
Thread: remote attack

  1. #1
    Junior Member
    Join Date
    Mar 2010
    Posts
    12

    remote attack

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 12:20:15 PM, on 3/16/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\Domain Tools\ProjectWhois\ProjectWhois.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Users\my\Desktop\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.as...4z1m5r48l23265
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.as...4z1m5r48l23265
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.as...4z1m5r48l23265
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.as...4z1m5r48l23265
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: ProjectWhois.lnk = C:\Program Files (x86)\Domain Tools\ProjectWhois\ProjectWhois.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O13 - Gopher Prefix:
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe
    O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
    O23 - Service: McciCMService64 - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
    O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\Partner.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 9851 bytes

    -------------------
    http://forums.spybot.info/showthread.php?t=56202
    Last edited by tashi; 2010-03-16 at 18:53. Reason: Added link to info :-)

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi currentlybeingspyedon

    Your log looks pretty OK to me. The OS is Windows 7 64-bit, which many tools don't support though.

    Having an ASP.NET account is normal as well.

    Can you give me details on why you think you are being spied on?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Mar 2010
    Posts
    12


    This may be in part due to me running Spybot & Comodo Registry Cleaner a couple of days ago (when doing so the scan had trouble with something called helloworld & I might have deleted some files in a stupid attempt to get rid of the thing and regain ownership of my computer), but my old computer had a backdoor, circus ride & bumphump type virus I could never figure out, and so I bought this one, but upon inserting our SD card I think it jumped into this computer (all of a sudden my brand new computer was being tracked)... I have a folder called PerfLogs and also in my network map there's a folder, remote administrator, called admin$ that is shared with all my personal files & I don't use .NET Framework for anything, and it seems someone now owns my computer because I'm being denied permission to folders I'm administrator of & have a smart card user account (I've never owned or used a smart card); also getting iGoogle redirect & redirected at other times also..... Should I try to restore this PC to default factory settings then scan again? (Did this before & it went great until about 30 sec into start-up it launched & I tried eliminating the process but don't think it did any good because my security threat log in Norton is riddled with unauthorized thread data logged & security modifications to my system config that I did not do.) Should I try to run an HJT log on my old computer to get an idea of what jumped into this one?

    Sorry for the trouble & thank you for the help!

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    So then we continue with this:

    Download gmer.zip and save to your desktop.
    alternate download site
    • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
    • When you have done this, disconnect from the Internet and close all running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double-click on Gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    • Click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Click on the "Scan" and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
    • Note: If you have any problems, try running GMER in SAFE MODE.

    Important! Please do not select the "Show all" checkbox during the scan.

  5. #5
    Junior Member
    Join Date
    Mar 2010
    Posts
    12


    I did what you asked & under Rootkit the only options I'm allowed to check are Services, Registry, Files, ADS, & C:\ in normal mode & safe mode; the rest of the options are ghost in appearance & will not allow me to check them (including Show All)... I scanned anyway while disconnected from the internet in both normal & safe mode, which resulted in nothing found, but under Modules I happened to notice that \systemroot\system32\drivers/mountmgr.sys size was 106496. Is that abnormal in size? If I restore system settings will this fix my problem of my files not being supported? (Seen in my HJT log.) I deleted some files that seemed to be suspicious & lost PowerPoint & other programs previous to finding out about Spybot, & I'm wondering if starting over from factory default will restore my old files, & I know whatever invaded my computer will relaunch itself because I already tried this once when I called the manufacturer of this new laptop I have; that's what their instructions were when I told them about the tracking device that installed when the SD card was put in.... (It didn't work as far as eliminating the remote administrator, unauthorized access & iGoogle redirect.)

    I'm sorry for my inexperience on these issues & really appreciate the help.

    Thank you

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Files are supported; it is about HJT and your Windows version.

    You should never delete anything which you are unsure about.

    In this case, a factory reset sounds like the best alternative.

    You shouldn't use that SD card either, or you will end up in a similar situation soon.
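    As an added illustration of the point made in posts #2 and #6 (editor's example; not code from the thread, from HijackThis or from Spybot), the script below triages lines in the HJT log format posted in #1. It separates entries whose file is genuinely absent (the unnamed BHO with "(no file)", the Google Toolbar Notifier DLL) from the "(file missing)" reports under C:\Windows\System32, which on a 64-bit machine are the artefact the expert alludes to: 32-bit HijackThis is redirected by WOW64 to SysWOW64 and never sees the native binaries. The sample lines are copied from the log in post #1; the verdict labels and the "Program Files (x86)" bitness heuristic are my own.

```python
"""Triage a HijackThis (HJT) log: separate registry entries whose file is
genuinely absent from the '(file missing)' noise a 32-bit scanner produces
on 64-bit Windows.  Added example, not part of the forum thread or of HJT."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Platform: Unknown Windows (WinNT 6.01.3504)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (file missing)
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# HJT appends '(file missing)' to a path, or replaces the whole path with '(no file)'.
MISSING_RE = re.compile(r"\s*(?:-\s*)?\((?:file missing|no file)\)\s*$")
# O4 lines:  [name] "C:\path\prog.exe" args   or   [name] %VAR%\path\prog.exe args
O4_RE = re.compile(r'^\[(?P<name>[^\]]*)\]\s*"?(?P<path>.+?\.(?:exe|dll|cmd|bat))"?', re.I)
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    section: str            # HJT section, e.g. "O2", "O4", "O23"
    name: str               # BHO / service / Run-key value name
    path: Optional[str]     # file the registry entry points at, if any
    missing: bool           # HJT reported "(file missing)" or "(no file)"
    verdict: str = ""       # filled in by classify()


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Oxx - ...' line; return None for header/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    missing = MISSING_RE.search(body) is not None
    body = MISSING_RE.sub("", body)
    kind, _, rest = body.partition(": ")
    if not rest:                      # R0/R1-style lines have no 'kind: rest' split
        return Entry(sec, kind, None, missing)
    if sec == "O4":
        o4 = O4_RE.match(rest)
        if o4:
            return Entry(sec, o4.group("name"), o4.group("path"), missing)
        return Entry(sec, rest, None, missing)
    # O2/O3/O18/O23: "<name> - <clsid or owner> - <path>"
    parts = [p.strip() for p in rest.split(" - ")]
    path = parts[-1] if len(parts) > 1 and PATH_RE.match(parts[-1]) else None
    return Entry(sec, parts[0], path, missing)


def is_64bit_log(text: str) -> bool:
    """HJT's 'Platform' line does not state bitness, but the 'Program Files (x86)'
    directory exists only on 64-bit Windows, so any such path implies WOW64."""
    return "program files (x86)" in text.lower()


def classify(e: Entry, x64: bool) -> str:
    if not e.missing:
        return "present"
    if e.path is None:
        return "orphan"             # registry key points at nothing: safe to fix
    if x64 and e.path.lower().startswith(SYSTEM32):
        return "wow64-artefact"     # 32-bit HJT was redirected to SysWOW64, where
                                    # the native 64-bit binary does not live
    return "missing"                # file really gone: stale entry or removed software


def triage_log(text: str) -> list:
    """Parse a whole HJT log and attach a verdict to every entry."""
    x64 = is_64bit_log(text)
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    for e in entries:
        e.verdict = classify(e, x64)
    return entries


def summarize(entries) -> dict:
    counts = {}
    for e in entries:
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.verdict:15} {e.section:4} {e.name} -> {e.path}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

    Entries labelled "wow64-artefact" should be re-checked with a native 64-bit tool before anyone treats them as evidence of tampering; "orphan" and "missing" entries are the ones worth a closer look.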

  7. #7
    Junior Member
    Join Date
    Mar 2010
    Posts
    12

    ?????

    Okay, I have restored the system to factory default settings & once again upon start-up something called alaunchx installed 15 updates or some programs or something & shut down then restarted automatically, where I notice my date & time are not reading correctly. The PerfLogs file and many others are still there. When I downloaded Spybot I disabled TeaTimer & ran a scan (nothing found); when I downloaded HJT & tried to run a scan to save to a log it says: for some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HJT may not be able to fix this. If that happens you need to edit the file yourself.

    Q: Should alaunchx be installing anything upon default restoration then rebooting?
    Q: What is GAIA alaunchx?
    Q: Can this affect my date/time?
    Q: What is PerfLogs?
    Q: What is remote admin$?
    Q: Could the files I deleted previously have allowed me to run an HJT scan before, & if so was this possibly hampering someone's attempt to track me?
    Q: Since the restoration attempt, do you think whatever has attacked me reinstalled its program/s successfully?
    Q: Do you think I'm hijacked (from this post & previous posts)?
    Q: Can someone act as me (using my information) to attack or steal from others?

    So far since THIS (TRIED 2 TIMES PREVIOUSLY & SAME RESULT) restoration attempt, I have installed Spybot, ran a scan, nothing found (unable to immunize), HijackThis (tried scan & save to log unsuccessfully), & Firefox.... That is all so far since I am awaiting what to do from this point.
    Q: Any suggestions on what to do from here?

    Please help; I hope I'm wrong, but I am afraid my identity is compromised & others are at risk!!!

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    "okay, i have restored system to factory default settings & once again upon start up something called alaunchx intsalled 15 updates or some programs or something & shutdown then restarted automatically where i notice my date & time are not reading correctly. the perflogs file and many others are still there."

    Alaunch is a program by Acer and legit. PerfLogs is part of the operating system and should be left alone.

    "Q: should alunchx be installing anything upon default restoration then rebooting?
    Q: what is GAIA alaunchx?"

    Please see above.

    "Q: what is remote admin$"

    The ability to use Windows remotely; it can be disabled within the operating system.

    "Q: what is perflogs?"

    Part of Windows 7, please leave it alone.

    "Q: could the files i deleted previously have allowed me to run hjt scan before & if so was this possibly hampering someones attempt to track me?"

    No, User Account Control is on and/or you are not running HJT as admin.

    "Q: since restoration attempt, do you think whatever has attacked me reinstalled its program/s successfully?"

    No, I don't.

    "Q: do you think im hijacked (from this post & previous posts)
    Q: can someone act as me (using my information) to attack or steal from others?"

    Sounds very unlikely.

    "so far since THIS (TRIED 2 TIMES PREVIOUSLY & SAME RESULT) restoration attempt, i have installed spybot, ran scan, nothing found(unable to immunize)hijack this (tried scan & save to log unsuccessfully), & firefox.... that is all so far since i am awaiting what to do from this point.
    Q: any suggestions on what to do from here?"

    You are apparently not running those programs as admin.

    As most tools don't support a 64-bit OS and researching your situation would be very difficult, I recommend taking the computer to some store for a checkup.
    Not much can be done without physically being at the computer.

    Best regards.

  9. #9
    Junior Member
    Join Date
    Mar 2010
    Posts
    12


    DOES THIS SHED ANY LIGHT ON THE SITUATION?
    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-01-26 TeaTimer.exe (1.6.4.26)
    2010-03-21 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-01-26 advcheck.dll (1.6.2.15)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2010-02-17 Includes\Adware.sbi
    2010-03-16 Includes\AdwareC.sbi
    2010-01-25 Includes\Cookies.sbi
    2009-11-03 Includes\Dialer.sbi
    2010-03-16 Includes\DialerC.sbi
    2010-01-25 Includes\HeavyDuty.sbi
    2009-05-26 Includes\Hijackers.sbi
    2010-03-16 Includes\HijackersC.sbi
    2010-01-20 Includes\Keyloggers.sbi
    2010-03-16 Includes\KeyloggersC.sbi
    2004-11-29 Includes\LSP.sbi
    2010-03-02 Includes\Malware.sbi
    2010-03-17 Includes\MalwareC.sbi
    2009-03-25 Includes\PUPS.sbi
    2010-03-16 Includes\PUPSC.sbi
    2010-01-25 Includes\Revision.sbi
    2009-01-13 Includes\Security.sbi
    2010-03-16 Includes\SecurityC.sbi
    2008-06-03 Includes\Spybots.sbi
    2008-06-03 Includes\SpybotsC.sbi
    2010-03-02 Includes\Spyware.sbi
    2010-03-16 Includes\SpywareC.sbi
    2010-03-08 Includes\Tracks.uti
    2010-03-03 Includes\Trojans.sbi
    2010-03-16 Includes\TrojansC-02.sbi
    2010-03-16 Includes\TrojansC-03.sbi
    2010-03-16 Includes\TrojansC-04.sbi
    2010-03-17 Includes\TrojansC-05.sbi
    2010-03-16 Includes\TrojansC.sbi
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Protocol 0: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 1: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 2: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 3: MSAFD Tcpip [TCP/IPv6]
    GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IPv6 protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 4: MSAFD Tcpip [UDP/IPv6]
    GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IPv6 protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 5: MSAFD Tcpip [RAW/IPv6]
    GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IPv6 protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 6: RSVP TCPv6 Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 7: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 8: RSVP UDPv6 Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 9: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
    GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename:
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace

    Namespace Provider 1: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename:
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 2: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider 3: E-mail Naming Shim Provider
    GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
    Filename:

    Namespace Provider 4: PNRP Cloud Namespace Provider
    GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
    Filename:

    Namespace Provider 5: PNRP Name Namespace Provider
    GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
    Filename:

    OR THIS?

    Located: HK_LM:Run, Adobe Reader Speed Launcher
    command: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    file: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
    size: 35696
    MD5: 452FA961163EF4AEE4815796A13AB2CF

    Located: HK_LM:Run, LManager
    command: C:\Program Files (x86)\Launch Manager\LManager.exe
    file: C:\Program Files (x86)\Launch Manager\LManager.exe
    size: 1157128
    MD5: 34BC222864CEF86DABB5032DA36485DA

    Located: HK_LM:Run, NortonOnlineBackupReminder
    command: "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    file: C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe
    size: 588648
    MD5: 40AEF61000935C93C144E537AC990786

    Located: HK_LM:Run, StartCCC
    command: "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    file: C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    size: 98304
    MD5: EF5C94E3EFC691D1EE862044505F6345

    Located: HK_LM:RunOnce, Uninstall Adobe Download Manager
    command: "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    file: C:\Windows\system32\rundll32.exe
    size: 44544
    MD5: 51138BEEA3E2C21EC44D0932C71762A8

    Located: HK_CU:Run, Sidebar
    where: S-1-5-19...
    command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
    file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
    size: 1173504
    MD5: EA6EADF6314E43783BA8EEE79F93F73C

    Located: HK_CU:RunOnce, mctadmin
    where: S-1-5-19...
    command: C:\Windows\System32\mctadmin.exe
    file: C:\Windows\System32\mctadmin.exe
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_CU:Run, Sidebar
    where: S-1-5-20...
    command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
    file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
    size: 1173504
    MD5: EA6EADF6314E43783BA8EEE79F93F73C

    Located: HK_CU:RunOnce, mctadmin
    where: S-1-5-20...
    command: C:\Windows\System32\mctadmin.exe
    file: C:\Windows\System32\mctadmin.exe
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_CU:Run, Global Registration
    where: S-1-5-21-204940859-3958103151-4137569969-1002...
    command: "C:\Program Files (x86)\eMachines\Registration\GREG.exe" BOOT
    file: C:\Program Files (x86)\eMachines\Registration\GREG.exe
    size: 2844704
    MD5: E379EB6B78739BA5273E880DE1216FEB

    Located: HK_CU:Run, swg
    where: S-1-5-21-204940859-3958103151-4137569969-1002...
    command: "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    file: C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    size: 39408
    MD5: 5D61BE7DB55B026A5D61A3EED09D0EAD

    OR THIS?

    pybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    PID: 0 ( 0) [System]
    PID: 2168 (1600) C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe
    size: 117640
    MD5: EE215321E83BE72AB77B6627FD149EAE
    PID: 3216 (2308) C:\Program Files (x86)\Launch Manager\LManager.exe
    size: 1157128
    MD5: 34BC222864CEF86DABB5032DA36485DA
    PID: 3236 ( 708) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    size: 39408
    MD5: 5D61BE7DB55B026A5D61A3EED09D0EAD
    PID: 5036 (3372) C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
    size: 2521464
    MD5: 7CFD590987D2BB33D5D56D98093D2E76
    PID: 4216 (1084) C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
    size: 5365592
    MD5: 0477C2F9171599CA5BC3307FDFBA8D89
    PID: 4 ( 0) System
    PID: 256 ( 4) smss.exe
    PID: 400 ( 332) csrss.exe
    PID: 472 ( 332) wininit.exe
    size: 96256
    PID: 480 ( 464) csrss.exe
    PID: 512 ( 464) winlogon.exe
    PID: 572 ( 472) services.exe
    PID: 584 ( 472) lsass.exe
    PID: 592 ( 472) lsm.exe
    PID: 708 ( 572) svchost.exe
    size: 20992
    PID: 780 ( 572) svchost.exe
    size: 20992
    PID: 820 ( 572) atiesrxx.exe
    PID: 904 ( 572) svchost.exe
    size: 20992
    PID: 940 ( 572) svchost.exe
    size: 20992
    PID: 968 ( 572) svchost.exe
    size: 20992
    PID: 396 ( 572) svchost.exe
    size: 20992
    PID: 1008 ( 572) svchost.exe
    size: 20992
    PID: 1192 ( 820) atieclxx.exe
    PID: 1328 ( 572) spoolsv.exe
    PID: 1364 ( 572) svchost.exe
    size: 20992
    PID: 1468 ( 572) ePowerSvc.exe
    PID: 1496 ( 572) svchost.exe
    size: 20992
    PID: 1536 ( 572) GregHSRW.exe
    PID: 1600 ( 572) ccSvcHst.exe
    PID: 1688 ( 572) SchedulerSvc.exe
    PID: 1800 ( 572) UpdaterService.exe
    PID: 1184 ( 572) SearchIndexer.exe
    size: 428032
    PID: 1776 ( 572) svchost.exe
    size: 20992
    PID: 1732 ( 708) WmiPrvSE.exe
    PID: 1292 ( 572) C:\Windows\System32\taskhost.exe
    PID: 1808 ( 940) C:\Windows\System32\dwm.exe
    PID: 1084 (1944) C:\Windows\explorer.exe
    size: 2868224
    MD5: C235A51CB740E45FFA0EBFB9BAFCDA64
    PID: 268 (1084) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    size: 7982112
    MD5: 910AFE116ADE17C93E892C38452075F9
    PID: 1256 (1084) C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
    size: 828960
    MD5: 0C4F4CFFA3A613D175BB25728514C0C4
    PID: 2728 (1084) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    size: 1808168
    MD5: FD217F6DDBB90D84A46B36E17E99CA0C
    PID: 860 ( 708) C:\Windows\System32\wbem\unsecapp.exe
    PID: 2976 (1468) ePowerEvent.exe
    PID: 3516 ( 572) wmpnetwk.exe
    PID: 3604 (2728) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    size: 120616
    MD5: C6BE59AE498497F78EC46DADB5335766
    PID: 3744 ( 572) svchost.exe
    size: 20992
    PID: 3376 (3732) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    size: 65536
    MD5: E7704CBF568815C1CAA6E513387BD3F2
    PID: 144 (3376) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    size: 65536
    MD5: 74EF310FAC89341CE2897B7F2C4A7B0F
    PID: 2460 ( 572) C:\Windows\System32\taskhost.exe
    PID: 1940 ( 940) WUDFHost.exe
    PID: 3088 ( 572) svchost.exe
    size: 20992
    PID: 4612 ( 968) C:\Windows\System32\wuauclt.exe
    PID: 4844 ( 904) audiodg.exe


    PLEASE KEEP IN MIND THIS IS A NEW COMPUTER THAT WAS FACTORY CLEAN WITHOUT ANY INSTALLS & RAN PERFECTLY BEFORE INSERTING AN SD CARD THAT WAS EXPOSED TO A VIRUSED COMPUTER. Q: WHAT ARE MOM.EXE & CCC.EXE, & SHOULD THEY BE COMMANDING ACCESS TO SHARED FILES OR EVEN BE INSTALLED FROM THE FACTORY? (I NEVER INSTALLED THEM)
    Q: COULD THIS BE A ROOTKIT?

  10. #10
    Junior Member
    Join Date
    Mar 2010
    Posts
    12

    Default

    OR THIS?


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-01-26 TeaTimer.exe (1.6.4.26)
    2010-03-21 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-01-26 advcheck.dll (1.6.2.15)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2010-02-17 Includes\Adware.sbi
    2010-03-16 Includes\AdwareC.sbi
    2010-01-25 Includes\Cookies.sbi
    2009-11-03 Includes\Dialer.sbi
    2010-03-16 Includes\DialerC.sbi
    2010-01-25 Includes\HeavyDuty.sbi
    2009-05-26 Includes\Hijackers.sbi
    2010-03-16 Includes\HijackersC.sbi
    2010-01-20 Includes\Keyloggers.sbi
    2010-03-16 Includes\KeyloggersC.sbi
    2004-11-29 Includes\LSP.sbi
    2010-03-02 Includes\Malware.sbi
    2010-03-17 Includes\MalwareC.sbi
    2009-03-25 Includes\PUPS.sbi
    2010-03-16 Includes\PUPSC.sbi
    2010-01-25 Includes\Revision.sbi
    2009-01-13 Includes\Security.sbi
    2010-03-16 Includes\SecurityC.sbi
    2008-06-03 Includes\Spybots.sbi
    2008-06-03 Includes\SpybotsC.sbi
    2010-03-02 Includes\Spyware.sbi
    2010-03-16 Includes\SpywareC.sbi
    2010-03-08 Includes\Tracks.uti
    2010-03-03 Includes\Trojans.sbi
    2010-03-16 Includes\TrojansC-02.sbi
    2010-03-16 Includes\TrojansC-03.sbi
    2010-03-16 Includes\TrojansC-04.sbi
    2010-03-17 Includes\TrojansC-05.sbi
    2010-03-16 Includes\TrojansC.sbi
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Located: HK_LM:Run, Adobe Reader Speed Launcher
    command: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    file: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
    size: 35696
    MD5: 452FA961163EF4AEE4815796A13AB2CF

    Located: HK_LM:Run, LManager
    command: C:\Program Files (x86)\Launch Manager\LManager.exe
    file: C:\Program Files (x86)\Launch Manager\LManager.exe
    size: 1157128
    MD5: 34BC222864CEF86DABB5032DA36485DA

    Located: HK_LM:Run, NortonOnlineBackupReminder
    command: "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    file: C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe
    size: 588648
    MD5: 40AEF61000935C93C144E537AC990786

    Located: HK_LM:Run, StartCCC
    command: "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    file: C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    size: 98304
    MD5: EF5C94E3EFC691D1EE862044505F6345

    Located: HK_LM:RunOnce, Uninstall Adobe Download Manager
    command: "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    file: C:\Windows\system32\rundll32.exe
    size: 44544
    MD5: 51138BEEA3E2C21EC44D0932C71762A8

    Located: HK_CU:Run, Sidebar
    where: S-1-5-19...
    command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
    file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
    size: 1173504
    MD5: EA6EADF6314E43783BA8EEE79F93F73C

    Located: HK_CU:RunOnce, mctadmin
    where: S-1-5-19...
    command: C:\Windows\System32\mctadmin.exe
    file: C:\Windows\System32\mctadmin.exe
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_CU:Run, Sidebar
    where: S-1-5-20...
    command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
    file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
    size: 1173504
    MD5: EA6EADF6314E43783BA8EEE79F93F73C

    Located: HK_CU:RunOnce, mctadmin
    where: S-1-5-20...
    command: C:\Windows\System32\mctadmin.exe
    file: C:\Windows\System32\mctadmin.exe
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_CU:Run, Global Registration
    where: S-1-5-21-204940859-3958103151-4137569969-1002...
    command: "C:\Program Files (x86)\eMachines\Registration\GREG.exe" BOOT
    file: C:\Program Files (x86)\eMachines\Registration\GREG.exe
    size: 2844704
    MD5: E379EB6B78739BA5273E880DE1216FEB

    Located: HK_CU:Run, swg
    where: S-1-5-21-204940859-3958103151-4137569969-1002...
    command: "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    file: C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    size: 39408
    MD5: 5D61BE7DB55B026A5D61A3EED09D0EAD


    AGAIN, THIS IS A NEW HOME COMPUTER USED FOR HOME USE (EMAILS ETC., NOTHING FOR BUSINESS USE OR MONITORING ANY OTHER COMPUTER/S).

    Q: DOES ANYTHING GIVE THE SLIGHTEST HINT OF LOOKING GOOFY OR OUT OF PLACE UPON START UP? *NOTE: NEW EMACHINES E627 WITHOUT ANY MODS (TO MY KNOWLEDGE)

    THANK YOU FOR YOUR INSIGHT
