Jump to content

TheRaptor

Members
 View Profile  See their activity

  • Posts

    11

  • Joined

  • Last visited

Reputation

0 Neutral
  1. TheRaptor
    Done - the last run of your program found a DNS changer, but I think it's valid. I use FreeDNS for DDNS. Also - I changed my passwords when this stuff 1st hit. Are any of these remnants serious enough that I need to worry about changing those again? Malwarebytes' Anti-Malware 1.44 Database version: 3761 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 2/19/2010 1:24:17 PM mbam-log-2010-02-19 (13-24-17).txt Scan type: Full Scan (C:\|) Objects scanned: 500350 Time elapsed: 2 hour(s), 25 minute(s), 51 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fb492367-eafb-42d8-b37c-080e2554d8d6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.60,93.188.161.31 -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  2. TheRaptor
    Oops - when combofix kept crashing my system I deleted the exe. Guess I'll need to reinstall / uninstall to do it right.
  3. TheRaptor
    Apparently you are correct. TDSS rootkit removing tool, Kaspersky Lab, 2010 version 2.2.4 Feb 15 2010 19:38:31 Scanning Services ... Scanning Kernel memory ... Driver "atapi" Irp handler infected by TDSS rootkit ... cured File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... will be cured on next reboot Completed Results: Memory objects infected / cured / cured on reboot: 1 / 1 / 0 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 File objects infected / cured / cured on reboot: 1 / 0 / 1 To finalize removal of infection and avoid loosing of data program will reboot your PC now. Close all programs and choose Y to restart or N to continue
  4. TheRaptor
    I'm not having much luck with that one either - it went into please wait - initializing mode for about an hour and chewed up all my virtual memory.
  5. TheRaptor
    I'm having a lot of trouble running this. I left it with its default settings, and it runs about 2 hours and then my system crashes. I've turned off my virus programs and disconnected from the internet. No other programs are running. What am I doing wrong?
  6. TheRaptor
    I went ahead and took the chance that there was not really a trojan in that code. Here's the log: ComboFix 10-02-16.03 - Dave 02/17/2010 19:33:57.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.473 [GMT -6:00] Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: F-Secure Anti-Virus 2007 7.01 *disabled* {D4747503-0346-49EB-9262-997542F79BF4} FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\Dave\Application Data\inst.exe C:\hzUu.exe c:\program files\WinPCap c:\program files\WinPCap\daemon_mgm.exe c:\program files\WinPCap\INSTALL.LOG c:\program files\WinPCap\NetMonInstaller.exe c:\program files\WinPCap\npf_mgm.exe c:\program files\WinPCap\rpcapd.exe c:\program files\WinPCap\Uninstall.exe c:\windows\EventSystem.log c:\windows\patch.exe c:\windows\system32\_000228_.tmp.dll c:\windows\system32\_005182_.tmp.dll c:\windows\system32\_005183_.tmp.dll c:\windows\system32\_005184_.tmp.dll c:\windows\system32\_005185_.tmp.dll c:\windows\system32\_005192_.tmp.dll c:\windows\system32\_005193_.tmp.dll c:\windows\system32\_005194_.tmp.dll c:\windows\system32\_005195_.tmp.dll c:\windows\system32\_005197_.tmp.dll c:\windows\system32\_005198_.tmp.dll c:\windows\system32\_005201_.tmp.dll c:\windows\system32\_005202_.tmp.dll c:\windows\system32\_005204_.tmp.dll c:\windows\system32\_005205_.tmp.dll c:\windows\system32\_005206_.tmp.dll c:\windows\system32\_005208_.tmp.dll c:\windows\system32\_005210_.tmp.dll c:\windows\system32\_005211_.tmp.dll c:\windows\system32\_005212_.tmp.dll c:\windows\system32\_005216_.tmp.dll c:\windows\system32\_005217_.tmp.dll c:\windows\system32\_005219_.tmp.dll c:\windows\system32\_005222_.tmp.dll c:\windows\system32\_005224_.tmp.dll c:\windows\system32\_005225_.tmp.dll c:\windows\system32\_005226_.tmp.dll c:\windows\system32\_005227_.tmp.dll c:\windows\system32\_005228_.tmp.dll c:\windows\system32\_005231_.tmp.dll c:\windows\system32\_005232_.tmp.dll c:\windows\system32\_005233_.tmp.dll c:\windows\system32\_005234_.tmp.dll c:\windows\system32\_005235_.tmp.dll c:\windows\system32\_005240_.tmp.dll c:\windows\system32\_005242_.tmp.dll c:\windows\system32\_005243_.tmp.dll c:\windows\system32\Cache c:\windows\system32\drivers\npf.sys c:\windows\system32\drivers\shfqgdqi.sys c:\windows\system32\pthreadVC.dll c:\windows\system32\server.log c:\windows\system32\spool\prtprocs\w32x86\000034da.tmp c:\windows\system32\spool\prtprocs\w32x86\00003ecd.tmp c:\windows\system32\vbzlib1.dll c:\windows\system32\WanPacket.dll c:\windows\system32\wpcap.dll c:\windows\Tasks\fdnjcpec.job c:\windows\Temp\0220841266453456mcinst.exe ----- BITS: Possible infected sites ----- hxxp://85.12.18.119 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NPF -------\Service_NPF -------\Legacy_shfqgdqi -------\Service_shfqgdqi ((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 ))))))))))))))))))))))))))))))) . 2010-02-16 12:12 . 2010-02-16 12:12 -------- d-----w- c:\program files\TrendMicro 2010-02-14 13:32 . 2010-02-14 13:34 -------- d-----w- c:\documents and settings\MaryJo\Local Settings\Application Data\TSVNCache 2010-02-14 13:32 . 2010-02-14 13:32 -------- d-sh--w- c:\documents and settings\MaryJo\IETldCache 2010-02-14 05:16 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-14 05:16 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-02-14 03:32 . 2010-02-14 03:32 -------- d-----w- c:\documents and settings\Dave\Application Data\Malwarebytes 2010-02-14 03:19 . 2010-02-14 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-02-14 03:19 . 2010-02-14 14:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-02-13 17:43 . 2010-02-14 05:10 -------- d-----w- c:\program files\NoAdware 2010-01-30 21:55 . 2010-01-30 21:55 -------- d-----w- c:\program files\Teratrax 2010-01-28 23:24 . 2010-01-28 23:24 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\AnjLab 2010-01-25 19:23 . 2010-01-25 19:23 -------- d-----w- c:\program files\Gizmox . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-18 00:58 . 2009-07-03 05:16 -------- d-----w- c:\program files\McAfee 2010-02-16 12:12 . 2010-02-16 12:12 388096 ----a-r- c:\documents and settings\Dave\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe 2010-02-14 14:45 . 2010-02-14 14:45 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-02-14 13:32 . 2007-02-11 00:53 58624 ----a-w- c:\documents and settings\MaryJo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-02-14 02:45 . 2010-02-14 02:45 52224 ----a-w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-02-14 02:45 . 2010-02-14 02:45 117760 ----a-w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-02-14 02:44 . 2007-10-30 23:20 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-02-14 02:44 . 2007-10-30 23:20 -------- d-----w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com 2010-02-14 02:44 . 2007-10-30 23:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-02-12 21:15 . 2007-02-13 21:22 -------- d-----w- c:\documents and settings\Dave\Application Data\uTorrent 2010-02-12 03:41 . 2009-10-22 02:16 -------- d-----w- c:\program files\FeltStars 2010-02-10 17:53 . 2004-08-20 12:57 -------- d-----w- c:\documents and settings\Dave\Application Data\WeatherBug 2010-02-06 22:03 . 2009-01-17 16:39 -------- d-----w- c:\program files\Full Tilt Poker 2010-02-06 01:47 . 2009-05-09 19:40 -------- d-----w- c:\program files\PokerStars 2010-02-05 22:17 . 2009-01-29 23:34 -------- d-----w- c:\program files\DoylesRoom 2010-02-05 16:42 . 2006-07-07 22:34 -------- d-----w- c:\documents and settings\Dave\Application Data\AdobeUM 2010-02-05 16:42 . 2004-02-14 06:20 -------- d-----w- c:\program files\Common Files\Adobe 2010-02-05 02:44 . 2010-01-07 21:25 -------- d-----w- c:\program files\BigBetPoker.com 2010-02-05 02:43 . 2009-01-17 18:04 -------- d-----w- c:\program files\ReeferPoker 2010-02-05 02:41 . 2009-10-06 16:52 -------- d-----w- c:\program files\PowerPoker 2010-02-05 02:41 . 2009-03-20 11:51 -------- d-----w- c:\program files\Cake Poker 2010-02-05 02:40 . 2008-11-30 15:04 -------- d-----w- c:\program files\UltimateBet 2010-02-05 00:17 . 2009-06-10 21:21 -------- d-----w- c:\program files\Absolute Poker 2010-02-02 21:47 . 2008-10-14 21:38 -------- d-----w- c:\program files\YCN Group 2010-02-02 21:43 . 2004-02-19 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-01-25 19:25 . 2008-07-05 12:10 1360064 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\visualstudio\9.0\1033\ResourceCache.dll 2010-01-25 19:22 . 2008-06-16 20:57 176384 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll 2010-01-25 19:22 . 2008-06-16 19:50 -------- d-----w- c:\program files\MSBuild 2010-01-18 18:19 . 2009-06-18 13:59 -------- d-----w- c:\program files\PowerPokerClub 2010-01-14 17:12 . 2009-10-03 06:34 181120 ------w- c:\windows\system32\MpSigStub.exe 2010-01-13 14:42 . 2010-01-13 14:42 -------- d-----w- c:\program files\IIS 2010-01-13 14:37 . 2010-01-13 14:37 -------- d-----w- c:\program files\Microsoft 2009-12-31 16:50 . 2009-12-15 01:23 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-30 18:18 . 2009-12-30 18:18 49152 ----a-r- c:\documents and settings\Dave\Application Data\Microsoft\Installer\{49FA793C-785E-47E9-93DF-BD442B0B45D1}\Icon49FA793C.exe 2009-12-24 22:23 . 2008-07-05 12:10 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll 2009-12-24 22:15 . 2004-09-21 00:18 -------- d-----w- c:\program files\Common Files\Merge Modules 2009-12-24 22:08 . 2008-06-16 19:57 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0 2009-12-24 16:17 . 2009-09-26 23:58 -------- d-----w- c:\documents and settings\Dave\Application Data\BitTorrent 2009-12-21 19:14 . 2004-08-03 13:56 916480 ----a-w- c:\windows\system32\wininet.dll 2009-12-16 18:43 . 2004-02-14 06:03 343040 ----a-w- c:\windows\system32\mspaint.exe 2009-12-15 13:09 . 2004-02-14 06:51 58624 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-12-15 12:37 . 2004-02-14 06:06 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat 2009-12-15 02:15 . 2009-12-15 02:15 529 ----a-w- C:\resetreg.cmd 2009-12-14 07:08 . 2009-12-15 01:23 33280 ----a-w- c:\windows\system32\csrsrv.dll 2009-12-13 04:08 . 2004-02-14 06:04 27872 ----a-w- c:\windows\system32\emptyregdb.dat 2009-12-11 17:28 . 2009-12-11 17:28 0 ----a-w- c:\windows\SET4C.tmp 2009-12-08 19:27 . 2009-12-15 01:23 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2009-12-15 01:23 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe 2009-12-04 18:22 . 2009-12-15 01:23 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll 2009-11-27 17:11 . 2004-08-03 13:56 1291776 ----a-w- c:\windows\system32\quartz.dll 2009-11-27 16:07 . 2001-08-18 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll 2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll 2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll 2009-11-27 16:07 . 2004-08-03 13:56 11264 ----a-w- c:\windows\system32\msrle32.dll 2009-11-27 16:07 . 2004-08-03 13:56 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-11-21 15:51 . 2004-08-03 13:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll 2006-05-05 11:14 . 2006-05-05 11:14 28672 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll 2006-05-05 11:14 . 2006-05-05 11:14 98304 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll 2004-06-26 04:20 . 2004-06-26 04:20 13 --sha-w- c:\windows\CPSYSDLG.SYS . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e6685db-8c0a-4a37-9ac9-9574e97c4e0b}] 2008-07-25 17:16 282112 ----a-w- c:\windows\system32\mscoree.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal] @="{C5994560-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified] @="{C5994561-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict] @="{C5994562-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked] @="{C5994563-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly] @="{C5994564-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted] @="{C5994565-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded] @="{C5994566-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored] @="{C5994567-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned] @="{C5994568-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}] 2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-07-30 1593344] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2003-01-10 32768] "ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456] "Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016] "Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768] "IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304] "2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2003-10-10 393216] "WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2003-08-01 474624] "Dimension4"="c:\program files\D4\D4.exe" [2004-02-04 200704] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584] "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-11-06 200704] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-12-06 163840] "AutoMate6"="c:\program files\AutoMate 6\AMEM.exe" [2008-05-16 3325320] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008] "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] DynDNS Updater.lnk - c:\program files\DynDNS Updater\DynDNS.exe [2005-6-5 1353216] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588] Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt\0sprestrt [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\D4\\D4.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Common Files\\XPressUpdate\\XPressUpdate.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\uTorrent\\utorrent.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\McAfee\\MSC\\mcupdmgr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "51139:TCP"= 51139:TCP:@xpsp2res.dll,-22005 "28990:TCP"= 28990:TCP:@xpsp2res.dll,-22005 "12925:TCP"= 12925:TCP:@xpsp2res.dll,-22005 "56384:TCP"= 56384:TCP:@xpsp2res.dll,-22005 "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480] R2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [12/18/2008 10:27 AM 447848] R2 FreeDNSUpdate;FreeDNS Update;c:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate --> c:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate [?] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/2/2009 11:20 PM 93320] R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe [2/7/2007 11:06 PM 49152] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2009 7:43 PM 24652] R2 VWG_ENTERPRISE_SERVICE;Visual WebGui Scalable Server;c:\program files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe [12/4/2008 2:18 PM 16384] R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [12/18/2008 10:27 AM 20736] R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [12/18/2008 10:27 AM 18944] R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [1/5/2006 3:11 PM 17136] S2 0220841266453456mcinstcleanup;McAfee Application Installer Cleanup (0220841266453456);c:\windows\TEMP\022084~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\022084~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?] S2 BrowserHawk_BDF;BrowserHawk BDF;"c:\program files\cyScape\BrowserHawk\BrowserHawk.exe" --> c:\program files\cyScape\BrowserHawk\BrowserHawk.exe [?] S2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\DRIVERS\nvtvsnd.sys --> c:\windows\system32\DRIVERS\nvtvsnd.sys [?] S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592] S3 ACE Client Service;ACE Client Service;c:\program files\YCN Group\Ace Client\AceClient.exe [4/7/2009 3:50 PM 20992] S3 ACE Server Service;ACE Server Service;c:\program files\YCN Group\Ace Server\AceServer.exe [4/21/2009 12:05 PM 20992] S3 Advc1394f1 Filter;Advc1394f1 Filter;c:\windows\system32\drivers\advc1394f1.sys [6/22/2004 5:25 PM 23424] S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\Dave\LOCALS~1\Temp\ATICDSDr.sys --> c:\docume~1\Dave\LOCALS~1\Temp\ATICDSDr.sys [?] S3 auditOL Notification Service;auditOL Notification Service;c:\program files\YCN Group\auditOL Notification Service\auditOLNotices.exe [2/2/2010 4:50 PM 12800] S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [12/18/2008 3:30 PM 20992] S3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [9/9/2009 12:13 PM 55176] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408] S3 XMail;XMail Server;d:\installsets\xmail-1.20\MailRoot\bin\XMail.exe --> d:\installsets\xmail-1.20\MailRoot\bin\XMail.exe [?] S4 FixIP;FixIP;d:\radagast\tix21\scheduler.net\output\fixip.service.exe --> d:\radagast\tix21\scheduler.net\output\fixip.service.exe [?] S4 LumiSoft Mail Server;LumiSoft Mail Server;d:\radagast\rct\lumisoft\mailserver\application\release\lsmailserver.exe --> d:\radagast\rct\lumisoft\mailserver\application\release\lsmailserver.exe [?] --- Other Services/Drivers In Memory --- *Deregistered* - IPVNMon . Contents of the 'Scheduled Tasks' folder 2010-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] 2010-02-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-03 17:22] 2010-02-01 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-03 17:22] 2010-02-17 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-02-14 22:24] . . ------- Supplementary Scan ------- . uLocal Page = \blank.htm uStart Page = hxxp://www.google.com uInternet Settings,ProxyServer = 82.66.124.146:8081 uInternet Settings,ProxyOverride = <local> IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe IE: {{C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - {F5FC01C8-9039-45E1-8AB2-7D04D4D72197} - c:\progra~1\HTTPAN~1\IEHTTP~1.DLL Trusted Zone: dyndns.biz\radagast Trusted Zone: internet Trusted Zone: localhost Trusted Zone: mcafee.com Trusted Zone: strategicsoftware.net\screensafe TCP: {FB492367-EAFB-42D8-B37C-080E2554D8D6} = 93.188.164.60,93.188.161.31 DPF: {50580095-16DB-4B28-BCFC-70989E09AA5F} - hxxps://206.81.55.237/XTunnel.cab FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\q3xo1rdh.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - Ask.com FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - prefs.js: keyword.URL - FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) HKCU-Run-Sonic RecordNow! - (no file) HKLM-Run-SoundMAXPnP - c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe HKLM-Run-Mirabilis ICQ - c:\program files\ICQ\NDetect.exe AddRemove-SBC Yahoo! UMUninstaller - c:\program files\SBC Yahoo!\umuninst.exe AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-17 19:58 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8676A8C8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf78c7f28 \Driver\ACPI -> ACPI.sys @ 0xf781acb8 \Driver\atapi -> atapi.sys @ 0xf7681b3a IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 user & kernel MBR OK copy of MBR has been found in sector 0x00 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MsDepSvc] "ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc" [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2] "ImagePath"="\"\"" [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL] "ImagePath"="c:\mysql\bin\mysqld-max-nt MySQL" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,97,a8,df,9a,d5,64,46,a9,01,46,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,97,a8,df,9a,d5,64,46,a9,01,46,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(672) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(1892) c:\windows\system32\WININET.dll c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll c:\program files\TortoiseSVN\bin\TortoiseStub.dll c:\program files\TortoiseSVN\bin\TortoiseSVN.dll c:\program files\TortoiseSVN\bin\intl3_tsvn.dll c:\program files\TortoiseCVS\TrtseShl.dll c:\program files\Iomega\DriveIcons\IMGHOOK.DLL c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\FreeDNS Update\FDNSUSVC.exe c:\program files\FreeDNS Update\freednsupdate.exe c:\windows\system32\inetsrv\inetinfo.exe c:\progra~1\Iomega\System32\AppServices.exe c:\program files\Java\jre6\bin\jqs.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\progra~1\McAfee\VIRUSS~1\mcshield.exe c:\program files\DisplayLink Core Software\DisplayLinkManager.exe c:\program files\DisplayLink Core Software\DisplayLinkUI.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\program files\McAfee\MPF\MPFSrv.exe c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe c:\progra~1\mcafee.com\agent\mcagent.exe c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\Iomega\AutoDisk\ADService.exe c:\program files\TortoiseSVN\bin\TSVNCache.exe c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe . ************************************************************************** . Completion time: 2010-02-17 20:09:28 - machine was rebooted ComboFix-quarantined-files.txt 2010-02-18 02:09 Pre-Run: 1,418,058,952,704 bytes free Post-Run: 1,419,718,365,184 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin - - End Of File - - C8C10178BB40A4798677565AF11F9E63
  7. TheRaptor
    I spoke too soon - the remnant rundll32.exe for fizisoya.dll is also back. Also, when I attempt to download combofix from either of the sites listed on bleepingcomputer my anti-virus program blocks the download claiming the file contains an Artemis trojan.
  8. TheRaptor
    That got rid of the rundll32 problem but the 3DO thing is still happening. I suspended the process again. Malwarebytes' Anti-Malware 1.44 Database version: 3751 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 2/17/2010 1:39:38 PM mbam-log-2010-02-17 (13-39-38).txt Scan type: Full Scan (C:\|) Objects scanned: 552384 Time elapsed: 2 hour(s), 7 minute(s), 45 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.60,93.188.161.31 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fb492367-eafb-42d8-b37c-080e2554d8d6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.60,93.188.161.31 -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\spool\prtprocs\w32x86\000026ef.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\spool\prtprocs\w32x86\00003a7e.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\00006715 (Rootkit.TDSS) -> Quarantined and deleted successfully. Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 1:49:09 PM, on 2/17/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\FreeDNS Update\FDNSUSVC.exe C:\Program Files\FreeDNS Update\freednsupdate.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe C:\WINDOWS\Explorer.EXE C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\TortoiseSVN\bin\TSVNCache.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe C:\Program Files\TightVNC\WinVNC.exe C:\Program Files\Iomega\AutoDisk\ADService.exe C:\Program Files\Iomega\AutoDisk\ADUserMon.exe C:\Program Files\Iomega\DriveIcons\ImgIcon.exe C:\Program Files\2Wire\2PortalMon.exe C:\Program Files\D4\D4.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\AWS\WeatherBug\Weather.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\DynDNS Updater\DynDNS.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\InstallSets\ProcessExplorer\procexp.exe C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\TEMP\dba899e6.tmp C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.66.124.146:8081 R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll O1 - Hosts: 63.171.25.73 ASP3 O2 - BHO: RCTPlugin.BHO - {3e6685db-8c0a-4a37-9ac9-9574e97c4e0b} - c:\windows\system32\mscoree.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" O4 - HKLM\..\Run: [AutoMate6] C:\Program Files\AutoMate 6\AMEM.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: DynDNS Updater.lnk = C:\Program Files\DynDNS Updater\DynDNS.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: Open/Close CC dialog - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - c:\windows\system32\mscoree.dll O9 - Extra 'Tools' menuitem: Open/Close CC dialog - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - c:\windows\system32\mscoree.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dave\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU) O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dave\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU) O9 - Extra button: Easy Play Poker - {16f4ad81-6455-4924-87fb-f77a7d5b7601} - C:\Documents and Settings\Dave\Start Menu\Programs\Easy Play Poker\Easy Play Poker.lnk (HKCU) O9 - Extra button: BigBetPoker.com - {1ca24684-a693-418e-a430-79d070271843} - C:\Documents and Settings\Dave\Start Menu\Programs\BigBetPoker.com\BigBetPoker.com.lnk (HKCU) O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU) O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU) O9 - Extra button: WassPoker - {4053ebe6-a54d-4bb9-b118-ce1d8f99a548} - C:\Documents and Settings\Dave\Start Menu\Programs\WassPoker\WassPoker.lnk (HKCU) O9 - Extra button: ReeferPoker - {60a501e4-a078-4cb2-8728-3fab4264f3c1} - C:\Documents and Settings\Dave\Start Menu\Programs\ReeferPoker\ReeferPoker.lnk (HKCU) O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O9 - Extra button: FeltStars - {fbd780d2-c26b-46dd-9002-fdf30465c9d2} - C:\Documents and Settings\Dave\Start Menu\Programs\FeltStars\FeltStars.lnk (HKCU) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://radagast.dyndns.biz O15 - Trusted Zone: http://*.mcafee.com O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll O16 - DPF: {50580095-16DB-4B28-BCFC-70989E09AA5F} (XTunnelCtrl Class) - https://206.81.55.237/XTunnel.cab O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.cushioneer.com/Remote/msrdp.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Dave\Local Settings\Temp\EI40_\msxml4.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...410/mcfscan.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O17 - HKLM\System\CCS\Services\Tcpip\..\{FB492367-EAFB-42D8-B37C-080E2554D8D6}: NameServer = 93.188.164.60,93.188.161.31 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.60,93.188.161.31 O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: ACE Client Service - YCN Group - C:\Program Files\YCN Group\Ace Client\AceClient.exe O23 - Service: ACE Server Service - YCN Group - C:\Program Files\YCN Group\Ace Server\AceServer.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: auditOL Notification Service - Radagast Systems Corp - C:\Program Files\YCN Group\auditOL Notification Service\auditOLNotices.exe O23 - Service: AutoMate 6 (AutoMate6) - Network Automation, Inc. - C:\Program Files\AutoMate 6\AMTS.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: BrowserHawk BDF (BrowserHawk_BDF) - Unknown owner - C:\Program Files\cyScape\BrowserHawk\BrowserHawk.exe (file missing) O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe O23 - Service: FreeDNS Update (FreeDNSUpdate) - TechKnow Professional Services - C:\Program Files\FreeDNS Update\FDNSUSVC.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing) O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: Visual WebGui Scalable Server (VWG_ENTERPRISE_SERVICE) - Gizmox - C:\Program Files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe O23 - Service: XMail Server (XMail) - Unknown owner - D:\InstallSets\xmail-1.20\MailRoot\bin\XMail.exe (file missing) O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe -- End of file - 18320 bytes
  9. TheRaptor
    Yes - I still get the rogue process. I've been using procexp to watch what's going on. If I kill the process it resurrects itself anywhere from 5 minutes to an hour later. I decided to try something else - I fired up procexp immediately after my system booted instead of waiting for everything else to finish loading. When I did that I also noticed a weird process with a random name followed by .tmp. I suspended it. In the description it says Heroes of Might and Magic III and claims to be from the 3DO Company. I've never downloaded that (at least not on purpose). That process apparently does not run very long since I've never seen it until I ran procexp very early in a reboot. I also checked the directory it claimed to load from (c:\windows\temp) and that file does not exist. I did notice 1 other very suspicious looking entry in the Hijack log: O22 - SharedTaskScheduler: jugezatag - {c4f68668-fa4d-48db-90db-15d14d99a96a} - (no file) I removed it and rebooted - no difference.
  10. TheRaptor
    Thanks for your quick reply. I ran a few Hijack logs with an earlier version. Here's the one I just ran from the version I downloaded from the link. Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 6:13:20 AM, on 2/16/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\FreeDNS Update\FDNSUSVC.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\FreeDNS Update\freednsupdate.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\McAfee\MPF\MPFSrv.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe C:\Program Files\TightVNC\WinVNC.exe C:\Program Files\Iomega\AutoDisk\ADService.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe C:\Program Files\Iomega\AutoDisk\ADUserMon.exe C:\Program Files\Iomega\DriveIcons\ImgIcon.exe C:\Program Files\2Wire\2PortalMon.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\AWS\WeatherBug\Weather.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\DynDNS Updater\DynDNS.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe C:\Program Files\Outlook Express\msimn.exe C:\Radagast\Personal\CalTrack\bin\Debug\CalTrack.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\msiexec.exe C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.66.124.146:8081 R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll O1 - Hosts: 63.171.25.73 ASP3 O2 - BHO: RCTPlugin.BHO - {3e6685db-8c0a-4a37-9ac9-9574e97c4e0b} - c:\windows\system32\mscoree.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" O4 - HKLM\..\Run: [AutoMate6] C:\Program Files\AutoMate 6\AMEM.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: DynDNS Updater.lnk = C:\Program Files\DynDNS Updater\DynDNS.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: Open/Close CC dialog - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - c:\windows\system32\mscoree.dll O9 - Extra 'Tools' menuitem: Open/Close CC dialog - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - c:\windows\system32\mscoree.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dave\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU) O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dave\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU) O9 - Extra button: Easy Play Poker - {16f4ad81-6455-4924-87fb-f77a7d5b7601} - C:\Documents and Settings\Dave\Start Menu\Programs\Easy Play Poker\Easy Play Poker.lnk (HKCU) O9 - Extra button: BigBetPoker.com - {1ca24684-a693-418e-a430-79d070271843} - C:\Documents and Settings\Dave\Start Menu\Programs\BigBetPoker.com\BigBetPoker.com.lnk (HKCU) O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU) O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU) O9 - Extra button: WassPoker - {4053ebe6-a54d-4bb9-b118-ce1d8f99a548} - C:\Documents and Settings\Dave\Start Menu\Programs\WassPoker\WassPoker.lnk (HKCU) O9 - Extra button: ReeferPoker - {60a501e4-a078-4cb2-8728-3fab4264f3c1} - C:\Documents and Settings\Dave\Start Menu\Programs\ReeferPoker\ReeferPoker.lnk (HKCU) O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O9 - Extra button: FeltStars - {fbd780d2-c26b-46dd-9002-fdf30465c9d2} - C:\Documents and Settings\Dave\Start Menu\Programs\FeltStars\FeltStars.lnk (HKCU) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://radagast.dyndns.biz O15 - Trusted Zone: http://*.mcafee.com O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll O16 - DPF: {50580095-16DB-4B28-BCFC-70989E09AA5F} (XTunnelCtrl Class) - https://206.81.55.237/XTunnel.cab O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.cushioneer.com/Remote/msrdp.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Dave\Local Settings\Temp\EI40_\msxml4.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...410/mcfscan.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: jugezatag - {c4f68668-fa4d-48db-90db-15d14d99a96a} - (no file) O23 - Service: ACE Client Service - YCN Group - C:\Program Files\YCN Group\Ace Client\AceClient.exe O23 - Service: ACE Server Service - YCN Group - C:\Program Files\YCN Group\Ace Server\AceServer.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: auditOL Notification Service - Radagast Systems Corp - C:\Program Files\YCN Group\auditOL Notification Service\auditOLNotices.exe O23 - Service: AutoMate 6 (AutoMate6) - Network Automation, Inc. - C:\Program Files\AutoMate 6\AMTS.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: BrowserHawk BDF (BrowserHawk_BDF) - Unknown owner - C:\Program Files\cyScape\BrowserHawk\BrowserHawk.exe (file missing) O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe O23 - Service: FreeDNS Update (FreeDNSUpdate) - TechKnow Professional Services - C:\Program Files\FreeDNS Update\FDNSUSVC.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing) O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: Visual WebGui Scalable Server (VWG_ENTERPRISE_SERVICE) - Gizmox - C:\Program Files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe O23 - Service: XMail Server (XMail) - Unknown owner - D:\InstallSets\xmail-1.20\MailRoot\bin\XMail.exe (file missing) O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe -- End of file - 18723 bytes
  11. TheRaptor
    I got hit by the fake Anti-virus 2010 program a few days ago. I tried several cleanup programs and yours was the one that finally got rid of it. Thanks for a great product - my group will very likely be purchasing several licenses. There is one thing that your program did not clean. I am still getting a rogue rundll32.exe process that is apparently being launched from an svchost routine. I've downloaded and run procexp.exe and the command line from the svchost execution is: C:\WINDOWS\System32\svchost.exe -k netsvcs The rundll32.exe process launched under that one has this command line: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\fizisoyi.dll",d I've searched my XP SP3 system for that file and it does not exist. I've noticed that if I clobber the rundll32 process it restarts a few minutes later, and when it does the system emits a loud deep bell tone which I'm pretty sure means rundll32 was unable to find the fizisoyi.dll routine. I don't think the rundll32 launch is causing any real problems but I'd still like to clean that up just to be safe. Any ideas what I can do? What other info do you need from me?
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.