asked me to run SystemLook, WUAUDIT.EXE no longer appeared on the Task Manager list, and SystemLook said "No files found."
I have rebooted once again and WUAUDIT.EXE appeared on the Task Manager list. I ran SystemLook again immediately after looking at the Task Manager list and it came back with "No files found." I checked the Task Manager and WUAUDIT.EXE had disappeared!
I am perplexed.
Chris
Hello drcurious
I am perplexed. Me too :) The file does not appear in your DDS logs, nor was it removed by ComboFix, and as you mentioned it was not picked up by SystemLook.
How is the machine running in general? Are there any symptoms being displayed that are out of the ordinary? (Redirects, popups, error messages etc).
Let's continue with the following:
Please work through the following steps
Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
Copy and Paste the text in the quotebox below into the open Notepad window:
Firefox::
FF - ProfilePath - c:\documents and settings\Owner.A-1STORAGE\Application Data\Mozilla\Firefox\Profiles\ggz2ycl5.default\
FF - prefs.js: network.proxy.http_port - 61980
FF - prefs.js: network.proxy.type - 4
Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
Close any open browsers.
Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Referring to the picture below, drag CFScript.txt into ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Once the log is produced, re-engage your resident anti virus.
Temporary File Cleaner
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Close any open windows.
Double click the TFC icon to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish.
Once complete it should automatically reboot your machine.
If your machine does not reboot automatically, manually reboot to ensure a complete clean.
Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.
MalwareBytes AntiMalware:
I can see that you have MBAM installed.
Double click on your MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.
Please post the Combofix log and the MBAM log in your next reply.
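The CFScript step above resets the Firefox proxy preferences that stood out in the log (an HTTP proxy on 127.0.0.1:61980 with network.proxy.type set to 4). As an added example, not part of this thread or of ComboFix, here is a small Python check that parses a prefs.js file, reports proxy settings a user did not knowingly set, and writes a copy with the network.proxy.* entries removed. The sample prefs.js content is constructed to mirror the values in the log; the helper names are my own.

```python
import re
from typing import Dict, List, Tuple

# Documented meanings of network.proxy.type in Firefox.
PROXY_TYPE = {0: "no proxy", 1: "manual", 2: "PAC URL",
              4: "auto-detect (WPAD)", 5: "use system settings"}

LOOPBACK = ("127.0.0.1", "localhost", "::1")

# One user_pref("name", value); line, value captured raw.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample mirroring the preferences quoted in the thread.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 61980);
user_pref("network.proxy.type", 4);
user_pref("keyword.URL", "http://search.yahoo.com/search?fr=mcafee&p=");
"""


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse prefs.js into a dict; strings, ints and booleans are typed."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def proxy_findings(prefs: Dict[str, object]) -> List[str]:
    """Return human-readable findings about proxy settings worth asking the user about."""
    findings: List[str] = []
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    ptype = prefs.get("network.proxy.type")
    if host is not None or port is not None:
        where = "loopback" if host in LOOPBACK else "remote"
        findings.append(
            f"manual HTTP proxy set to {where} host {host}:{port}; "
            "expected only if a local filtering/proxy product is installed "
            "(used by Firefox only when network.proxy.type is 1)")
    if ptype is not None and ptype != 0:
        findings.append(
            f"network.proxy.type={ptype} ({PROXY_TYPE.get(ptype, 'unknown')}); "
            "confirm the user or their network requires this")
    return findings


def strip_proxy_prefs(text: str) -> Tuple[str, List[str]]:
    """Return prefs.js text without any network.proxy.* entries, plus the names removed.

    Mirrors what the CFScript in the thread does for this profile; Firefox must be
    closed when the rewritten file is written back, or it will overwrite the change.
    """
    kept, removed = [], []
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            removed.append(m.group(1))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for f in proxy_findings(parse_prefs(SAMPLE_PREFS)):
        print("finding:", f)
    cleaned, removed = strip_proxy_prefs(SAMPLE_PREFS)
    print("removed:", ", ".join(removed))
    print(cleaned)
```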
drcurious
2013-01-06, 15:45
Dear JonTom,
Thanks for continuing your investigation of the mysterious disappearing WUAUDIT.EXE. As far as my machine's performance, it has been normal, but occasionally it will slow down so I check Task Manager to see what is using CPU. Sometimes a McAfee process is slowing things down for no apparent reason. It was when checking Task Manager that I discovered the unrecognized WUAUDIT.EXE but now I can't remember if it was using CPU or not.
Here are the logs that you requested:
ComboFix 13-01-05.01 - Owner 01/05/2013 22:33:28.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.513 [GMT -6:00]
Running from: c:\documents and settings\Owner.A-1STORAGE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.A-1STORAGE\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-06 to 2013-01-06 )))))))))))))))))))))))))))))))
.
.
2013-01-01 00:04 . 2013-01-01 00:04 388096 ----a-r- c:\documents and settings\Owner.A-1STORAGE\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-01-01 00:04 . 2013-01-01 00:04 -------- d-----w- c:\program files\Trend Micro
2012-12-27 22:37 . 2012-12-27 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2012-12-19 14:51 . 2012-11-09 12:50 84432 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-12-12 09:47 . 2012-12-12 09:47 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2005-04-13 16:55 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 09:47 . 2012-04-09 22:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 09:47 . 2011-06-10 01:35 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-28 02:31 . 2012-11-28 02:31 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-28 02:31 . 2012-06-30 16:21 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-28 02:31 . 2011-10-17 02:15 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-28 02:31 . 2010-02-11 16:59 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-13 01:25 . 2005-04-13 16:56 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-09 12:56 . 2012-08-09 02:36 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-11-09 12:53 . 2012-08-09 02:08 167344 ----a-w- c:\windows\system32\mfevtps.exe
2012-11-09 12:53 . 2012-08-09 02:36 91168 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-11-09 12:52 . 2012-08-09 02:36 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-11-09 12:52 . 2012-08-09 02:36 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-11-09 12:51 . 2012-02-22 18:29 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-11-09 12:50 . 2012-08-09 02:36 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-11-09 12:50 . 2012-08-09 02:36 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-11-09 12:49 . 2012-08-09 02:36 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-11-09 12:49 . 2012-02-22 18:29 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-11-02 02:02 . 2005-04-13 16:55 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2005-04-13 16:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2005-04-13 16:55 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2005-04-13 16:55 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2005-04-13 16:55 385024 ------w- c:\windows\system32\html.iec
2012-12-05 02:03 . 2012-12-05 02:03 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner.A-1STORAGE\Application Data\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]
"CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2012-12-21 109336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"CHotkey"="zHotkey.exe" [2005-05-03 543232]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-09-12 1278648]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-10-29 296096]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\Owner.A-1STORAGE\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-3-28 2168360]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2012-08-15 17:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Documents and Settings\\Owner.A-1STORAGE\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\Owner.A-1STORAGE\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/8/2012 8:36 PM 91168]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [8/8/2012 8:36 PM 168880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/8/2012 8:08 PM 167344]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/8/2012 8:36 PM 60480]
R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 9:09 PM 267568]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/8/2012 8:36 PM 362640]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/19/2012 8:51 AM 84432]
R3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\drivers\Pcouffin.sys [10/31/2006 12:48 PM 47360]
R3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [3/10/2007 6:41 PM 23040]
R3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [3/10/2007 6:41 PM 56320]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 4:12 PM 10664]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [11/14/2012 7:38 AM 146872]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/19/2012 8:51 AM 84432]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/8/2012 8:36 PM 92192]
S3 snxcard;SUNIX Industrial Multiport Serial Card Driver;c:\windows\system32\drivers\snxcard.sys [1/5/2007 10:18 AM 14976]
S3 snxport;SUNIX Industrial Port Driver;c:\windows\system32\drivers\snxport.sys [1/5/2007 10:19 AM 54912]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 09:47]
.
2013-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-01-05 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
.
2013-01-06 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
.
2013-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-11 06:04]
.
2013-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-11 06:04]
.
2013-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-607317455-4106850741-3124670952-1006Core.job
- c:\documents and settings\Owner.A-1STORAGE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 02:14]
.
2013-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-607317455-4106850741-3124670952-1006UA.job
- c:\documents and settings\Owner.A-1STORAGE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 02:14]
.
2013-01-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-607317455-4106850741-3124670952-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 19:27]
.
2013-01-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-607317455-4106850741-3124670952-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 19:27]
.
2013-01-04 c:\windows\Tasks\ReclaimerUpdateFiles_Owner.job
- c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
.
2013-01-05 c:\windows\Tasks\ReclaimerUpdateXML_Owner.job
- c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
.
2013-01-05 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Owner.job
- c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Free YouTube Download - c:\documents and settings\Owner.A-1STORAGE\Application Data\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\Owner.A-1STORAGE\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner.A-1STORAGE\Application Data\Mozilla\Firefox\Profiles\ggz2ycl5.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1|http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&CurrentPage=MyeBayAllSelling&ssPageName=STRK:ME:LNLK|http://showcount.vendio.com/cgi-bin/mycounters.cgi?view=10|http://toad3.inkfrog.com/dashboard.php?init=1
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-05 22:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(1896)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-01-05 22:46:50
ComboFix-quarantined-files.txt 2013-01-06 04:46
ComboFix2.txt 2013-01-05 00:26
.
Pre-Run: 146,561,130,496 bytes free
Post-Run: 146,545,369,088 bytes free
.
- - End Of File - - 64FC26C648E05E83D47CFF51A1AEC625
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.01.06.02
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: A-1STORAGE [administrator]
1/6/2013 12:52:33 AM
mbam-log-2013-01-06 (00-52-33).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 362498
Time elapsed: 2 hour(s), 17 minute(s), 20 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
drcurious
2013-01-06, 16:20
Dear JonTom,
I was able to get WUAUDIT.EXE to appear in the Task Manager list on a reboot with McAfee virus and firewall off, and ran a DDS right away. After the log appeared, WUAUDIT.EXE still showed in Task Manager. I opened Firefox to send this post and now WUAUDIT.EXE has disappeared.
Here is the DDS log:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Owner at 8:12:24 on 2013-01-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.445 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Calibrize\CalibrizeResume.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120808213631.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: &RoboForm Toolbar: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
uRun: [cdloader] "c:\documents and settings\owner.a-1storage\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [CGFLoader] c:\program files\calibrize\CalibrizeLoader.exe
uRun: [CalibrizeResume] c:\program files\calibrize\CalibrizeResume.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [CHotkey] zHotkey.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner~1.a-1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Customize Menu - c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: Fill Forms - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Free YouTube Download - c:\documents and settings\owner.a-1storage\application data\dvdvideosoftiehelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\owner.a-1storage\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: Save Forms - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://chil.solidworks.com/htdocs/pdownload/edrawings/e2007sp03/cab/eModelsStandard.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158264384363
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{C1ACEBC7-1070-497B-B702-67F4BEB7519C} : DHCPNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner.a-1storage\application data\mozilla\firefox\profiles\ggz2ycl5.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1|http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&CurrentPage=MyeBayAllSelling&ssPageName=STRK:ME:LNLK|http://showcount.vendio.com/cgi-bin/mycounters.cgi?view=10|http://toad3.inkfrog.com/dashboard.php?init=1
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\owner.a-1storage\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\owner.a-1storage\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\owner.a-1storage\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-2-22 565352]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-8-8 91168]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-8-8 203400]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-8-8 168880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-8-8 167344]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-8-8 60480]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-8-8 234824]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-8-8 362640]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2012-12-19 84432]
R3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [2007-3-10 23040]
R3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [2007-3-10 56320]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-11-14 146872]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-8-8 65488]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2012-12-19 84432]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-8-8 92192]
S3 snxcard;SUNIX Industrial Multiport Serial Card Driver;c:\windows\system32\drivers\snxcard.sys [2007-1-5 14976]
S3 snxport;SUNIX Industrial Port Driver;c:\windows\system32\drivers\snxport.sys [2007-1-5 54912]
.
=============== File Associations ===============
.
ShellExec: MRSIDV~1.EXE: Open="c:\progra~1\lizard~1\mrsidv~1\MRSIDV~1.EXE""" %1""
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
.
=============== Created Last 30 ================
.
2013-01-04 23:52:00 -------- d-sha-r- C:\cmdcons
2013-01-04 23:43:53 98816 ----a-w- c:\windows\sed.exe
2013-01-04 23:43:53 256000 ----a-w- c:\windows\PEV.exe
2013-01-04 23:43:53 208896 ----a-w- c:\windows\MBR.exe
2013-01-01 00:04:18 388096 ----a-r- c:\documents and settings\owner.a-1storage\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2013-01-01 00:04:15 -------- d-----w- c:\program files\Trend Micro
2012-12-19 14:51:27 84432 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-12-12 09:47:19 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
==================== Find3M ====================
.
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 22:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-12 09:47:22 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-12 09:47:22 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-28 02:31:15 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-28 02:31:13 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-28 02:31:13 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-28 02:31:13 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-27 19:41:44 1101436 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-11-27 19:41:44 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-11-27 19:41:37 1101436 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-09 12:56:16 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-11-09 12:53:22 167344 ----a-w- c:\windows\system32\mfevtps.exe
2012-11-09 12:53:02 91168 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-11-09 12:52:22 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-11-09 12:52:12 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-11-09 12:51:12 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-11-09 12:50:20 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-11-09 12:50:00 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-11-09 12:49:40 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-11-09 12:49:10 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 8:14:07.96 ===============
Hello drcurious
> Sometimes a McAfee process is slowing things down for no apparent reason.
> It was when checking Task Manager that I discovered the unrecognized WUAUDIT.EXE but now I can't remember if it was using CPU or not.

McAfee is known to draw heavily on system resources, so that's why your system may be slowing. Your system logs indicate that you presently have around 500 MB of free RAM available. If you run any resource intensive applications that draw heavily on the remaining RAM, you may very well notice an impact on system speed/performance.
Your MBAM log looks good.
> I was able to get WUAUDIT.EXE to appear in the Task Manager list on a reboot with McAfee virus and firewall off, and ran a DDS right away. After the log appeared, WUAUDIT.EXE still showed in Task Manager. I opened FireFox to send this post and now WUAUDIT.EXE has disappeared.

Please make sure that you keep your security engaged. This problem appears to be intermittent in nature. The file in question, while present in your Task Manager, does not appear to reside on your machine long enough for us to detect or remove it (or at all). Unless we can get a path to the file and investigate it further we are stuck.
Lets continue with the following:
Please run the following scan
Note: Internet Explorer is preferred for this scan, although it will run with other browsers.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.
Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the "ESET Online Scanner" button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on "ESET Smart Installer" to download the ESET Smart Installer. Save it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.
Check "YES, I accept the Terms of Use".
Click the "Start" button.
Accept any security warnings from your browser.
Check "Scan archives".
Make sure that the option to "Remove Found Threats" is unchecked.
Push the "Start" button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push "List of found threats".
Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the "Back" button.
Push "Finish".
Please post the ESET log in your next reply.
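The missing piece in the reply above is the path of a process that is gone again by the time anyone looks for it. The script below is an added example for this thread, not something posted by JonTom or drcurious and not part of DDS or ESET. It is Windows PowerShell (assumes PowerShell 2.0 or later, which on XP SP3 is an optional update, run from an administrator prompt) that polls the process list for a given image name and, the moment it appears, records the image path, command line, parent process, SHA-256 and Authenticode signature, copies the file aside so it can still be examined if it deletes itself, and then checks the usual Run/RunOnce keys for the same name. The process name, output folder and polling interval are parameters chosen for the example, not values taken from the log.

```powershell
# Added example (not from the original thread): capture where a transient
# process runs from. Assumes Windows PowerShell 2.0+ and an elevated prompt.
# WUAUDIT.EXE and the output folder are assumed defaults; override as needed.
param(
    [string]$ProcessName    = 'WUAUDIT.EXE',
    [int]$PollSeconds       = 2,
    [int]$TimeoutMinutes    = 30,
    [string]$OutDir         = "$env:USERPROFILE\Desktop\proc-capture"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log      = Join-Path $OutDir 'capture.txt'
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)

# SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

$seen = $false
while (-not $seen -and (Get-Date) -lt $deadline) {
    # WQL string comparison is case-insensitive, so 'wuaudit.exe' matches too.
    $procs = Get-WmiObject Win32_Process -Filter "Name='$ProcessName'"
    foreach ($p in $procs) {
        $seen   = $true
        $path   = $p.ExecutablePath
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $entry  = @(
            "=== $(Get-Date -Format s) ===",
            "PID: $($p.ProcessId)  Parent: $($p.ParentProcessId) ($($parent.Name))",
            "Path: $path",
            "CommandLine: $($p.CommandLine)"
        )
        if ($path -and (Test-Path -LiteralPath $path)) {
            $entry += "SHA256: $(Get-Sha256 $path)"
            # A valid Microsoft signature under system32 and an unsigned file under
            # Application Data or Temp are the two outcomes that matter most here.
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $entry += "Signature: $($sig.Status) $($sig.SignerCertificate.Subject)"
            # Keep a copy: the original may remove itself once it has run.
            $copy = Join-Path $OutDir ("$ProcessName." + $p.ProcessId + '.bin')
            Copy-Item -LiteralPath $path -Destination $copy -Force
            $entry += "Copied to: $copy"
        } else {
            $entry += 'Path: (not reported by WMI; process may be protected or already gone)'
        }
        $entry | Out-File -FilePath $log -Append -Encoding ascii
        $entry | Write-Output
    }
    if (-not $seen) { Start-Sleep -Seconds $PollSeconds }
}

if (-not $seen) {
    "$(Get-Date -Format s) $ProcessName not seen within $TimeoutMinutes minutes" |
        Out-File -FilePath $log -Append -Encoding ascii
}

# Where does it get launched from? Check the common autostart keys for the name.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Value -match [regex]::Escape($ProcessName) } |
        ForEach-Object {
            $line = "Autorun: $k\$($_.Name) = $($_.Value)"
            $line | Out-File -FilePath $log -Append -Encoding ascii
            $line
        }
}
"Log written to $log"
```

Save it as, for example, capture-proc.ps1 and start it from an elevated PowerShell prompt before the reboot on which the process is expected (`.\capture-proc.ps1 -ProcessName WUAUDIT.EXE`); local scripts need `Set-ExecutionPolicy RemoteSigned` once. The SHA-256 can then be looked up or the copied file submitted for analysis without depending on the original staying on disk, and the recorded parent process and any Run-key hit point at what is starting it.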
drcurious
2013-01-07, 20:32
Dear JonTom,
I have not seen WUAUDIT.EXE appear since my last post.
Here is the ESET log:
C:\Downloads\Software\CouponPrinter.exe probably a variant of Win32/Adware.Softomate.AD application
C:\Downloads\Software\freefireworks.exe multiple threats
Hello drcurious
Lets take care of those detections:
Please make all files and folders Visible:
Click "Start", go to My Computer -> Tools -> Folder Options -> View tab:
Choose to "Show hidden files and folders".
Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
Close the window with "OK".
Please search for and delete the following files
NOTE: DO NOT double click on ANY executable (.exe) files in the next step!!!
Right-click your "Start" button and select "Explore".
Navigate to and delete the following files in bold.
C:\Downloads\Software\CouponPrinter.exe <==== Delete this file.
C:\Downloads\Software\freefireworks.exe <==== Delete this file.
Once deleted, empty your recycle bin and let me know how the machine is running.
drcurious
2013-01-08, 01:19
Hi JonTom,
I have removed those two entries. My computer seems to be running smoothly at this time.
Chris
Hello drcurious
> I have removed those two entries. My computer seems to be running smoothly at this time.

That's good news :) Provided you are no longer having any problems we can remove our tools.
Before we do so:
Foistware
I can see from your log that you have Viewpoint Media Player installed.
Viewpoint Media Player is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
It is recommended that you remove Viewpoint products. However, this choice is up to you.
To remove these programs, click "Start" and then on "Control Panel" and then on "Add or Remove Programs".
Select Viewpoint Media Player and click on "Remove".
If you are prompted to restart your machine to complete the uninstall please do so.
Please Uninstall Combofix
Click on "Start" and then on "Run".
Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.
Removal of Tools
You no longer need aswMBR, DDS or SystemLook. Please delete them from your machine.
Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.
Finally, please take the time to read through the information provided below:
Enhance your System Security
For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)
IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.
Web Browsers and Browser Security
Firefox
You can download Firefox from here. (http://www.mozilla.com/en-US/firefox/)
No-Script
If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)
Internet Explorer
The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)
Please Note: IE9 is not configured to run on XP machines.
SpywareBlaster
If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)
Web of Trust
When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)
Keep your Software Updated
Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)
Passwords
Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)
General Reading
PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)
How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Learn How To Combat Malware
Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)
drcurious
2013-01-11, 02:02
Dear JonTom,
Thanks so much for your help! I will get back to you if I have other questions.
Chris
> Thanks so much for your help!

You are very welcome :)
As this problem appears to be resolved this topic is now closed.
Best wishes,
JonTom