Background virus?


Background virus?

Post by GussieFinch on Mon Jul 26, 2010 6:48 pm

Hi there, I've used your service before and I found it to be very helpful. So here I am again!

The last two days my computer's fan has been running continuously (and noisily). Yesterday I did some spyware/malware removal and got rid of some items, which seemed to be the solution.

Today, I wake up to the same thing. I am thinking there is still something running in the background, because the fan is still on, the computer is sluggish, and I am getting the occasional redirect when on the Internet.

Let me know what you want me to run!

Thank you in advance!

Barbara

GussieFinch
Novice

Posts : 47
Joined : 2009-11-29
OS : Windows XP Media Center Edition

Re: Background virus?

Post by Belahzur on Mon Jul 26, 2010 8:49 pm

Hello.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Background virus?

Post by GussieFinch on Mon Jul 26, 2010 10:54 pm

The extras.txt wasn't created. Is this normal/okay?
OTL logfile created on: 7/26/2010 5:42:09 PM - Run 4
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\z\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 81.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.91 Gb Total Space | 84.03 Gb Free Space | 58.39% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 953.73 Mb Total Space | 318.00 Mb Free Space | 33.34% Space Free | Partition Type: FAT
Drive F: | 953.73 Mb Total Space | 536.97 Mb Free Space | 56.30% Space Free | Partition Type: FAT
Drive G: | 931.51 Gb Total Space | 499.68 Gb Free Space | 53.64% Space Free | Partition Type: NTFS
Drive H: | 953.73 Mb Total Space | 357.39 Mb Free Space | 37.47% Space Free | Partition Type: FAT
Drive I: | 953.73 Mb Total Space | 931.53 Mb Free Space | 97.67% Space Free | Partition Type: FAT
Drive K: | 465.76 Gb Total Space | 258.31 Gb Free Space | 55.46% Space Free | Partition Type: NTFS

Computer Name: MAIN_DELL
Current User Name: z
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/26 17:32:31 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\z\Desktop\OTL.exe
PRC - [2010/07/26 17:18:25 | 000,059,964 | ---- | M] (Macrovision Europe Ltd.) -- C:\Documents and Settings\z\Local Settings\temp\clclean.0001
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/02/03 00:55:40 | 003,941,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Altiris\StreamingAgent\bin\AppMgrService.exe
PRC - [2009/02/03 00:55:36 | 001,119,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Altiris\StreamingAgent\bin\AppMgrGui.exe
PRC - [2008/04/17 13:50:24 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/22 13:33:10 | 000,109,344 | ---- | M] (Logitech Inc.) -- c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2006/12/22 13:27:28 | 000,497,176 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
PRC - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2006/03/21 10:30:17 | 000,069,632 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2005/09/08 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/02/23 16:57:24 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Mixer\CTSVolFE.exe
PRC - [2003/08/27 11:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/07/26 17:32:31 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\z\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2006/12/22 13:32:58 | 000,092,960 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcInj.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (gusvc)
SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2009/02/03 00:55:40 | 003,941,792 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Altiris\StreamingAgent\bin\AppMgrService.exe -- (AppMgrService)
SRV - [2006/12/22 13:34:52 | 000,105,248 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2006/12/22 13:33:10 | 000,109,344 | ---- | M] (Logitech Inc.) [Auto | Running] -- c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [2006/03/21 10:30:17 | 000,069,632 | ---- | M] (Creative Labs) [On_Demand | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2003/08/27 11:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\z\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/02/02 23:59:02 | 000,160,768 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\AppStream.sys -- (APPSTREAM)
DRV - [2009/02/02 23:58:10 | 000,138,752 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\RegHook.sys -- (REGHOOK)
DRV - [2008/04/13 13:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/24 17:37:00 | 000,138,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2006/12/22 13:32:48 | 000,025,632 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2006/12/22 13:32:24 | 001,963,680 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2006/12/22 13:30:42 | 001,683,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2006/12/14 22:42:18 | 000,022,432 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2006/12/14 22:42:08 | 001,090,720 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 5000(UVC)
DRV - [2006/12/14 22:41:56 | 000,041,248 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2006/12/14 22:40:14 | 001,513,120 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2006/03/21 10:35:15 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/09/12 04:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/08/04 05:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/06/06 22:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/05/25 23:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTUSFSYN.SYS -- (CTUSFSYN)
DRV - [2005/03/25 17:11:00 | 001,350,272 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sigfilt.sys -- (sigfilt)
DRV - [2005/03/05 01:06:50 | 000,135,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinavxx.sys -- (ATIAVPCI)
DRV - [2005/01/11 01:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2005/01/11 01:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2004/12/23 02:58:00 | 000,008,704 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/03/24 11:12:44 | 000,004,272 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\bvrp_pci.sys -- (bvrp_pci)
DRV - [2004/02/09 12:06:22 | 000,015,360 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NetMotCM.sys -- (ndiscm)
DRV - [2003/11/17 22:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 22:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 22:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [You must be registered and logged in to see this link.] [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/29 09:41:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4C96E80D-68EC-4BB8-B340-0BE6EE953952}: C:\Documents and Settings\z\Local Settings\Application Data\{4C96E80D-68EC-4BB8-B340-0BE6EE953952} [2010/07/25 17:54:43 | 000,000,000 | ---D | M]

[2010/07/24 17:15:58 | 000,002,076 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2010/07/25 20:53:48 | 000,413,985 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14321 more lines...
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems)
O4 - HKLM..\Run: [AppMgrGui] C:\Program Files\Altiris\StreamingAgent\bin\exeForService.exe (Symantec Corporation)
O4 - HKLM..\Run: [CTSVolFE] C:\Program Files\Creative\Mixer\CTSVolFE.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [Dqokojuyib] C:\WINDOWS\irecehez.DLL (Sonic Solutions)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Logitech Inc.)
O4 - HKLM..\Run: [MBMon] C:\WINDOWS\System32\CTMBHA.DLL ()
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKCU..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKCU\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: citibank.com ([online] https in Trusted sites)
O15 - HKCU\..Trusted Domains: gamehouse.com ([global.fb] http in Local intranet)
O15 - HKCU\..Trusted Domains: lasallebank.com ([onlinebanking] https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [You must be registered and logged in to see this link.] (Office Genuine Advantage Validation Tool)
O16 - DPF: {3356DB7C-58A7-11D4-AA5C-006097314BF8} [You must be registered and logged in to see this link.] (LaunchObj Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} [You must be registered and logged in to see this link.] (Snapfish Activia)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} [You must be registered and logged in to see this link.] (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} [You must be registered and logged in to see this link.] (Groove Control)
O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} [You must be registered and logged in to see this link.] (IWS Photo Upload Tool)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} [You must be registered and logged in to see this link.] (Virtools WebPlayer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} [You must be registered and logged in to see this link.] (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} [You must be registered and logged in to see this link.] (Persits Software XUpload)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\z\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\z\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {2D0C3614-D550-4b6b-BF80-D83C4544D6AE} - C:\Program Files\Altiris\StreamingAgent\bin\ShExecHook.dll (Symantec Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/03/23 15:28:28 | 000,000,090 | ---- | M] () - E:\AUTORUN.INF -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/26 17:32:54 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\z\Desktop\OTL.exe
[2010/07/25 17:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\z\Local Settings\Application Data\{4C96E80D-68EC-4BB8-B340-0BE6EE953952}
[2010/07/25 17:53:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\z\Local Settings\Application Data\ekuffvtur
[2010/07/25 17:52:59 | 000,000,000 | ---D | C] -- K:\Documents and Settings
[2010/07/25 17:51:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/24 23:10:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/24 16:59:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/24 16:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/24 16:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/14 01:07:36 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/26 17:43:19 | 000,766,464 | ---- | M] () -- C:\WINDOWS\System32\drivers\mwuzwry.sys
[2010/07/26 17:32:31 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\z\Desktop\OTL.exe
[2010/07/26 17:20:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/26 17:20:05 | 000,031,765 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/07/26 17:18:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/26 17:18:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/26 17:17:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2010/07/26 15:01:44 | 015,728,640 | ---- | M] () -- C:\Documents and Settings\z\ntuser.dat
[2010/07/26 15:01:22 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\z\ntuser.ini
[2010/07/26 15:00:23 | 015,532,540 | -H-- | M] () -- C:\Documents and Settings\z\Local Settings\Application Data\IconCache.db
[2010/07/26 14:53:03 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/07/26 14:45:07 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Nfezikufev.dat
[2010/07/26 13:02:37 | 000,003,874 | ---- | M] () -- C:\Documents and Settings\z\Application Data\SAS7_000.DAT
[2010/07/26 12:28:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qyiveq.bin
[2010/07/25 20:53:48 | 000,413,985 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/25 20:10:45 | 000,000,584 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/07/25 20:10:45 | 000,000,584 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/07/25 17:53:21 | 000,000,150 | ---- | M] () -- C:\zrpt.xml
[2010/07/25 17:51:47 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/25 17:00:01 | 000,000,390 | ---- | M] () -- C:\WINDOWS\tasks\SpeedyPC Program Check.job
[2010/07/24 13:25:43 | 000,000,753 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/24 12:42:51 | 001,871,593 | ---- | M] () -- C:\2010-07-24 Flood_7.jpg
[2010/07/24 12:42:27 | 002,000,184 | ---- | M] () -- C:\2010-07-24 Flood_6.jpg
[2010/07/24 12:42:05 | 000,447,862 | ---- | M] () -- C:\2010-07-24 Flood_5.jpg
[2010/07/24 12:41:48 | 001,062,133 | ---- | M] () -- C:\2010-07-24 Flood_4.jpg
[2010/07/24 12:41:23 | 000,907,730 | ---- | M] () -- C:\2010-07-24 Flood_3.jpg
[2010/07/24 12:41:06 | 001,413,520 | ---- | M] () -- C:\2010-07-24 Flood_2.jpg
[2010/07/24 12:40:43 | 002,144,160 | ---- | M] () -- C:\2010-07-24 Flood_1.jpg
[2010/07/21 07:14:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/18 21:45:37 | 000,033,832 | ---- | M] () -- C:\Documents and Settings\z\Application Data\wklnhst.dat
[2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010/07/15 01:00:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/07/05 20:47:31 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dragon NaturallySpeaking 10.0.lnk
[2010/07/01 01:00:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/06/29 22:14:51 | 000,024,064 | ---- | M] () -- K:\trifold.sig
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/25 17:54:44 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Nfezikufev.dat
[2010/07/25 17:54:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qyiveq.bin
[2010/07/25 17:53:18 | 000,766,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\mwuzwry.sys
[2010/07/25 17:53:17 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/07/25 17:52:58 | 000,000,150 | ---- | C] () -- C:\zrpt.xml
[2010/07/24 12:42:47 | 001,871,593 | ---- | C] () -- C:\2010-07-24 Flood_7.jpg
[2010/07/24 12:42:24 | 002,000,184 | ---- | C] () -- C:\2010-07-24 Flood_6.jpg
[2010/07/24 12:42:03 | 000,447,862 | ---- | C] () -- C:\2010-07-24 Flood_5.jpg
[2010/07/24 12:41:45 | 001,062,133 | ---- | C] () -- C:\2010-07-24 Flood_4.jpg
[2010/07/24 12:41:20 | 000,907,730 | ---- | C] () -- C:\2010-07-24 Flood_3.jpg
[2010/07/24 12:41:03 | 001,413,520 | ---- | C] () -- C:\2010-07-24 Flood_2.jpg
[2010/07/24 12:40:39 | 002,144,160 | ---- | C] () -- C:\2010-07-24 Flood_1.jpg
[2010/06/29 22:14:50 | 000,024,064 | ---- | C] () -- K:\trifold.sig
[2009/10/07 02:46:36 | 000,025,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/02/03 00:31:48 | 000,294,912 | ---- | C] () -- C:\WINDOWS\AppStreamRes1033.dll
[2008/08/28 14:50:12 | 000,000,036 | ---- | C] () -- C:\WINDOWS\AEBFONT.INI
[2008/08/28 14:50:04 | 000,000,013 | ---- | C] () -- C:\WINDOWS\bcpkey.ini
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/13 21:43:59 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/02/13 15:23:18 | 000,048,205 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/01/04 14:01:20 | 000,018,057 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2006/12/26 16:11:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\plclient.INI
[2006/12/23 14:13:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\CTWave32.ini
[2006/12/23 14:00:39 | 000,000,072 | ---- | C] () -- C:\WINDOWS\sbwin.ini
[2006/12/22 13:30:42 | 001,683,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\Lvckap.sys
[2006/08/04 12:14:20 | 000,000,525 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2006/04/12 16:46:08 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/04/01 15:59:44 | 000,000,081 | ---- | C] () -- C:\WINDOWS\PARSONS.INI
[2006/03/25 12:02:44 | 000,004,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys
[2006/03/23 23:04:58 | 000,006,216 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/03/23 23:04:58 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\690E1F2E0D.sys
[2006/03/21 10:50:21 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/03/21 10:43:32 | 000,000,479 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/03/21 10:40:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/21 10:30:44 | 000,005,811 | ---- | C] () -- C:\WINDOWS\System32\CTSBMB.INI
[2006/03/21 10:02:36 | 000,004,969 | ---- | C] () -- C:\WINDOWS\System32\Sigfilt.ini
[2006/03/21 10:02:36 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2006/03/21 10:02:22 | 001,345,520 | ---- | C] () -- C:\WINDOWS\System32\CTMBHA.DLL
[2006/03/21 10:01:18 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 09:38:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 05:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 05:18:33 | 001,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz(3).dll
[2005/08/16 05:18:33 | 001,287,680 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2005/08/05 15:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 234 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5A823589
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >


Re: Background virus?

Post by Belahzur on Tue Jul 27, 2010 9:11 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Background virus?

Post by GussieFinch on Wed Jul 28, 2010 1:29 am

Okay, some SIDENOTES.
Before I ran Combo-Fix, the computer was totally sluggish and hardly loading any websites, so I ran
Malwarebytes, which removed 7 items, and Spybot S&D, which removed Virtumonde.prx.

Then I did have some problems with Combo-Fix and had to interrupt it, but then I finally did get through it. Here's the log:

ComboFix 10-07-26.04 - z 07/27/2010 19:52:46.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.3041 [GMT -5:00]
Running from: c:\documents and settings\z\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\z\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\z\Local Settings\Application Data\{4C96E80D-68EC-4BB8-B340-0BE6EE953952}
c:\documents and settings\z\Local Settings\Application Data\{4C96E80D-68EC-4BB8-B340-0BE6EE953952}\chrome.manifest
c:\documents and settings\z\Local Settings\Application Data\{4C96E80D-68EC-4BB8-B340-0BE6EE953952}\chrome\content\_cfg.js
c:\documents and settings\z\Local Settings\Application Data\{4C96E80D-68EC-4BB8-B340-0BE6EE953952}\chrome\content\overlay.xul
c:\documents and settings\z\Local Settings\Application Data\{4C96E80D-68EC-4BB8-B340-0BE6EE953952}\install.rdf
c:\documents and settings\z\Local Settings\temp\clclean.0001.dir.0001\~df394b.tmp
c:\program files\Mozilla Firefox\searchplugins\google_search.xml

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-25 22:54 . 2010-07-27 20:31 0 ----a-w- c:\windows\Qyiveq.bin
2010-07-25 22:54 . 2010-07-26 19:45 120 ----a-w- c:\windows\Nfezikufev.dat
2010-07-25 22:53 . 2010-07-28 01:05 766464 ----a-w- c:\windows\system32\drivers\mwuzwry.sys
2010-07-25 22:53 . 2010-07-25 22:53 -------- d-----w- c:\documents and settings\z\Local Settings\Application Data\ekuffvtur
2010-07-25 22:51 . 2010-07-25 22:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-14 06:07 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 01:03 . 2007-02-13 20:25 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-27 17:38 . 2007-10-31 01:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-27 17:37 . 2009-04-30 17:32 -------- d-----w- c:\program files\SpywareBlaster
2010-07-27 02:45 . 2010-07-27 02:45 503808 ----a-w- c:\documents and settings\z\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-133298b9-n\msvcp71.dll
2010-07-27 02:45 . 2010-07-27 02:45 499712 ----a-w- c:\documents and settings\z\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-133298b9-n\jmc.dll
2010-07-27 02:45 . 2010-07-27 02:45 348160 ----a-w- c:\documents and settings\z\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-133298b9-n\msvcr71.dll
2010-07-26 18:02 . 2006-12-26 22:49 3874 ----a-w- c:\documents and settings\z\Application Data\SAS7_000.DAT
2010-07-26 01:43 . 2007-09-04 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-25 22:51 . 2009-12-17 08:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-25 00:22 . 2006-04-06 19:35 -------- d-----w- c:\documents and settings\z\Application Data\Canon
2010-07-24 18:30 . 2007-02-14 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-07-19 02:45 . 2006-03-24 19:44 33832 ----a-w- c:\documents and settings\z\Application Data\wklnhst.dat
2010-07-15 20:18 . 2007-02-20 18:03 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-16 02:19 . 2010-06-16 02:19 25214 ----a-r- c:\documents and settings\z\Application Data\Microsoft\Installer\{21614F95-2732-417C-881E-FDD545F9B4BC}\ARPPRODUCTICON.exe
2010-06-16 02:19 . 2006-03-31 18:53 -------- d-----w- c:\program files\The Print Shop 21
2010-06-15 19:02 . 2010-02-18 00:45 339024 ----a-w- c:\documents and settings\z\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-15 18:59 . 2006-03-31 18:59 -------- d-----w- c:\program files\Web Publish
2010-06-15 18:23 . 2006-03-31 18:53 -------- d-----w- c:\program files\Common Files\Broderbund
2010-06-14 14:31 . 2005-08-16 10:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-13 17:35 . 2010-06-13 17:35 -------- d-----w- c:\program files\ESET
2010-06-09 02:14 . 2009-10-15 17:40 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-09 01:33 . 2009-11-28 23:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 01:20 . 2010-06-09 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC
2010-06-09 01:20 . 2010-06-09 01:20 -------- d-----w- c:\program files\SpeedyPC
2010-05-04 17:20 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 10:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-11-28 23:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-11-28 23:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 18:42 . 2006-03-24 04:04 104 --sh--r- c:\windows\system32\690E1F2E0D.sys
2010-03-06 18:42 . 2006-03-24 04:04 6216 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 497176]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-23 149280]
"AppMgrGui"="c:\program files\Altiris\StreamingAgent\bin\exeForService.exe" [2009-02-03 54688]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-03 160592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{2D0C3614-D550-4b6b-BF80-D83C4544D6AE}"= "c:\program files\Altiris\StreamingAgent\bin\ShExecHook.dll" [2009-02-03 107936]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CallControl 4.5]
2002-05-18 16:05 122368 ----a-w- c:\program files\FaxTalk Communicator\FTCtrl32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-09-15 15:47 57344 ------w- c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 ----a-w- c:\progra~1\DELLSU~1\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2007-10-08 21:50 41824 ----a-w- c:\program files\Common Files\AOL\1170476348\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 02:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-11-20 04:10 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 21:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2006-12-22 18:28 756248 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-18 19:00 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
2002-02-21 01:01 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-03-21 15:35 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2008-05-03 17:19 160592 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-03-07 03:54 24095528 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-17 18:50 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2005-09-19 13:42 1159168 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170476348\\ee\\aolsoftware.exe"=

R1 APPSTREAM;AppStream;c:\windows\system32\drivers\AppStream.sys [2/2/2009 11:59 PM 160768]
R2 AppMgrService;AWE 6.1 Streaming Agent;c:\program files\Altiris\StreamingAgent\bin\AppMgrService.exe [2/3/2009 12:55 AM 3941792]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/1/2008 9:57 PM 93320]
R2 REGHOOK;REGHOOK;c:\windows\system32\drivers\RegHook.sys [2/2/2009 11:58 PM 138752]

--- Other Services/Drivers In Memory ---

*Deregistered* - mwuzwry

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-20 17:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-20 17:22]

2010-07-27 c:\windows\Tasks\SpeedyPC Program Check.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2010-03-18 00:03]

2010-06-09 c:\windows\Tasks\SpeedyPC.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2010-03-18 00:03]

2010-07-27 c:\windows\Tasks\Updater.job
- k:\documents and settings\All Users\Application Data\Update\seupd.exe [2010-07-24 22:16]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: citibank.com\online
Trusted Zone: lasallebank.com\onlinebanking
Trusted Zone: musicmatch.com\online
DPF: {3356DB7C-58A7-11D4-AA5C-006097314BF8} - [You must be registered and logged in to see this link.]
DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Dqokojuyib - c:\windows\irecehez.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-27 20:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mwuzwry]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4154388428-524900779-1368262275-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:06,70,88,7e,1a,eb,83,91,be,92,ac,83,fb,c1,a3,5f,d1,9c,66,69,bf,eb,d4,
ac,6d,97,17,37,0a,ed,86,3e,50,d8,0e,1c,7d,a2,85,1d,c2,90,61,c8,d6,c3,a5,91,\
"??"=hex:b3,63,35,0c,d0,1b,29,1f,0b,4d,22,c5,a9,03,97,e6

[HKEY_USERS\S-1-5-21-4154388428-524900779-1368262275-1005_Classes\Appstream\GhostRegistryChangesRoot\Software\Classes]
"SymbolicLinkValue"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6520)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\wanmpsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\z\LOCALS~1\Temp\clclean.0001
c:\program files\Altiris\StreamingAgent\Bin\AppMgrGui.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
.
**************************************************************************
.
Completion time: 2010-07-27 20:12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-28 01:12
ComboFix2.txt 2010-06-13 03:03

Pre-Run: 90,074,288,128 bytes free
Post-Run: 90,059,341,824 bytes free

- - End Of File - - E182B904A0E8BD2C0717DC1943912A70


Re: Background virus?

Post by Belahzur on Fri Jul 30, 2010 12:16 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    File::
    c:\windows\Qyiveq.bin
    c:\windows\Nfezikufev.dat
    c:\windows\system32\drivers\mwuzwry.sys

    Folder::
    c:\documents and settings\z\Local Settings\Application Data\ekuffvtur

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mwuzwry]

    RegLock::
    [HKEY_USERS\S-1-5-21-4154388428-524900779-1368262275-1005_Classes\Appstream\GhostRegistryChangesRoot\Software\Classes]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

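A dry-run parser for the CFScript format used in the post above, added here as an example (it is not ComboFix's own code, nor the helper's): it splits the script into its sections, validates every entry, and lists what the script would delete or unlock before it is ever handed to ComboFix. The section meanings are inferred from the script as posted and are an assumption, since ComboFix is closed source.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the CFScript from the post above, embedded so the
# example runs offline without touching a real machine.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\Qyiveq.bin
c:\windows\Nfezikufev.dat
c:\windows\system32\drivers\mwuzwry.sys

Folder::
c:\documents and settings\z\Local Settings\Application Data\ekuffvtur

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mwuzwry]

RegLock::
[HKEY_USERS\S-1-5-21-4154388428-524900779-1368262275-1005_Classes\Appstream\GhostRegistryChangesRoot\Software\Classes]
"""

# Section meanings as they are used in the script above. ComboFix is closed
# source, so this mapping is an assumption drawn from the thread, not documentation:
#   File::     absolute file paths to delete
#   Folder::   absolute folder paths to delete
#   Registry:: regedit-style lines: "[-KEY]" deletes KEY, "[KEY]" selects it,
#              and a following "name"=... line sets (or, with =-, removes) a value
#   RegLock::  locked keys to unlock
KNOWN_SECTIONS = {"File", "Folder", "Registry", "RegLock"}

WIN_PATH = re.compile(r"^[A-Za-z]:\\\S.*$")  # drive-letter absolute path
HIVE = r"(?:HKEY_[A-Z_]+|HKLM|HKCU|HKU|HKCR)\\"
REG_KEY = re.compile(r"^\[(-?)(" + HIVE + r"[^\[\]]+)\]$")
REG_VALUE = re.compile(r'^("[^"]*"|@)=(.*)$')

Action = Tuple[str, str]


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [entries]}; a header is a line ending in '::'."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # the forum post indents the script; indentation is not significant
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            if current not in KNOWN_SECTIONS:
                raise ValueError(f"unknown section header: {line!r}")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def plan_actions(sections: Dict[str, List[str]]) -> List[Action]:
    """Map entries to (action, target) pairs, rejecting malformed ones so a typo
    cannot silently become a deletion of something else."""
    actions: List[Action] = []
    for kind, verb in (("File", "delete_file"), ("Folder", "delete_folder")):
        for entry in sections.get(kind, []):
            if not WIN_PATH.match(entry):
                raise ValueError(f"{kind}:: entry is not an absolute path: {entry!r}")
            actions.append((verb, entry))
    current_key = None
    for entry in sections.get("Registry", []):
        key = REG_KEY.match(entry)
        value = REG_VALUE.match(entry)
        if key:
            current_key = key.group(2)
            actions.append(("delete_key" if key.group(1) else "select_key", current_key))
        elif value and current_key:
            verb = "delete_value" if value.group(2) == "-" else "set_value"
            actions.append((verb, current_key + "\\" + value.group(1)))
        else:
            raise ValueError(f"unrecognised Registry:: line: {entry!r}")
    for entry in sections.get("RegLock", []):
        key = REG_KEY.match(entry)
        if not key or key.group(1):
            raise ValueError(f"RegLock:: entry must be a plain [KEY]: {entry!r}")
        actions.append(("unlock_key", key.group(2)))
    return actions


if __name__ == "__main__":
    # Print the plan for the sample script: what would be deleted or unlocked.
    for verb, target in plan_actions(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(f"{verb:13} {target}")
```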

Re: Background virus?

Post by GussieFinch on Sat Jul 31, 2010 6:44 pm

ComboFix 10-07-26.04 - z 07/31/2010 13:22:11.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.2942 [GMT -5:00]
Running from: c:\documents and settings\z\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\z\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Nfezikufev.dat"
"c:\windows\Qyiveq.bin"
"c:\windows\system32\drivers\mwuzwry.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\z\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\z\Local Settings\Application Data\ekuffvtur
c:\documents and settings\z\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\Nfezikufev.dat
c:\windows\Qyiveq.bin
c:\windows\system32\drivers\mwuzwry.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_mwuzwry
-------\Service_mwuzwry


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-25 22:51 . 2010-07-25 22:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-14 06:07 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 18:32 . 2007-02-13 20:25 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-27 17:38 . 2007-10-31 01:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-27 17:37 . 2009-04-30 17:32 -------- d-----w- c:\program files\SpywareBlaster
2010-07-27 02:45 . 2010-07-27 02:45 503808 ----a-w- c:\documents and settings\z\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-133298b9-n\msvcp71.dll
2010-07-27 02:45 . 2010-07-27 02:45 499712 ----a-w- c:\documents and settings\z\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-133298b9-n\jmc.dll
2010-07-27 02:45 . 2010-07-27 02:45 348160 ----a-w- c:\documents and settings\z\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-133298b9-n\msvcr71.dll
2010-07-26 18:02 . 2006-12-26 22:49 3874 ----a-w- c:\documents and settings\z\Application Data\SAS7_000.DAT
2010-07-26 01:43 . 2007-09-04 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-25 22:51 . 2009-12-17 08:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-25 00:22 . 2006-04-06 19:35 -------- d-----w- c:\documents and settings\z\Application Data\Canon
2010-07-24 18:30 . 2007-02-14 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-07-19 02:45 . 2006-03-24 19:44 33832 ----a-w- c:\documents and settings\z\Application Data\wklnhst.dat
2010-07-15 20:18 . 2007-02-20 18:03 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-16 02:19 . 2010-06-16 02:19 25214 ----a-r- c:\documents and settings\z\Application Data\Microsoft\Installer\{21614F95-2732-417C-881E-FDD545F9B4BC}\ARPPRODUCTICON.exe
2010-06-16 02:19 . 2006-03-31 18:53 -------- d-----w- c:\program files\The Print Shop 21
2010-06-15 19:02 . 2010-02-18 00:45 339024 ----a-w- c:\documents and settings\z\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-15 18:59 . 2006-03-31 18:59 -------- d-----w- c:\program files\Web Publish
2010-06-15 18:23 . 2006-03-31 18:53 -------- d-----w- c:\program files\Common Files\Broderbund
2010-06-14 14:31 . 2005-08-16 10:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-13 17:35 . 2010-06-13 17:35 -------- d-----w- c:\program files\ESET
2010-06-09 02:14 . 2009-10-15 17:40 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-09 01:33 . 2009-11-28 23:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 01:20 . 2010-06-09 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC
2010-06-09 01:20 . 2010-06-09 01:20 -------- d-----w- c:\program files\SpeedyPC
2010-05-04 17:20 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-06 18:42 . 2006-03-24 04:04 104 --sh--r- c:\windows\system32\690E1F2E0D.sys
2010-03-06 18:42 . 2006-03-24 04:04 6216 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 497176]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-23 149280]
"AppMgrGui"="c:\program files\Altiris\StreamingAgent\bin\exeForService.exe" [2009-02-03 54688]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-03 160592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{2D0C3614-D550-4b6b-BF80-D83C4544D6AE}"= "c:\program files\Altiris\StreamingAgent\bin\ShExecHook.dll" [2009-02-03 107936]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CallControl 4.5]
2002-05-18 16:05 122368 ----a-w- c:\program files\FaxTalk Communicator\FTCtrl32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-09-15 15:47 57344 ------w- c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 ----a-w- c:\progra~1\DELLSU~1\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2007-10-08 21:50 41824 ----a-w- c:\program files\Common Files\AOL\1170476348\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 02:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-11-20 04:10 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 21:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2006-12-22 18:28 756248 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-18 19:00 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
2002-02-21 01:01 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-03-21 15:35 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2008-05-03 17:19 160592 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-03-07 03:54 24095528 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-17 18:50 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2005-09-19 13:42 1159168 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170476348\\ee\\aolsoftware.exe"=

R1 APPSTREAM;AppStream;c:\windows\system32\drivers\AppStream.sys [2/2/2009 11:59 PM 160768]
R2 AppMgrService;AWE 6.1 Streaming Agent;c:\program files\Altiris\StreamingAgent\bin\AppMgrService.exe [2/3/2009 12:55 AM 3941792]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/1/2008 9:57 PM 93320]
R2 REGHOOK;REGHOOK;c:\windows\system32\drivers\RegHook.sys [2/2/2009 11:58 PM 138752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-20 17:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-20 17:22]

2010-07-30 c:\windows\Tasks\SpeedyPC Program Check.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2010-03-18 00:03]

2010-06-09 c:\windows\Tasks\SpeedyPC.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2010-03-18 00:03]

2010-07-31 c:\windows\Tasks\Updater.job
- k:\documents and settings\All Users\Application Data\Update\seupd.exe [2010-07-24 22:16]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: citibank.com\online
Trusted Zone: lasallebank.com\onlinebanking
Trusted Zone: musicmatch.com\online
DPF: {3356DB7C-58A7-11D4-AA5C-006097314BF8} - [You must be registered and logged in to see this link.]
DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-31 13:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4154388428-524900779-1368262275-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:06,70,88,7e,1a,eb,83,91,be,92,ac,83,fb,c1,a3,5f,d1,9c,66,69,bf,eb,d4,
ac,6d,97,17,37,0a,ed,86,3e,50,d8,0e,1c,7d,a2,85,1d,c2,90,61,c8,d6,c3,a5,91,\
"??"=hex:b3,63,35,0c,d0,1b,29,1f,0b,4d,22,c5,a9,03,97,e6

[HKEY_USERS\S-1-5-21-4154388428-524900779-1368262275-1005_Classes\Appstream\GhostRegistryChangesRoot\Software\Classes]
"SymbolicLinkValue"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4764)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\wanmpsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\z\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Altiris\StreamingAgent\Bin\AppMgrGui.exe
.
**************************************************************************
.
Completion time: 2010-07-31 13:41:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 18:41
ComboFix2.txt 2010-07-28 01:12
ComboFix3.txt 2010-06-13 03:03

Pre-Run: 89,837,457,408 bytes free
Post-Run: 89,901,473,792 bytes free

- - End Of File - - B414C45BD35878B093B9F13F7B16B9BB


Re: Background virus?

Post by Belahzur on Sat Jul 31, 2010 11:20 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Re: Background virus?

Post by GussieFinch on Mon Aug 02, 2010 12:50 am

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6e9985483733004b82f7fefa5657aa2a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-13 06:39:07
# local_time=2010-06-13 01:39:07 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 16580147 16580147 0 0
# compatibility_mode=5121 16776869 100 96 5354407 28456499 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=134091
# found=7
# cleaned=7
# scan_time=2974
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent25.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent55.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Altiris\StreamingAgent\bin\aslogr.exe probably a variant of Win32/TrojanDownloader.Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# IEXPLORE.EXE=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6e9985483733004b82f7fefa5657aa2a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-08-01 05:50:25
# local_time=2010-08-01 12:50:25 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 20810936 20810936 0 0
# compatibility_mode=5121 16776869 100 96 682298 32687288 0 0
# compatibility_mode=8192 67108863 100 0 3310042 3310042 0 0
# scanned=127105
# found=0
# cleaned=0
# scan_time=2863


Re: Background virus?

Post by Belahzur on Mon Aug 02, 2010 6:29 pm

Hello.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
