Page 1 of 3 123 LastLast
Results 1 to 10 of 27

Thread: Prunnet + BHOs = My computer is suffering - Help!

  1. #1
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    Default

    How it started:
    McAfee warned me that some file (I forget what it was called) was requesting internet access, I googled the file name, it was a "normal windows file" so i said OK. Then another warning, this time it was ping.exe, again, normal, but I said NO, because it seemed odd that all the sudden these would need to ask. Then again, Prunnet.exe, I googled it, BAD NEWS! Denied it. I though I had it beat. Nope...

    Description of current problem:
    Now I have several things going on: Upon startup I have the message "Found New Hardware: Ethernet Controller",
    I have browser re-directs in Firefox (haven't tried IE),
    I have had one full screen pop up that was ie when ie wasn't running.
    I have a constant message: "Generic Host Process for Win32 Services encountered a problem and needed to close"
    and lastly, after about 20 mins or so, I get a message that something like NT AUTHORITY/?? is shutting down the computer in 50 seconds or what have you. I don't recall the exact message.

    Additional Notes:
    generally, things are running poorly and crashing. I tried to run Malwarebytes, but a shut down occurred during the scan. I don't know if it helped or not at this point.
    I shut down teatimer and unplugged that ethernet cable (note: the found hardware message was already happening before I did that).

    The following log was made after all the above. I hope you can help me, thank you:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:42:17 AM, on 2/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\EloSrvce.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\EloDkMon.exe
    C:\WINDOWS\system32\EloTTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = I love Katie ; -) From David
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {05C844A9-D000-45C3-971F-F7909E4E75AB} - C:\WINDOWS\system32\khfEWNhi.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqqpQkH.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [] C:\Program Files\EloTouchSystems\EloTTray.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKLM\..\Policies\Explorer\Run: [application] C:\Program Files\AKProg\AKProg.exe hs
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Acrobat Assistant.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: Device Detector 2.lnk.disabled
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: ssqqpQkH - C:\WINDOWS\SYSTEM32\ssqqpQkH.dll
    O23 - Service: McAfee Application Installer Cleanup (0171901233147914) (0171901233147914mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\017190~1.EXE (file missing)
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 11879 bytes

    I am not getting any replies so I am going to try something. I have an idea of what needs to be deleted: there are two dlls in system32 that were created at the same time as prunnet.exe and I can not delete them with any tool tried yet. So I am planning to pop out my HD and pop it into another computer, as a secondary drive, then go in and erase them. Presumably, if the OS is using the C drive, these DLLs will no longer reside on the C drive in another comp so the files will not be being used by another program and therefore should be deletable. Does anyone know if this will work? Or am I just infecting another innocent computer!
    Last edited by tashi; 2009-02-08 at 06:47. Reason: Merged two posts as per stickied faq, "Before You Post"

  2. #2
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hello and welcome to Safer Networking.

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Please continue to respond until I give you the "All Clear"


    If you follow these instructions, everything should go smoothly.

    1 - Scan With ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    How to Temporarily Disable Anti-virus

    Please include the C:\ComboFix.txt in your next reply for further review.

    2 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

    3 - Status Check
    Please reply with


    1. the ComboFix log(C:\ComboFix.txt)
    2. a fresh HijackThis log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  3. #3
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    Default ComboFix and HijackThis Logs

    Thank you for the help!
    Just so you know, before I received your reply I ran MalwareBytes in both normal and safe mode. It found a number of problems, mostly Trojan.Vundo.h . Even though Malwarebytes now says i am clean, I still have almost constant browser redirects when I click on search results.

    As directed, I ran combo and hijack, here are my logs.

    ComboFix 09-02-10.01 - David 2009-02-10 22:53:35.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1532 [GMT -5:00]
    Running from: c:\documents and settings\David\Desktop\Malware Detection\ComboFix.exe
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *disabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\MorpheusBar\bar\1.bin\M0PLUGIN.DLL
    c:\program files\MorpheusBar\bar\1.bin\M0POPSWT.DLL
    c:\program files\MorpheusBar\bar\1.bin\NPMORPBR.DLL
    c:\program files\Mozilla Firefox\plugins\NPMorpBr.dll
    c:\windows\system32\winlogon2.exe
    c:\windows\Tasks\vryroguf.job

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
    .

    2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
    2100-02-08 15:03 . 2001-05-11 10:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
    2009-02-10 19:46 . 2009-02-10 19:46 <DIR> d-------- c:\program files\Avira
    2009-02-10 19:46 . 2009-02-10 19:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2009-02-10 19:37 . 2009-02-10 19:38 <DIR> d-------- c:\program files\SpywareBlaster
    2009-02-10 19:37 . 2009-02-10 22:39 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-02-09 15:03 . 2009-02-09 15:03 <DIR> d-------- c:\documents and settings\Mrs. Richards\Application Data\Malwarebytes
    2009-02-08 10:56 . 2009-02-10 21:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
    2009-02-08 02:16 . 2009-02-10 19:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-02-08 01:29 . 2009-02-08 01:29 61,440 --a------ c:\windows\system32\drivers\oueg.sys
    2009-02-07 22:01 . 2009-02-07 22:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-02-07 01:48 . 2009-02-07 01:49 <DIR> d-------- c:\program files\ERUNT
    2009-02-07 01:05 . 2009-02-07 01:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-07 01:05 . 2009-02-07 01:05 <DIR> d-------- c:\documents and settings\David\Application Data\Malwarebytes
    2009-02-07 01:05 . 2009-02-07 01:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-07 01:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-07 01:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-07 01:00 . 2009-02-07 01:00 <DIR> d-------- c:\program files\Trend Micro
    2009-02-06 19:19 . 2009-02-06 19:20 <DIR> d-------- c:\windows\system32\DLLs Removed 2-6-2009
    2009-02-04 22:23 . 2009-02-05 01:57 <DIR> d-------- c:\windows\system32\delete this crap
    2009-02-04 21:57 . 2009-02-08 13:13 2,204 --a------ c:\windows\kgunefqc
    2009-01-31 20:39 . 2009-01-31 21:04 <DIR> d-------- C:\xampp
    2009-01-21 02:10 . 2009-01-21 02:10 268 --ah----- C:\sqmdata15.sqm
    2009-01-21 02:10 . 2009-01-21 02:10 244 --ah----- C:\sqmnoopt15.sqm
    2009-01-13 17:24 . 2009-01-13 17:24 268 --ah----- C:\sqmdata14.sqm
    2009-01-13 17:24 . 2009-01-13 17:24 244 --ah----- C:\sqmnoopt14.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-11 04:07 --------- d-----w c:\documents and settings\David\Application Data\OpenOffice.org2
    2009-02-11 02:46 --------- d-----w c:\program files\Real
    2009-02-11 02:46 --------- d-----w c:\program files\Common Files\Real
    2009-02-11 02:28 --------- d-----w c:\program files\Google
    2009-02-11 01:11 --------- d-----w c:\program files\Opera
    2009-02-10 07:59 --------- d-----w c:\program files\LogMeIn
    2009-02-09 20:15 499,712 ----a-w c:\windows\system32\msvcp71.dll
    2009-02-09 20:15 348,160 ----a-w c:\windows\system32\msvcr71.dll
    2009-02-09 20:07 --------- d-----w c:\program files\Picasa2
    2009-02-08 14:40 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2009-02-08 06:29 636 ----a-w c:\program files\ombk.txt
    2009-02-08 05:30 85,120 ----a-w c:\documents and settings\David\Application Data\GDIPFONTCACHEV1.DAT
    2009-02-05 02:34 --------- d-----w c:\program files\CCleaner
    2009-02-02 05:17 --------- d-----w c:\program files\McAfee
    2009-01-31 05:13 85,120 ----a-w c:\documents and settings\Mrs. Richards\Application Data\GDIPFONTCACHEV1.DAT
    2009-01-22 21:37 --------- d-----w c:\documents and settings\Mrs. Richards\Application Data\ZoomBrowser EX
    2009-01-22 21:36 --------- d-----w c:\documents and settings\Mrs. Richards\Application Data\CameraWindowDC
    2009-01-17 17:09 --------- d-----w c:\documents and settings\Mrs. Richards\Application Data\WebAssist
    2009-01-08 15:59 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-31 07:20 --------- d-----w c:\documents and settings\David\Application Data\ZoomBrowser EX
    2008-12-31 07:20 --------- d-----w c:\documents and settings\David\Application Data\CameraWindowDC
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-09-18 20:27 5,632 --sha-w c:\program files\Thumbs.db
    2008-01-15 16:53 79,648 ----a-w c:\documents and settings\Katherine\Application Data\GDIPFONTCACHEV1.DAT
    2001-07-26 21:58 47 ----a-w c:\program files\ACMonitor_X73.ini
    2001-07-05 17:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
    2001-06-12 19:28 8,154 ----a-w c:\program files\OsloD3069.usb
    2001-05-08 20:36 114,688 ----a-w c:\program files\lxarscan.dll
    2001-04-23 19:22 1,437 ----a-w c:\program files\gtx73.ini
    2008-06-19 09:16 118,784 ----a-w c:\program files\mozilla firefox\plugins\MyCamera.dll
    2007-05-23 00:14 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
    2007-05-23 00:17 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
    2009-02-11 02:43 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "Google Update"="c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-10 30192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]
    "nForce Tray Options"="sstray.exe" [2003-10-23 c:\windows\system32\sstray.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

    c:\documents and settings\Ellie\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    c:\documents and settings\Katherine\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    c:\documents and settings\Mrs. Richards\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    c:\documents and settings\David\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk.disabled [2004-07-30 910]
    Adobe Gamma Loader.exe.lnk.disabled [2004-08-02 890]
    Adobe Gamma Loader.lnk.disabled [2004-07-30 890]
    Adobe Reader Speed Launch.lnk.disabled [2007-03-31 1757]
    Device Detector 2.lnk.disabled [2004-11-17 1650]
    Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2004-11-17 118784]
    HP Digital Imaging Monitor.lnk.disabled [2006-12-05 1808]
    Microsoft Office.lnk.disabled [2004-08-04 1730]
    Microsoft Works Calendar Reminders.lnk.disabled [2004-07-25 875]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-17 14:07 87352 c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.iv31"= c:\windows\system32\ir32_32.dll
    "vidc.iv32"= c:\windows\system32\ir32_32.dll
    "vidc.ir41"= c:\windows\System32\ir41_32.ax
    "VIDC.SP53"= SP5X_32.DLL
    "VIDC.SP54"= SP5X_32.DLL
    "VIDC.SP55"= SP5X_32.DLL
    "VIDC.SP56"= SP5X_32.DLL
    "VIDC.SP57"= SP5X_32.DLL
    "VIDC.SP58"= SP5X_32.DLL
    "VIDC.SP59"= SP5X_32.DLL
    "midi1"= KORGUMDD.DRV

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPort.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
    @="Driver Group"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
    "ATI Launchpad"=
    "Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
    "WebCamRT.exe"=
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "InCD"=c:\program files\Ahead\InCD\InCD.exe
    "NeroCheck"=c:\windows\system32\NeroCheck.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
    "PrinTray"=c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=c:\program files\Google\Gmail Notifier\gnotify.exe
    "PicasaNet"="c:\program files\Hello\Hello.exe" -b
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "LogitechGalleryRepair"=c:\program files\Logitech\ImageStudio\ISStart.exe
    "LogitechImageStudioTray"=c:\program files\Logitech\ImageStudio\LogiTray.exe
    "LVCOMS"=c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    "tgcmd"="c:\program files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    "DropBoxUtility"="c:\program files\DropBox\DropBox\DropBox.exe" /s
    "NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
    "ABIT uGuru"=c:\program files\ABIT\ABIT uGuru\uGuru.exe
    "HydraVisionDesktopManager"=c:\program files\ATI Technologies\HydraVision\HydraDM.exe
    "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    "BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe"
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    "Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Morpheus\\Morpheus.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Documents and Settings\\Mrs. Richards\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Mrs. Richards\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R0 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [2004-07-25 3584]
    R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-05-12 97408]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-08-03 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-11-29 47640]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-08-28 206096]
    R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2005-12-26 33792]
    R3 EloBus;Elobus Filter Driver;c:\windows\system32\drivers\EloBus.sys [2007-01-20 14848]
    R3 EloSer;Elo Serial Driver;c:\windows\system32\drivers\EloSer.Sys [2007-01-20 45568]
    R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-08-09 33800]
    R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-07-11 23153]
    S1 MMstub;MMstub Driver;c:\windows\system32\DRIVERS\MMstub.sys --> c:\windows\system32\DRIVERS\MMstub.sys [?]
    S2 0171901233147914mcinstcleanup;McAfee Application Installer Cleanup (0171901233147914);c:\windows\TEMP\017190~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\017190~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S2 gupdate1c98bee6cb9fb98;Google Update Service (gupdate1c98bee6cb9fb98);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 133104]
    S2 monmouse;Monmouse Driver;c:\windows\system32\DRIVERS\monmouse.sys --> c:\windows\system32\DRIVERS\monmouse.sys [?]
    S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2005-05-06 30192]
    S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;c:\windows\system32\drivers\KORGUMDS.SYS [2004-07-11 12544]
    S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
    S4 AloPort;AloPort;c:\windows\system32\drivers\AloPort.sys [2004-07-25 3087]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - GOOGLEDESKTOPMANAGER-110408-113106

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fd84b48-4ab8-11dd-a45e-0010b565f1d5}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-01-01 c:\windows\Tasks\Backup.job
    - c:\windows\system32\ntbackup.exe [2001-08-17 22:36]

    2009-02-11 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-08 10:56]

    2009-02-11 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 21:28]

    2009-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-796845957-839522115-1004.job
    - c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 23:12]

    2009-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-796845957-839522115-1010.job
    - c:\documents and settings\Mrs. Richards\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 18:37]

    2009-01-15 c:\windows\Tasks\McDefragTask.job
    - c:\windows\system32\defrag.exe [2008-04-13 19:12]

    2009-02-01 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

    2009-02-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]

    2009-02-11 c:\windows\Tasks\User_Feed_Synchronization-{262578A8-0CC7-4369-953F-800F1B773610}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]

    2009-02-11 c:\windows\Tasks\User_Feed_Synchronization-{2A50439D-5D8A-4C95-B940-18961C5CA924}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]

    2009-02-11 c:\windows\Tasks\User_Feed_Synchronization-{9D5DE8E1-A15F-4186-BFF7-B3EC781BA0FD}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{815DA7A2-230F-4F5E-B783-1F13341DEA79} - (no file)
    BHO-{A397DAB5-063F-4105-83DB-1BFE56D3816D} - (no file)
    BHO-{D38232E4-644C-4B95-B446-130B686E6EB8} - (no file)
    HKLM-Explorer_Run-application - c:\program files\AKProg\AKProg.exe
    Notify-AtiExtEvent - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/webhp
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = I love Katie ; -) From David
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\default.jy3\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?rls=ig
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - plugin: c:\documents and settings\David\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Picasa2\npPicasa2.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-10 23:03:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,f4,d5,c3,9e,d0,
    f8,20,05,e2,63,26,f1,3f,c8,ff,68,63,0c,64,0c,3a,2d,bd,8d,e2,63,26,f1,3f,c8,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,4b,33,6e,58,b6,
    f1,c4,48,6a,9c,d6,61,af,45,84,18,b5,60,d8,0c,62,bd,19,a4,6a,9c,d6,61,af,45,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,bf,59,d1,1e,c1,
    64,4f,5f,ff,7c,85,e0,43,d4,0e,fe,93,00,e7,4e,25,ec,54,b5,ff,7c,85,e0,43,d4,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,38,a5,fb,87,80,
    25,b0,f3,86,8c,21,01,be,91,eb,e7,59,69,0e,4c,9d,af,bb,eb,86,8c,21,01,be,91,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,f9,50,20,72,39,
    76,0e,f7,f5,1d,4d,73,a8,13,5c,05,52,11,95,b9,cf,f4,47,f5,f5,1d,4d,73,a8,13,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,f5,bd,bb,ee,51,
    c8,17,e1,df,20,58,62,78,6b,cf,c8,73,c9,6b,ae,14,42,10,55,df,20,58,62,78,6b,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,da,c8,a2,f9,29,
    f9,24,b0,fb,a7,78,e6,12,2f,9a,ea,14,5a,fc,f0,1f,dc,fa,c7,fb,a7,78,e6,12,2f,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,7e,92,f1,4b,9b,
    c5,15,28,01,3a,48,fc,e8,04,4a,f1,80,6c,51,cd,47,42,e3,36,01,3a,48,fc,e8,04,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,30,69,45,31,47,
    d0,c3,ef,f6,0f,4e,58,98,5b,89,c9,39,09,08,7b,9a,f4,db,73,f6,0f,4e,58,98,5b,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,25,b4,dd,ca,95,
    58,88,c9,3d,ce,ea,26,2d,45,aa,78,5b,df,2d,06,3c,15,b7,5e,3d,ce,ea,26,2d,45,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,b5,ff,b6,b9,42,
    da,19,99,2a,b7,cc,b5,b9,7f,41,e7,d2,69,ac,3e,9a,7d,a4,36,2a,b7,cc,b5,b9,7f,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,13,51,60,11,12,
    67,ca,84,6c,43,2d,1e,aa,22,2f,9c,07,4c,11,9f,c1,dd,a1,a0,6c,43,2d,1e,aa,22,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\ØP*]
    "DisplayName"="?\13?\13"
    "DeviceDesc"="?\13?\13"
    "ProviderName"=""
    "MFG"="???\\"
    "ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
    "DeviceInstanceIds"=multi:"09236.inf\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(560)
    c:\windows\system32\LMIinit.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Ahead\InCD\InCDsrv.exe
    c:\windows\system32\LEXBCES.EXE
    c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\windows\system32\EloSrvce.exe
    c:\program files\LogMeIn\x86\ramaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Common Files\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\McAfee\MSK\msksrver.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\pctspk.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\UAService7.exe
    c:\progra~1\McAfee.com\Agent\mcagent.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\EloDkMon.exe
    c:\windows\system32\EloTTray.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\OpenOffice.org 2.4\program\soffice.exe
    c:\program files\OpenOffice.org 2.4\program\soffice.bin
    c:\program files\McAfee\MPF\MpfSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-10 23:17:48 - machine was rebooted [David]
    ComboFix-quarantined-files.txt 2009-02-11 04:17:44

    Pre-Run: 8,847,671,296 bytes free
    Post-Run: 10,840,858,624 bytes free

    Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=2,3,4,5
    404 --- E O F --- 2009-01-15 08:05:17


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:20:44 PM, on 2/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\EloSrvce.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\EloDkMon.exe
    C:\WINDOWS\system32\EloTTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Global Startup: Acrobat Assistant.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: Device Detector 2.lnk.disabled
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: McAfee Application Installer Cleanup (0171901233147914) (0171901233147914mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\017190~1.EXE (file missing)
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
    O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c98bee6cb9fb98) (gupdate1c98bee6cb9fb98) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 11784 bytes

  4. #4
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi drrchrds

    Thanks for returning your information, let's proceed like this and in the numbered order.

    • It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

      Avira AntiVir PersonalEdition
      McAfee VirusScan


      Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

      Please remove one of them.


    1 - Download anf Run OTMoveIt3

    Download OTMoveIt3 by Old Timer and save it to your Desktop.
    • Double-click OTMoveIt3.exe.
    • Copy the lines in the codebox below.

    Code:
    :files
    c:\windows\kgunefqc
    • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3


    2 - Download and Run GooredFix

    Please download GooredFix and save it to your Desktop.

    • Double-click Goored.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply
      • (it can also be found on your desktop, called Goored.txt).

    Note: Do not run Option #2 yet.

    3 - Status Check
    Please reply with

    1. the OTMoveIt3 log
    2. the report from Goored

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  5. #5
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    Default OT and Goored results

    OK, FYI: after ComboFix, I no longer had redirects, but when I got up this morning the comp had restared overnight and they were back.

    Here are the results of OT and Goored:

    ========== FILES ==========
    c:\windows\kgunefqc moved successfully.

    OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02112009_113654


    GooredFix v1.9 by jpshortstuff
    Log created at 11:39 on 11/02/2009 running Option #1 (David)
    Firefox version 3.0.6 (en-US)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"


    Lastly, let me know if it is not OK for me to be running these things remotely via LogMeIn. I am at work, the comp is at home, so I am logging in to do this stuff.

    Thanks

  6. #6
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi drrchrds
    Yes you can use LogMeIn

    1 - Run Malwarebytes' Anti-Malware
    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates
    • After the update have been completed, Select the Scanner tab.


    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found here:

      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    2 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

    3 - Status Check
    Please reply with


    1. the Malwarebytes' Anti-Malware Log
    2. a fresh HijackThis log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  7. #7
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    Default MB and HJT Logs

    Malwarebytes' Anti-Malware 1.34
    Database version: 1750
    Windows 5.1.2600 Service Pack 3

    2/11/2009 8:00:27 PM
    mbam-log-2009-02-11 (20-00-27).txt

    Scan type: Full Scan (C:\|E:\|H:\|)
    Objects scanned: 363723
    Time elapsed: 2 hour(s), 29 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:02:07 PM, on 2/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\EloSrvce.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\EloDkMon.exe
    C:\WINDOWS\system32\EloTTray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {815DA7A2-230F-4F5E-B783-1F13341DEA79} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A397DAB5-063F-4105-83DB-1BFE56D3816D} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O2 - BHO: (no name) - {D38232E4-644C-4B95-B446-130B686E6EB8} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-21-1275210071-796845957-839522115-1010\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Mrs. Richards')
    O4 - HKUS\S-1-5-21-1275210071-796845957-839522115-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mrs. Richards')
    O4 - HKUS\S-1-5-21-1275210071-796845957-839522115-1010\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Mrs. Richards')
    O4 - HKUS\S-1-5-21-1275210071-796845957-839522115-1010\..\Run: [Elo Touch Systems] C:\Program Files\EloTouchSystems\EloTTray.exe (User 'Mrs. Richards')
    O4 - HKUS\S-1-5-21-1275210071-796845957-839522115-1010\..\Run: [Google Update] "C:\Documents and Settings\Mrs. Richards\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'Mrs. Richards')
    O4 - HKUS\S-1-5-21-1275210071-796845957-839522115-1010\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (User 'Mrs. Richards')
    O4 - HKUS\S-1-5-21-1275210071-796845957-839522115-1010\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Mrs. Richards')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - S-1-5-21-1275210071-796845957-839522115-1010 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Mrs. Richards')
    O4 - S-1-5-21-1275210071-796845957-839522115-1010 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Mrs. Richards')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Global Startup: Acrobat Assistant.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: Device Detector 2.lnk.disabled
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: McAfee Application Installer Cleanup (0171901233147914) (0171901233147914mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\017190~1.EXE (file missing)
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
    O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c98bee6cb9fb98) (gupdate1c98bee6cb9fb98) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 13769 bytes

  8. #8
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi drrchrds

    1 - Remove bad HijackThis entries
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
        O2 - BHO: (no name) - {815DA7A2-230F-4F5E-B783-1F13341DEA79} - (no file)
        O2 - BHO: (no name) - {A397DAB5-063F-4105-83DB-1BFE56D3816D} - (no file)
        O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
        O2 - BHO: (no name) - {D38232E4-644C-4B95-B446-130B686E6EB8} - (no file)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    2 - Update Java

    Please download JavaRa and unzip it to your desktop.

    • Double-click on JavaRa.exe to start the program.
    • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
    • A log file will pop up. Please save it to a convenient location.


    Download the latest version of Java Runtime Environment (JRE) 6 Update 12.

    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager..
    • Close any programs you may have running - especially your web browser.
    • Then from your desktop double-click on the download to install the newest version.


    3 - Clean temp files

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.

      Under Main choose:
      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Prefetch
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.

      if you use Firefox:
      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      if you use Opera:
      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


      Click Exit on the Main menu to close the program


    4 - Kaspersky Online Scan

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.


    5 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

    6 - Status Check
    Please reply with

    1. the Kaspersky online scanner report
    2. a fresh HijackThis log
    How's the computer running now? Any problems?

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  9. #9
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    Default Java?

    I removed old versions of Java and then I followed the link to: http://java.sun.com/javase/downloads/index.jsp#jre
    I did not find the text "The J2SE Runtime Environment (JRE) allows end-users to run Java applications" on that page. Is it the first download on the top of the page that I want? The JRE 6 Update 12?

  10. #10
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi

    Yes it´s JRE 6 Update 12
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •