Thanks for the reply, Mieke!
It took a few goes, but I found these two log files, in order, just in case.
The symptoms seem to have largely gone, but I would rather be completely sure... I'm not sure what to make of them.
1st scan
ComboFix 09-08-08.04 - myrealname 09/08/2009 13:11.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.588 [GMT 1:00]
Running from: c:\documents and settings\myrealname\Desktop\ficx.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\-2132147399
C:\avqid.exe
C:\desktop.ini
C:\jejby.exe
C:\nryuvxw.exe
C:\obhasb.exe
c:\program files\iMeshBar
c:\program files\iMeshBar\bar\History\search
C:\tmlchrx.exe
C:\ufpuc.exe
c:\windows\Installer\67f3c1.msp
c:\windows\Installer\67f3d4.msp
c:\windows\Installer\f178db.msi
c:\windows\run.log
c:\windows\system32\Data
c:\windows\system32\Drivers\mubskpu.sys
C:\yfbkr.exe
C:\yllwiq.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.
2009-08-06 21:06 . 2009-08-06 21:06 -------- d-sh--w- c:\documents and settings\myrealname\IECompatCache
2009-08-06 15:51 . 2009-08-06 15:52 -------- d-----w- C:\HijackThis
2009-08-06 00:27 . 2009-08-06 00:33 -------- d-----w- C:\RootRepeal
2009-08-05 21:00 . 2009-08-05 21:00 -------- d-----w- c:\documents and settings\myrealname\Application Data\Malwarebytes
2009-08-04 17:47 . 2009-08-04 17:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-04 17:09 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 17:09 . 2009-08-05 22:43 -------- d-----w- C:\Malwarebytes Anti-Malware
2009-08-04 17:09 . 2009-08-04 17:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-04 17:09 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 15:50 . 2009-08-04 15:50 0 ----a-w- C:\backup.reg
2009-08-04 12:49 . 2009-08-04 12:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-04 11:44 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-04 10:44 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-04 10:42 . 2009-08-04 10:42 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-04 10:42 . 2009-08-04 10:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-08-03 17:33 . 2009-08-03 17:33 -------- d-sh--w- c:\documents and settings\myrealname\PrivacIE
2009-07-28 15:05 . 2009-07-28 15:05 -------- d-sh--w- c:\documents and settings\myrealname\IETldCache
2009-07-26 11:55 . 2009-07-26 11:55 -------- d-sh--w- c:\documents and settings\otheruser\PrivacIE
2009-07-26 08:06 . 2009-07-26 08:06 -------- d-sh--w- c:\documents and settings\otheruser\IETldCache
2009-07-26 00:21 . 2009-07-26 00:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-25 22:18 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-25 22:17 . 2009-07-29 09:33 -------- d-----w- c:\windows\ie8updates
2009-07-25 22:15 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-25 22:15 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-25 22:03 . 2009-07-25 22:14 -------- dc-h--w- c:\windows\ie8
2009-07-21 19:36 . 2009-07-21 19:36 -------- d-----w- c:\documents and settings\myrealname\Application Data\$CUERoot$
2009-07-21 19:35 . 2009-07-21 19:35 -------- d-----w- c:\program files\HP
2009-07-18 18:54 . 2009-08-05 22:54 -------- d-----w- c:\documents and settings\myrealname\Local Settings\Application Data\Temp
2009-07-18 09:55 . 2009-08-05 23:06 -------- d-----w- c:\documents and settings\otheruser\Local Settings\Application Data\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-09 07:46 . 2008-12-27 15:14 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-07 08:29 . 2008-12-27 15:15 -------- d-----w- c:\program files\Spyware Doctor
2009-08-04 23:54 . 2006-07-04 23:44 -------- d-----w- c:\documents and settings\myrealname\Application Data\uT
2009-08-04 12:49 . 2005-02-07 02:13 -------- d-----w- c:\program files\Google
2009-07-31 21:33 . 2009-02-21 14:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-10 10:11 . 2009-01-22 03:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-10 10:01 . 2009-01-22 03:57 -------- d-----w- c:\program files\McAfee
2009-07-04 17:03 . 2009-07-04 17:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-04 17:03 . 2009-07-04 17:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-03 17:09 . 2004-02-06 17:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2001-08-18 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-18 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 15:17 . 2002-11-05 11:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-03 19:09 . 2003-12-21 20:38 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-12-26 21:41 . 2005-12-26 21:41 2951156 ----a-w- c:\program files\bitcomet_setup.exe
2009-08-04 12:50 . 2009-08-04 12:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\nvidia\nTune\nTuneCmd.exe" [2007-07-03 81920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-09 68856]
"Google Update"="c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"Share-to-Web Namespace Daemon"="c:\hewlett-packard psc 2115\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\quicktime\QTTask.exe" [2008-11-04 413696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-08-04 30192]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\SYSTEM32\bthprops.cpl [2008-04-14 110592]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2007-12-05 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk
backup=c:\windows\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk
backup=c:\windows\pss\PCSuiteForNokia6600 TS.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=c:\windows\pss\QuickTV.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^myrealname^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]
path=c:\documents and settings\myrealname\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk
backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^myrealname^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=c:\documents and settings\myrealname\Start Menu\Programs\Startup\Wallpaper Changer.lnk
backup=c:\windows\pss\Wallpaper Changer.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\KZLite\\Kz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Yahoo! Messenger\\Messenger\\YServer.exe"=
"c:\\Program Files\\LW\\LW.exe"=
"f:\\downloads to sort\\ut.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\GTR 2\\GTR2.exe"=
"f:\\rFactor\\rFactor.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Steam\\SteamApps\\myname\\race07 demo\\SteamProxy.exe"=
"d:\\Steam\\SteamApps\\myname\\race07 demo\\RaceConfig_Steam.exe"=
"d:\\Steam\\SteamApps\\myname\\race 07 demo crowne plaza raceway edition\\RaceDemo_Steam.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"d:\\GT Legends\\GTL.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [04/08/2009 11:44 64160]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [22/05/2009 12:47 130936]
R0 pnpshark;pnpshark;c:\windows\SYSTEM32\DRIVERS\pnpshark.sys [02/10/2003 04:16 119552]
R0 st3shark;st3shark;c:\windows\SYSTEM32\DRIVERS\st3shark.sys [27/09/2003 15:37 5504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\ad-aware\AAWService.exe [03/07/2009 15:49 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [23/01/2009 01:02 210216]
S2 BT848;AVerMedia, AVerTV WDM Video Capture;c:\windows\SYSTEM32\DRIVERS\BT848.sys [13/05/2002 19:40 261696]
S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;c:\windows\SYSTEM32\DRIVERS\bttuner.sys [27/01/2002 04:57 22016]
S2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;c:\windows\SYSTEM32\DRIVERS\btxbar.sys [27/01/2002 05:02 13312]
S2 gupdate1c8c5cb3ead1e68;Google Update Service (gupdate1c8c5cb3ead1e68);c:\program files\Google\Update\GoogleUpdate.exe [13/07/2008 00:03 133104]
S2 UsbCom;USB -> COM Driver Service;c:\windows\SYSTEM32\DRIVERS\UsbCom.sys [02/08/2004 15:44 69575]
S3 cpuz130;cpuz130;\??\c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [04/08/2009 13:50 30192]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\SYSTEM32\DRIVERS\ImHidUsb.sys [27/11/2002 18:13 30920]
S3 jfdcd;jfdcd;\??\c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys [?]
S3 papycpu;papycpu;c:\windows\SYSTEM32\DRIVERS\papycpu.sys [25/12/2002 15:13 1888]
S3 RnbToken;Rainbow iKey Token Service;c:\windows\SYSTEM32\DRIVERS\RNBTOKEN.SYS [16/03/2004 03:04 18536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [27/12/2008 16:15 348752]
S3 TMHidF;Thrustmaster Force Feedback Racing Wheel HID Driver;c:\windows\SYSTEM32\DRIVERS\TMHIDF.sys [27/10/2005 17:25 63894]
S3 wi8042pr;wi8042pr;\??\c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Octoshape Streaming Services - c:\program files\Octoshape Streaming Services\myrealname\OctoshapeClient.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKLM-Run-NBKeyScan - c:\nero\Nero 8\Nero BackItUp\NBKeyScan.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with Star Downloader - c:\star downloader\sdie.htm
IE: E&xport to Microsoft Excel - c:\micros~4\OFFICE11\EXCEL.EXE/3000
IE: SYSTRAN: &Clear Translation Cache - d:\systran translator\Standard\menuClearCache.html
IE: SYSTRAN: &Options - d:\systran translator\Standard\menuConfigure.html
IE: SYSTRAN: &Register - d:\systran translator\Standard\menuRegister.html
IE: SYSTRAN: &Translate - d:\systran translator\Standard\menuTranslate.html
IE: SYSTRAN: Check for &Updates - d:\systran translator\Standard\menuUpdate.html
IE: SYSTRAN: Translate All &Frames - d:\systran translator\Standard\menuTranslateAll.html
IE: {{703436F1-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslate.html
IE: {{703436F2-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslateAll.html
IE: {{703436F3-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuConfigure.html
IE: {{703436F4-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuClearCache.html
IE: {{703436F5-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuRegister.html
IE: {{703436F6-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuUpdates.html
Trusted Zone: abbey.com\www
Trusted Zone: vadertrophy.com\gp4tweaker
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Yahoo! Dominoes
FF - ProfilePath - c:\docume~1\myrealname\APPLIC~1\Mozilla\Firefox\Profiles\80m4qwwn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\divx player\DivX Content Uploader\npUpload.dll
FF - plugin: c:\divx player\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx player\DivX Web Player\npdivx32.dll
FF - plugin: c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin7.dll
FF - plugin: c:\vlc media player\npvlc.dll
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 13:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(760)
c:\program files\McAfee\SiteAdvisor\saHook.dll
- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-09 13:33
ComboFix-quarantined-files.txt 2009-08-09 12:33
Pre-Run: 3,090,022,400 bytes free
Post-Run: 3,026,915,328 bytes free
303 --- E O F --- 2009-07-31 16:45
More recent scan
ComboFix 09-08-08.04 - myrealname 09/08/2009 13:11.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.588 [GMT 1:00]
Running from: c:\documents and settings\myrealname\Desktop\ficx.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\-2132147399
C:\avqid.exe
C:\desktop.ini
C:\jejby.exe
C:\nryuvxw.exe
C:\obhasb.exe
c:\program files\iMeshBar
c:\program files\iMeshBar\bar\History\search
C:\tmlchrx.exe
C:\ufpuc.exe
c:\windows\Installer\67f3c1.msp
c:\windows\Installer\67f3d4.msp
c:\windows\Installer\f178db.msi
c:\windows\run.log
c:\windows\system32\Data
c:\windows\system32\Drivers\mubskpu.sys
C:\yfbkr.exe
C:\yllwiq.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.
2009-08-06 21:06 . 2009-08-06 21:06 -------- d-sh--w- c:\documents and settings\myrealname\IECompatCache
2009-08-06 15:51 . 2009-08-06 15:52 -------- d-----w- C:\HijackThis
2009-08-06 00:27 . 2009-08-06 00:33 -------- d-----w- C:\RootRepeal
2009-08-05 21:00 . 2009-08-05 21:00 -------- d-----w- c:\documents and settings\myrealname\Application Data\Malwarebytes
2009-08-04 17:47 . 2009-08-04 17:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-04 17:09 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 17:09 . 2009-08-05 22:43 -------- d-----w- C:\Malwarebytes Anti-Malware
2009-08-04 17:09 . 2009-08-04 17:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-04 17:09 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 15:50 . 2009-08-04 15:50 0 ----a-w- C:\backup.reg
2009-08-04 12:49 . 2009-08-04 12:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-04 11:44 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-04 10:44 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-04 10:42 . 2009-08-04 10:42 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-04 10:42 . 2009-08-04 10:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-08-03 17:33 . 2009-08-03 17:33 -------- d-sh--w- c:\documents and settings\myrealname\PrivacIE
2009-07-28 15:05 . 2009-07-28 15:05 -------- d-sh--w- c:\documents and settings\myrealname\IETldCache
2009-07-26 11:55 . 2009-07-26 11:55 -------- d-sh--w- c:\documents and settings\other user\PrivacIE
2009-07-26 08:06 . 2009-07-26 08:06 -------- d-sh--w- c:\documents and settings\other user\IETldCache
2009-07-26 00:21 . 2009-07-26 00:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-25 22:18 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-25 22:17 . 2009-07-29 09:33 -------- d-----w- c:\windows\ie8updates
2009-07-25 22:15 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-25 22:15 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-25 22:03 . 2009-07-25 22:14 -------- dc-h--w- c:\windows\ie8
2009-07-21 19:36 . 2009-07-21 19:36 -------- d-----w- c:\documents and settings\myrealname\Application Data\$CUERoot$
2009-07-21 19:35 . 2009-07-21 19:35 -------- d-----w- c:\program files\HP
2009-07-18 18:54 . 2009-08-05 22:54 -------- d-----w- c:\documents and settings\myrealname\Local Settings\Application Data\Temp
2009-07-18 09:55 . 2009-08-05 23:06 -------- d-----w- c:\documents and settings\other user\Local Settings\Application Data\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-09 07:46 . 2008-12-27 15:14 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-07 08:29 . 2008-12-27 15:15 -------- d-----w- c:\program files\Spyware Doctor
2009-08-04 23:54 . 2006-07-04 23:44 -------- d-----w- c:\documents and settings\myrealname\Application Data\uTorrent
2009-08-04 12:49 . 2005-02-07 02:13 -------- d-----w- c:\program files\Google
2009-07-31 21:33 . 2009-02-21 14:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-10 10:11 . 2009-01-22 03:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-10 10:01 . 2009-01-22 03:57 -------- d-----w- c:\program files\McAfee
2009-07-04 17:03 . 2009-07-04 17:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-04 17:03 . 2009-07-04 17:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-03 17:09 . 2004-02-06 17:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2001-08-18 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-18 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 15:17 . 2002-11-05 11:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-03 19:09 . 2003-12-21 20:38 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-12-26 21:41 . 2005-12-26 21:41 2951156 ----a-w- c:\program files\bitcomet_setup.exe
2009-08-04 12:50 . 2009-08-04 12:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\nvidia\nTune\nTuneCmd.exe" [2007-07-03 81920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-09 68856]
"Google Update"="c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"Share-to-Web Namespace Daemon"="c:\hewlett-packard psc 2115\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\quicktime\QTTask.exe" [2008-11-04 413696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-08-04 30192]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\SYSTEM32\bthprops.cpl [2008-04-14 110592]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2007-12-05 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk
backup=c:\windows\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk
backup=c:\windows\pss\PCSuiteForNokia6600 TS.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=c:\windows\pss\QuickTV.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^myrealname^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]
path=c:\documents and settings\myrealname\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk
backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^myrealname^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=c:\documents and settings\myrealname\Start Menu\Programs\Startup\Wallpaper Changer.lnk
backup=c:\windows\pss\Wallpaper Changer.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\KZ Lite\\KZ.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Yahoo! Messenger\\Messenger\\YServer.exe"=
"c:\\Program Files\\LW\\LW.exe"=
"f:\\downloads to sort\\ut.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\GTR 2\\GTR2.exe"=
"f:\\rFactor\\rFactor.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Steam\\SteamApps\\myname\\race07 demo\\SteamProxy.exe"=
"d:\\Steam\\SteamApps\\myname\\race07 demo\\RaceConfig_Steam.exe"=
"d:\\Steam\\SteamApps\\myname\\race 07 demo crowne plaza raceway edition\\RaceDemo_Steam.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"d:\\GT Legends\\GTL.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [04/08/2009 11:44 64160]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [22/05/2009 12:47 130936]
R0 pnpshark;pnpshark;c:\windows\SYSTEM32\DRIVERS\pnpshark.sys [02/10/2003 04:16 119552]
R0 st3shark;st3shark;c:\windows\SYSTEM32\DRIVERS\st3shark.sys [27/09/2003 15:37 5504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\ad-aware\AAWService.exe [03/07/2009 15:49 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [23/01/2009 01:02 210216]
S2 BT848;AVerMedia, AVerTV WDM Video Capture;c:\windows\SYSTEM32\DRIVERS\BT848.sys [13/05/2002 19:40 261696]
S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;c:\windows\SYSTEM32\DRIVERS\bttuner.sys [27/01/2002 04:57 22016]
S2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;c:\windows\SYSTEM32\DRIVERS\btxbar.sys [27/01/2002 05:02 13312]
S2 gupdate1c8c5cb3ead1e68;Google Update Service (gupdate1c8c5cb3ead1e68);c:\program files\Google\Update\GoogleUpdate.exe [13/07/2008 00:03 133104]
S2 UsbCom;USB -> COM Driver Service;c:\windows\SYSTEM32\DRIVERS\UsbCom.sys [02/08/2004 15:44 69575]
S3 cpuz130;cpuz130;\??\c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [04/08/2009 13:50 30192]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\SYSTEM32\DRIVERS\ImHidUsb.sys [27/11/2002 18:13 30920]
S3 jfdcd;jfdcd;\??\c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys [?]
S3 papycpu;papycpu;c:\windows\SYSTEM32\DRIVERS\papycpu.sys [25/12/2002 15:13 1888]
S3 RnbToken;Rainbow iKey Token Service;c:\windows\SYSTEM32\DRIVERS\RNBTOKEN.SYS [16/03/2004 03:04 18536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [27/12/2008 16:15 348752]
S3 TMHidF;Thrustmaster Force Feedback Racing Wheel HID Driver;c:\windows\SYSTEM32\DRIVERS\TMHIDF.sys [27/10/2005 17:25 63894]
S3 wi8042pr;wi8042pr;\??\c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Octoshape Streaming Services - c:\program files\Octoshape Streaming Services\myrealname\OctoshapeClient.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKLM-Run-NBKeyScan - c:\nero\Nero 8\Nero BackItUp\NBKeyScan.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with Star Downloader - c:\star downloader\sdie.htm
IE: E&xport to Microsoft Excel - c:\micros~4\OFFICE11\EXCEL.EXE/3000
IE: SYSTRAN: &Clear Translation Cache - d:\systran translator\Standard\menuClearCache.html
IE: SYSTRAN: &Options - d:\systran translator\Standard\menuConfigure.html
IE: SYSTRAN: &Register - d:\systran translator\Standard\menuRegister.html
IE: SYSTRAN: &Translate - d:\systran translator\Standard\menuTranslate.html
IE: SYSTRAN: Check for &Updates - d:\systran translator\Standard\menuUpdate.html
IE: SYSTRAN: Translate All &Frames - d:\systran translator\Standard\menuTranslateAll.html
IE: {{703436F1-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslate.html
IE: {{703436F2-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslateAll.html
IE: {{703436F3-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuConfigure.html
IE: {{703436F4-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuClearCache.html
IE: {{703436F5-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuRegister.html
IE: {{703436F6-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuUpdates.html
Trusted Zone: abbey.com\www
Trusted Zone: vadertrophy.com\gp4tweaker
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Yahoo! Dominoes
FF - ProfilePath - c:\docume~1\myrealname\APPLIC~1\Mozilla\Firefox\Profiles\80m4qwwn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\divx player\DivX Content Uploader\npUpload.dll
FF - plugin: c:\divx player\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx player\DivX Web Player\npdivx32.dll
FF - plugin: c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin7.dll
FF - plugin: c:\vlc media player\npvlc.dll
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 13:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(760)
c:\program files\McAfee\SiteAdvisor\saHook.dll
- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-09 13:33
ComboFix-quarantined-files.txt 2009-08-09 12:33
Pre-Run: 3,090,022,400 bytes free
Post-Run: 3,026,915,328 bytes free
303 --- E O F --- 2009-07-31 16:45
Regards,
-GR
Greetings fellow geeks, I am not worthy of your malware killing powers, but will be grateful nonetheless!
I'm an advanced user, super-careful with what I let in, etc., but I think my little brother was duped by a fake flashy spyware warning.
Main symptoms are 'google installer needs to close' popping up every 10 minutes, iexplore running audio ads in the background (I dig U2 and Blackberry, but not when a virus is involved), it blocks McAfee, and a few Google redirects, among other things.
The Microsoft error report said it was caused by google/uacd.sys, and I've been trawling this forum for solutions for days; it seemed to be the TDSS rootkit. So I eventually got MBAM to scan, which confirmed it and seemingly removed it, but it won't remove uacinit.dll after the reboot, so the Google Installer errors continue. I've also run Root Repeal, and it doesn't seem to include the strings listed in this post: http://www.malwarebytes.org/forums/index.php?showtopic=12709.
The other posts seem to suggest posting logs and getting specific help with ComboFix etc. beyond this point, and I'm really wary of fiddling with the registry. So without further waffle, here are the logs:
Latest MBAM log, post kicking TDSS ass:
Malwarebytes' Anti-Malware 1.40
Database version: 2567
Windows 5.1.2600 Service Pack 3 (Safe Mode)
06/08/2009 14:04:49
mbam-log-2009-08-06 (14-04-49).txt
Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 406154
Time elapsed: 1 hour(s), 28 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
Root Repeal log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 01:33
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name:
Image Path:
Address: 0xF75FA000 Size: 96512 File Visible: No Signed: -
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7660000 Size: 187776 File Visible: - Signed: -
Status: -
Name: agp440.sys
Image Path: agp440.sys
Address: 0xF772F000 Size: 42368 File Visible: - Signed: -
Status: -
Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xF2F00000 Size: 393216 File Visible: - Signed: -
Status: -
Name: nvoclock.sys
Image Path: C:\WINDOWS\nvoclock.sys
Address: 0xF7C59000 Size: 6912 File Visible: - Signed: -
Status: -
Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7ABF000 Size: 12288 File Visible: - Signed: -
Status: -
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF30F6000 Size: 138496 File Visible: - Signed: -
Status: -
Name: AFS2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xF6CE5000 Size: 35840 File Visible: - Signed: -
Status: -
Name: aspi32.sys
Image Path: C:\WINDOWS\System32\drivers\aspi32.sys
Address: 0xF796F000 Size: 16512 File Visible: - Signed: -
Status: -
Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7D0D000 Size: 3072 File Visible: - Signed: -
Status: -
Name: BANTExt.sys
Image Path: C:\WINDOWS\System32\Drivers\BANTExt.sys
Address: 0xF7D27000 Size: 2144 File Visible: - Signed: -
Status: -
Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7C2F000 Size: 4224 File Visible: - Signed: -
Status: -
Name: BthEnum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\BthEnum.sys
Address: 0xF7A77000 Size: 17024 File Visible: - Signed: -
Status: -
Name: bthmodem.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bthmodem.sys
Address: 0xF785F000 Size: 37888 File Visible: - Signed: -
Status: -
Name: bthpan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bthpan.sys
Address: 0xF2E44000 Size: 101120 File Visible: - Signed: -
Status: -
Name: bthport.sys
Image Path: C:\WINDOWS\System32\Drivers\bthport.sys
Address: 0xF323E000 Size: 274432 File Visible: - Signed: -
Status: -
Name: BTHUSB.sys
Image Path: C:\WINDOWS\System32\Drivers\BTHUSB.sys
Address: 0xF7A47000 Size: 18944 File Visible: - Signed: -
Status: -
Name: Cdr4_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS
Address: 0xF7DF9000 Size: 2432 File Visible: - Signed: -
Status: -
Name: Cdralw2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS
Address: 0xF7DFA000 Size: 2560 File Visible: - Signed: -
Status: -
Name: cdrbsvsd.SYS
Image Path: C:\WINDOWS\System32\Drivers\cdrbsvsd.SYS
Address: 0xF7B57000 Size: 12736 File Visible: - Signed: -
Status: -
Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF6CD5000 Size: 62976 File Visible: - Signed: -
Status: -
Name: cdudf_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Address: 0xF32F4000 Size: 241280 File Visible: - Signed: -
Status: -
Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF76FF000 Size: 53248 File Visible: - Signed: -
Status: -
Name: ctoss2k.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ctoss2k.sys
Address: 0xF630D000 Size: 178400 File Visible: - Signed: -
Status: -
Name: ctsfm2k.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys
Address: 0xF570F000 Size: 129920 File Visible: - Signed: -
Status: -
Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF78FF000 Size: 61440 File Visible: - Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2E1B000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C6F000 Size: 8192 File Visible: No Signed: -
Status: -
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF32BA000 Size: 12288 File Visible: - Signed: -
Status: -
Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -
Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7DC5000 Size: 4096 File Visible: - Signed: -
Status: -
Name: e100b325.sys
Image Path: C:\WINDOWS\System32\DRIVERS\e100b325.sys
Address: 0xF56EC000 Size: 139776 File Visible: - Signed: -
Status: -
Name: enodpl.sys
Image Path: C:\WINDOWS\System32\drivers\enodpl.sys
Address: 0xF7BF9000 Size: 7552 File Visible: - Signed: -
Status: -
Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF3281000 Size: 143744 File Visible: - Signed: -
Status: -
Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF799F000 Size: 27392 File Visible: - Signed: -
Status: -
Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF77FF000 Size: 44544 File Visible: - Signed: -
Status: -
Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF79FF000 Size: 20480 File Visible: - Signed: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7C2D000 Size: 7936 File Visible: - Signed: -
Status: -
Name: gameenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Address: 0xF7B4F000 Size: 10624 File Visible: - Signed: -
Status: -
Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Address: 0xF7B5B000 Size: 9984 File Visible: - Signed: -
Status: -
Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF780F000 Size: 36864 File Visible: - Signed: -
Status: -
Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Address: 0xF7A0F000 Size: 28672 File Visible: - Signed: -
Status: -
Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF3353000 Size: 10368 File Visible: - Signed: -
Status: -
Name: HPZid412.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HPZid412.sys
Address: 0xF783F000 Size: 50688 File Visible: - Signed: -
Status: -
Name: HPZipr12.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HPZipr12.sys
Address: 0xF32D6000 Size: 15840 File Visible: - Signed: -
Status: -
Name: HPZius12.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HPZius12.sys
Address: 0xF7A6F000 Size: 22240 File Visible: - Signed: -
Status: -
Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
Address: 0xF5531000 Size: 561600 File Visible: - Signed: -
Status: -
Name: HSF_DP.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_DP.sys
Address: 0xF55BB000 Size: 1090304 File Visible: - Signed: -
Status: -
Name: HSF_FALL.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys
Address: 0xBA23C000 Size: 289856 File Visible: - Signed: -
Status: -
Name: HSF_FAXX.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys
Address: 0xB9BEC000 Size: 199680 File Visible: - Signed: -
Status: -
Name: HSF_FSKS.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys
Address: 0xBA21F000 Size: 115776 File Visible: - Signed: -
Status: -
Name: HSF_K56K.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys
Address: 0xBA197000 Size: 391168 File Visible: - Signed: -
Status: -
Name: HSF_SPKP.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_SPKP.sys
Address: 0xB9BDA000 Size: 73248 File Visible: - Signed: -
Status: -
Name: HSF_TONE.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys
Address: 0xB9CCD000 Size: 50720 File Visible: - Signed: -
Status: -
Name: HSF_V124.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_V124.sys
Address: 0xB9B3A000 Size: 488352 File Visible: - Signed: -
Status: -
Name: HSFHWBS2.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys
Address: 0xF56C6000 Size: 152672 File Visible: - Signed: -
Status: -
Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB9687000 Size: 264832 File Visible: - Signed: -
Status: -
Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF7434000 Size: 8576 File Visible: - Signed: -
Status: -
Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF790F000 Size: 52480 File Visible: - Signed: -
Status: -
Name: Imapi.sys
Image Path: C:\WINDOWS\system32\drivers\Imapi.sys
Address: 0xF6CB5000 Size: 42112 File Visible: - Signed: -
Status: -
Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF78EF000 Size: 36352 File Visible: - Signed: -
Status: -
Name: ipfltdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Address: 0xF77AF000 Size: 32896 File Visible: - Signed: -
Status: -
Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF3140000 Size: 152832 File Visible: - Signed: -
Status: -
Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xF31E6000 Size: 75264 File Visible: - Signed: -
Status: -
Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF79A7000 Size: 24576 File Visible: - Signed: -
Status: -
Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB94E4000 Size: 172416 File Visible: - Signed: -
Status: -
Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF635D000 Size: 143360 File Visible: - Signed: -
Status: -
Name: MASPINT.SYS
Image Path: C:\WINDOWS\System32\Drivers\MASPINT.SYS
Address: 0xF7C09000 Size: 8096 File Visible: - Signed: -
Status: -
Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7DC1000 Size: 2560 File Visible: No Signed: -
Status: -
Name: mdmxsdk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Address: 0xBA081000 Size: 8768 File Visible: - Signed: -
Status: -
Name: mfeavfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys
Address: 0xB9790000 Size: 73152 File Visible: - Signed: -
Status: -
Name: mfebopk.sys
Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys
Address: 0xF7A9F000 Size: 28544 File Visible: - Signed: -
Status: -
Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xF2F60000 Size: 207296 File Visible: - Signed: -
Status: -
Name: mfesmfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys
Address: 0xB98AA000 Size: 33824 File Visible: - Signed: -
Status: -
Name: mmc_2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\mmc_2K.SYS
Address: 0xF79F7000 Size: 22720 File Visible: - Signed: -
Status: -
Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7C31000 Size: 4224 File Visible: - Signed: -
Status: -
Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF7997000 Size: 30080 File Visible: - Signed: -
Status: -
Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xF7B9F000 Size: 16128 File Visible: - Signed: -
Status: -
Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF79B7000 Size: 23040 File Visible: - Signed: -
Status: -
Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xF32DE000 Size: 12160 File Visible: - Signed: -
Status: -
Name: Mpfp.sys
Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys
Address: 0xF3166000 Size: 159744 File Visible: - Signed: -
Status: -
Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xBA373000 Size: 180608 File Visible: - Signed: -
Status: -
Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF2F93000 Size: 455296 File Visible: - Signed: -
Status: -
Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7A27000 Size: 19072 File Visible: - Signed: -
Status: -
Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF6C65000 Size: 35072 File Visible: - Signed: -
Status: -
Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF7B7F000 Size: 15488 File Visible: - Signed: -
Status: -
Name: MxlW2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Address: 0xF79BF000 Size: 25600 File Visible: - Signed: -
Status: -
Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF7B67000 Size: 10112 File Visible: - Signed: -
Status: -
Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xBA6AC000 Size: 14592 File Visible: - Signed: -
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF54E6000 Size: 91520 File Visible: - Signed: -
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF775F000 Size: 40576 File Visible: - Signed: -
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF77BF000 Size: 34688 File Visible: - Signed: -
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF3118000 Size: 162816 File Visible: - Signed: -
Status: -
Name: nlmj.sys
Image Path: C:\WINDOWS\system32\drivers\nlmj.sys
Address: 0xF3066000 Size: 61440 File Visible: No Signed: -
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7A2F000 Size: 30848 File Visible: - Signed: -
Status: -
Name: NuidFltr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
Address: 0xF7A5F000 Size: 28672 File Visible: - Signed: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7DFB000 Size: 2944 File Visible: - Signed: -
Status: -
Name: nv4_mini.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Address: 0xF653D000 Size: 7435392 File Visible: - Signed: -
Status: -
Name: OMCI.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
Address: 0xF335F000 Size: 12864 File Visible: - Signed: -
Status: -
Name: P16X.sys
Image Path: C:\WINDOWS\system32\drivers\P16X.sys
Address: 0xF6380000 Size: 1330048 File Visible: - Signed: -
Status: -
Name: papycpu2.sys
Image Path: C:\WINDOWS\System32\DRIVERS\papycpu2.sys
Address: 0xF7DFC000 Size: 1984 File Visible: - Signed: -
Status: -
Name: papyjoy.sys
Image Path: C:\WINDOWS\System32\DRIVERS\papyjoy.sys
Address: 0xF7DFD000 Size: 1856 File Visible: - Signed: -
Status: -
Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF551D000 Size: 80128 File Visible: - Signed: -
Status: -
Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7BF5000 Size: 6784 File Visible: - Signed: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF792F000 Size: 28672 File Visible: - Signed: -
Status: -
Name: point32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\point32.sys
Address: 0xF79AF000 Size: 21760 File Visible: - Signed: -
Status: -
Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6339000 Size: 147456 File Visible: - Signed: -
Status: -
Name: PQNTDrv.SYS
Image Path: C:\WINDOWS\System32\Drivers\PQNTDrv.SYS
Address: 0xF7CFA000 Size: 2688 File Visible: - Signed: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF54D5000 Size: 69120 File Visible: - Signed: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF79CF000 Size: 17792 File Visible: - Signed: -
Status: -
Name: pwd_2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Address: 0xF54FD000 Size: 127360 File Visible: - Signed: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF7071000 Size: 8832 File Visible: - Signed: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF6C95000 Size: 51328 File Visible: - Signed: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF6C85000 Size: 41472 File Visible: - Signed: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF6C75000 Size: 48384 File Visible: - Signed: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF79D7000 Size: 16512 File Visible: - Signed: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF302B000 Size: 175744 File Visible: - Signed: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7C33000 Size: 4224 File Visible: - Signed: -
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF6CC5000 Size: 57600 File Visible: - Signed: -
Status: -
Name: rfcomm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rfcomm.sys
Address: 0xF784F000 Size: 59136 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8E88000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Address: 0xF75E2000 Size: 98304 File Visible: - Signed: -
Status: -
Name: secdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Address: 0xB9D0D000 Size: 40960 File Visible: - Signed: -
Status: -
Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF7B53000 Size: 15744 File Visible: - Signed: -
Status: -
Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF791F000 Size: 64512 File Visible: - Signed: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xBA145000 Size: 333952 File Visible: - Signed: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF7C07000 Size: 4352 File Visible: - Signed: -
Status: -
Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB9C8D000 Size: 60800 File Visible: - Signed: -
Status: -
Name: tandpl.sys
Image Path: C:\WINDOWS\System32\drivers\tandpl.sys
Address: 0xF7C75000 Size: 4736 File Visible: - Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF318D000 Size: 361600 File Visible: - Signed: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF79C7000 Size: 20480 File Visible: - Signed: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF6C55000 Size: 40704 File Visible: - Signed: -
Status: -
Name: TMBUS.sys
Image Path: C:\WINDOWS\system32\drivers\TMBUS.sys
Address: 0xF7B6F000 Size: 11200 File Visible: - Signed: -
Status: -
Name: UdfReadr_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS
Address: 0xF320B000 Size: 206464 File Visible: - Signed: -
Status: -
Name: Udfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Udfs.SYS
Address: 0xF2E33000 Size: 66048 File Visible: - Signed: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF5477000 Size: 384768 File Visible: - Signed: -
Status: -
Name: usbccgp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
Address: 0xF7A57000 Size: 32128 File Visible: - Signed: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF7C23000 Size: 8192 File Visible: - Signed: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF7987000 Size: 30208 File Visible: - Signed: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF776F000 Size: 59520 File Visible: - Signed: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF6506000 Size: 143360 File Visible: - Signed: -
Status: -
Name: usbprint.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys
Address: 0xF7A67000 Size: 25856 File Visible: - Signed: -
Status: -
Name: usbscan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbscan.sys
Address: 0xF32DA000 Size: 15104 File Visible: - Signed: -
Status: -
Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF797F000 Size: 20608 File Visible: - Signed: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7A17000 Size: 20992 File Visible: - Signed: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6529000 Size: 81920 File Visible: - Signed: -
Status: -
Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF779F000 Size: 34560 File Visible: - Signed: -
Status: -
Name: Wdf01000.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
Address: 0xF2E5D000 Size: 503808 File Visible: - Signed: -
Status: -
Name: WDFLDR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Address: 0xF782F000 Size: 53248 File Visible: - Signed: -
Status: -
Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB9532000 Size: 83072 File Visible: - Signed: -
Status: -
Name: WmBEnum.sys
Image Path: C:\WINDOWS\system32\drivers\WmBEnum.sys
Address: 0xF7B83000 Size: 11136 File Visible: - Signed: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7BB1000 Size: 8192 File Visible: - Signed: -
Status: -
Name: WmXlCore.sys
Image Path: C:\WINDOWS\system32\drivers\WmXlCore.sys
Address: 0xF774F000 Size: 46208 File Visible: - Signed: -
Status: -
Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -
Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7BAF000 Size: 8192 File Visible: - Signed: -
Status: -
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -
Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000 Size: 5775360 File Visible: - Signed: -
Status: -
Name: PfModNT.sys
Image Path: C:\WINDOWS\System32\PfModNT.sys
Address: 0xF7C21000 Size: 6240 File Visible: - Signed: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7A7F000 Size: 20480 File Visible: - Signed: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: disk.sys
Image Path: disk.sys
Address: 0xF76EF000 Size: 36352 File Visible: - Signed: -
Status: -
Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF75C2000 Size: 129792 File Visible: - Signed: -
Status: -
Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7612000 Size: 125056 File Visible: - Signed: -
Status: -
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF76AF000 Size: 37248 File Visible: - Signed: -
Status: -
Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7576000 Size: 92288 File Visible: - Signed: -
Status: -
Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF770F000 Size: 57472 File Visible: - Signed: -
Status: -
Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF76BF000 Size: 42368 File Visible: - Signed: -
Status: -
Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7469000 Size: 105344 File Visible: - Signed: -
Status: -
Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF74A9000 Size: 182656 File Visible: - Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF74D6000 Size: 574976 File Visible: - Signed: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF7937000 Size: 19712 File Visible: - Signed: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xF764F000 Size: 68224 File Visible: - Signed: -
Status: -
Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7C77000 Size: 3328 File Visible: - Signed: -
Status: -
Name: PCTCore.sys
Image Path: PCTCore.sys
Address: 0xF758D000 Size: 143360 File Visible: - Signed: -
Status: -
Name: pnpshark.sys
Image Path: pnpshark.sys
Address: 0xF7631000 Size: 119552 File Visible: - Signed: -
Status: -
Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF771F000 Size: 36320 File Visible: - Signed: -
Status: -
Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xF7483000 Size: 73728 File Visible: - Signed: -
Status: -
Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xF793F000 Size: 32768 File Visible: - Signed: -
Status: -
Name: sfsync02.sys
Image Path: sfsync02.sys
Address: 0xF76CF000 Size: 36864 File Visible: - Signed: -
Status: -
Name: sfvfs02.sys
Image Path: sfvfs02.sys
Address: 0xF7495000 Size: 81920 File Visible: - Signed: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xF75B0000 Size: 73472 File Visible: - Signed: -
Status: -
Name: st3shark.sys
Image Path: st3shark.sys
Address: 0xF7BB3000 Size: 5504 File Visible: - Signed: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF76DF000 Size: 52352 File Visible: - Signed: -
Status: -
Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF7563000 Size: 77568 File Visible: - Signed: -
Status: -
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52:19, on 06/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Ad-Aware\AAWTray.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG Antivirus 8\avgssie.dll (file missing)
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\STARDO~1\SDIEInt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Hewlett-Packard PSC 2115\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Malwarebytes Anti-Malware\fugof.exe" /runcleanupscript
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\myrealname\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\NVIDIA\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\myrealname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download with Star Downloader - C:\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: SYSTRAN: &Clear Translation Cache - D:\Systran Translator\Standard\menuClearCache.html
O8 - Extra context menu item: SYSTRAN: &Options - D:\Systran Translator\Standard\menuConfigure.html
O8 - Extra context menu item: SYSTRAN: &Register - D:\Systran Translator\Standard\menuRegister.html
O8 - Extra context menu item: SYSTRAN: &Translate - D:\Systran Translator\Standard\menuTranslate.html
O8 - Extra context menu item: SYSTRAN: Check for &Updates - D:\Systran Translator\Standard\menuUpdate.html
O8 - Extra context menu item: SYSTRAN: Translate All &Frames - D:\Systran Translator\Standard\menuTranslateAll.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: @sysiecom.dll,-2100 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslate.html
O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2102 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslate.html
O9 - Extra button: @sysiecom.dll,-2103 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslateAll.html
O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2105 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslateAll.html
O9 - Extra button: @sysiecom.dll,-2115 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuConfigure.html
O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2117 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuConfigure.html
O9 - Extra button: (no name) - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuClearCache.html
O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2108 - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuClearCache.html
O9 - Extra button: (no name) - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuRegister.html
O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2111 - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuRegister.html
O9 - Extra button: (no name) - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuUpdates.html (file missing)
O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2114 - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuUpdates.html (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\YAHOO!~1\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\YAHOO!~1\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspkwk.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://www.abbey.com
O15 - Trusted Zone: http://gp4tweaker.vadertrophy.com
O16 - DPF: Yahoo! Dominoes -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://myaccount.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c8c5cb3ead1e68) (gupdate1c8c5cb3ead1e68) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\NVIDIA\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 16483 bytes
I'd be really grateful for any help on how to kill this thing once and for all; I've put the effort in and I'm tearing my hair out here!
Cheers,
-gr
yet another uacinit.dll not removing on reboot
in Resolved Malware Removal Logs
Weird, I didn't get an email reply notification for the first one, sorry about that.
Well, the Google Installer errors and background adverts have gone. It seemed more or less fine until last week, when my Windows XP administrator login preferences and My Documents folder wiped themselves completely for no reason! I managed to get it back with System Restore; not sure if it's related? Also had a locked spam popup, but sadly that's the norm on the internets.
I've carried out your instructions and a DOS window flashed up very quickly for both, did it do anything?
Anyway here's the latest MBAM, it seems clean:
Malwarebytes' Anti-Malware 1.40
Database version: 2567
Windows 5.1.2600 Service Pack 3
20/08/2009 18:53:16
mbam-log-2009-08-20 (18-53-16).txt
Scan type: Quick Scan
Objects scanned: 122112
Time elapsed: 11 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Is this a sign it is fixed? If not, I might just format my C: drive, but it's partitioned with a D: also. Will the D: contents disappear if I do that?
Thanks for chasing this,
-GR