
yet another uacinit.dll not removing on reboot



Greetings fellow geeks, I am not worthy of your malware killing powers, but will be grateful nonetheless!

I'm an advanced user, super-careful with what I let in, etc., but I think my little brother was duped by a fake flashy spyware warning :)

Main symptoms are 'Google installer needs to close' popping up every 10 minutes, iexplore running audio ads in the background (I dig U2 and BlackBerry, but not when a virus is involved), it blocks McAfee, and a few Google redirects, among other things.

The Microsoft error report said it was caused by google/uacd.sys, and I've been trawling this forum for solutions for days; it seemed to be the TDSS rootkit. So I eventually got MBAM to scan, which confirmed it and seemingly removed it, but it won't remove uacinit.dll after the reboot, so the Google installer errors continue. I've also done RootRepeal, and the log doesn't seem to include the strings listed in this post: http://www.malwarebytes.org/forums/index.php?showtopic=12709.

The other posts seem to suggest posting logs and getting specific help with ComboFix etc. beyond this point, and I'm really wary of fiddling with the registry. So without further waffle, here are the logs:

Latest MBAM log, post kicking TDSS ass:

Malwarebytes' Anti-Malware 1.40

Database version: 2567

Windows 5.1.2600 Service Pack 3 (Safe Mode)

06/08/2009 14:04:49

mbam-log-2009-08-06 (14-04-49).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 406154

Time elapsed: 1 hour(s), 28 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Root Repeal log:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/06 01:33

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name:

Image Path:

Address: 0xF75FA000 Size: 96512 File Visible: No Signed: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF7660000 Size: 187776 File Visible: - Signed: -

Status: -

Name: agp440.sys

Image Path: agp440.sys

Address: 0xF772F000 Size: 42368 File Visible: - Signed: -

Status: -

Name: eeCtrl.sys

Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

Address: 0xF2F00000 Size: 393216 File Visible: - Signed: -

Status: -

Name: nvoclock.sys

Image Path: C:\WINDOWS\nvoclock.sys

Address: 0xF7C59000 Size: 6912 File Visible: - Signed: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF7ABF000 Size: 12288 File Visible: - Signed: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xF30F6000 Size: 138496 File Visible: - Signed: -

Status: -

Name: AFS2K.SYS

Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS

Address: 0xF6CE5000 Size: 35840 File Visible: - Signed: -

Status: -

Name: aspi32.sys

Image Path: C:\WINDOWS\System32\drivers\aspi32.sys

Address: 0xF796F000 Size: 16512 File Visible: - Signed: -

Status: -

Name: audstub.sys

Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys

Address: 0xF7D0D000 Size: 3072 File Visible: - Signed: -

Status: -

Name: BANTExt.sys

Image Path: C:\WINDOWS\System32\Drivers\BANTExt.sys

Address: 0xF7D27000 Size: 2144 File Visible: - Signed: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF7C2F000 Size: 4224 File Visible: - Signed: -

Status: -

Name: BthEnum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\BthEnum.sys

Address: 0xF7A77000 Size: 17024 File Visible: - Signed: -

Status: -

Name: bthmodem.sys

Image Path: C:\WINDOWS\system32\DRIVERS\bthmodem.sys

Address: 0xF785F000 Size: 37888 File Visible: - Signed: -

Status: -

Name: bthpan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\bthpan.sys

Address: 0xF2E44000 Size: 101120 File Visible: - Signed: -

Status: -

Name: bthport.sys

Image Path: C:\WINDOWS\System32\Drivers\bthport.sys

Address: 0xF323E000 Size: 274432 File Visible: - Signed: -

Status: -

Name: BTHUSB.sys

Image Path: C:\WINDOWS\System32\Drivers\BTHUSB.sys

Address: 0xF7A47000 Size: 18944 File Visible: - Signed: -

Status: -

Name: Cdr4_xp.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS

Address: 0xF7DF9000 Size: 2432 File Visible: - Signed: -

Status: -

Name: Cdralw2k.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS

Address: 0xF7DFA000 Size: 2560 File Visible: - Signed: -

Status: -

Name: cdrbsvsd.SYS

Image Path: C:\WINDOWS\System32\Drivers\cdrbsvsd.SYS

Address: 0xF7B57000 Size: 12736 File Visible: - Signed: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Address: 0xF6CD5000 Size: 62976 File Visible: - Signed: -

Status: -

Name: cdudf_xp.SYS

Image Path: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS

Address: 0xF32F4000 Size: 241280 File Visible: - Signed: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Address: 0xF76FF000 Size: 53248 File Visible: - Signed: -

Status: -

Name: ctoss2k.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ctoss2k.sys

Address: 0xF630D000 Size: 178400 File Visible: - Signed: -

Status: -

Name: ctsfm2k.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys

Address: 0xF570F000 Size: 129920 File Visible: - Signed: -

Status: -

Name: drmk.sys

Image Path: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xF78FF000 Size: 61440 File Visible: - Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF2E1B000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7C6F000 Size: 8192 File Visible: No Signed: -

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xF32BA000 Size: 12288 File Visible: - Signed: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF000000 Size: 73728 File Visible: - Signed: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7DC5000 Size: 4096 File Visible: - Signed: -

Status: -

Name: e100b325.sys

Image Path: C:\WINDOWS\System32\DRIVERS\e100b325.sys

Address: 0xF56EC000 Size: 139776 File Visible: - Signed: -

Status: -

Name: enodpl.sys

Image Path: C:\WINDOWS\System32\drivers\enodpl.sys

Address: 0xF7BF9000 Size: 7552 File Visible: - Signed: -

Status: -

Name: Fastfat.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xF3281000 Size: 143744 File Visible: - Signed: -

Status: -

Name: fdc.sys

Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys

Address: 0xF799F000 Size: 27392 File Visible: - Signed: -

Status: -

Name: Fips.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xF77FF000 Size: 44544 File Visible: - Signed: -

Status: -

Name: flpydisk.sys

Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys

Address: 0xF79FF000 Size: 20480 File Visible: - Signed: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF7C2D000 Size: 7936 File Visible: - Signed: -

Status: -

Name: gameenum.sys

Image Path: C:\WINDOWS\System32\DRIVERS\gameenum.sys

Address: 0xF7B4F000 Size: 10624 File Visible: - Signed: -

Status: -

Name: GEARAspiWDM.sys

Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys

Address: 0xF7B5B000 Size: 9984 File Visible: - Signed: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF780F000 Size: 36864 File Visible: - Signed: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS

Address: 0xF7A0F000 Size: 28672 File Visible: - Signed: -

Status: -

Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xF3353000 Size: 10368 File Visible: - Signed: -

Status: -

Name: HPZid412.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HPZid412.sys

Address: 0xF783F000 Size: 50688 File Visible: - Signed: -

Status: -

Name: HPZipr12.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HPZipr12.sys

Address: 0xF32D6000 Size: 15840 File Visible: - Signed: -

Status: -

Name: HPZius12.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HPZius12.sys

Address: 0xF7A6F000 Size: 22240 File Visible: - Signed: -

Status: -

Name: HSF_CNXT.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys

Address: 0xF5531000 Size: 561600 File Visible: - Signed: -

Status: -

Name: HSF_DP.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_DP.sys

Address: 0xF55BB000 Size: 1090304 File Visible: - Signed: -

Status: -

Name: HSF_FALL.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys

Address: 0xBA23C000 Size: 289856 File Visible: - Signed: -

Status: -

Name: HSF_FAXX.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys

Address: 0xB9BEC000 Size: 199680 File Visible: - Signed: -

Status: -

Name: HSF_FSKS.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys

Address: 0xBA21F000 Size: 115776 File Visible: - Signed: -

Status: -

Name: HSF_K56K.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys

Address: 0xBA197000 Size: 391168 File Visible: - Signed: -

Status: -

Name: HSF_SPKP.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_SPKP.sys

Address: 0xB9BDA000 Size: 73248 File Visible: - Signed: -

Status: -

Name: HSF_TONE.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys

Address: 0xB9CCD000 Size: 50720 File Visible: - Signed: -

Status: -

Name: HSF_V124.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSF_V124.sys

Address: 0xB9B3A000 Size: 488352 File Visible: - Signed: -

Status: -

Name: HSFHWBS2.sys

Image Path: C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys

Address: 0xF56C6000 Size: 152672 File Visible: - Signed: -

Status: -

Name: HTTP.sys

Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xB9687000 Size: 264832 File Visible: - Signed: -

Status: -

Name: i2omgmt.SYS

Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS

Address: 0xF7434000 Size: 8576 File Visible: - Signed: -

Status: -

Name: i8042prt.sys

Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys

Address: 0xF790F000 Size: 52480 File Visible: - Signed: -

Status: -

Name: Imapi.sys

Image Path: C:\WINDOWS\system32\drivers\Imapi.sys

Address: 0xF6CB5000 Size: 42112 File Visible: - Signed: -

Status: -

Name: intelppm.sys

Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys

Address: 0xF78EF000 Size: 36352 File Visible: - Signed: -

Status: -

Name: ipfltdrv.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys

Address: 0xF77AF000 Size: 32896 File Visible: - Signed: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys

Address: 0xF3140000 Size: 152832 File Visible: - Signed: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys

Address: 0xF31E6000 Size: 75264 File Visible: - Signed: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys

Address: 0xF79A7000 Size: 24576 File Visible: - Signed: -

Status: -

Name: kmixer.sys

Image Path: C:\WINDOWS\system32\drivers\kmixer.sys

Address: 0xB94E4000 Size: 172416 File Visible: - Signed: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\drivers\ks.sys

Address: 0xF635D000 Size: 143360 File Visible: - Signed: -

Status: -

Name: MASPINT.SYS

Image Path: C:\WINDOWS\System32\Drivers\MASPINT.SYS

Address: 0xF7C09000 Size: 8096 File Visible: - Signed: -

Status: -

Name: mchInjDrv.sys

Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys

Address: 0xF7DC1000 Size: 2560 File Visible: No Signed: -

Status: -

Name: mdmxsdk.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys

Address: 0xBA081000 Size: 8768 File Visible: - Signed: -

Status: -

Name: mfeavfk.sys

Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys

Address: 0xB9790000 Size: 73152 File Visible: - Signed: -

Status: -

Name: mfebopk.sys

Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys

Address: 0xF7A9F000 Size: 28544 File Visible: - Signed: -

Status: -

Name: mfehidk.sys

Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys

Address: 0xF2F60000 Size: 207296 File Visible: - Signed: -

Status: -

Name: mfesmfk.sys

Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys

Address: 0xB98AA000 Size: 33824 File Visible: - Signed: -

Status: -

Name: mmc_2K.SYS

Image Path: C:\WINDOWS\System32\Drivers\mmc_2K.SYS

Address: 0xF79F7000 Size: 22720 File Visible: - Signed: -

Status: -

Name: mnmdd.SYS

Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xF7C31000 Size: 4224 File Visible: - Signed: -

Status: -

Name: Modem.SYS

Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS

Address: 0xF7997000 Size: 30080 File Visible: - Signed: -

Status: -

Name: MODEMCSA.sys

Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys

Address: 0xF7B9F000 Size: 16128 File Visible: - Signed: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys

Address: 0xF79B7000 Size: 23040 File Visible: - Signed: -

Status: -

Name: mouhid.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys

Address: 0xF32DE000 Size: 12160 File Visible: - Signed: -

Status: -

Name: Mpfp.sys

Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys

Address: 0xF3166000 Size: 159744 File Visible: - Signed: -

Status: -

Name: mrxdav.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys

Address: 0xBA373000 Size: 180608 File Visible: - Signed: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys

Address: 0xF2F93000 Size: 455296 File Visible: - Signed: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF7A27000 Size: 19072 File Visible: - Signed: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys

Address: 0xF6C65000 Size: 35072 File Visible: - Signed: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys

Address: 0xF7B7F000 Size: 15488 File Visible: - Signed: -

Status: -

Name: MxlW2k.SYS

Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS

Address: 0xF79BF000 Size: 25600 File Visible: - Signed: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys

Address: 0xF7B67000 Size: 10112 File Visible: - Signed: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys

Address: 0xBA6AC000 Size: 14592 File Visible: - Signed: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys

Address: 0xF54E6000 Size: 91520 File Visible: - Signed: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF775F000 Size: 40576 File Visible: - Signed: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys

Address: 0xF77BF000 Size: 34688 File Visible: - Signed: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys

Address: 0xF3118000 Size: 162816 File Visible: - Signed: -

Status: -

Name: nlmj.sys

Image Path: C:\WINDOWS\system32\drivers\nlmj.sys

Address: 0xF3066000 Size: 61440 File Visible: No Signed: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF7A2F000 Size: 30848 File Visible: - Signed: -

Status: -

Name: NuidFltr.sys

Image Path: C:\WINDOWS\system32\DRIVERS\NuidFltr.sys

Address: 0xF7A5F000 Size: 28672 File Visible: - Signed: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF7DFB000 Size: 2944 File Visible: - Signed: -

Status: -

Name: nv4_mini.sys

Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys

Address: 0xF653D000 Size: 7435392 File Visible: - Signed: -

Status: -

Name: OMCI.SYS

Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS

Address: 0xF335F000 Size: 12864 File Visible: - Signed: -

Status: -

Name: P16X.sys

Image Path: C:\WINDOWS\system32\drivers\P16X.sys

Address: 0xF6380000 Size: 1330048 File Visible: - Signed: -

Status: -

Name: papycpu2.sys

Image Path: C:\WINDOWS\System32\DRIVERS\papycpu2.sys

Address: 0xF7DFC000 Size: 1984 File Visible: - Signed: -

Status: -

Name: papyjoy.sys

Image Path: C:\WINDOWS\System32\DRIVERS\papyjoy.sys

Address: 0xF7DFD000 Size: 1856 File Visible: - Signed: -

Status: -

Name: parport.sys

Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys

Address: 0xF551D000 Size: 80128 File Visible: - Signed: -

Status: -

Name: ParVdm.SYS

Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Address: 0xF7BF5000 Size: 6784 File Visible: - Signed: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS

Address: 0xF792F000 Size: 28672 File Visible: - Signed: -

Status: -

Name: point32.sys

Image Path: C:\WINDOWS\system32\DRIVERS\point32.sys

Address: 0xF79AF000 Size: 21760 File Visible: - Signed: -

Status: -

Name: portcls.sys

Image Path: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xF6339000 Size: 147456 File Visible: - Signed: -

Status: -

Name: PQNTDrv.SYS

Image Path: C:\WINDOWS\System32\Drivers\PQNTDrv.SYS

Address: 0xF7CFA000 Size: 2688 File Visible: - Signed: -

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys

Address: 0xF54D5000 Size: 69120 File Visible: - Signed: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys

Address: 0xF79CF000 Size: 17792 File Visible: - Signed: -

Status: -

Name: pwd_2k.SYS

Image Path: C:\WINDOWS\System32\Drivers\pwd_2k.SYS

Address: 0xF54FD000 Size: 127360 File Visible: - Signed: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys

Address: 0xF7071000 Size: 8832 File Visible: - Signed: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys

Address: 0xF6C95000 Size: 51328 File Visible: - Signed: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys

Address: 0xF6C85000 Size: 41472 File Visible: - Signed: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys

Address: 0xF6C75000 Size: 48384 File Visible: - Signed: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys

Address: 0xF79D7000 Size: 16512 File Visible: - Signed: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys

Address: 0xF302B000 Size: 175744 File Visible: - Signed: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF7C33000 Size: 4224 File Visible: - Signed: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys

Address: 0xF6CC5000 Size: 57600 File Visible: - Signed: -

Status: -

Name: rfcomm.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rfcomm.sys

Address: 0xF784F000 Size: 59136 File Visible: - Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB8E88000 Size: 49152 File Visible: No Signed: -

Status: -

Name: SCSIPORT.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS

Address: 0xF75E2000 Size: 98304 File Visible: - Signed: -

Status: -

Name: secdrv.sys

Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys

Address: 0xB9D0D000 Size: 40960 File Visible: - Signed: -

Status: -

Name: serenum.sys

Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys

Address: 0xF7B53000 Size: 15744 File Visible: - Signed: -

Status: -

Name: serial.sys

Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys

Address: 0xF791F000 Size: 64512 File Visible: - Signed: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys

Address: 0xBA145000 Size: 333952 File Visible: - Signed: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys

Address: 0xF7C07000 Size: 4352 File Visible: - Signed: -

Status: -

Name: sysaudio.sys

Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xB9C8D000 Size: 60800 File Visible: - Signed: -

Status: -

Name: tandpl.sys

Image Path: C:\WINDOWS\System32\drivers\tandpl.sys

Address: 0xF7C75000 Size: 4736 File Visible: - Signed: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys

Address: 0xF318D000 Size: 361600 File Visible: - Signed: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS

Address: 0xF79C7000 Size: 20480 File Visible: - Signed: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys

Address: 0xF6C55000 Size: 40704 File Visible: - Signed: -

Status: -

Name: TMBUS.sys

Image Path: C:\WINDOWS\system32\drivers\TMBUS.sys

Address: 0xF7B6F000 Size: 11200 File Visible: - Signed: -

Status: -

Name: UdfReadr_xp.SYS

Image Path: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS

Address: 0xF320B000 Size: 206464 File Visible: - Signed: -

Status: -

Name: Udfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Udfs.SYS

Address: 0xF2E33000 Size: 66048 File Visible: - Signed: -

Status: -

Name: update.sys

Image Path: C:\WINDOWS\System32\DRIVERS\update.sys

Address: 0xF5477000 Size: 384768 File Visible: - Signed: -

Status: -

Name: usbccgp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbccgp.sys

Address: 0xF7A57000 Size: 32128 File Visible: - Signed: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS

Address: 0xF7C23000 Size: 8192 File Visible: - Signed: -

Status: -

Name: usbehci.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Address: 0xF7987000 Size: 30208 File Visible: - Signed: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys

Address: 0xF776F000 Size: 59520 File Visible: - Signed: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS

Address: 0xF6506000 Size: 143360 File Visible: - Signed: -

Status: -

Name: usbprint.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys

Address: 0xF7A67000 Size: 25856 File Visible: - Signed: -

Status: -

Name: usbscan.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbscan.sys

Address: 0xF32DA000 Size: 15104 File Visible: - Signed: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys

Address: 0xF797F000 Size: 20608 File Visible: - Signed: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF7A17000 Size: 20992 File Visible: - Signed: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS

Address: 0xF6529000 Size: 81920 File Visible: - Signed: -

Status: -

Name: wanarp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys

Address: 0xF779F000 Size: 34560 File Visible: - Signed: -

Status: -

Name: Wdf01000.sys

Image Path: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

Address: 0xF2E5D000 Size: 503808 File Visible: - Signed: -

Status: -

Name: WDFLDR.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS

Address: 0xF782F000 Size: 53248 File Visible: - Signed: -

Status: -

Name: wdmaud.sys

Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xB9532000 Size: 83072 File Visible: - Signed: -

Status: -

Name: WmBEnum.sys

Image Path: C:\WINDOWS\system32\drivers\WmBEnum.sys

Address: 0xF7B83000 Size: 11136 File Visible: - Signed: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS

Address: 0xF7BB1000 Size: 8192 File Visible: - Signed: -

Status: -

Name: WmXlCore.sys

Image Path: C:\WINDOWS\system32\drivers\WmXlCore.sys

Address: 0xF774F000 Size: 46208 File Visible: - Signed: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806EE000 Size: 131840 File Visible: - Signed: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF7BAF000 Size: 8192 File Visible: - Signed: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: nv4_disp.dll

Image Path: C:\WINDOWS\System32\nv4_disp.dll

Address: 0xBF012000 Size: 5775360 File Visible: - Signed: -

Status: -

Name: PfModNT.sys

Image Path: C:\WINDOWS\System32\PfModNT.sys

Address: 0xF7C21000 Size: 6240 File Visible: - Signed: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF7A7F000 Size: 20480 File Visible: - Signed: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF76EF000 Size: 36352 File Visible: - Signed: -

Status: -

Name: fltmgr.sys

Image Path: fltmgr.sys

Address: 0xF75C2000 Size: 129792 File Visible: - Signed: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF7612000 Size: 125056 File Visible: - Signed: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF76AF000 Size: 37248 File Visible: - Signed: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF7576000 Size: 92288 File Visible: - Signed: -

Status: -

Name: Lbd.sys

Image Path: Lbd.sys

Address: 0xF770F000 Size: 57472 File Visible: - Signed: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF76BF000 Size: 42368 File Visible: - Signed: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF7469000 Size: 105344 File Visible: - Signed: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF74A9000 Size: 182656 File Visible: - Signed: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF74D6000 Size: 574976 File Visible: - Signed: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF7937000 Size: 19712 File Visible: - Signed: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF764F000 Size: 68224 File Visible: - Signed: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7C77000 Size: 3328 File Visible: - Signed: -

Status: -

Name: PCTCore.sys

Image Path: PCTCore.sys

Address: 0xF758D000 Size: 143360 File Visible: - Signed: -

Status: -

Name: pnpshark.sys

Image Path: pnpshark.sys

Address: 0xF7631000 Size: 119552 File Visible: - Signed: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF771F000 Size: 36320 File Visible: - Signed: -

Status: -

Name: sfdrv01.sys

Image Path: sfdrv01.sys

Address: 0xF7483000 Size: 73728 File Visible: - Signed: -

Status: -

Name: sfhlp02.sys

Image Path: sfhlp02.sys

Address: 0xF793F000 Size: 32768 File Visible: - Signed: -

Status: -

Name: sfsync02.sys

Image Path: sfsync02.sys

Address: 0xF76CF000 Size: 36864 File Visible: - Signed: -

Status: -

Name: sfvfs02.sys

Image Path: sfvfs02.sys

Address: 0xF7495000 Size: 81920 File Visible: - Signed: -

Status: -

Name: sr.sys

Image Path: sr.sys

Address: 0xF75B0000 Size: 73472 File Visible: - Signed: -

Status: -

Name: st3shark.sys

Image Path: st3shark.sys

Address: 0xF7BB3000 Size: 5504 File Visible: - Signed: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF76DF000 Size: 52352 File Visible: - Signed: -

Status: -

Name: WudfPf.sys

Image Path: WudfPf.sys

Address: 0xF7563000 Size: 77568 File Visible: - Signed: -

Status: -

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:52:19, on 06/08/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Ad-Aware\AAWTray.exe

C:\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG Antivirus 8\avgssie.dll (file missing)

O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\STARDO~1\SDIEInt.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Hewlett-Packard PSC 2115\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Malwarebytes Anti-Malware\fugof.exe" /runcleanupscript

O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\myrealname\OctoshapeClient.exe" -inv:bootrun

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\NVIDIA\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\myrealname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Download with Star Downloader - C:\Star Downloader\sdie.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: SYSTRAN: &Clear Translation Cache - D:\Systran Translator\Standard\menuClearCache.html

O8 - Extra context menu item: SYSTRAN: &Options - D:\Systran Translator\Standard\menuConfigure.html

O8 - Extra context menu item: SYSTRAN: &Register - D:\Systran Translator\Standard\menuRegister.html

O8 - Extra context menu item: SYSTRAN: &Translate - D:\Systran Translator\Standard\menuTranslate.html

O8 - Extra context menu item: SYSTRAN: Check for &Updates - D:\Systran Translator\Standard\menuUpdate.html

O8 - Extra context menu item: SYSTRAN: Translate All &Frames - D:\Systran Translator\Standard\menuTranslateAll.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: @sysiecom.dll,-2100 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslate.html

O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2102 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslate.html

O9 - Extra button: @sysiecom.dll,-2103 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslateAll.html

O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2105 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuTranslateAll.html

O9 - Extra button: @sysiecom.dll,-2115 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuConfigure.html

O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2117 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuConfigure.html

O9 - Extra button: (no name) - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuClearCache.html

O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2108 - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuClearCache.html

O9 - Extra button: (no name) - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuRegister.html

O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2111 - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuRegister.html

O9 - Extra button: (no name) - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuUpdates.html (file missing)

O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2114 - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - D:\Systran Translator\Standard\MenuUpdates.html (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\YAHOO!~1\MESSEN~1\ypager.exe (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\YAHOO!~1\MESSEN~1\ypager.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspkwk.dll' missing

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O15 - Trusted Zone: http://www.abbey.com

O15 - Trusted Zone: http://gp4tweaker.vadertrophy.com

O16 - DPF: Yahoo! Dominoes -

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://myaccount.spaces.live.com/PhotoUpload/MsnPUpld.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate1c8c5cb3ead1e68) (gupdate1c8c5cb3ead1e68) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\NVIDIA\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 16483 bytes

I'd be really grateful for any help on how to kill this thing once and for all; I've put the effort in and I'm tearing my hair out here!

Cheers,

-gr


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your Antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot; this is because McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.


Thanks for the reply Mieke!

It took a few goes, but I found these two log files; here they are in order just in case.

The symptoms seem to have largely gone, but I would rather be completely sure... I'm not sure what to make of them.

1st scan

ComboFix 09-08-08.04 - myrealname 09/08/2009 13:11.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.588 [GMT 1:00]

Running from: c:\documents and settings\myrealname\Desktop\ficx.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\-2132147399

C:\avqid.exe

C:\desktop.ini

C:\jejby.exe

C:\nryuvxw.exe

C:\obhasb.exe

c:\program files\iMeshBar

c:\program files\iMeshBar\bar\History\search

C:\tmlchrx.exe

C:\ufpuc.exe

c:\windows\Installer\67f3c1.msp

c:\windows\Installer\67f3d4.msp

c:\windows\Installer\f178db.msi

c:\windows\run.log

c:\windows\system32\Data

c:\windows\system32\Drivers\mubskpu.sys

C:\yfbkr.exe

C:\yllwiq.exe

.

((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))

.

2009-08-06 21:06 . 2009-08-06 21:06 -------- d-sh--w- c:\documents and settings\myrealname\IECompatCache

2009-08-06 15:51 . 2009-08-06 15:52 -------- d-----w- C:\HijackThis

2009-08-06 00:27 . 2009-08-06 00:33 -------- d-----w- C:\RootRepeal

2009-08-05 21:00 . 2009-08-05 21:00 -------- d-----w- c:\documents and settings\myrealname\Application Data\Malwarebytes

2009-08-04 17:47 . 2009-08-04 17:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-04 17:09 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-04 17:09 . 2009-08-05 22:43 -------- d-----w- C:\Malwarebytes Anti-Malware

2009-08-04 17:09 . 2009-08-04 17:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-08-04 17:09 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-04 15:50 . 2009-08-04 15:50 0 ----a-w- C:\backup.reg

2009-08-04 12:49 . 2009-08-04 12:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater

2009-08-04 11:44 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-08-04 10:44 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-08-04 10:42 . 2009-08-04 10:42 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-04 10:42 . 2009-08-04 10:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft

2009-08-03 17:33 . 2009-08-03 17:33 -------- d-sh--w- c:\documents and settings\myrealname\PrivacIE

2009-07-28 15:05 . 2009-07-28 15:05 -------- d-sh--w- c:\documents and settings\myrealname\IETldCache

2009-07-26 11:55 . 2009-07-26 11:55 -------- d-sh--w- c:\documents and settings\otheruser\PrivacIE

2009-07-26 08:06 . 2009-07-26 08:06 -------- d-sh--w- c:\documents and settings\otheruser\IETldCache

2009-07-26 00:21 . 2009-07-26 00:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-07-25 22:18 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-07-25 22:17 . 2009-07-29 09:33 -------- d-----w- c:\windows\ie8updates

2009-07-25 22:15 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-07-25 22:15 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-07-25 22:03 . 2009-07-25 22:14 -------- dc-h--w- c:\windows\ie8

2009-07-21 19:36 . 2009-07-21 19:36 -------- d-----w- c:\documents and settings\myrealname\Application Data\$CUERoot$

2009-07-21 19:35 . 2009-07-21 19:35 -------- d-----w- c:\program files\HP

2009-07-18 18:54 . 2009-08-05 22:54 -------- d-----w- c:\documents and settings\myrealname\Local Settings\Application Data\Temp

2009-07-18 09:55 . 2009-08-05 23:06 -------- d-----w- c:\documents and settings\otheruser\Local Settings\Application Data\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-09 07:46 . 2008-12-27 15:14 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP

2009-08-07 08:29 . 2008-12-27 15:15 -------- d-----w- c:\program files\Spyware Doctor

2009-08-04 23:54 . 2006-07-04 23:44 -------- d-----w- c:\documents and settings\myrealname\Application Data\uT

2009-08-04 12:49 . 2005-02-07 02:13 -------- d-----w- c:\program files\Google

2009-07-31 21:33 . 2009-02-21 14:04 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-10 10:11 . 2009-01-22 03:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee

2009-07-10 10:01 . 2009-01-22 03:57 -------- d-----w- c:\program files\McAfee

2009-07-04 17:03 . 2009-07-04 17:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-07-04 17:03 . 2009-07-04 17:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-07-03 17:09 . 2004-02-06 17:05 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2001-08-18 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2001-08-18 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 15:17 . 2002-11-05 11:04 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-03 19:09 . 2003-12-21 20:38 1291264 ----a-w- c:\windows\system32\quartz.dll

2005-12-26 21:41 . 2005-12-26 21:41 2951156 ----a-w- c:\program files\bitcomet_setup.exe

2009-08-04 12:50 . 2009-08-04 12:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\nvidia\nTune\nTuneCmd.exe" [2007-07-03 81920]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-09 68856]

"Google Update"="c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]

"Share-to-Web Namespace Daemon"="c:\hewlett-packard psc 2115\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]

"QuickTime Task"="c:\quicktime\QTTask.exe" [2008-11-04 413696]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-08-04 30192]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\SYSTEM32\bthprops.cpl [2008-04-14 110592]

"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk

backup=c:\windows\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk

backup=c:\windows\pss\PCSuiteForNokia6600 TS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk

backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk

backup=c:\windows\pss\QuickTV.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^myrealname^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]

path=c:\documents and settings\myrealname\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk

backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^myrealname^Start Menu^Programs^Startup^Wallpaper Changer.lnk]

path=c:\documents and settings\myrealname\Start Menu\Programs\Startup\Wallpaper Changer.lnk

backup=c:\windows\pss\Wallpaper Changer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\KZLite\\Kz.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=

"c:\\Yahoo! Messenger\\Messenger\\YServer.exe"=

"c:\\Program Files\\LW\\LW.exe"=

"f:\\downloads to sort\\ut.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\GTR 2\\GTR2.exe"=

"f:\\rFactor\\rFactor.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Steam\\SteamApps\\myname\\race07 demo\\SteamProxy.exe"=

"d:\\Steam\\SteamApps\\myname\\race07 demo\\RaceConfig_Steam.exe"=

"d:\\Steam\\SteamApps\\myname\\race 07 demo crowne plaza raceway edition\\RaceDemo_Steam.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"d:\\GT Legends\\GTL.exe"=

"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

"c:\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [04/08/2009 11:44 64160]

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [22/05/2009 12:47 130936]

R0 pnpshark;pnpshark;c:\windows\SYSTEM32\DRIVERS\pnpshark.sys [02/10/2003 04:16 119552]

R0 st3shark;st3shark;c:\windows\SYSTEM32\DRIVERS\st3shark.sys [27/09/2003 15:37 5504]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\ad-aware\AAWService.exe [03/07/2009 15:49 1029456]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [23/01/2009 01:02 210216]

S2 BT848;AVerMedia, AVerTV WDM Video Capture;c:\windows\SYSTEM32\DRIVERS\BT848.sys [13/05/2002 19:40 261696]

S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;c:\windows\SYSTEM32\DRIVERS\bttuner.sys [27/01/2002 04:57 22016]

S2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;c:\windows\SYSTEM32\DRIVERS\btxbar.sys [27/01/2002 05:02 13312]

S2 gupdate1c8c5cb3ead1e68;Google Update Service (gupdate1c8c5cb3ead1e68);c:\program files\Google\Update\GoogleUpdate.exe [13/07/2008 00:03 133104]

S2 UsbCom;USB -> COM Driver Service;c:\windows\SYSTEM32\DRIVERS\UsbCom.sys [02/08/2004 15:44 69575]

S3 cpuz130;cpuz130;\??\c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [04/08/2009 13:50 30192]

S3 imhidusb;Immersion's HID USB Driver;c:\windows\SYSTEM32\DRIVERS\ImHidUsb.sys [27/11/2002 18:13 30920]

S3 jfdcd;jfdcd;\??\c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys [?]

S3 papycpu;papycpu;c:\windows\SYSTEM32\DRIVERS\papycpu.sys [25/12/2002 15:13 1888]

S3 RnbToken;Rainbow iKey Token Service;c:\windows\SYSTEM32\DRIVERS\RNBTOKEN.SYS [16/03/2004 03:04 18536]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [27/12/2008 16:15 348752]

S3 TMHidF;Thrustmaster Force Feedback Racing Wheel HID Driver;c:\windows\SYSTEM32\DRIVERS\TMHIDF.sys [27/10/2005 17:25 63894]

S3 wi8042pr;wi8042pr;\??\c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Octoshape Streaming Services - c:\program files\Octoshape Streaming Services\myrealname\OctoshapeClient.exe

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

HKLM-Run-NBKeyScan - c:\nero\Nero 8\Nero BackItUp\NBKeyScan.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with Star Downloader - c:\star downloader\sdie.htm

IE: E&xport to Microsoft Excel - c:\micros~4\OFFICE11\EXCEL.EXE/3000

IE: SYSTRAN: &Clear Translation Cache - d:\systran translator\Standard\menuClearCache.html

IE: SYSTRAN: &Options - d:\systran translator\Standard\menuConfigure.html

IE: SYSTRAN: &Register - d:\systran translator\Standard\menuRegister.html

IE: SYSTRAN: &Translate - d:\systran translator\Standard\menuTranslate.html

IE: SYSTRAN: Check for &Updates - d:\systran translator\Standard\menuUpdate.html

IE: SYSTRAN: Translate All &Frames - d:\systran translator\Standard\menuTranslateAll.html

IE: {{703436F1-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslate.html

IE: {{703436F2-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslateAll.html

IE: {{703436F3-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuConfigure.html

IE: {{703436F4-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuClearCache.html

IE: {{703436F5-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuRegister.html

IE: {{703436F6-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuUpdates.html

Trusted Zone: abbey.com\www

Trusted Zone: vadertrophy.com\gp4tweaker

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: Yahoo! Dominoes

FF - ProfilePath - c:\docume~1\myrealname\APPLIC~1\Mozilla\Firefox\Profiles\80m4qwwn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll

FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\divx player\DivX Content Uploader\npUpload.dll

FF - plugin: c:\divx player\DivX Player\npDivxPlayerPlugin.dll

FF - plugin: c:\divx player\DivX Web Player\npdivx32.dll

FF - plugin: c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin2.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin3.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin4.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin5.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin6.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin7.dll

FF - plugin: c:\vlc media player\npvlc.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-09 13:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)

c:\program files\McAfee\SiteAdvisor\saHook.dll

- - - - - - - > 'explorer.exe'(3896)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-08-09 13:33

ComboFix-quarantined-files.txt 2009-08-09 12:33

Pre-Run: 3,090,022,400 bytes free

Post-Run: 3,026,915,328 bytes free

303 --- E O F --- 2009-07-31 16:45

More recent scan

ComboFix 09-08-08.04 - myrealname 09/08/2009 13:11.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.588 [GMT 1:00]

Running from: c:\documents and settings\myrealname\Desktop\ficx.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\-2132147399

C:\avqid.exe

C:\desktop.ini

C:\jejby.exe

C:\nryuvxw.exe

C:\obhasb.exe

c:\program files\iMeshBar

c:\program files\iMeshBar\bar\History\search

C:\tmlchrx.exe

C:\ufpuc.exe

c:\windows\Installer\67f3c1.msp

c:\windows\Installer\67f3d4.msp

c:\windows\Installer\f178db.msi

c:\windows\run.log

c:\windows\system32\Data

c:\windows\system32\Drivers\mubskpu.sys

C:\yfbkr.exe

C:\yllwiq.exe

.

((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))

.

2009-08-06 21:06 . 2009-08-06 21:06 -------- d-sh--w- c:\documents and settings\myrealname\IECompatCache

2009-08-06 15:51 . 2009-08-06 15:52 -------- d-----w- C:\HijackThis

2009-08-06 00:27 . 2009-08-06 00:33 -------- d-----w- C:\RootRepeal

2009-08-05 21:00 . 2009-08-05 21:00 -------- d-----w- c:\documents and settings\myrealname\Application Data\Malwarebytes

2009-08-04 17:47 . 2009-08-04 17:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-04 17:09 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-04 17:09 . 2009-08-05 22:43 -------- d-----w- C:\Malwarebytes Anti-Malware

2009-08-04 17:09 . 2009-08-04 17:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-08-04 17:09 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-04 15:50 . 2009-08-04 15:50 0 ----a-w- C:\backup.reg

2009-08-04 12:49 . 2009-08-04 12:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater

2009-08-04 11:44 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-08-04 10:44 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-08-04 10:42 . 2009-08-04 10:42 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-04 10:42 . 2009-08-04 10:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft

2009-08-03 17:33 . 2009-08-03 17:33 -------- d-sh--w- c:\documents and settings\myrealname\PrivacIE

2009-07-28 15:05 . 2009-07-28 15:05 -------- d-sh--w- c:\documents and settings\myrealname\IETldCache

2009-07-26 11:55 . 2009-07-26 11:55 -------- d-sh--w- c:\documents and settings\other user\PrivacIE

2009-07-26 08:06 . 2009-07-26 08:06 -------- d-sh--w- c:\documents and settings\other user\IETldCache

2009-07-26 00:21 . 2009-07-26 00:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-07-25 22:18 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-07-25 22:17 . 2009-07-29 09:33 -------- d-----w- c:\windows\ie8updates

2009-07-25 22:15 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-07-25 22:15 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-07-25 22:03 . 2009-07-25 22:14 -------- dc-h--w- c:\windows\ie8

2009-07-21 19:36 . 2009-07-21 19:36 -------- d-----w- c:\documents and settings\myrealname\Application Data\$CUERoot$

2009-07-21 19:35 . 2009-07-21 19:35 -------- d-----w- c:\program files\HP

2009-07-18 18:54 . 2009-08-05 22:54 -------- d-----w- c:\documents and settings\myrealname\Local Settings\Application Data\Temp

2009-07-18 09:55 . 2009-08-05 23:06 -------- d-----w- c:\documents and settings\other user\Local Settings\Application Data\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-09 07:46 . 2008-12-27 15:14 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP

2009-08-07 08:29 . 2008-12-27 15:15 -------- d-----w- c:\program files\Spyware Doctor

2009-08-04 23:54 . 2006-07-04 23:44 -------- d-----w- c:\documents and settings\myrealname\Application Data\uTorrent

2009-08-04 12:49 . 2005-02-07 02:13 -------- d-----w- c:\program files\Google

2009-07-31 21:33 . 2009-02-21 14:04 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-10 10:11 . 2009-01-22 03:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee

2009-07-10 10:01 . 2009-01-22 03:57 -------- d-----w- c:\program files\McAfee

2009-07-04 17:03 . 2009-07-04 17:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-07-04 17:03 . 2009-07-04 17:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-07-03 17:09 . 2004-02-06 17:05 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2001-08-18 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2001-08-18 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 15:17 . 2002-11-05 11:04 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-03 19:09 . 2003-12-21 20:38 1291264 ----a-w- c:\windows\system32\quartz.dll

2005-12-26 21:41 . 2005-12-26 21:41 2951156 ----a-w- c:\program files\bitcomet_setup.exe

2009-08-04 12:50 . 2009-08-04 12:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\nvidia\nTune\nTuneCmd.exe" [2007-07-03 81920]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-09 68856]

"Google Update"="c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]

"Share-to-Web Namespace Daemon"="c:\hewlett-packard psc 2115\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]

"QuickTime Task"="c:\quicktime\QTTask.exe" [2008-11-04 413696]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-08-04 30192]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\SYSTEM32\bthprops.cpl [2008-04-14 110592]

"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk

backup=c:\windows\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk

backup=c:\windows\pss\PCSuiteForNokia6600 TS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk

backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk

backup=c:\windows\pss\QuickTV.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^myrealname^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]

path=c:\documents and settings\myrealname\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk

backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^myrealname^Start Menu^Programs^Startup^Wallpaper Changer.lnk]

path=c:\documents and settings\myrealname\Start Menu\Programs\Startup\Wallpaper Changer.lnk

backup=c:\windows\pss\Wallpaper Changer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\KZ Lite\\KZ.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=

"c:\\Yahoo! Messenger\\Messenger\\YServer.exe"=

"c:\\Program Files\\LW\\LW.exe"=

"f:\\downloads to sort\\ut.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\GTR 2\\GTR2.exe"=

"f:\\rFactor\\rFactor.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Steam\\SteamApps\\myname\\race07 demo\\SteamProxy.exe"=

"d:\\Steam\\SteamApps\\myname\\race07 demo\\RaceConfig_Steam.exe"=

"d:\\Steam\\SteamApps\\myname\\race 07 demo crowne plaza raceway edition\\RaceDemo_Steam.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"d:\\GT Legends\\GTL.exe"=

"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

"c:\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [04/08/2009 11:44 64160]

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [22/05/2009 12:47 130936]

R0 pnpshark;pnpshark;c:\windows\SYSTEM32\DRIVERS\pnpshark.sys [02/10/2003 04:16 119552]

R0 st3shark;st3shark;c:\windows\SYSTEM32\DRIVERS\st3shark.sys [27/09/2003 15:37 5504]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\ad-aware\AAWService.exe [03/07/2009 15:49 1029456]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [23/01/2009 01:02 210216]

S2 BT848;AVerMedia, AVerTV WDM Video Capture;c:\windows\SYSTEM32\DRIVERS\BT848.sys [13/05/2002 19:40 261696]

S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;c:\windows\SYSTEM32\DRIVERS\bttuner.sys [27/01/2002 04:57 22016]

S2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;c:\windows\SYSTEM32\DRIVERS\btxbar.sys [27/01/2002 05:02 13312]

S2 gupdate1c8c5cb3ead1e68;Google Update Service (gupdate1c8c5cb3ead1e68);c:\program files\Google\Update\GoogleUpdate.exe [13/07/2008 00:03 133104]

S2 UsbCom;USB -> COM Driver Service;c:\windows\SYSTEM32\DRIVERS\UsbCom.sys [02/08/2004 15:44 69575]

S3 cpuz130;cpuz130;\??\c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [04/08/2009 13:50 30192]

S3 imhidusb;Immersion's HID USB Driver;c:\windows\SYSTEM32\DRIVERS\ImHidUsb.sys [27/11/2002 18:13 30920]

S3 jfdcd;jfdcd;\??\c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys [?]

S3 papycpu;papycpu;c:\windows\SYSTEM32\DRIVERS\papycpu.sys [25/12/2002 15:13 1888]

S3 RnbToken;Rainbow iKey Token Service;c:\windows\SYSTEM32\DRIVERS\RNBTOKEN.SYS [16/03/2004 03:04 18536]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [27/12/2008 16:15 348752]

S3 TMHidF;Thrustmaster Force Feedback Racing Wheel HID Driver;c:\windows\SYSTEM32\DRIVERS\TMHIDF.sys [27/10/2005 17:25 63894]

S3 wi8042pr;wi8042pr;\??\c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Octoshape Streaming Services - c:\program files\Octoshape Streaming Services\myrealname\OctoshapeClient.exe

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

HKLM-Run-NBKeyScan - c:\nero\Nero 8\Nero BackItUp\NBKeyScan.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with Star Downloader - c:\star downloader\sdie.htm

IE: E&xport to Microsoft Excel - c:\micros~4\OFFICE11\EXCEL.EXE/3000

IE: SYSTRAN: &Clear Translation Cache - d:\systran translator\Standard\menuClearCache.html

IE: SYSTRAN: &Options - d:\systran translator\Standard\menuConfigure.html

IE: SYSTRAN: &Register - d:\systran translator\Standard\menuRegister.html

IE: SYSTRAN: &Translate - d:\systran translator\Standard\menuTranslate.html

IE: SYSTRAN: Check for &Updates - d:\systran translator\Standard\menuUpdate.html

IE: SYSTRAN: Translate All &Frames - d:\systran translator\Standard\menuTranslateAll.html

IE: {{703436F1-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslate.html

IE: {{703436F2-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuTranslateAll.html

IE: {{703436F3-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuConfigure.html

IE: {{703436F4-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuClearCache.html

IE: {{703436F5-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuRegister.html

IE: {{703436F6-3E1F-11d3-8F6B-00105A2A1D59} - d:\systran translator\Standard\MenuUpdates.html

Trusted Zone: abbey.com\www

Trusted Zone: vadertrophy.com\gp4tweaker

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: Yahoo! Dominoes

FF - ProfilePath - c:\docume~1\myrealname\APPLIC~1\Mozilla\Firefox\Profiles\80m4qwwn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll

FF - component: c:\documents and settings\myrealname\Application Data\Mozilla\Firefox\Profiles\80m4qwwn.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\divx player\DivX Content Uploader\npUpload.dll

FF - plugin: c:\divx player\DivX Player\npDivxPlayerPlugin.dll

FF - plugin: c:\divx player\DivX Web Player\npdivx32.dll

FF - plugin: c:\documents and settings\myrealname\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin2.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin3.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin4.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin5.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin6.dll

FF - plugin: c:\quicktime\Plugins\npqtplugin7.dll

FF - plugin: c:\vlc media player\npvlc.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-09 13:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)

c:\program files\McAfee\SiteAdvisor\saHook.dll

- - - - - - - > 'explorer.exe'(3896)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-08-09 13:33

ComboFix-quarantined-files.txt 2009-08-09 12:33

Pre-Run: 3,090,022,400 bytes free

Post-Run: 3,026,915,328 bytes free

303 --- E O F --- 2009-07-31 16:45

Regards,

-GR


  • Staff

Hi,

Go to start > run and copy and paste + enter the following commands one by one in the field:

sc delete wi8042pr

sc delete jfdcd

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

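The two `sc delete` commands above target service entries whose driver file is already gone: in the ComboFix log they are the `S3` lines that end in `--> <path> [?]`, and both point into the user's Temp directory. As an added example (not code from the thread, from ComboFix or from Malwarebytes), the parser below applies those same two checks to service lines in ComboFix's format: it flags entries whose image file is missing and entries that load from a Temp directory, and it generates the `sc delete` commands for the dead ones. The sample lines are copied from the log above; the line regex and the "Temp" heuristic are my own reading of the format, not ComboFix's logic.

```python
import re
from pathlib import PureWindowsPath

# Service/driver lines in the shape ComboFix prints them, copied from the log above:
# "<start type> <name>;<display name>;<image path> [<date> <size>]".
# When the image file cannot be found, ComboFix appends " --> <path> [?]".
SAMPLE_LINES = [
    r"R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [04/08/2009 11:44 64160]",
    r"R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [23/01/2009 01:02 210216]",
    r"S3 cpuz130;cpuz130;\??\c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]",
    r"S3 jfdcd;jfdcd;\??\c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\jfdcd.sys [?]",
    r"S3 wi8042pr;wi8042pr;\??\c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys --> c:\docume~1\myrealname\LOCALS~1\Temp\wi8042pr.sys [?]",
]

# Assumed line layout (my reading of the log, not a documented ComboFix format).
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)


def parse_service_line(line):
    """Split one ComboFix service line into its fields; return None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    path = m.group("path")
    # "<registry value> --> <resolved path>" is how ComboFix marks a file it could not find.
    if "-->" in path:
        path = path.split("-->", 1)[1].strip()
    # Drop the NT object-manager prefix so the path parses as a plain Win32 path.
    if path.startswith("\\??\\"):
        path = path[4:]
    return {
        "start": m.group("start"),
        "name": m.group("name").strip(),
        "display": m.group("display").strip(),
        "path": path,
        "missing": m.group("info").strip() == "?",
    }


def suspicious_reasons(entry):
    """Reasons an entry deserves a look; an empty list means it looks ordinary."""
    reasons = []
    if entry["missing"]:
        reasons.append("file missing")
    parts = [p.lower() for p in PureWindowsPath(entry["path"]).parts]
    # A kernel driver or service binary that runs from a Temp directory is either a
    # dropper leftover or a tool that forgot to clean up after itself (heuristic).
    if "temp" in parts:
        reasons.append("loads from a Temp directory")
    return reasons


def audit_services(lines):
    """Parse every service line and keep the ones with at least one reason."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def sc_delete_commands(findings):
    """Build 'sc delete' lines for entries whose image file no longer exists.

    With the file gone there is nothing for a file scanner to quarantine; the
    registry entry is the only thing left to clean up. Entries whose file still
    exists are deliberately left out so they get a manual look first."""
    cmds = []
    for f in findings:
        if not f["missing"]:
            continue
        name = f["name"]
        cmds.append(f'sc delete "{name}"' if " " in name else f"sc delete {name}")
    return cmds


if __name__ == "__main__":
    found = audit_services(SAMPLE_LINES)
    for f in found:
        print(f"{f['start']} {f['name']:<10} {f['path']}  <- {', '.join(f['reasons'])}")
    print()
    print("\n".join(sc_delete_commands(found)))
```

Run against the sample, the audit flags all three Temp-based `S3` entries and proposes `sc delete` for each. The staff reply above deletes only `jfdcd` and `wi8042pr`; `cpuz130` is most likely the helper driver CPU-Z drops into Temp while it runs, which is why it was left alone. Before deleting any entry on a live machine, confirm its state with `sc qc <name>` and `sc query <name>`; a service that is still running is only marked for deletion until the next reboot.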

  • 2 weeks later...
Still with us?

Weird, I didn't get an email reply notification for the first one, sorry about that.

Well, the Google Installer errors and background adverts have gone. It seemed more or less fine until last week, when my Windows XP administrator login preferences and My Documents folder had wiped themselves completely for no reason! I managed to get it back with System Restore, not sure if it's related? Also had a locked spam popup, but sadly that's the norm on the internets.

I've carried out your instructions and a DOS window flashed up very quickly for both; did it do anything?

Anyway here's the latest MBAM, it seems clean:

Malwarebytes' Anti-Malware 1.40

Database version: 2567

Windows 5.1.2600 Service Pack 3

20/08/2009 18:53:16

mbam-log-2009-08-20 (18-53-16).txt

Scan type: Quick Scan

Objects scanned: 122112

Time elapsed: 11 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Is this a sign it is fixed? If not, I might just format my C: drive, but it's partitioned with a D: also. Will the D: contents disappear if I do that?

Thanks for chasing this,

-GR


  • Staff
seemed more or less fine until last week, when my Windows XP administrator login preferences and My Documents folder had wiped themselves completely for no reason!
It didn't wipe itself, though. I guess it was just an improper reboot somewhere, which may leave the user profile temporarily corrupt. Normally the next reboot resolves this as well.

Anyway, your log looks clean here, so everything should be OK now.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
