Rootkit TDDS

jkal · July 8, 2010

My routine Malwarebytes Scan uncovered two ROOTKIT TDDS entries. Although they were removed and I ran another scan in safe mode - I'm still suspicious. The PC is slower and I am unable to change my security settings. Sometimes IE won't even connect.

I ran McAfee and SUPER ANTI-SPYWARE and uncovered nothing.

Any help would be greatly appreciated.

Here's the HIJACK LOG

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:40:04 PM, on 7/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Norton Ghost\Agent\VProTray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\program files\steam\steam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"

O4 - HKLM\..\Run: [uSB2Check] "C:\WINDOWS\system32\RUNDLL32.EXE" "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController

O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-1935655697-602162358-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s...ri_4.1.71.0.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.co...eqlabdetect.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194645270687

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark SystemInfo) - http://service.futuremark.com/openapi/receivers/FMSI.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: McAfee Application Installer Cleanup (0311831276621050) (0311831276621050mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\031183~1.EXE (file missing)

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe

O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe

O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 14069 bytes

Thanks,

J

Maniac · July 8, 2010

Hello jkal! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Follow my instructions step by step if there is a problem somewhere, stop and tell me.
Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install or uninstall any software or hardware, while work on.
Keep me informed about any changes.

Follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573

jkal · July 9, 2010

Thanks for your help, however, I've run into a snag.

GMER won't run...it gets stuck and I lose control of the mouse. I ran it again and it got stuck, once again, and then blue screen. I ran Malwarebytes and show no problems. I also ran my virus software (McAfee) and again, show nothing.

Don't know if the HIJACK logs reveal anything, but is it possible I'm clean?

I've attached the ATTACH file and the DDS along with the MWB log.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Jim at 20:18:51.49 on Thu 07/08/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2812 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Norton Ghost\Agent\VProTray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\program files\steam\steam.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Documents and Settings\Jim\Desktop\Defogger.exe

C:\Documents and Settings\Jim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [steam] "c:\program files\steam\steam.exe" -silent

uRun: [sUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] "c:\program files\common files\ahead\lib\NeroCheck.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [Norton Ghost 12.0] "c:\program files\norton ghost\agent\VProTray.exe"

mRun: [uSB2Check] "c:\windows\system32\rundll32.exe" "c:\windows\system32\PCLECoInst.dll",CheckUSBController

mRun: [RTHDCPL] "c:\windows\RTHDCPL.EXE"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194645270687

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/openapi/receivers/FMSI.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\uckq9agm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\jim\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\jim\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-4-28 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 67656]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-15 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-10-15 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-10-15 144704]

R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-30 30152]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-10-15 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-13 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-13 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-13 40552]

S1 aaaAaaa;aaaAaaa;c:\windows\system32\drivers\aaaAaaa.sys [2008-8-25 295168]

S2 0311831276621050mcinstcleanup;McAfee Application Installer Cleanup (0311831276621050);c:\windows\temp\031183~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\031183~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S3 cpuz130;cpuz130;\??\c:\docume~1\jim\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\jim\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-9 25832]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-5-11 267760]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-5-11 218608]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-13 34248]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 12872]

=============== Created Last 30 ================

2010-07-09 01:17:41 0 ----a-w- c:\documents and settings\jim\defogger_reenable

2010-06-23 01:24:20 0 d--h--w- c:\windows\msdownld.tmp

2010-06-13 21:35:46 0 d-----w- c:\program files\3ivx

2010-06-13 21:35:37 0 d-----w- c:\program files\Flip Video

2010-06-11 08:08:18 221 ----a-w- c:\windows\system32\MRT.INI

==================== Find3M ====================

2010-07-08 05:12:00 215152 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:34 78336 ------w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:13:34 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-04-26 20:58:12 256512 ----a-w- c:\windows\PEV.exe

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-12 22:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2009-11-26 04:43:27 1312080 ----a-w- c:\program files\59B770ebQ.exe

2009-06-27 03:08:13 17408 --sha-w- c:\program files\Thumbs.db

2008-10-13 23:25:50 9679360 ----a-w- c:\program files\TomTomHOMEwinlatest.exe

2008-10-13 23:16:15 19411496 ----a-w- c:\program files\TomTomHOME2winlatest.exe

2008-05-19 06:37:12 4846342 ----a-w- c:\program files\REVISED BACK ART.bmp

2008-03-22 04:46:49 41392 ----a-w- c:\program files\coverart3xb3.jpg

2008-03-22 03:59:37 93218 ----a-w- c:\program files\untitled444.PNG

2008-03-22 03:54:15 113997 ----a-w- c:\program files\untitled333.PNG

2008-03-22 01:47:28 142749 ----a-w- c:\program files\morebackcover3ix0.jpg

2008-03-20 22:57:25 102447 ----a-w- c:\program files\untitled222.PNG

2008-03-20 21:38:05 129823 ----a-w- c:\program files\untitled.bmp

2008-03-15 05:29:34 135318 ----a-w- c:\program files\cdstomperew5.png

2008-03-08 08:21:53 498870 ----a-w- c:\program files\cd3.bmp

2008-03-08 08:07:40 498870 ----a-w- c:\program files\cd sticker2.bmp

2008-03-08 08:04:17 1562706 ----a-w- c:\program files\cd2.bmp

2008-02-27 21:35:46 26166770 ----a-w- c:\program files\NAV05ENG.exe

2007-11-26 01:53:10 9479520 ----a-w- c:\program files\winzip111.exe

2007-11-23 04:18:13 585257 ----a-w- c:\program files\tabled32.exe

2007-11-21 01:03:21 3469976 ----a-w- c:\program files\DivXCodec.exe

1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

2009-04-27 22:41:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2009-04-27 22:41:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042720090428\index.dat

2009-05-01 00:14:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009043020090501\index.dat

============= FINISH: 20:19:28.22 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4290

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

7/8/2010 6:59:36 PM

mbam-log-2010-07-08 (18-59-36).txt

Scan type: Quick scan

Objects scanned: 139983

Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

THanks again,

J

Attach.zip

Maniac · July 9, 2010

Step 1

Please, uninstall the following applications:

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)

You can read, how to do this here:

Step 2

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it back when you reply
Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Windows\Sun
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

Step 3

I also see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player

Step 4

Please read the following through carefully so that you understand what to do.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
It may ask you to reboot the computer to complete the process. Allow it to do so.
When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

In your next reply, please include these log(s):

JavaRa log
TDSSKiller log

jkal · July 9, 2010

I'll be out of town through the weekend, but will get to it when I return on Monday.

Just a few questions, and please forgive my ignorance: What effects will deleting Java and Adobe Acrobat have on my ability to use the PC? I take it we will re-install more up-to-date versions, once we're clean?

Also - just curious - since it wouldn't run, was I doing something wrong with GMER? And lastly, do the logs I provided, so far, look good? Or, should I shut down and not have anyone do anything until we're sure there's no trace of a ROOTKIT?

Many thanks for your assistance.

J

Maniac · July 9, 2010

I'll be out of town through the weekend, but will get to it when I return on Monday.

Thanks for update!!

I take it we will re-install more up-to-date versions, once we're clean?

That's right!

since it wouldn't run, was I doing something wrong with GMER?

Nope, it's not your fault.

And lastly, do the logs I provided, so far, look good?

Reasonably well.

Or, should I shut down and not have anyone do anything until we're sure there's no trace of a ROOTKIT?

Yeah, you should.

Have a nice holiday!

jkal · July 12, 2010

Borislav -

Back from my weekend and wanted to provide you with an update.

After MALWAREBYTES initially detected and removed the ROOTKIT AGENT, all scans thereafter showed nothing - including those performed by SUPER ANTI-SPYWARE.

Although I instructed him to shut down for the weekend, before doing so, my son ran a full scan of SUPER ANTI-SPYWARE again (he meant well...), and it showed two ROOTKIT entries. He tells me that he tried to reboot to finish removal and the PC shut down after the WINDOWS splash page. He ran it again in SAFE MODE where it revealed nothing and then everything booted up (seemingly) fine.

Upon my return, I noticed there were some STARTUP entries in the McAfee control logs that appear to be from Microsoft AND some unrecognized inbound entries into ports on my pc. I blocked them, turned on alerts and logs for EVERYTHING and, once again, shut down.

Now a question: The IT guy at the office told me he's heard that TDSS Killer has caused some major hard drive problems for some users. He tends to exaggerate some, and I might add, had no suggestions of his own to offer. Therefore, I am wondering, what types of problems (if any) might I expect?

Please know that I am not trying to be doubtful of your advice nor ungrateful for your help...however, my knowledge is very limited and, should something go awry, I am concerned about my abilities to recover.

If there are potentially devastating issues, is there an alternative to TDSS Killer? Or, would that be GMER that I couldn't get to run?

Thanks again,

j

Maniac · July 12, 2010

After MALWAREBYTES initially detected and removed the ROOTKIT AGENT, all scans thereafter showed nothing - including those performed by SUPER ANTI-SPYWARE.
Although I instructed him to shut down for the weekend, before doing so, my son ran a full scan of SUPER ANTI-SPYWARE again (he meant well...), and it showed two ROOTKIT entries. He tells me that he tried to reboot to finish removal and the PC shut down after the WINDOWS splash page. He ran it again in SAFE MODE where it revealed nothing and then everything booted up (seemingly) fine.
Upon my return, I noticed there were some STARTUP entries in the McAfee control logs that appear to be from Microsoft AND some unrecognized inbound entries into ports on my pc. I blocked them, turned on alerts and logs for EVERYTHING and, once again, shut down.

Sorry, but this makes my job very difficult because I don't know what was changed and I don't know what to do.

The IT guy at the office told me he's heard that TDSS Killer has caused some major hard drive problems for some users. He tends to exaggerate some, and I might add, had no suggestions of his own to offer. Therefore, I am wondering, what types of problems (if any) might I expect?

Our goal here is to use fewer tools and seek the easiest solutions for us and for you too. For the solution to the TDSS rootkit, we trust TDSSKiller tool, which is supported by Kaspersky Lab. We chose it because the work it is very easy and because it is extremely effective. This is the easiest solution, which we have as a resource at that time. It is updated regularly, and it is important to us. I have decided at least 15 cases through it and I can say that until now none of the people with whom I worked was not reported a technical problem with it. This is my personal practice. If there is any risk, it will have things that we can try, besides himself. Whatever you say.

This IT guy, ask him if he really come across a problem with it, let's send this information to Kaspersky Lab.

GMER is not a solution in our case.

jkal · July 12, 2010

Sorry, but this makes my job very difficult because I don't know what was changed and I don't know what to do.
I understand, and it was certainly not my intent to do so. Shall I provide another HIJACK THIS log before following your last instructions?
Our goal here is to use fewer tools and seek the easiest solutions for us and for you too. For the solution to the TDSS rootkit, we trust TDSSKiller tool, which is supported by Kaspersky Lab. We chose it because the work it is very easy and because it is extremely effective. This is the easiest solution, which we have as a resource at that time. It is updated regularly, and it is important to us. I have decided at least 15 cases through it and I can say that until now none of the people with whom I worked was not reported a technical problem with it. This is my personal practice. If there is any risk, it will have things that we can try, besides himself. Whatever you say.
This IT guy, ask him if he really come across a problem with it, let's send this information to Kaspersky Lab.
GMER is not a solution in our case.

I certainly trust the judgment of yourself along with the other good people in this forum. Just thought I'd ask, as he made it sound problematic. If you wrote back that there were some known problems that may require the user to be a bit more 'sophisticated' to set things right, then I would graciously decline.

In no way did I mean to be insulting or to impede your ability to help as your time and efforts are greatly appreciated.

j

Maniac · July 12, 2010

As you wish, we'll skip it.

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Open Tools -> Options -> Main tab
- Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

jkal · July 12, 2010

Here's the COMBOFIX LOG:

ComboFix 10-07-12.02 - Jim 07/12/2010 17:52:55.5.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2704 [GMT -5:00]

Running from: c:\documents and settings\Jim\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\init32.exe

.

((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))

.

2010-07-10 02:39 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-07-10 02:38 . 2010-07-10 02:38 -------- d-----w- c:\program files\Panda Security

2010-07-08 03:06 . 2010-07-08 03:08 -------- d-----w- c:\program files\Windows Live Safety Center

2010-07-01 02:16 . 2010-07-01 02:16 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\likxcnwtm

2010-06-23 01:24 . 2010-06-23 01:24 -------- d--h--w- c:\windows\msdownld.tmp

2010-06-13 21:35 . 2010-06-13 21:35 -------- d-----w- c:\program files\3ivx

2010-06-13 21:35 . 2010-06-13 21:35 -------- d-----w- c:\program files\Flip Video

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-12 11:07 . 2010-05-08 05:06 63488 ----a-w- c:\documents and settings\Jim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-07-12 11:07 . 2009-04-29 23:49 117760 ----a-w- c:\documents and settings\Jim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-12 02:12 . 2009-02-11 23:20 -------- d-----w- c:\program files\Steam

2010-07-10 02:56 . 2008-04-23 10:48 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-07-08 05:12 . 2009-05-17 23:34 215152 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-07-08 02:58 . 2009-04-29 23:48 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-01 11:19 . 2008-03-01 06:22 -------- d-----w- c:\program files\SpeedFan

2010-06-20 18:39 . 2007-11-10 00:52 79864 ----a-w- c:\documents and settings\Jim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-15 16:57 . 2009-09-13 16:15 -------- d-----w- c:\program files\McAfee

2010-06-05 04:47 . 2009-12-28 22:53 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-03 10:29 . 2010-06-03 10:29 388096 ----a-r- c:\documents and settings\Jim\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-02 21:24 . 2010-06-02 21:24 -------- d-----w- c:\program files\WebEx

2010-05-30 04:02 . 2010-05-30 04:02 503808 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-222cd58c-n\msvcp71.dll

2010-05-30 04:02 . 2010-05-30 04:02 499712 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-222cd58c-n\jmc.dll

2010-05-30 04:02 . 2010-05-30 04:02 348160 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-222cd58c-n\msvcr71.dll

2010-05-30 04:02 . 2010-05-30 04:02 61440 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-299e7599-n\decora-sse.dll

2010-05-30 04:02 . 2010-05-30 04:02 12800 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-299e7599-n\decora-d3d.dll

2010-05-30 03:57 . 2009-10-11 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-17 00:15 . 2010-05-16 20:58 -------- d-----w- c:\documents and settings\Jim\Application Data\Sony

2010-05-16 20:58 . 2010-05-16 20:58 -------- d-----w- c:\documents and settings\Jim\Application Data\Publish Providers

2010-05-16 20:52 . 2010-05-16 20:49 -------- d-----w- c:\program files\Sony

2010-05-16 20:50 . 2010-05-16 20:50 -------- d-----w- c:\program files\Vstplugins

2010-05-16 20:50 . 2010-05-16 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony

2010-05-16 20:41 . 2009-09-15 03:11 -------- d-----w- c:\documents and settings\Jim\Application Data\Tropico 3 Demo

2010-05-15 21:18 . 2010-05-15 21:18 -------- d-----w- c:\documents and settings\Jim\Application Data\Unity

2010-05-04 21:32 . 2009-05-17 23:35 137200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 12:00 78336 ------w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2008-07-23 20:40 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:14 . 2010-05-02 05:14 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-05-02 05:14 . 2010-05-02 05:14 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-05-02 05:14 . 2010-05-02 05:14 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-05-02 05:14 . 2010-05-02 05:14 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-05-02 05:14 . 2010-05-02 05:14 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-05-02 05:14 . 2010-05-02 05:14 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-05-02 05:14 . 2010-05-02 05:14 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-05-02 05:14 . 2010-05-02 05:14 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-05-02 05:14 . 2010-05-02 05:14 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-05-02 05:13 . 2007-11-09 22:29 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-05-02 05:09 . 2010-05-02 05:09 734728 ----a-w- c:\documents and settings\Jim\Application Data\Real\RealPlayer\setup\AU_setup13.exe

2010-04-29 20:39 . 2009-11-26 05:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39 . 2009-11-26 05:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 01:50 . 2010-04-20 01:50 503808 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-112f53b3-n\msvcp71.dll

2010-04-20 01:50 . 2010-04-20 01:50 499712 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-112f53b3-n\jmc.dll

2010-04-20 01:50 . 2010-04-20 01:50 348160 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-112f53b3-n\msvcr71.dll

2010-04-20 01:50 . 2010-04-20 01:50 61440 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-32b5f60d-n\decora-sse.dll

2010-04-20 01:50 . 2010-04-20 01:50 12800 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-32b5f60d-n\decora-d3d.dll

2009-11-26 04:43 . 2009-11-26 04:43 1312080 ----a-w- c:\program files\59B770ebQ.exe

2009-06-27 03:08 . 2008-03-20 21:21 17408 --sha-w- c:\program files\Thumbs.db

2008-10-13 23:25 . 2008-10-13 23:25 9679360 ----a-w- c:\program files\TomTomHOMEwinlatest.exe

2008-10-13 23:16 . 2008-10-13 23:16 19411496 ----a-w- c:\program files\TomTomHOME2winlatest.exe

2008-05-19 06:37 . 2008-05-19 06:37 4846342 ----a-w- c:\program files\REVISED BACK ART.bmp

2008-03-22 04:46 . 2008-03-22 04:47 41392 ----a-w- c:\program files\coverart3xb3.jpg

2008-03-22 03:59 . 2008-03-22 03:59 93218 ----a-w- c:\program files\untitled444.PNG

2008-03-22 03:54 . 2008-03-22 03:50 113997 ----a-w- c:\program files\untitled333.PNG

2008-03-22 01:47 . 2008-03-22 04:50 142749 ----a-w- c:\program files\morebackcover3ix0.jpg

2008-03-20 22:57 . 2008-03-20 22:57 102447 ----a-w- c:\program files\untitled222.PNG

2008-03-20 21:38 . 2008-03-20 21:34 129823 ----a-w- c:\program files\untitled.bmp

2008-03-15 05:29 . 2008-03-15 05:26 135318 ----a-w- c:\program files\cdstomperew5.png

2008-03-08 08:21 . 2008-03-08 08:21 498870 ----a-w- c:\program files\cd3.bmp

2008-03-08 08:07 . 2008-03-08 08:07 498870 ----a-w- c:\program files\cd sticker2.bmp

2008-03-08 08:04 . 2008-03-08 08:04 1562706 ----a-w- c:\program files\cd2.bmp

2008-02-27 21:35 . 2008-02-27 21:35 26166770 ----a-w- c:\program files\NAV05ENG.exe

2007-11-26 01:53 . 2007-11-26 01:53 9479520 ----a-w- c:\program files\winzip111.exe

2007-11-23 04:18 . 2007-11-23 04:18 585257 ----a-w- c:\program files\tabled32.exe

2007-11-21 01:03 . 2007-11-21 01:03 3469976 ----a-w- c:\program files\DivXCodec.exe

1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\steam\steam.exe" [2010-07-09 1238352]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-08 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2007-03-29 2037352]

"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]

"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2007-07-05 16380416]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-02 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-8 113664]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-8 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-05 15:11 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk

backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2007-03-09 17:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-12 04:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2007-10-11 14:45 31232 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]

2001-05-23 00:17 49152 ----a-w- c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]

2007-02-09 02:43 95800 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2007-03-14 21:52 3770024 ----a-w- c:\program files\TomTom HOME\TomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=

"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=

"c:\\WINDOWS\\system32\\defrag.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Steam\\SteamApps\\jkalabokis\\team fortress 2\\hl2.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\fear2\\FEAR2.exe"=

"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"c:\\Program Files\\Steam\\steam.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty world at war\\CoDWaW.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty world at war\\CoDWaWmp.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\swkotor\\swkotor.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\assassin's creed 2\\AssassinsCreedIIGame.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\r.u.s.e. beta\\Ruse.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\metro 2033\\metro2033.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect 2\\Binaries\\MassEffect2.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect 2\\MassEffect2Launcher.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect 2\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/9/2010 9:39 PM 28552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [4/28/2009 11:33 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 67656]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/15/2009 4:30 PM 93320]

R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/30/2008 3:21 PM 30152]

S2 0311831276621050mcinstcleanup;McAfee Application Installer Cleanup (0311831276621050);c:\windows\TEMP\031183~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\031183~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S3 cpuz130;cpuz130;\??\c:\docume~1\Jim\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Jim\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/9/2009 4:35 PM 25832]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [5/11/2009 2:11 PM 267760]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [5/11/2009 2:11 PM 218608]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 12872]

.

Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-06-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-15 17:22]

2010-07-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-15 17:22]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab

FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\uckq9agm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\Jim\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Jim\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-aaaAaaa

AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Jim\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-12 17:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-602162358-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1935655697-602162358-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:1f,26,40,04,05,49,4d,e4,c0,b8,84,2a,58,16,3d,bd,94,5a,0a,df,d6,72,59,

8e,5b,3d,15,76,cb,70,32,5c,1c,77,ef,48,a0,7b,91,d7,5b,d3,31,4f,ab,24,4d,ba,\

"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1935655697-602162358-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:81,0f,33,35,34,fe,83,b2,76,70,0e,06,6b,d5,66,e3,2c,db,04,20,8f,

e9,15,dc,a1,19,64,67,ec,57,6d,d0,9f,72,f6,f6,12,44,df,9c,33,af,54,70,2f,0a,\

"rkeysecu"=hex:00,9d,cd,93,ed,cc,95,7d,b2,39,62,1c,fc,25,7c,70

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"NoChange"="1"

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2010-07-12 17:58:41

ComboFix-quarantined-files.txt 2010-07-12 22:58

Pre-Run: 118,101,827,584 bytes free

Post-Run: 118,115,729,408 bytes free

- - End Of File - - 76B9018B47849668BFA1DF37FBA38D50

Maniac · July 13, 2010

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

Please go here then click on:
Select the option YES, I accept the Terms of Use then click on:
When prompted allow the Add-On/Active X to install.
Now click on Advanced Settings and select the following:

- Remove found threats
- Scan archives
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology

[*]Now click on:

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on:

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

jkal · July 14, 2010

Borislav -

Here's the ESET LOG - However, just FYI - McAfee picked up COMBO-FIX as an ARTEMIS TROJAN and blocked it.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=bc1221254df4a3419b8c182b188dff42

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-07-14 02:03:35

# local_time=2010-07-13 09:03:35 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 37226649 37226649 0 0

# compatibility_mode=5121 16776613 100 96 8898150 31068745 0 0

# compatibility_mode=8192 67108863 100 0 23413414 23413414 0 0

# scanned=313708

# found=0

# cleaned=0

# scan_time=9397

Thanks again,

j

Maniac · July 14, 2010

Please download to your Desktop: Dr.Web CureIt

After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
Once the short scan has finished, Click on the Complete scan radio button.
Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
On the File types tab ensure you select All files
Click on the Actions tab and set the following:
- Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
- Infected packages Archive = Move, E-mails = Report, Containers = Move
- Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
- Do not change the Rename extension - default is: #??
- Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
- Leave prompt on Action checked
[*]On the Log file tab leave the Log to file checked.
[*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
[*]Log mode = Append
[*]Encoding = ANSI
[*]Details Leave Names of file packers and Statistics checked.
[*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
[*]On the General tab leave the Scan Priority on High
[*]Click the Apply button at the bottom, and then the OK button.
[*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
[*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
[*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
[*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
[*]Click 'Yes to all' if it asks if you want to cure/move the files.
[*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
[*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
[*]Save the report to your Desktop. The report will be called DrWeb.csv
[*]Close Dr.Web Cureit.
[*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
[*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

jkal · July 15, 2010

Here are the logs:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:35:11 AM, on 7/15/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PnkBstrB.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Norton Ghost\Agent\VProTray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\program files\steam\steam.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll