mby_hm

Members
  • Posts: 6
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. After a lot of trying, I gave up and reformatted the hard drive. Thanks for your help - you can close this thread.
  2. FURTHER UPDATE: using SubInACL, I was able to reset permissions on the pernicious regkeys and delete them. Now my only remaining problem seems to be that I can't access the internet. When I try, Trend Micro blocks it with the message that iexplore.exe has a Program Library Injection. Attached is the HJT log.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 20:04:06, on 2/6/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.5730.0013)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
     C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
     C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Documents and Settings\User\Desktop\HiJackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
     O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
     O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
     O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
     O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

     --
     End of file - 4131 bytes
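What the post above did with SubInACL can also be done from PowerShell with the .NET registry and ACL classes. The script below is an added example, not code from this thread or from any vendor named in it. It targets the key the thread names (Software\CrucialSoft Ltd in the user's hive, which the ComboFix log further down shows with an empty DACL, "@DACL=(02 0000)"); the function names and the small P/Invoke helper are this example's own. It relies on two Windows rules: the owner of a key always keeps READ_CONTROL and WRITE_DAC no matter what the DACL says, and an administrator's token carries SeTakeOwnershipPrivilege, so ownership of any key can be taken. Stop the rogue program first (Safe Mode is fine), or it may re-lock the key while you work.

```powershell
# Added example (not from this thread): reset the DACL on a registry key that
# regedit will not open or delete, then remove the key tree.
# Steps: (1) open for READ_CONTROL|WRITE_DAC as owner; (2) if refused, enable
# SeTakeOwnershipPrivilege, take ownership, retry; (3) write a fresh DACL;
# (4) recurse into subkeys, which carry their own DACLs; (5) delete the tree.
# Key path is from the thread; function names and the helper class are assumptions.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPrivilege {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state,
                                             uint len, IntPtr prev, IntPtr prevLen);
    // True only if the privilege is now enabled; ERROR_NOT_ALL_ASSIGNED means the token never had it.
    public static bool Enable(string name) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028, out token)) return false; // ADJUST_PRIVILEGES | QUERY
        try {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.Count = 1; tp.Attr = 0x2;                                              // SE_PRIVILEGE_ENABLED
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() == 0;
        } finally { CloseHandle(token); }
    }
}
'@

function Reset-LockedRegistryKey {
    param(
        [Parameter(Mandatory = $true)][string]$SubKey,   # path below the hive, e.g. 'Software\CrucialSoft Ltd'
        [Microsoft.Win32.RegistryKey]$Hive = [Microsoft.Win32.Registry]::CurrentUser
    )
    $perm    = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $rights  = [System.Security.AccessControl.RegistryRights]
    $dacOnly = $rights::ReadPermissions -bor $rights::ChangePermissions   # READ_CONTROL | WRITE_DAC
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $admins  = New-Object System.Security.Principal.SecurityIdentifier(
                   [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # (1) As the owner this succeeds even against an empty DACL.
    try {
        $key = $Hive.OpenSubKey($SubKey, $perm, $dacOnly)
    } catch [System.Security.SecurityException] {
        # (2) Not the owner: take ownership, which needs only WRITE_OWNER plus the privilege.
        if (-not [TokenPrivilege]::Enable('SeTakeOwnershipPrivilege')) {
            throw "Cannot open '$SubKey' and this token lacks SeTakeOwnershipPrivilege; run as an administrator."
        }
        $k = $Hive.OpenSubKey($SubKey, $perm, $rights::TakeOwnership)
        $owner = New-Object System.Security.AccessControl.RegistrySecurity
        $owner.SetOwner($me)          # only the owner field is marked modified, so only WRITE_OWNER is exercised
        $k.SetAccessControl($owner)
        $k.Close()
        $key = $Hive.OpenSubKey($SubKey, $perm, $dacOnly)
    }
    if ($null -eq $key) { throw "Key '$SubKey' does not exist under $($Hive.Name)." }

    # (3) Replace the DACL: full control for Administrators and the current user, with
    # inheritance cut so nothing hostile higher up the tree flows back down.
    $acl = $key.GetAccessControl()
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($sid in @($admins, $me)) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    }
    $key.SetAccessControl($acl)
    $key.Close()

    # (4) Subkeys may be locked the same way; fix each before the tree delete.
    $key = $Hive.OpenSubKey($SubKey, $perm, $rights::FullControl)
    foreach ($child in $key.GetSubKeyNames()) {
        Reset-LockedRegistryKey -SubKey "$SubKey\$child" -Hive $Hive
    }
    $key.Close()
}

function Remove-LockedRegistryKey {
    param(
        [Parameter(Mandatory = $true)][string]$SubKey,
        [Microsoft.Win32.RegistryKey]$Hive = [Microsoft.Win32.Registry]::CurrentUser
    )
    Reset-LockedRegistryKey -SubKey $SubKey -Hive $Hive
    $Hive.DeleteSubKeyTree($SubKey)                    # (5) now an ordinary delete
    Write-Host "Removed $($Hive.Name)\$SubKey"
}

# The key this thread could not delete. It sits in the user's own hive, so step (1)
# normally succeeds without any privilege; step (2) covers keys planted under HKLM.
Remove-LockedRegistryKey -SubKey 'Software\CrucialSoft Ltd'
```

Run it from a PowerShell started as an administrator. Keys the rogue created in the user's own hive are owned by that user, so step 1 is enough; for a key under HKLM pass -Hive ([Microsoft.Win32.Registry]::LocalMachine) and step 2 performs the ownership change. The inheritance cut in step 3 is deliberate: a fresh explicit DACL with inheritance still enabled would be merged with whatever the parent key propagates, so protecting it makes the result depend only on what this script wrote.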
  3. UPDATE: I could not find the .sys files referenced in the cfscript.txt file on my system, so I tried deleting them and running combofix with the script file only including the reg entries. It ran that time. After I rebooted, I still could not access MB updates - the Current db information is 1/14/2009, v1654. I ran it regardless, and attached are the combofix and MBAM logs. Thanks!

     ComboFix 09-02-05.02 - User 2009-02-06 18:43:43.4 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.705 [GMT -6:00]
     Running from: c:\documents and settings\User\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\User\Desktop\cfscript.txt
     AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)
      * Created a new restore point

     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .

     (((((((((((((((((((((((((   Files Created from 2009-01-07 to 2009-02-07  )))))))))))))))))))))))))))))))
     .

     2009-02-03 21:44 . 2009-02-03 21:44 66,560 ---h----- c:\windows\system32\secupdat.dat
     2009-01-07 08:50 . 2008-09-04 10:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
     2009-01-07 08:50 . 2008-10-24 05:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
     2009-01-07 08:50 . 2008-10-03 04:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

     .
     ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-02-06 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
     2009-02-04 06:58 --------- d-----w c:\documents and settings\User\Application Data\MxBoost
     2009-02-04 03:42 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-01-27 13:22 --------- d-----w c:\program files\World of Warcraft
     2009-01-24 14:18 --------- d-----w c:\program files\SUPERAntiSpyware
     2009-01-14 22:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-01-14 22:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-01-05 10:55 --------- d-----w c:\program files\Google
     2008-12-17 04:11 --------- d-----w c:\program files\Spybot - Search & Destroy
     2008-12-17 04:08 61,440 ----a-w c:\windows\system32\drivers\jqnjsum.sys
     2008-12-17 04:08 1,088 ----a-w c:\program files\dvvxzq.txt
     2008-12-17 03:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2008-12-16 04:14 --------- d-----w c:\program files\Maxthon2
     2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
     .

     ------- Sigcheck -------

     2002-09-03 13:57 29696 7cdcd4f11d3bed9054a1da40b9668497 c:\windows\$NtServicePackUninstall$\svchost.exe
     2004-08-04 02:56 31232 21b60f5bc1519245d587a6d0bca03fd2 c:\windows\ServicePackFiles\i386\svchost.exe
     2008-04-13 18:12 31232 3d1edaa9965550238f62c7b88a12ba2b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
     2004-08-04 02:56 31232 afbc35b52a82d7f927ea2e8243857133 c:\windows\system32\svchost.exe

     2004-08-04 02:56 1049088 a8f3fdfaa52b1680aa2fe7aa12fc0985 c:\windows\explorer.exe
     2002-09-03 13:37 1020928 eb08474ae5819caca2be9457295f392b c:\windows\$NtServicePackUninstall$\explorer.exe
     2004-08-04 02:56 1049088 6d069a0fc30a2e7d3374ef81386ba9e2 c:\windows\ServicePackFiles\i386\explorer.exe
     2008-04-13 18:12 1050624 0c3fcb3f725024cccb4a2e67878eedc1 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

     2002-09-03 13:35 30208 98e3f3e8cbcd1e5781063accaf0fe570 c:\windows\$NtServicePackUninstall$\ctfmon.exe
     2004-08-04 02:56 32256 cef733a2d6df2bab6c209153b25e45ad c:\windows\ServicePackFiles\i386\ctfmon.exe
     2008-04-13 18:12 32256 3d50d7ed139a991037df7e01bb24299f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
     2004-08-04 02:56 32256 8c49f0a46851c9e3111537944c5cc3ac c:\windows\system32\ctfmon.exe

     2002-09-03 13:57 68096 79a99d94fe1d87f6312ba3548f887e75 c:\windows\$NtServicePackUninstall$\spoolsv.exe
     2004-08-04 02:56 74752 c5fec661b03987349c98423a78279f48 c:\windows\ServicePackFiles\i386\spoolsv.exe
     2008-04-13 18:12 74752 4be76bc14f7b33fef4a3843038184dc7 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
     2004-08-04 02:56 74752 ed401ec29d24726c76b4971b06703788 c:\windows\system32\spoolsv.exe

     2002-09-03 14:00 38912 ee50cb2cf65b9edd313008b3f01111f3 c:\windows\$NtServicePackUninstall$\userinit.exe
     2004-08-04 02:56 41472 f52e85185c89192e3a8337c73f7869e1 c:\windows\ServicePackFiles\i386\userinit.exe
     2008-04-13 18:12 43008 aef39fdc78b1b8c32e4a6bd7f7e94b6b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
     2004-08-04 02:56 41472 636e5a0a2ba5882230e9c11f2bee561a c:\windows\system32\userinit.exe
     .
     (((((((((((((((((((((((((((((   SnapShot@2009-02-05_20.13.29.25   )))))))))))))))))))))))))))))))))))))))))
     .
     - 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
     + 2005-10-21 02:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
     - 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
     + 2005-10-21 02:02:28 183,808 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
     - 2009-02-06 02:11:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
     + 2009-02-07 00:46:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
     - 2009-02-06 02:11:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2009-02-07 00:46:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2009-02-06 02:11:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2009-02-07 00:46:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     .
     (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-24 1850608]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]
     "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 208896]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
     "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
     "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-01-02 09:39 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

     R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-30 28544]
     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-28 8944]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-28 55024]
     R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-08-29 170640]
     R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-15 36368]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-08-29 15504]
     R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
     S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-08-31 52240]
     S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-31 648456]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\rxtstq7s.default\
     FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
     .

     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-02-06 18:47:12
     Windows 5.1.2600 Service Pack 2 NTFS

     detected NTDLL code modification:
     ZwOpenFile

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(372)
     c:\program files\SUPERAntiSpyware\SASWINLO.DLL
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
     .
     **************************************************************************
     .
     Completion time: 2009-02-06 18:49:01 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-02-07 00:48:51
     ComboFix2.txt 2009-02-07 00:39:55
     ComboFix3.txt 2009-02-07 00:06:00
     ComboFix4.txt 2009-02-06 02:14:25

     Pre-Run: 11,638,607,872 bytes free
     Post-Run: 11,626,938,368 bytes free

     141 --- E O F --- 2009-01-14 19:09:11

     Malwarebytes' Anti-Malware 1.33
     Database version: 1654
     Windows 5.1.2600 Service Pack 2

     2/6/2009 6:53:46 PM
     mbam-log-2009-02-06 (18-53-46).txt

     Scan type: Quick Scan
     Objects scanned: 45066
     Time elapsed: 1 minute(s), 32 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. I followed the instructions and ComboFix is hanging. The first time it ran for about an hour, and I ended up doing a hard reboot. I double-checked that I'd copied the text exactly and that all anti-virus and anti-malware software was deactivated. I dragged the cfscript file onto ComboFix.exe about two hours ago and it's still running - never gets past saying that it typically takes 10 minutes, but scan times for infected machines may double. I can't do anything else but a hard reboot, Ctrl+Alt+Del included. I don't know if this is relevant, but the instructions said to allow the restore, which I couldn't do because I had disconnected the internet (and wouldn't have worked even if it wasn't disconnected since MSAS has blocked my access). Please let me know what I should try next. Thanks, Mike
  5. Hi, I've been battling MSAS 2009 with multiple products for several days to no avail. There are several regkeys (e.g. HKCU/Software/CrucialSoft Ltd) that I cannot delete. I have even explicitly set permissions on the keys, but I still can't remove them. I cannot access the internet. Trend Micro is also posting warnings that ctfmon.exe and explorer.exe have been blocked due to "Program Library Injection." After reading posts where people had similar symptoms, I ran ComboFix.exe. I've attached the log from CF as well as HijackThis. Thanks in advance for your help. Mike

     ComboFix 09-02-05.01 - User 2009-02-05 20:07:50.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.665 [GMT -6:00]
     Running from: c:\documents and settings\User\Desktop\ComboFix.exe
     AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)
      * Created a new restore point

     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .

     (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\windows\system32\404Fix.exe
     c:\windows\system32\Agent.OMZ.Fix.exe
     c:\windows\system32\config\systemprofile\Application Data\rhcnd4j0etdg
     c:\windows\system32\dumphive.exe
     c:\windows\system32\IEDFix.C.ex
     c:\windows\system32\IEDFix.exe
     c:\windows\system32\o4Patch.exe
     c:\windows\system32\Process.exe
     c:\windows\system32\SrchSTS.exe
     c:\windows\system32\tmp.reg
     c:\windows\system32\VACFix.exe
     c:\windows\system32\VCCLSID.exe
     c:\windows\Temp\1454879362.exe
     c:\windows\wiaserviv.log

     .
     (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     -------\Legacy_TCPSR
     -------\Legacy_TDSSSERV.SYS
     -------\Service_Passthru


     (((((((((((((((((((((((((   Files Created from 2009-01-06 to 2009-02-06  )))))))))))))))))))))))))))))))
     .

     2009-02-03 21:44 . 2009-02-03 21:44 66,560 ---h----- c:\windows\system32\secupdat.dat
     2009-01-07 08:50 . 2008-09-04 10:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
     2009-01-07 08:50 . 2008-10-24 05:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
     2009-01-07 08:50 . 2008-10-03 04:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

     .
     ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-02-05 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
     2009-02-04 06:58 --------- d-----w c:\documents and settings\User\Application Data\MxBoost
     2009-02-04 03:42 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-01-27 13:22 --------- d-----w c:\program files\World of Warcraft
     2009-01-24 14:18 --------- d-----w c:\program files\SUPERAntiSpyware
     2009-01-14 22:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-01-14 22:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-01-05 10:55 --------- d-----w c:\program files\Google
     2008-12-17 04:11 --------- d-----w c:\program files\Spybot - Search & Destroy
     2008-12-17 04:08 61,440 ----a-w c:\windows\system32\drivers\jqnjsum.sys
     2008-12-17 04:08 1,088 ----a-w c:\program files\dvvxzq.txt
     2008-12-17 03:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2008-12-16 04:14 --------- d-----w c:\program files\Maxthon2
     2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
     .

     ------- Sigcheck -------

     2002-09-03 13:57 29696 7cdcd4f11d3bed9054a1da40b9668497 c:\windows\$NtServicePackUninstall$\svchost.exe
     2004-08-04 02:56 31232 21b60f5bc1519245d587a6d0bca03fd2 c:\windows\ServicePackFiles\i386\svchost.exe
     2008-04-13 18:12 31232 3d1edaa9965550238f62c7b88a12ba2b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
     2004-08-04 02:56 31232 afbc35b52a82d7f927ea2e8243857133 c:\windows\system32\svchost.exe

     2004-08-04 02:56 1049088 a8f3fdfaa52b1680aa2fe7aa12fc0985 c:\windows\explorer.exe
     2002-09-03 13:37 1020928 eb08474ae5819caca2be9457295f392b c:\windows\$NtServicePackUninstall$\explorer.exe
     2004-08-04 02:56 1049088 6d069a0fc30a2e7d3374ef81386ba9e2 c:\windows\ServicePackFiles\i386\explorer.exe
     2008-04-13 18:12 1050624 0c3fcb3f725024cccb4a2e67878eedc1 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

     2002-09-03 13:35 30208 98e3f3e8cbcd1e5781063accaf0fe570 c:\windows\$NtServicePackUninstall$\ctfmon.exe
     2004-08-04 02:56 32256 cef733a2d6df2bab6c209153b25e45ad c:\windows\ServicePackFiles\i386\ctfmon.exe
     2008-04-13 18:12 32256 3d50d7ed139a991037df7e01bb24299f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
     2004-08-04 02:56 32256 8c49f0a46851c9e3111537944c5cc3ac c:\windows\system32\ctfmon.exe

     2002-09-03 13:57 68096 79a99d94fe1d87f6312ba3548f887e75 c:\windows\$NtServicePackUninstall$\spoolsv.exe
     2004-08-04 02:56 74752 c5fec661b03987349c98423a78279f48 c:\windows\ServicePackFiles\i386\spoolsv.exe
     2008-04-13 18:12 74752 4be76bc14f7b33fef4a3843038184dc7 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
     2004-08-04 02:56 74752 ed401ec29d24726c76b4971b06703788 c:\windows\system32\spoolsv.exe

     2002-09-03 14:00 38912 ee50cb2cf65b9edd313008b3f01111f3 c:\windows\$NtServicePackUninstall$\userinit.exe
     2004-08-04 02:56 41472 f52e85185c89192e3a8337c73f7869e1 c:\windows\ServicePackFiles\i386\userinit.exe
     2008-04-13 18:12 43008 aef39fdc78b1b8c32e4a6bd7f7e94b6b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
     2004-08-04 02:56 41472 636e5a0a2ba5882230e9c11f2bee561a c:\windows\system32\userinit.exe
     .
     (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-24 1850608]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]
     "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 208896]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
     "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
     "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-01-02 09:39 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cgl72.sys]
     @="Driver"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lqu04.sys]
     @="Driver"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mrv72.sys]
     @="Driver"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

     R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-30 28544]
     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-28 8944]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-28 55024]
     R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-08-29 170640]
     R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-08-31 52240]
     R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-15 36368]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-08-29 15504]
     R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
     R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-31 648456]
     S0 Cgl72;Cgl72;c:\windows\system32\Drivers\Cgl72.sys --> c:\windows\system32\Drivers\Cgl72.sys [?]
     S0 Lqu04;Lqu04;c:\windows\system32\Drivers\Lqu04.sys --> c:\windows\system32\Drivers\Lqu04.sys [?]
     S0 Mrv72;Mrv72;c:\windows\system32\Drivers\Mrv72.sys --> c:\windows\system32\Drivers\Mrv72.sys [?]
     .
     - - - - ORPHANS REMOVED - - - -

     HKCU-Run-windpipe - c:\documents and settings\User\Application Data\Google\fhexj6825097.exe
     HKU-Default-Run-tjytqotn.exe - c:\windows\tjytqotn.exe
     SafeBoot-ecofdjtt.sys

     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\rxtstq7s.default\
     FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
     .

     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-02-05 20:12:37
     Windows 5.1.2600 Service Pack 2 NTFS

     detected NTDLL code modification:
     ZwOpenFile

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-3458104535-1627790608-1016251302-1003\Software\CrucialSoft Ltd\MS AntiSpyware 2009\5.7]
     @DACL=(02 0000)
     "Start Counter"=dword:00000001
     "InstallTime"=hex:a5,9d,86,a8,f1,74,e3,40

     [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
     @DACL=(02 0000)
     "Installed"="1"
     @=""

     [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
     @DACL=(02 0000)
     "NoChange"="1"
     "Installed"="1"
     @=""

     [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
     @DACL=(02 0000)
     "Installed"="1"
     @=""
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(372)
     c:\program files\SUPERAntiSpyware\SASWINLO.DLL
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
     c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
     c:\program files\Trend Micro\BM\TMBMSRV.exe
     .
     **************************************************************************
     .
     Completion time: 2009-02-05 20:14:24 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-02-06 02:14:20

     Pre-Run: 11,741,511,680 bytes free
     Post-Run: 11,737,538,560 bytes free

     180 --- E O F --- 2009-01-14 19:09:11

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 20:18:57, on 2/5/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.5730.0013)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
     C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\explorer.exe
     C:\WINDOWS\system32\notepad.exe
     C:\Documents and Settings\User\Desktop\HiJackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
     O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
     O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
     O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
     O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

     --
     End of file - 4108 bytes
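The ComboFix log in the post above carries the entries that actually pointed at the infection: a Run value whose target is a random-named .exe under Application Data (HKCU-Run-windpipe), an .exe dropped straight into the Windows directory (tjytqotn.exe), and three boot-start drivers registered under SafeBoot\Minimal whose files ComboFix could not find (Cgl72.sys, Lqu04.sys, Mrv72.sys). The Python script below is an added example, not part of the thread and not a tool any of the posters used: it parses lines in the ComboFix and HijackThis formats shown on this page and scores each autostart or driver entry on three cheap signals (random-looking file name, unusual location, registered driver with no backing file). The sample lines are copied from the logs in this post and labelled as constructed input; the regexes, point weights and threshold are this example's own choices.

```python
import re

# Constructed sample input: autostart and driver lines copied from the ComboFix
# and HijackThis logs posted in this thread (names and paths as they were logged).
SAMPLE_LINES = [
    # HijackThis O4 entries
    r'O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit',
    r'O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"',
    r'O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    # ComboFix "Reg Loading Points" value
    r'"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 208896]',
    # ComboFix "ORPHANS REMOVED" Run values
    r'HKCU-Run-windpipe - c:\documents and settings\User\Application Data\Google\fhexj6825097.exe',
    r'HKU-Default-Run-tjytqotn.exe - c:\windows\tjytqotn.exe',
    # ComboFix driver entries: S0 = boot start, "[?]" = ComboFix could not find the file
    r'R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-30 28544]',
    r'S0 Cgl72;Cgl72;c:\windows\system32\Drivers\Cgl72.sys --> c:\windows\system32\Drivers\Cgl72.sys [?]',
    r'S0 Lqu04;Lqu04;c:\windows\system32\Drivers\Lqu04.sys --> c:\windows\system32\Drivers\Lqu04.sys [?]',
    r'S0 Mrv72;Mrv72;c:\windows\system32\Drivers\Mrv72.sys --> c:\windows\system32\Drivers\Mrv72.sys [?]',
]

# First drive-letter path ending in a PE extension; skips "RUNDLL32.EXE", quotes and trailing args.
PATH_RE = re.compile(r'([a-z]:\\[^,"]+?\.(?:exe|dll|sys))', re.I)
HJT_O4 = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$')
CF_RUN = re.compile(r'^"(.+?)"="(.+?)" \[')
CF_ORPHAN = re.compile(r'^(HK[\w-]+?)-Run-(\S+) - (.+)$')
CF_DRIVER = re.compile(r'^([RS]\d) (\S+?);(.+?);(.+?)(?: --> (.+?))? \[(.+?)\]$')

VOWELS = set('aeiou')


def parse(line):
    """Return (kind, name, path, file_missing) or None for lines this example does not model."""
    m = HJT_O4.match(line)
    if m:
        p = PATH_RE.search(m.group(3))
        return 'run', m.group(2), (p.group(1) if p else m.group(3)), False
    m = CF_RUN.match(line)
    if m:
        return 'run', m.group(1), m.group(2), False
    m = CF_ORPHAN.match(line)
    if m:
        return 'run', m.group(2), m.group(3), False
    m = CF_DRIVER.match(line)
    if m:
        return 'driver', m.group(2), m.group(4), m.group(6) == '?'
    return None


def looks_random(filename):
    """Crude generated-name test on the file stem: >= 4 digits, or a run of >= 5
    consonants (y counted as a consonant). One signal only, never a verdict."""
    stem = filename.rsplit('.', 1)[0].lower()
    if sum(ch.isdigit() for ch in stem) >= 4:
        return True
    run = longest = 0
    for ch in stem:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return longest >= 5


def odd_location(path):
    """Reason string when the binary lives where autostart binaries rarely do."""
    p = path.lower()
    if '\\documents and settings\\' in p or '\\temp\\' in p:
        return 'runs from a user profile or temp directory'
    if re.match(r'^[a-z]:\\windows\\[^\\]+$', p):
        return 'file dropped directly in the Windows directory'
    return None


def triage(lines, threshold=2):
    """Score every parsed entry; return those at or above threshold with their reasons."""
    flagged = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        kind, name, path, missing = entry
        points, reasons = 0, []
        if looks_random(path.rsplit('\\', 1)[-1]):
            points += 1
            reasons.append('random-looking file name')
        where = odd_location(path)
        if where:
            points += 1
            reasons.append(where)
        if missing:
            points += 2
            reasons.append('registered driver whose file is not on disk')
        if points >= threshold:
            flagged.append({'kind': kind, 'name': name, 'path': path,
                            'score': points, 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for hit in triage(SAMPLE_LINES):
        print('%-7s %-14s %d  %s' % (hit['kind'], hit['name'], hit['score'], '; '.join(hit['reasons'])))
        print('        ' + hit['path'])
```

On the sample it reports exactly the five entries named above and nothing else. The name heuristic is deliberately weak: hpztsb07.exe (an HP print utility) and NvMcTray.dll each earn a point for their consonant-heavy names and stay under the threshold only because they live under system32, which is why the location and missing-file signals carry the decision. Real triage would confirm a hit with the binary's publisher signature and hash, the way ComboFix's Sigcheck section does for the core Windows executables.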
  6. Hi, I got the full version of MBAM, plus SuperAntiSpyware and Spybot S&D. After much trouble, I hope I've eradicated it. Attached are the MBAM, Panda, and HJT logs. Thanks in advance, Mike

Malwarebytes' Anti-Malware 1.25
Database version: 1096
Windows 5.1.2600 Service Pack 2

6:05:09 PM 8/30/2008
mbam-log-08-30-2008 (18-05-09).txt

Scan type: Quick Scan
Objects scanned: 34729
Time elapsed: 1 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

;*******************************************************************************
ANALYSIS: 2008-08-30 18:46:38
PROTECTIONS: 2    MALWARE: 5    SUSPECTS: 0
;*******************************************************************************

PROTECTIONS
Description                              Version    Active    Updated
;===============================================================================
McAfee Internet Security Suite 2007      8.1        No        Yes
McAfee VirusScan Plus                    12.1       No        No
;===============================================================================

MALWARE
Id        Description            Type             Active  Severity  Disinfectable  Disinfected  Location
;===============================================================================
00167642  Cookie/Com.com         TrackingCookie   No      0         Yes            No           C:\Documents and Settings\User\Cookies\user@com[1].txt
00194327  Cookie/Go              TrackingCookie   No      0         Yes            No           C:\Documents and Settings\User\Cookies\user@go[2].txt
00199984  Cookie/Searchportal    TrackingCookie   No      0         Yes            No           C:\Documents and Settings\User\Cookies\user@searchportal.information[2].txt
00207338  Cookie/Target          TrackingCookie   No      0         Yes            No           C:\Documents and Settings\User\Cookies\user@target[1].txt
00207862  Cookie/did-it          TrackingCookie   No      0         Yes            No           C:\Documents and Settings\User\Cookies\user@did-it[1].txt
;===============================================================================

SUSPECTS
Sent      Location
;===============================================================================
;===============================================================================

VULNERABILITIES
Id        Severity  Description
;===============================================================================
184380    MEDIUM    MS08-002
184379    MEDIUM    MS08-001
182048    HIGH      MS07-069
182046    HIGH      MS07-067
182043    HIGH      MS07-064
179553    HIGH      MS07-061
176382    HIGH      MS07-057
176383    HIGH      MS07-058
170911    HIGH      MS07-050
170907    HIGH      MS07-046
170906    HIGH      MS07-045
170904    HIGH      MS07-043
164915    HIGH      MS07-035
164913    HIGH      MS07-033
164911    HIGH      MS07-031
160623    HIGH      MS07-027
157262    HIGH      MS07-022
157261    HIGH      MS07-021
157260    HIGH      MS07-020
157259    HIGH      MS07-019
156477    HIGH      MS07-017
150253    HIGH      MS07-016
150249    HIGH      MS07-013
150248    HIGH      MS07-012
150247    HIGH      MS07-011
150243    HIGH      MS07-008
150242    HIGH      MS07-007
150241    MEDIUM    MS07-006
141034    HIGH      MS06-076
141033    MEDIUM    MS06-075
141030    HIGH      MS06-072
137571    HIGH      MS06-070
137568    HIGH      MS06-067
133387    MEDIUM    MS06-065
133386    MEDIUM    MS06-064
133385    MEDIUM    MS06-063
133379    HIGH      MS06-057
131654    HIGH      MS06-055
129977    MEDIUM    MS06-053
129976    MEDIUM    MS06-052
126093    HIGH      MS06-051
126092    MEDIUM    MS06-050
126087    HIGH      MS06-046
126086    MEDIUM    MS06-045
126083    HIGH      MS06-042
126082    HIGH      MS06-041
126081    HIGH      MS06-040
123421    HIGH      MS06-036
123420    HIGH      MS06-035
120825    MEDIUM    MS06-032
120823    MEDIUM    MS06-030
120818    HIGH      MS06-025
120815    HIGH      MS06-022
120814    HIGH      MS06-021
117384    MEDIUM    MS06-018
114666    HIGH      MS06-015
114664    HIGH      MS06-013
108744    MEDIUM    MS06-008
108743    MEDIUM    MS06-007
108742    MEDIUM    MS06-006
104567    HIGH      MS06-002
104237    HIGH      MS06-001
96574     HIGH      MS05-053
93395     HIGH      MS05-051
93394     HIGH      MS05-050
93454     MEDIUM    MS05-049
;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:13 PM, on 8/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

-- End of file - 5077 bytes
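Added example, not code from the poster and not part of Trend Micro's HijackThis: a small Python triage pass over HJT log lines of the shape shown in the posts above. It assumes only the line formats visible in those logs (a "Running processes:" list, then "Onn - ..." entries where O2/O3/O9 carry a CLSID in braces, O4 carries "[value] command", and O23 carries "Service: Name (short) - Vendor - path"). The sample log is constructed from a subset of the entries above plus two invented lines (the Temp-folder O4 and the "Unknown owner" O23) so the flagging rules have something to catch; the rules themselves are a heuristic of mine, not HJT's.

```python
"""Parse and triage a HijackThis v2 log (added example, not HJT's own code).

Assumes only the line shapes visible in the posted logs. The 'suspicious'
rules are a heuristic of mine: autostarts living under user-writable paths,
and services whose vendor field is missing or 'Unknown owner'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$"
)
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<value>[^\]]*)\] (?P<command>.+)$")

# Locations a limited user can write to; an autostart pointing here deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")


@dataclass
class Entry:
    kind: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None     # image path, command line or URL, as given
    vendor: Optional[str] = None   # O23 only


def parse_hjt(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a log into its running-process list and its Rn/Onn entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(_parse_entry(m["kind"], m["body"]))
        elif in_processes:
            processes.append(line)
    return processes, entries


def _parse_entry(kind: str, body: str) -> Entry:
    e = Entry(kind=kind, body=body)
    c = CLSID_RE.search(body)
    if c:
        e.clsid = c.group(0).upper()
    if kind == "O23":
        s = SERVICE_RE.match(body)
        if s:
            e.vendor, e.path = s["vendor"], s["path"]
    elif kind == "O4":
        s = O4_RE.match(body)
        if s:
            e.path = s["command"]
        elif " = " in body:                      # 'Global Startup: x.lnk = path'
            e.path = body.split(" = ", 1)[1]
    elif kind in ("O2", "O3", "O9", "O16", "O20"):
        e.path = body.rsplit(" - ", 1)[-1]        # last field is the DLL/EXE/URL
    return e


def suspicious(e: Entry) -> bool:
    p = (e.path or "").lower()
    if any(marker in p for marker in USER_WRITABLE):
        return True
    # 'Unknown owner' is what HJT prints for a service binary with no company
    # name in its version info (assumption on my part).
    if e.kind == "O23" and (e.vendor is None or e.vendor == "Unknown owner"):
        return True
    return False


def summarize(text: str) -> dict:
    processes, entries = parse_hjt(text)
    return {
        "processes": len(processes),
        "by_kind": dict(Counter(e.kind for e in entries)),
        "flagged": [f"{e.kind} - {e.body}" for e in entries if suspicious(e)],
    }


# Constructed sample: entries copied from the posted log, plus the 'updater'
# O4 and the 'Helper' O23 lines, which are invented to exercise the rules.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:13 PM, on 8/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Documents and Settings\User\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Helper (helpersvc) - Unknown owner - C:\WINDOWS\system32\helpersvc.exe
-- End of file - 5077 bytes
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

The point of splitting the path out of each entry is that the decision a helper makes on an HJT log is almost always about where the image lives and who signed it, not about the registry hive the entry was found in; once the fields are separated, the same two rules can be applied to every autostart type without reading the log line by line.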