Re-directing Hosts - Can't edit hosts file (Resolved)

D

Dumb74

New member
Spybot scan keeps finding these re-directing hosts on the scan, but, can't delete them - comes back with an error unable to edit the hosts file.

When I ran Hijack This, it came back with a similar error and produced a partial scan list (Excluding O1 Items).

Hijack This Errors:

1. "For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, Hijack this may not be able to fix this. If that happens, you need to edit the file yourself. To do this, Click Start, Run and Type: notepad c:\windows\system32\drivers\etc\hosts and press enter.
Find the lines Hijack This reports and delete them. Save the file as 'hosts.' (with quotes), and reboot.
For Vista: simply exit Hijack This, Right click on Hijack This Icon, Choose run as Administrator."

After clicking OK on the above error, received the following error

2. "Your Hosts file has invalid linebreaks and Hijackthis is unable to fix this. O1 Items will not be displayed.
Click OK to continue the rest of the Scan."

After Clicking OK, the following Log was created:

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:15 AM, on 02/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://home.xxxxxx.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xxxxxx.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xxxxxx.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxypac.xxxxxx.com/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = xxxxxx.xxxxxx.com:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mindleaders.com
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Boingo Wi-Fi] "C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - .DEFAULT User Startup: postmsg.rtf (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://home.xxxxxx.com
O15 - Trusted Zone: http://www.accessabc.com
O15 - Trusted Zone: http://www.acessabc.com
O15 - Trusted Zone: http://irs.ustreas.gov
O15 - Trusted Zone: http://www.irs.ustreas.gov
O15 - Trusted Zone: http://www.acessabc.com (HKLM)
O15 - Trusted Zone: http://irs.ustreas.gov (HKLM)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10072 bytes

Contents of the Host File (Tried to edit manually, didn't work):

127.0.0.1 localhost
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
67.215.245.21 www.google-analytics.com
95.211.99.110 google.ae
95.211.99.110 google.as
95.211.99.110 google.at
95.211.99.110 google.az
95.211.99.110 google.ba
95.211.99.110 google.be
95.211.99.110 google.bg
95.211.99.110 google.bs
95.211.99.110 google.ca
95.211.99.110 google.cd
95.211.99.110 google.com.gh
95.211.99.110 google.com.hk
95.211.99.110 google.com.jm
95.211.99.110 google.com.mx
95.211.99.110 google.com.my
95.211.99.110 google.com.na
95.211.99.110 google.com.nf
95.211.99.110 google.com.ng
95.211.99.110 google.ch
95.211.99.110 google.com.np
95.211.99.110 google.com.pr
95.211.99.110 google.com.qa
95.211.99.110 google.com.sg
95.211.99.110 google.com.tj
95.211.99.110 google.com.tw
95.211.99.110 google.dj
95.211.99.110 google.de
95.211.99.110 google.dk
95.211.99.110 google.dm
95.211.99.110 google.ee
95.211.99.110 google.fi
95.211.99.110 google.fm
95.211.99.110 google.fr
95.211.99.110 google.ge
95.211.99.110 google.gg
95.211.99.110 google.gm
95.211.99.110 google.gr
95.211.99.110 google.ht
95.211.99.110 google.ie
95.211.99.110 google.im
95.211.99.110 google.in
95.211.99.110 google.it
95.211.99.110 google.ki
95.211.99.110 google.la
95.211.99.110 google.li
95.211.99.110 google.lv
95.211.99.110 google.ma
95.211.99.110 google.ms
95.211.99.110 google.mu
95.211.99.110 google.mw
95.211.99.110 google.nl
95.211.99.110 google.no
95.211.99.110 google.nr
95.211.99.110 google.nu
95.211.99.110 google.pl
95.211.99.110 google.pn
95.211.99.110 google.pt
95.211.99.110 google.ro
95.211.99.110 google.ru
95.211.99.110 google.rw
95.211.99.110 google.sc
95.211.99.110 google.se
95.211.99.110 google.sh
95.211.99.110 google.si
95.211.99.110 google.sm
95.211.99.110 google.sn
95.211.99.110 google.st
95.211.99.110 google.tl
95.211.99.110 google.tm
95.211.99.110 google.tt
95.211.99.110 google.us
95.211.99.110 google.vu
95.211.99.110 google.ws
95.211.99.110 google.co.ck
95.211.99.110 google.co.id
95.211.99.110 google.co.il
95.211.99.110 google.co.in
95.211.99.110 google.co.jp
95.211.99.110 google.co.kr
95.211.99.110 google.co.ls
95.211.99.110 google.co.ma
95.211.99.110 google.co.nz
95.211.99.110 google.co.tz
95.211.99.110 google.co.ug
95.211.99.110 google.co.uk
95.211.99.110 google.co.za
95.211.99.110 google.co.zm
95.211.99.110 google.com
95.211.99.110 google.com.af
95.211.99.110 google.com.ag
95.211.99.110 google.com.ar
95.211.99.110 google.com.au
95.211.99.110 google.com.bn
95.211.99.110 google.com.br
95.211.99.110 google.com.by
95.211.99.110 google.com.bz
95.211.99.110 google.com.cu
95.211.99.110 google.com.ec
95.211.99.110 google.com.fj
95.211.99.110 www.google.ae
95.211.99.110 www.google.as
95.211.99.110 www.google.at
95.211.99.110 www.google.az
95.211.99.110 www.google.ba
95.211.99.110 www.google.be
95.211.99.110 www.google.bg
95.211.99.110 www.google.bs
95.211.99.110 www.google.ca
95.211.99.110 www.google.cd
95.211.99.110 www.google.com.gh
95.211.99.110 www.google.com.hk
95.211.99.110 www.google.com.jm
95.211.99.110 www.google.com.mx
95.211.99.110 www.google.com.my
95.211.99.110 www.google.com.na
95.211.99.110 www.google.com.nf
95.211.99.110 www.google.com.ng
95.211.99.110 www.google.ch
95.211.99.110 www.google.com.np
95.211.99.110 www.google.com.pr
95.211.99.110 www.google.com.qa
95.211.99.110 www.google.com.sg
95.211.99.110 www.google.com.tj
95.211.99.110 www.google.com.tw
95.211.99.110 www.google.dj
95.211.99.110 www.google.de
95.211.99.110 www.google.dk
95.211.99.110 www.google.dm
95.211.99.110 www.google.ee
95.211.99.110 www.google.fi
95.211.99.110 www.google.fm
95.211.99.110 www.google.fr
95.211.99.110 www.google.ge
95.211.99.110 www.google.gg
95.211.99.110 www.google.gm
95.211.99.110 www.google.gr
95.211.99.110 www.google.ht
95.211.99.110 www.google.ie
95.211.99.110 www.google.im
95.211.99.110 www.google.in
95.211.99.110 www.google.it
95.211.99.110 www.google.ki
95.211.99.110 www.google.la
95.211.99.110 www.google.li
95.211.99.110 www.google.lv
95.211.99.110 www.google.ma
95.211.99.110 www.google.ms
95.211.99.110 www.google.mu
95.211.99.110 www.google.mw
95.211.99.110 www.google.nl
95.211.99.110 www.google.no
95.211.99.110 www.google.nr
95.211.99.110 www.google.nu
95.211.99.110 www.google.pl
95.211.99.110 www.google.pn
95.211.99.110 www.google.pt
95.211.99.110 www.google.ro
95.211.99.110 www.google.ru
95.211.99.110 www.google.rw
95.211.99.110 www.google.sc
95.211.99.110 www.google.se
95.211.99.110 www.google.sh
95.211.99.110 www.google.si
95.211.99.110 www.google.sm
95.211.99.110 www.google.sn
95.211.99.110 www.google.st
95.211.99.110 www.google.tl
95.211.99.110 www.google.tm
95.211.99.110 www.google.tt
95.211.99.110 www.google.us
95.211.99.110 www.google.vu
95.211.99.110 www.google.ws
95.211.99.110 www.google.co.ck
95.211.99.110 www.google.co.id
95.211.99.110 www.google.co.il
95.211.99.110 www.google.co.in
95.211.99.110 www.google.co.jp
95.211.99.110 www.google.co.kr
95.211.99.110 www.google.co.ls
95.211.99.110 www.google.co.ma
95.211.99.110 www.google.co.nz
95.211.99.110 www.google.co.tz
95.211.99.110 www.google.co.ug
95.211.99.110 www.google.co.uk
95.211.99.110 www.google.co.za
95.211.99.110 www.google.co.zm
95.211.99.110 www.google.com
95.211.99.110 www.google.com.af
95.211.99.110 www.google.com.ag
95.211.99.110 www.google.com.ar
95.211.99.110 www.google.com.au
95.211.99.110 www.google.com.bn
95.211.99.110 www.google.com.br
95.211.99.110 www.google.com.by
95.211.99.110 www.google.com.bz
95.211.99.110 www.google.com.cu
95.211.99.110 www.google.com.ec
95.211.99.110 www.google.com.fj
95.211.99.110 google.com
95.211.99.110 www.google.com
95.211.99.110 bing.com
95.211.99.110 www.bing.com
95.211.99.110 search.yahoo.com
95.211.99.110 www.search.yahoo.com
95.211.99.110 search.live.com
95.211.99.110 search.msn.com
95.211.99.110 uk.search.yahoo.com
95.211.99.110 ca.search.yahoo.com
95.211.99.110 de.search.yahoo.com
95.211.99.110 fr.search.yahoo.com
95.211.99.110 au.search.yahoo.com
 
Last edited by a moderator:
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
laechel.gif


Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------
Step 1


OTMoveIt
Please download OTM by OldTimer and save it to your desktop
  • Double-click OTM.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Processes )
Code: 
:Files
%SystemRoot%\system32\drivers\etc\hosts
:Commands
[EmptyTemp]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • - Close ALL open windows (especially Internet Explorer!)-
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


----------------------------------------------------------------------------------------
Step 2

Restore Host File

Download HostsXpert v4.1 and unzip it to your desktop.
  • Double click on HostsXpert.exe to launch the program.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
  • Click on Make ReadOnly to secure it against further infection. (unless you plan to use another host file)
  • Exit the program.
Visit the Website for more information.

----------------------------------------------------------------------------------------
Step 3

Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
    ( They can also be found in the C:\RSIT folder )


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • OTMove It Log
  • RSIT Logs
  • How are things running now ?
 
OTM Log

All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\WINDOWS\system32\drivers\etc\hosts moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 33170 bytes

User: xxxxxx
->Temp folder emptied: 78 bytes
->Temporary Internet Files folder emptied: 1684890 bytes
->Google Chrome cache emptied: 557120 bytes

User: xxxxxx
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49816 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: xxxxxx
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19528 bytes
%systemroot%\System32 .tmp files removed: 1929216 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 52216402 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 54.00 mb


OTM by OldTimer - Version 3.1.9.0 log created on 02262010_213342

Files moved on Reboot...

Registry entries deleted on Reboot...
 
RSIT Log

Logfile of random's system information tool 1.06 (written by random/random)
Run by xxxxxx at 2010-02-26 21:46:34
Microsoft Windows XP Professional Service Pack 2
System drive C: has 59 GB (78%) free of 76 GB
Total RAM: 2007 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:46:43 PM, on 02/26/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\xxxxxx\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\xxxxxx.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xxxxxx.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xxxxxx.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxypac.xxxxxx.com/proxy.pac
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Boingo Wi-Fi] "C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk"
O4 - HKLM\..\Run: [Wfunulecu] rundll32.exe "C:\WINDOWS\ixinoxoz.dll",Startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - .DEFAULT User Startup: postmsg.rtf (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://home.xxxxxx.com
O15 - Trusted Zone: http://irs.ustreas.gov
O15 - Trusted Zone: http://www.irs.ustreas.gov
O15 - Trusted Zone: http://irs.ustreas.gov (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = svuent.xxxxxx.com
O17 - HKLM\Software\..\Telephony: DomainName = svuent.xxxxxx.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = svuent.xxxxxx.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = svuent.xxxxxx.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = svuent.xxxxxx.com
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

--
End of file - 9972 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2644624329-1907448460-3805301937-9166.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
HelperObject Class - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll [2005-01-07 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2009-06-10 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [2005-01-07 131072]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2006-03-02 131072]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-12-12 88203]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-12-19 16062464]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2007-01-05 872448]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-05-18 138008]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-05-18 162584]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-05-18 138008]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2009-06-10 106496]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\udaterui.exe [2009-03-10 136512]
"Boingo Wi-Fi"=C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk [2010-02-26 2179]
"Wfunulecu"=C:\WINDOWS\ixinoxoz.dll [2007-03-08 160256]
"IntelZeroConfig"=C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe [2009-05-21 1372160]
"IntelWireless"=C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [2009-05-21 1202448]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-06-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^xxxxxx^Start Menu^Programs^Startup^postmsg.rtf]
C:\Documents and Settings\xxxxxx\Start Menu\Programs\Startup\postmsg.rtf []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-05-16 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
WgaLogon.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
sclbdg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=xxxxxx Legal Notice
"legalnoticetext"=Warning: This is a xxxxxx Inc. computer system and is for authorized personnel only. Unauthorized use is illegal and strictly prohibited. All activity on any xxxxxx Inc. system is subject to monitoring at any time. Contact your manager or Home Office Information Security for authorization.
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoWelcomeScreen"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoWelcomeScreen"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-02-26 21:46:34 ----D---- C:\rsit
2010-02-26 21:33:42 ----D---- C:\_OTM
2010-02-25 22:27:39 ----A---- C:\WINDOWS\system32\NETw5r32.dll
2010-02-25 22:27:39 ----A---- C:\WINDOWS\system32\NETw5c32.dll
2010-02-25 22:27:03 ----D---- C:\Program Files\Common Files\Intel
2010-02-25 22:23:46 ----SHD---- C:\Config.Msi
2010-02-25 22:23:12 ----D---- C:\Documents and Settings\xxxxxx\Application Data\Intel
2010-02-24 21:28:08 ----SHD---- C:\RECYCLER
2010-02-24 21:18:56 ----A---- C:\ComboFix.txt
2010-02-24 21:13:25 ----A---- C:\WINDOWS\zip.exe
2010-02-24 21:13:25 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-02-24 21:13:25 ----A---- C:\WINDOWS\SWSC.exe
2010-02-24 21:13:25 ----A---- C:\WINDOWS\SWREG.exe
2010-02-24 21:13:25 ----A---- C:\WINDOWS\sed.exe
2010-02-24 21:13:25 ----A---- C:\WINDOWS\PEV.exe
2010-02-24 21:13:25 ----A---- C:\WINDOWS\NIRCMD.exe
2010-02-24 21:13:25 ----A---- C:\WINDOWS\MBR.exe
2010-02-24 21:13:25 ----A---- C:\WINDOWS\grep.exe
2010-02-24 21:13:21 ----D---- C:\ComboFix
2010-02-24 20:29:49 ----HDC---- C:\WINDOWS\$NtUninstallKB978207$
2010-02-24 20:29:43 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-02-24 20:24:47 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-02-24 20:24:42 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-02-24 20:24:35 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-02-12 14:37:14 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-02-12 14:36:54 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-02-12 14:36:32 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-02-12 14:36:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2010-02-12 14:36:24 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-02-12 14:36:19 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-02-12 14:36:10 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2010-02-08 23:05:47 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$

======List of files/folders modified in the last 1 months======

2010-02-26 21:36:47 ----D---- C:\WINDOWS\temp
2010-02-26 21:36:14 ----A---- C:\WINDOWS\smscfg.ini
2010-02-26 21:35:39 ----SD---- C:\WINDOWS\Tasks
2010-02-26 21:34:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-26 21:33:44 ----D---- C:\WINDOWS\system32
2010-02-26 21:33:44 ----D---- C:\WINDOWS
2010-02-25 22:36:32 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-25 22:33:30 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-02-25 22:31:28 ----SHD---- C:\System Volume Information
2010-02-25 22:31:28 ----D---- C:\WINDOWS\system32\Restore
2010-02-25 22:29:05 ----D---- C:\WINDOWS\Prefetch
2010-02-25 22:28:53 ----D---- C:\Temp
2010-02-25 22:28:50 ----SHD---- C:\WINDOWS\Installer
2010-02-25 22:27:55 ----HD---- C:\WINDOWS\inf
2010-02-25 22:27:55 ----D---- C:\WINDOWS\system32\drivers
2010-02-25 22:27:54 ----D---- C:\WINDOWS\system32\CatRoot
2010-02-25 22:27:42 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-02-25 22:27:40 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-02-25 22:27:03 ----D---- C:\Program Files\Intel
2010-02-25 22:27:03 ----D---- C:\Program Files\Common Files
2010-02-25 22:25:22 ----A---- C:\WINDOWS\system32\results.txt
2010-02-24 23:26:55 ----D---- C:\WINDOWS\security
2010-02-24 21:18:53 ----D---- C:\Qoobox
2010-02-24 21:17:11 ----A---- C:\WINDOWS\system.ini
2010-02-24 21:15:57 ----D---- C:\WINDOWS\AppPatch
2010-02-24 20:29:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-24 20:29:55 ----D---- C:\Program Files\Internet Explorer
2010-02-24 20:29:47 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-24 20:29:45 ----A---- C:\WINDOWS\imsins.BAK
2010-02-12 14:37:15 ----D---- C:\WINDOWS\WinSxS
2010-02-08 23:05:32 ----A---- C:\WINDOWS\win.ini
2010-02-01 22:31:05 ----SHD---- C:\WINDOWS\CSC
2010-01-30 23:52:46 ----D---- C:\Quarantine

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-27 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\Mfetdik.sys [2009-06-10 52200]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\System32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 CVPNDRVA;Cisco Systems IPsec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2004-08-03 87424]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2007-05-07 12672]
R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2008-08-13 11904]
R2 Wpsnuio;WPS NDIS Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\wpsnuio.sys [2009-12-17 13696]
R3 Accelerometer;Accelerometer; C:\WINDOWS\system32\DRIVERS\Accelerometer.sys [2006-01-10 22016]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-03-01 289792]
R3 aeaudio;AE Audio Service; C:\WINDOWS\system32\drivers\aeaudio.sys [2006-08-07 93952]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 ATSWPDRV;AuthenTec TruePrint USB Driver (AES2500); C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys [2006-03-30 130432]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2006-03-02 57096]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2003-07-24 139604]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-04-12 250776]
R3 eabfiltr;eabfiltr; C:\WINDOWS\system32\DRIVERS\eabfiltr.sys [2005-09-19 7808]
R3 HBtnKey;HBtnKey; C:\WINDOWS\system32\DRIVERS\cpqbttn.sys [2005-09-19 9344]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HECI;Intel(R) Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2007-04-06 44800]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-05-07 988032]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2007-05-07 210816]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-05-16 5707744]
R3 IFXTPM;IFXTPM; C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2009-01-27 65000]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-01-27 73512]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-01-27 34408]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-06-10 178024]
R3 NETw5x32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw5x32.sys [2009-05-28 4203392]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\PCASp50.sys [2008-04-24 20096]
R3 prepdrvr;SMS Process Event Driver; \??\C:\WINDOWS\System32\CCM\prepdrv.sys []
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 rismc32;RICOH Smart Card Reader; C:\WINDOWS\system32\DRIVERS\rismc32.sys [2006-12-20 47616]
R3 sdbus;sdbus; C:\WINDOWS\System32\DRIVERS\sdbus.sys [2004-08-03 67584]
R3 SMCIRDA;SMSC IrCC Miniport Device Driver; C:\WINDOWS\System32\DRIVERS\smcirda.sys [2004-06-16 46080]
R3 smsmdd;smsmdd; C:\WINDOWS\system32\DRIVERS\smsmdm.sys [2008-04-08 12448]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2007-05-07 731136]
S2 pxqpkrzz;pxqpkrzz; \??\C:\WINDOWS\system32\drivers\ewftfh.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-12-12 1120352]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2007-04-12 160256]
S3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\xxxxxx\LOCALS~1\Temp\catchme.sys []
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-02-08 5185]
S3 eabusb;eabusb; C:\WINDOWS\system32\DRIVERS\eabusb.sys [2005-09-19 5760]
S3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []
S3 GTIPCI21;GTIPCI21; C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 87936]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 idisw2km;idisw2km; C:\WINDOWS\system32\DRIVERS\idisw2km.sys []
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-12-21 4405248]
S3 kbstuff;SMS Virtual Keyboard; C:\WINDOWS\system32\DRIVERS\kbstuff5.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw3x32.sys [2006-11-06 1711104]
S3 NETw4x32;Intel(R) Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-09-26 2236032]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-03-19 542976]
S3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-09-20 162432]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
S3 w39n51;Intel(R) PRO/Wireless 3945ABG Adapter Driver; C:\WINDOWS\system32\DRIVERS\w39n51.sys [2006-01-19 1428096]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-03 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CcmExec;SMS Agent Host; C:\WINDOWS\System32\CCM\CcmExec.exe [2008-05-20 757792]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2005-02-10 1409048]
R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2009-05-21 874768]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-01-12 98304]
R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
R2 Lotus Notes Single Logon;Lotus Notes Single Logon; C:\WINDOWS\system32\nslsvice.exe [2005-03-28 20530]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2009-03-10 103744]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe [2009-01-27 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [2009-06-10 49152]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2009-05-21 473360]
R2 S24EventMonitor;Intel(R) PROSet/Wireless WiFi Service; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [2009-05-21 909312]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
R2 WLANKEEPER;Intel(R) PROSet/Wireless SSO Service; C:\Program Files\Intel\WiFi\bin\WLKeeper.exe [2009-05-21 348160]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 OracleClientCache80;OracleClientCache80; C:\orant\BIN\ONRSD80.EXE [1998-06-10 95744]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 smstsmgr;SMS Task Sequence Agent; C:\WINDOWS\System32\CCM\TSManager.exe [2008-05-20 249888]
S4 MA;TriActive MicroAgent; C:\Program Files\TriActive\MicroAgent\bin\ma.exe [2009-02-02 1368064]

-----------------EOF-----------------
 
RSIT Info

info.txt logfile of random's system information tool 1.06 2010-02-26 21:46:45

======Uninstall list======

-->C:\Program Files\InstallShield Installation Information\{69333A04-5134-40A5-A055-9166A7AA1EC8}\setup.exe -runfromtemp -l0x0009 -removeonly
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{786547F9-59BB-4FA3-B2D8-327FF1F14870}
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Agere Systems HDA Modem-->agrsmdel
Attachmate EXTRA! X-treme 8-->MsiExec.exe /I{8C268131-98C2-4D12-8F10-5A8C33517372}
Boingo Wi-Fi-->MsiExec.exe /X{235C31BC-BBAE-4932-9F17-15395C65907B}
Broadcom NetXtreme Ethernet Controller-->MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CA Unicenter Output Management Document Viewer-->C:\WINDOWS\IsUninst.exe -fC:\DOCVIEW\Uninst.isu
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB896256)-->"C:\WINDOWS\$NtUninstallKB896256$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB909095)-->"C:\WINDOWS\$NtUninstallKB909095$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB912436)-->"C:\WINDOWS\$NtUninstallKB912436$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915326)-->"C:\WINDOWS\$NtUninstallKB915326$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
HP ev2200 Driver Package-->MsiExec.exe /X{65984EC6-923E-4B5A-83AB-0DF265DDB5E0}
HP Mobile Data Protection System-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{75ECB75A-522C-4312-8DE7-597CDA9D96A3}\setup.exe" -l0x9 UNINSTALL
hp OpenView service desk 4.5 client-->MsiExec.exe /I{04308080-34D6-44A7-8505-8496E7CD64F9}
HP ProtectTools Security Manager 2.00 C3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{914E1AB1-DCA0-4A7D-935F-B58C4B887A2B}\setup.exe" -l0x9 -removeonly hpquninst
HP Quick Launch Buttons 6.00 D2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\SETUP.EXE" -l0x9 -removeonly uninst
Intel PROSet Wireless-->Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
InterVideo DVD Check-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D97A4A7-C274-4B63-86D9-07A33435F505}\setup.exe" REMOVEALL
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
Interwise Participant-->C:\Program Files\Interwise\Participant\iwuninst.exe
Java 2 Runtime Environment Standard Edition v1.3.1_01-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1\Uninst.isu"
Java Web Start-->"C:\Program Files\Java Web Start\uninst-javaws.exe"
Lotus Notes 6.5.4-->MsiExec.exe /I{1AAE3976-3167-4BDF-B785-00E19C6671A3}
Macromedia Flash Player 8-->MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Macromedia Shockwave Player-->MsiExec.exe /X{7D1D6A24-65D4-454C-8815-4F08A5FFF12C}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee Agent-->MsiExec.exe /X{F2969393-2D4D-4977-8166-B1251B08EF12}
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Communicator 2005-->MsiExec.exe /X{BE5AD430-9E0C-4243-AB3F-593835869855}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003-->MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Viewer 2003 (English)-->MsiExec.exe /I{90520409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Word Supplemental Macros-->MsiExec.exe /I{3B8E4062-F294-11D2-A432-00C04F756128}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
PickManager-->MsiExec.exe /I{FC8A7539-5856-4D52-8DD4-5C76696A8EEE}
RDC-->"C:\WINDOWS\$UninstallRDC$\spuninst\spuninst.exe"
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971032)-->"C:\WINDOWS\$NtUninstallKB971032$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Skyhook Wireless Wi-Fi Service-->C:\Program Files\Skyhook Wireless\Wi-Fi Service\svcsetup.exe -u
SnagIt 7-->C:\Program Files\TechSmith\SnagIt 7\SIUNINST.EXE
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2C06_hpqZ3795\UIU32m.exe -U -IhpqZ3795.inf
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
xxxxxx 1C Picking System-->MsiExec.exe /I{2368CBA5-6ED7-4A54-9A50-9DA698AEEC0E}
SwiftView Viewer-->C:\Program Files\SwiftView\svinst.exe -Uninstall
TBS WMP Plug-in-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{13515135-48BB-4184-8C1F-2FAE0138E200}
Texas Instruments PCIxx21/x515/xx12 drivers.-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB923845)-->"C:\WINDOWS\$NtUninstallKB923845$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update for Windows XP (KB978207)-->"C:\WINDOWS\$NtUninstallKB978207$\spuninst\spuninst.exe"
VPN Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
WIMGAPI-->MsiExec.exe /I{721ABC3B-5F12-4332-9C0C-C11424EF666C}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB834707-->C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883667-->C:\WINDOWS\$NtUninstallKB883667$\spuninst\spuninst.exe
Windows XP Hotfix - KB884575-->C:\WINDOWS\$NtUninstallKB884575$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885453-->C:\WINDOWS\$NtUninstallKB885453$\spuninst\spuninst.exe
Windows XP Hotfix - KB885464-->C:\WINDOWS\$NtUninstallKB885464$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885855-->C:\WINDOWS\$NtUninstallKB885855$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888239-->C:\WINDOWS\$NtUninstallKB888239$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB888402-->C:\WINDOWS\$NtUninstallKB888402$\spuninst\spuninst.exe
Windows XP Hotfix - KB889673-->C:\WINDOWS\$NtUninstallKB889673$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB892559-->"C:\WINDOWS\$NtUninstallKB892559$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: McAfee VirusScan Enterprise

======System event log======

Computer Name: xxxxxx
Event Code: 40961
Message: The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

Record Number: 34112
Source Name: LSASRV
Time Written: 20100128220133.000000-360
Event Type: warning
User:

Computer Name: xxxxxx
Event Code: 11197
Message: The system failed to update and remove host (A) resource records (RRs)
for network adapter
with settings:


Adapter Name : {198B5BA2-573E-471C-A18D-0BC896182F42}

Host Name : xxxxxx

Primary Domain Suffix : xxxxxx.xxxxxx.com

DNS server list :

192.168.2.1

Sent update to server : <?>

IP Address(es) :

192.168.2.4


The reason the update request failed was because of a system problem.
For specific error code, see the record data displayed below.

Record Number: 34109
Source Name: DnsApi
Time Written: 20100128220054.000000-360
Event Type: warning
User:

Computer Name: xxxxxx
Event Code: 14103
Message: QoS [Adapter {B82E9CDF-700B-44E2-8A08-8F08BD97F38B}]:
The netcard driver failed the query for OID_GEN_LINK_SPEED.

Record Number: 34105
Source Name: PSched
Time Written: 20100128220049.000000-360
Event Type: error
User:

Computer Name: xxxxxx
Event Code: 40961
Message: The Security System could not establish a secured connection with the server DNS/vikings.xxxxxx.com. No authentication protocol was available.

Record Number: 34101
Source Name: LSASRV
Time Written: 20100128215109.000000-360
Event Type: warning
User:

Computer Name: xxxxxx
Event Code: 40961
Message: The Security System could not establish a secured connection with the server DNS/vikings.xxxxxx.com. No authentication protocol was available.

Record Number: 34096
Source Name: LSASRV
Time Written: 20100128205109.000000-360
Event Type: warning
User:

=====Application event log=====

Computer Name: xxxxxx
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established


Record Number: 3636
Source Name: crypt32
Time Written: 20091231205524.000000-360
Event Type: error
User:

Computer Name: xxxxxx
Event Code: 1054
Message: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Record Number: 3632
Source Name: Userenv
Time Written: 20091231191632.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: xxxxxx
Event Code: 1054
Message: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Record Number: 3626
Source Name: Userenv
Time Written: 20091231191537.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: xxxxxx
Event Code: 1517
Message: Windows saved user xxxxxx\xxxxxx registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 3625
Source Name: Userenv
Time Written: 20091231191355.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: xxxxxx
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 3624
Source Name: Userenv
Time Written: 20091231191351.000000-360
Event Type: warning
User: xxxxxx\xxxxxx

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\NOTES;C:\ORANT\BIN;C:\PROGRA~1\E!PC;C:\CA_APPSW;C:\PROGRA~1\CA\SHARED~1\OUTPUT~1;C:\Program Files\Attachmate\EXTRA!;C:\Program Files\Hewlett-Packard\OpenView\service desk 4.5\client\bin;C:\Program Files\Windows Imaging;C:\Program Files\Intel\WiFi\bin\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0f0b
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"SD_CLIENTHOME"=C:\Program Files\Hewlett-Packard\OpenView\service desk 4.5\client\
"VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"DEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"UATDATA"=C:\WINDOWS\System32\CCM\UATData\D9F8C395-CAB8-491d-B8AC-179A1FE1BE77

-----------------EOF-----------------
 
Note:
When the infected computer in question is a company machine in the workplace (or at home with access to a company network), and you are an employee.

We can't anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

The majority of the tools used in this forum are only free for Home Users and only tested on Home machines, they may well change settings that are required for a Company network.

Another consideration is that company information may show in the logs.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.
Click to expand...
If you still wish to continue, please do the following.

----------------------------------------------------------------------------------------
Step 1

Malwarebytes' Anti-Malware
I notice that you have MBAM installed, please do the following

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • Malwarebytes log
  • Contents of C:\Combofix.txt
  • How are things running now ?



---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
Additional Notes



Your Java and Adobe is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java and Adobe components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) from HERE
  • Scroll down to where it says "Java SE Runtime Environment (JRE)".
  • Click the "Download" button to the right.
    • Platform = Windows
    • Language = Multi Language
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Update Adobe Acrobat Reader
Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

  • Please go to this link Adobe Acrobat Reader Download Link
  • Cllick Download
  • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Now close all windows, including your browser.
Double click on the Java installation that you downloaded and follow the prompts.

Remove Programs
Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
  • Java 2 Runtime Environment Standard Edition v1.3.1_01
Now close the Control Panel.

Reboot your machine.
 
MBAM Log

Thank You for your help restoring the Hosts file.

The scans are now showing Vundo/Virtumonde :(

Here is the MBAM Log:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

02/28/2010 11:19:11 AM
mbam-log-2010-02-28 (11-19-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167908
Time elapsed: 22 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sclbdg.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sclbdg.dll (Trojan.Vundo.H) -> Delete on reboot.
 
Combofix Log

ComboFix 10-02-24.01 - xxxxxx 02/24/2010 21:13:50.12.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2007.1247 [GMT -6:00]
Running from: c:\documents and settings\xxxxxx\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

.
((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-25 02:24 . 2010-02-25 02:24 -------- d-----w- c:\windows\LastGood
2010-02-25 02:21 . 2009-10-13 10:53 266752 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-02-25 02:21 . 2009-10-12 13:41 69632 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-02-25 02:21 . 2009-10-12 13:41 113664 -c----w- c:\windows\system32\dllcache\rastls.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 23:06 . 2010-01-16 23:06 -------- d-----w- c:\documents and settings\xxxxxx\Application Data\Malwarebytes
2010-01-01 01:15 . 2009-05-21 02:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-01 00:11 . 2010-01-01 00:11 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSELD_APDM
2009-12-22 05:42 . 2010-02-25 02:28 624640 ----a-w- c:\windows\system32\SET318.tmp
2009-12-22 05:42 . 2010-02-25 02:28 662016 ------w- c:\windows\system32\SET317.tmp
2009-12-22 05:42 . 2010-02-25 02:28 1506304 ----a-w- c:\windows\system32\SET31B.tmp
2009-12-22 05:42 . 2010-02-25 02:28 3063808 ------w- c:\windows\system32\SET320.tmp
2009-12-22 05:42 . 2010-02-25 02:28 16384 ----a-w- c:\windows\system32\SET321.tmp
2009-12-22 05:42 . 2004-09-21 18:01 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-22 05:42 . 2010-02-25 02:28 1023488 ----a-w- c:\windows\system32\SET328.tmp
2009-12-18 00:35 . 2009-12-18 00:35 13696 ----a-w- c:\windows\system32\drivers\wpsnuio.sys
2009-12-16 13:33 . 2010-02-25 02:28 352768 ----a-w- c:\windows\system32\SET32A.tmp
2009-12-08 09:13 . 2010-02-25 02:28 474112 ----a-w- c:\windows\system32\SET31A.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-01-01_03.09.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-17 00:55 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 39424 c:\windows\system32\pngfilt.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 39424 c:\windows\system32\pngfilt.dll
+ 2002-08-29 12:00 . 2010-01-01 04:31 41814 c:\windows\system32\perfc009.dat
- 2002-08-29 12:00 . 2009-12-05 07:05 41814 c:\windows\system32\perfc009.dat
- 2002-08-29 12:00 . 2009-06-26 16:18 96256 c:\windows\system32\inseng.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 96256 c:\windows\system32\inseng.dll
+ 2002-08-29 12:00 . 2009-10-15 17:21 82432 c:\windows\system32\fontsub.dll
- 2002-08-29 12:00 . 2009-06-16 14:55 82432 c:\windows\system32\fontsub.dll
+ 2004-09-21 18:01 . 2009-12-22 05:42 55808 c:\windows\system32\extmgr.dll
- 2004-09-21 18:01 . 2009-06-26 16:18 55808 c:\windows\system32\extmgr.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 39424 c:\windows\system32\dllcache\pngfilt.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 39424 c:\windows\system32\dllcache\pngfilt.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 16384 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 16384 c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 96256 c:\windows\system32\dllcache\inseng.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 96256 c:\windows\system32\dllcache\inseng.dll
+ 2009-06-17 05:43 . 2009-12-22 05:42 81920 c:\windows\system32\dllcache\ieencode.dll
- 2009-06-17 05:43 . 2009-06-26 16:18 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2006-10-23 11:00 . 2009-12-16 12:57 18432 c:\windows\system32\dllcache\iedw.exe
- 2006-10-23 11:00 . 2009-06-22 11:38 18432 c:\windows\system32\dllcache\iedw.exe
- 2002-08-29 12:00 . 2009-06-16 14:55 82432 c:\windows\system32\dllcache\fontsub.dll
+ 2002-08-29 12:00 . 2009-10-15 17:21 82432 c:\windows\system32\dllcache\fontsub.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 55808 c:\windows\system32\dllcache\extmgr.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 55808 c:\windows\system32\dllcache\extmgr.dll
+ 2004-07-23 13:24 . 2010-02-25 02:25 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-09-21 18:01 . 2009-04-10 07:01 530280 c:\windows\system32\wmspdmod.dll
- 2002-08-29 12:00 . 2009-06-17 01:25 119808 c:\windows\system32\t2embed.dll
+ 2002-08-29 12:00 . 2009-10-16 04:51 119808 c:\windows\system32\t2embed.dll
+ 2002-08-29 12:00 . 2009-08-26 08:16 247326 c:\windows\system32\strmdll.dll
- 2002-08-29 12:00 . 2009-12-05 07:05 316798 c:\windows\system32\perfh009.dat
+ 2002-08-29 12:00 . 2010-01-01 04:31 316798 c:\windows\system32\perfh009.dat
+ 2002-08-29 12:00 . 2009-10-13 10:53 266752 c:\windows\system32\oakley.dll
- 2002-08-29 12:00 . 2004-08-04 05:56 266752 c:\windows\system32\oakley.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 532480 c:\windows\system32\mstime.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 532480 c:\windows\system32\mstime.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 146432 c:\windows\system32\msrating.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 146432 c:\windows\system32\msrating.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 449024 c:\windows\system32\mshtmled.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 449024 c:\windows\system32\mshtmled.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 251392 c:\windows\system32\iepeers.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 251392 c:\windows\system32\iepeers.dll
- 2003-10-28 09:03 . 2009-08-19 15:06 300440 c:\windows\system32\FNTCACHE.DAT
+ 2003-10-28 09:03 . 2010-02-12 01:13 300440 c:\windows\system32\FNTCACHE.DAT
+ 2002-08-29 12:00 . 2009-12-22 05:42 205312 c:\windows\system32\dxtrans.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 205312 c:\windows\system32\dxtrans.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 357888 c:\windows\system32\dxtmsft.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 357888 c:\windows\system32\dxtmsft.dll
+ 2004-09-21 18:01 . 2009-04-10 07:01 530280 c:\windows\system32\dllcache\wmspdmod.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 662016 c:\windows\system32\dllcache\wininet.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 624640 c:\windows\system32\dllcache\urlmon.dll
- 2009-06-17 01:25 . 2009-06-17 01:25 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-06-17 01:25 . 2009-10-16 04:51 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2006-08-21 15:52 . 2009-08-26 08:16 247326 c:\windows\system32\dllcache\strmdll.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2006-10-23 15:17 . 2009-12-08 09:13 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 532480 c:\windows\system32\dllcache\mstime.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 532480 c:\windows\system32\dllcache\mstime.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 146432 c:\windows\system32\dllcache\msrating.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 146432 c:\windows\system32\dllcache\msrating.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 251392 c:\windows\system32\dllcache\iepeers.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 251392 c:\windows\system32\dllcache\iepeers.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 205312 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 205312 c:\windows\system32\dllcache\dxtrans.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 357888 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 151040 c:\windows\system32\dllcache\cdfview.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 151040 c:\windows\system32\dllcache\cdfview.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 151040 c:\windows\system32\cdfview.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 151040 c:\windows\system32\cdfview.dll
+ 2010-02-25 02:15 . 2010-01-07 11:21 609648 c:\windows\system32\CCM\Cache\e90c3f15-da6a-4462-a61a-42f3720cb8d5.1.System\WindowsXP-KB974318-x86-ENU.exe
+ 2010-02-25 02:15 . 2010-01-07 11:06 859000 c:\windows\system32\CCM\Cache\c164d225-b96e-4530-97ab-84a089cf7aa5.1.System\WindowsXP-KB973904-x86-ENU.exe
+ 2010-02-12 20:30 . 2009-10-15 16:42 498552 c:\windows\system32\CCM\Cache\b8ff9e1b-aa10-443f-ab98-dc01af6c7239.1.System\WindowsXP-KB973525-x86-ENU.exe
+ 2010-02-25 02:15 . 2010-01-15 17:36 568688 c:\windows\system32\CCM\Cache\77f72288-35b9-4e61-90c7-f88008a074b8.1.System\WindowsXP-KB972270-x86-ENU.exe
+ 2010-02-12 20:30 . 2009-10-15 16:53 605048 c:\windows\system32\CCM\Cache\539bf973-186f-40f7-9c20-737fc8330182.1.System\WindowsXP-KB974112-x86-ENU.exe
+ 2010-02-25 02:15 . 2010-01-07 11:22 596336 c:\windows\system32\CCM\Cache\26b07b8c-9ac9-42fa-8376-07bdc1d89a20.1.System\WindowsXP-KB974392-x86-ENU.exe
+ 2010-02-12 20:30 . 2009-10-15 16:54 657272 c:\windows\system32\CCM\Cache\17359cf4-f3ef-46bc-a2dc-c9ca6e52f784.1.System\WindowsXP-KB975025-x86-ENU.exe
+ 2009-09-09 21:40 . 2009-09-09 21:40 632320 c:\windows\Installer\eba65b1.msp
- 2004-07-23 13:24 . 2009-09-24 13:59 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2004-07-23 13:24 . 2009-09-24 13:59 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2004-07-23 13:24 . 2010-02-25 02:25 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-04-19 19:53 . 2007-04-19 19:53 109408 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLCTL.DLL
+ 2007-05-10 20:35 . 2007-05-10 20:35 120160 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSCONV97.DLL
+ 2010-02-12 20:34 . 2009-08-13 13:55 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2002-08-29 12:00 . 2009-08-14 12:19 1850112 c:\windows\system32\win32k.sys
- 2002-08-29 12:00 . 2006-06-22 05:06 1435648 c:\windows\system32\query.dll
+ 2002-08-29 12:00 . 2009-07-17 16:27 1435648 c:\windows\system32\query.dll
- 2002-08-29 12:00 . 2009-02-06 10:29 2142720 c:\windows\system32\ntoskrnl.exe
+ 2002-08-29 12:00 . 2009-08-04 12:49 2142720 c:\windows\system32\ntoskrnl.exe
- 2002-08-29 01:04 . 2009-02-06 09:49 2020864 c:\windows\system32\ntkrnlpa.exe
+ 2002-08-29 01:04 . 2009-08-04 12:02 2020864 c:\windows\system32\ntkrnlpa.exe
+ 2009-08-05 01:52 . 2009-08-05 01:52 1193832 c:\windows\system32\FM20.DLL
+ 2007-03-08 13:47 . 2009-08-14 12:19 1850112 c:\windows\system32\dllcache\win32k.sys
+ 2006-09-04 06:08 . 2009-12-22 05:42 1506304 c:\windows\system32\dllcache\shdocvw.dll
- 2006-09-04 06:08 . 2009-07-18 16:20 1506304 c:\windows\system32\dllcache\shdocvw.dll
- 2006-06-22 05:06 . 2006-06-22 05:06 1435648 c:\windows\system32\dllcache\query.dll
+ 2006-06-22 05:06 . 2009-07-17 16:27 1435648 c:\windows\system32\dllcache\query.dll
+ 2007-02-28 09:55 . 2009-08-04 12:51 2185984 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2007-02-28 09:15 . 2009-08-04 12:02 2020864 c:\windows\system32\dllcache\ntkrpamp.exe
- 2007-02-28 09:15 . 2009-02-06 09:49 2020864 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2007-02-28 09:15 . 2009-08-04 12:02 2062976 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 09:15 . 2009-02-06 09:49 2062976 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 09:53 . 2009-02-06 10:29 2142720 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2007-02-28 09:53 . 2009-08-04 12:49 2142720 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2006-10-23 15:17 . 2009-12-22 05:42 3063808 c:\windows\system32\dllcache\mshtml.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 1054208 c:\windows\system32\dllcache\danim.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 1054208 c:\windows\system32\dllcache\danim.dll
+ 2006-10-23 15:17 . 2009-12-22 05:42 1023488 c:\windows\system32\dllcache\browseui.dll
- 2006-10-23 15:17 . 2009-06-26 16:18 1023488 c:\windows\system32\dllcache\browseui.dll
+ 2002-08-29 12:00 . 2009-12-22 05:42 1054208 c:\windows\system32\danim.dll
- 2002-08-29 12:00 . 2009-06-26 16:18 1054208 c:\windows\system32\danim.dll
+ 2010-02-12 20:30 . 2009-10-15 16:19 1304952 c:\windows\system32\CCM\Cache\fdd7ffd8-dbf2-4249-876a-4a57fbe243ad.1.System\WindowsXP-KB958869-x86-ENU.exe
+ 2010-02-12 20:30 . 2009-10-15 16:40 2700664 c:\windows\system32\CCM\Cache\cf6c93c2-594e-4c43-94d3-f327702d93be.1.System\WindowsXP-KB971486-x86-ENU.exe
+ 2010-02-12 20:30 . 2009-10-15 16:53 1102216 c:\windows\system32\CCM\Cache\c4aa90e0-b01a-4fbd-9539-235c9d8edb56.1.System\WindowsXP-SP2-WindowsMedia-KB954155-x86-ENU.exe
+ 2010-02-09 04:49 . 2010-01-12 06:16 1474928 c:\windows\system32\CCM\Cache\a3d90e6f-71d4-4de3-9bbf-f0c81b9b5949.1.System\WindowsXP-KB969947-x86-ENU.exe
+ 2010-02-25 02:15 . 2010-01-28 15:51 4995448 c:\windows\system32\CCM\Cache\6bf2a4a7-2b9e-4649-8a4d-de82d6b1d762.1.System\WindowsXP-KB978207-x86-ENU.exe
+ 2010-02-12 20:30 . 2009-10-15 16:41 1062768 c:\windows\system32\CCM\Cache\5db8c55e-50e1-4601-9f63-bdd0d98c8116.1.System\WindowsXP-KB969059-x86-ENU.exe
+ 2009-08-21 16:14 . 2009-08-21 16:14 8363008 c:\windows\Installer\3c0847a.msp
+ 2009-09-29 15:08 . 2009-09-29 15:08 6747648 c:\windows\Installer\3c0845e.msp
+ 2009-08-20 11:02 . 2009-08-20 11:02 5204992 c:\windows\Installer\3c08449.msp
+ 2009-10-07 00:40 . 2009-10-07 00:40 7681024 c:\windows\Installer\14e246a4.msp
+ 2009-10-22 18:46 . 2009-10-22 18:46 6821888 c:\windows\Installer\14e2468f.msp
+ 2007-06-06 16:53 . 2007-06-06 16:53 1195888 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\FM20.DLL
+ 2005-03-02 00:59 . 2009-08-04 12:51 2185984 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2005-03-02 00:34 . 2009-08-04 12:02 2020864 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-03-02 00:34 . 2009-02-06 09:49 2020864 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2005-03-02 00:34 . 2009-08-04 12:02 2062976 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2005-03-02 00:34 . 2009-02-06 09:49 2062976 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2005-03-02 00:57 . 2009-08-04 12:49 2142720 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2005-03-02 00:57 . 2009-02-06 10:29 2142720 c:\windows\Driver Cache\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88203]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-19 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-19 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-19 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-06-11 106496]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-03-10 136512]
"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2010-02-22 2179]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 3897040]

c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\
postmsg.rtf [2007-9-12 7153]

c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\
postmsg.rtf [2007-9-12 7153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-2-11 1421328]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-2-11 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^xxxxxx^Start Menu^Programs^Startup^postmsg.rtf]
path=c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\postmsg.rtf
backup=c:\windows\pss\postmsg.rtfStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-18 05:52 133104 ----atw- c:\documents and settings\xxxxxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-06-07 00:45 413696 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"sysldtray"=c:\windows\ld08.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"463:TCP"= 463:TCP:Systems Management Microagent
"963:TCP"= 963:TCP:Systems Management Microagent
"5901:TCP"= 5901:TCP:Systems Management Microagent

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [01/15/2007 07:59 PM 35968]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [09/12/2007 08:29 AM 47616]
S0 npkqxv;npkqxv;c:\windows\system32\drivers\edrumhhh.sys --> c:\windows\system32\drivers\edrumhhh.sys [?]
S2 pxqpkrzz;pxqpkrzz;\??\c:\windows\system32\drivers\ewftfh.sys --> c:\windows\system32\drivers\ewftfh.sys [?]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [01/16/2007 05:45 PM 87936]
S3 OracleClientCache80;OracleClientCache80;c:\orant\BIN\ONRSD80.EXE [08/23/2001 12:47 PM 95744]
S4 MA;TriActive MicroAgent;c:\program files\TriActive\MicroAgent\bin\ma.exe [02/14/2009 12:08 PM 1368064]
.
Contents of the 'Scheduled Tasks' folder

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2644624329-1907448460-3805301937-9166.job
- c:\documents and settings\horkc0\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-18 05:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.xxxxxx.com/
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = hxxp://www.xxxxxx.com/
uInternet Settings,ProxyServer = xxxxxx.xxxxxx.com:8081
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: accessabc.com\www
Trusted Zone: acessabc.com\www
Trusted Zone: cch.com\tax
Trusted Zone: ustreas.gov\irs
Trusted Zone: ustreas.gov\www.irs
Trusted Zone: acessabc.com\www
Trusted Zone: cch.com\tax
Trusted Zone: ustreas.gov\irs
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1364)
c:\windows\system32\IWPDGINA.DLL
c:\program files\Intel\Wireless\Bin\SsoGnENU.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-02-24 21:18:56
ComboFix-quarantined-files.txt 2010-02-25 03:18
ComboFix2.txt 2010-01-01 03:10

Pre-Run: 62,001,680,384 bytes free
Post-Run: 61,904,396,288 bytes free

- - End Of File - - B977E0E9DB05AED2C0388F0CB7632452
 
How are things running now ?


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
 
How are things running now?

I think the re-directing hosts are gone. Also, I did a Spybot Scan again and it is no longer showing Vundo / Virtumonde ... It came back clean.

Thank You for your help so far. I will try the other scan and post the log in my next post.
 
Kaspersky Scan

When I clicked on the link, it took me to their website and a minute later I got "404 NOT FOUND'.

Please let me know how to proceed.
 
It looks like they are updating it at the moment, please try this one instead.

Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan << LINK
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small export to notepad button and save the report to your desktop.
  • Please post the report in your reply.
 
ActiveScan Log

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-03-01 07:44:37
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Enterprise 8.5.0.781 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
01674996 Application/Psexec.A HackTools No 0 No No c:\documents and settings\xxxxxx\desktop\pictures\work pc\desktop\scan results\combofix.exe[32788r22fwjfw\psexec.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\documents and settings\xxxxxx\desktop\cleanup\qoobox\quarantine\c\windows\system32\xa.tmp.vir
No c:\documents and settings\xxxxxx\desktop\pictures\work pc\desktop\scan results\combofix.exe[32788r22fwjfw\nircmdc.cfexe]
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
217842 HIGH MS10-015
217839 HIGH MS10-012
217838 HIGH MS10-011
217834 HIGH MS10-008
217833 HIGH MS10-007
217832 HIGH MS10-006
217831 HIGH MS10-005
214076 HIGH MS09-059
214073 HIGH MS09-056
203505 HIGH MS08-071
202465 HIGH MS08-068
209275 HIGH MS08-049
196455 MEDIUM MS08-037
187733 HIGH MS08-008
;===================================================================================================================================================================================
 
Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up



Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    • CFU.gif


You can also delete any logs we have produced and any other tools we have downloaded.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
 
You must log in or register to reply here.
Back
Top