giralph

Everything posted by giralph

  1. Weird, I didn't get an email reply notification for the first one, sorry about that. Well, the Google Installer errors and background adverts have gone; it seemed more or less fine until last week, when my Windows XP administrator login preferences and My Documents folder wiped themselves completely for no reason! I managed to get it back with System Restore, not sure if it's related? Also had a locked spam popup but sadly that's the norm on the internets. I've carried out your instructions and a DOS window flashed up very quickly for both, did it do anything? Anyway here's the latest MBAM, it seems clean:

     Malwarebytes' Anti-Malware 1.40
     Database version: 2567
     Windows 5.1.2600 Service Pack 3

     20/08/2009 18:53:16
     mbam-log-2009-08-20 (18-53-16).txt

     Scan type: Quick Scan
     Objects scanned: 122112
     Time elapsed: 11 minute(s), 30 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)

     Is this a sign it is fixed? If not I might just format my C: drive but it's partitioned with a D: also. Will the D: contents disappear if I do that? Thanks for chasing this, -GR
  2. Thanks for the reply Mieke! It took a few goes but I found these two log files, in order just in case. The symptoms seem to have largely gone, but I would rather be completely sure... I'm not sure what to make of them.

     1st scan: [ComboFix log]

     More recent scan: [ComboFix log]
SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [23/01/2009 01:02 210216] S2 BT848;AVerMedia, AVerTV WDM Video Capture;c:\windows\SYSTEM32\DRIVERS\BT848.sys [13/05/2002 19:40 261696] S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;c:\windows\SYSTEM32\DRIVERS\bttuner.sys [27/01/2002 04:57 22016] S2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;c:\windows\SYSTEM32\DRIVERS\btxbar.sys [27/01/2002 05:02 13312] S2 gupdate1c8c5cb3ead1e68;Google Update Service (gupdate1c8c5cb3ead1e68);c:\program files\Google\Update\GoogleUpdate.exe [13/07/2008 00:03 133104] S2 UsbCom;USB -> COM Driver Service;c:\windows\SYSTEM32\DRIVERS\UsbCom.sys [02/08/2004 15:44 69575] S3 cpuz130;cpuz130;\??\c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?] S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [04/08/2009 13:50 30192] S3 imhidusb;Immersion's HID USB Driver;c:\windows\SYSTEM32\DRIVERS\ImHidUsb.sys [27/11/2002 18:13 30920] S3 jfdcd;jfdcd;\??\c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys [?] S3 papycpu;papycpu;c:\windows\SYSTEM32\DRIVERS\papycpu.sys [25/12/2002 15:13 1888] S3 RnbToken;Rainbow iKey Token Service;c:\windows\SYSTEM32\DRIVERS\RNBTOKEN.SYS [16/03/2004 03:04 18536] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [27/12/2008 16:15 348752] S3 TMHidF;Thrustmaster Force Feedback Racing Wheel HID Driver;c:\windows\SYSTEM32\DRIVERS\TMHIDF.sys [27/10/2005 17:25 63894] S3 wi8042pr;wi8042pr;\??\c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys [?] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . 
- - - - ORPHANS REMOVED - - - - HKCU-Run-Octoshape Streaming Services - c:\program files\Octoshape Streaming Services\myrealname\OctoshapeClient.exe HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe HKLM-Run-NBKeyScan - c:\nero\Nero 8\Nero BackItUp\NBKeyScan.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Download with Star Downloader - c:\star downloader\sdie.htm IE: E&xport to Microsoft Excel - c:\micros~4\OFFICE11\EXCEL.EXE/3000 IE: SYSTRAN: &Clear Translation Cache - d:\systran translator\Standard\menuClearCache.html IE: SYSTRAN: &Options - d:\systran translator\Standard\menuConfigure.html IE: SYSTRAN: &Register - d:\systran translator\Standard\menuRegister.html IE: SYSTRAN: &Translate - d:\systran translator\Standard\menuTranslate.html IE: SYSTRAN: Check for &Updates - d:\systran translator\Standard\menuUpdate.html IE: SYSTRAN: Translate All &Frames - d:\systran translator\Standard\menuTranslateAll.html IE: {{703436F1-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslate.html IE: {{703436F2-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslateAll.html IE: {{703436F3-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuConfigure.html IE: {{703436F4-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuClearCache.html IE: {{703436F5-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuRegister.html IE: 
{{703436F6-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuUpdates.html Trusted Zone: abbey.com\www Trusted Zone: vadertrophy.com\gp4tweaker DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: Yahoo! Dominoes FF - ProfilePath - c:\docume~1\myrealname\APPLIC~1\Mozilla\Firefox\Profiles\80m4qwwn.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Wikipedia (en) FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - plugin: c:\divx player\DivX Content Uploader\npUpload.dll FF - plugin: c:\divx player\DivX Player\npDivxPlayerPlugin.dll FF - plugin: c:\divx player\DivX Web Player\npdivx32.dll FF - plugin: c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll FF - plugin: c:\program files\Windows Live\Photo 
Gallery\NPWLPG.dll FF - plugin: c:\quicktime\Plugins\npqtplugin.dll FF - plugin: c:\quicktime\Plugins\npqtplugin2.dll FF - plugin: c:\quicktime\Plugins\npqtplugin3.dll FF - plugin: c:\quicktime\Plugins\npqtplugin4.dll FF - plugin: c:\quicktime\Plugins\npqtplugin5.dll FF - plugin: c:\quicktime\Plugins\npqtplugin6.dll FF - plugin: c:\quicktime\Plugins\npqtplugin7.dll FF - plugin: c:\vlc media player\npvlc.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-09 13:25 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(760) c:\program files\McAfee\SiteAdvisor\saHook.dll - - - - - - - > 'explorer.exe'(3896) c:\windows\system32\WININET.dll c:\program files\McAfee\SiteAdvisor\saHook.dll c:\progra~1\WINDOW~3\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-08-09 13:33 ComboFix-quarantined-files.txt 2009-08-09 12:33 Pre-Run: 3,090,022,400 bytes free Post-Run: 3,026,915,328 bytes free 303 --- E O F --- 2009-07-31 16:45 Regards, -GR
  3. Greetings fellow geeks, I am not worthy of your malware-killing powers, but will be grateful nonetheless! I'm an advanced user, super-careful with what I let in etc., but I think my little brother was duped by a fake flashy spyware warning.

Main symptoms are 'google installer needs to close' popping up every 10 minutes, iexplore running audio ads in the background (I dig U2 and Blackberry, but not when a virus is involved), it blocks McAfee, and a few Google redirects among other things. The Microsoft error report said it was caused by google/uacd.sys, and I've been trawling this forum for solutions for days; it seemed to be the TDSS rootkit. So I eventually got MBAM to scan, which confirmed it and seemingly removed it, but it won't remove uacinit.dll after the reboot, so the Google installer errors continue. I've also done Root Repeal, and it doesn't seem to include the strings listed in this post: http://www.malwarebytes.org/forums/index.php?showtopic=12709. The other posts seem to suggest posting logs and getting specific help with ComboFix etc. beyond this point, and I'm really wary of fiddling with the registry. So without further waffle, here are the logs:

Latest MBAM log, post kicking TDSS ass:

Malwarebytes' Anti-Malware 1.40
Database version: 2567
Windows 5.1.2600 Service Pack 3 (Safe Mode)

06/08/2009 14:04:49
mbam-log-2009-08-06 (14-04-49).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 406154
Time elapsed: 1 hour(s), 28 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Root Repeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 01:33
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================
Path: Ntfs.sys Address: 0xF74D6000 Size: 574976 File Visible: - Signed: - Status: - Name: PartMgr.sys Image Path: PartMgr.sys Address: 0xF7937000 Size: 19712 File Visible: - Signed: - Status: - Name: pci.sys Image Path: pci.sys Address: 0xF764F000 Size: 68224 File Visible: - Signed: - Status: - Name: pciide.sys Image Path: pciide.sys Address: 0xF7C77000 Size: 3328 File Visible: - Signed: - Status: - Name: PCTCore.sys Image Path: PCTCore.sys Address: 0xF758D000 Size: 143360 File Visible: - Signed: - Status: - Name: pnpshark.sys Image Path: pnpshark.sys Address: 0xF7631000 Size: 119552 File Visible: - Signed: - Status: - Name: PxHelp20.sys Image Path: PxHelp20.sys Address: 0xF771F000 Size: 36320 File Visible: - Signed: - Status: - Name: sfdrv01.sys Image Path: sfdrv01.sys Address: 0xF7483000 Size: 73728 File Visible: - Signed: - Status: - Name: sfhlp02.sys Image Path: sfhlp02.sys Address: 0xF793F000 Size: 32768 File Visible: - Signed: - Status: - Name: sfsync02.sys Image Path: sfsync02.sys Address: 0xF76CF000 Size: 36864 File Visible: - Signed: - Status: - Name: sfvfs02.sys Image Path: sfvfs02.sys Address: 0xF7495000 Size: 81920 File Visible: - Signed: - Status: - Name: sr.sys Image Path: sr.sys Address: 0xF75B0000 Size: 73472 File Visible: - Signed: - Status: - Name: st3shark.sys Image Path: st3shark.sys Address: 0xF7BB3000 Size: 5504 File Visible: - Signed: - Status: - Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xF76DF000 Size: 52352 File Visible: - Signed: - Status: - Name: WudfPf.sys Image Path: WudfPf.sys Address: 0xF7563000 Size: 77568 File Visible: - Signed: - Status: - HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:52:19, on 06/08/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Ad-Aware\AAWService.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\Program Files\Spyware Doctor\pctsTray.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\System32\wbem\unsecapp.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Ad-Aware\AAWTray.exe C:\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: AVG Safe Search - 
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG Antivirus 8\avgssie.dll (file missing) O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\STARDO~1\SDIEInt.dll O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: 
[bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Hewlett-Packard PSC 2115\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Malwarebytes Anti-Malware\fugof.exe" /runcleanupscript O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\myrealname\OctoshapeClient.exe" -inv:bootrun O4 - HKCU\..\Run: [NVIDIA nTune] "C:\NVIDIA\nTune\nTuneCmd.exe" clear O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\myrealname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] 
C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: Download with Star Downloader - C:\Star Downloader\sdie.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: SYSTRAN: &Clear Translation Cache - D:\Systran Translator\Standard\menuClearCache.html O8 - Extra context menu item: SYSTRAN: &Options - D:\Systran Translator\Standard\menuConfigure.html O8 - Extra context menu item: SYSTRAN: &Register - D:\Systran Translator\Standard\menuRegister.html O8 - Extra context menu item: SYSTRAN: &Translate - D:\Systran Translator\Standard\menuTranslate.html O8 - Extra context menu item: SYSTRAN: Check for &Updates - D:\Systran Translator\Standard\menuUpdate.html O8 - Extra context menu item: SYSTRAN: Translate All &Frames - D:\Systran Translator\Standard\menuTranslateAll.html O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... 
- {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: @sysiecom.dll,-2100 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslate.html O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2102 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslate.html O9 - Extra button: @sysiecom.dll,-2103 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslateAll.html O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2105 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslateAll.html O9 - Extra button: @sysiecom.dll,-2115 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuConfigure.html O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2117 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuConfigure.html O9 - Extra button: (no name) - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuClearCache.html O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2108 - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuClearCache.html O9 - Extra button: (no name) - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuRegister.html O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2111 - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuRegister.html O9 - Extra button: (no name) - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuUpdates.html (file missing) O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2114 - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuUpdates.html (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - 
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\YAHOO!~1\MESSEN~1\ypager.exe (file missing) O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\YAHOO!~1\MESSEN~1\ypager.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspkwk.dll' missing O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll O15 - Trusted Zone: http://www.abbey.com O15 - Trusted Zone: http://gp4tweaker.vadertrophy.com O16 - DPF: Yahoo! Dominoes - O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://myaccount.spaces.live.com/PhotoUpload/MsnPUpld.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave 
Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Update Service (gupdate1c8c5cb3ead1e68) (gupdate1c8c5cb3ead1e68) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. 
- C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Ad-Aware\AAWService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. 
- C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\NVIDIA\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe -- End of file - 16483 bytes I'd be really grateful for any help how to kill this thing once and for all, I've put the effort in and tearing my hair out here! Cheers, -gr