
SKYNET and UAC Rootkit Infection (and more?) [Solved]


This topic is locked

#1
tradewizrd
Member, 22 posts
I think I have a SKYNET/UAC Rootkit malware problem. I read the GtG intro advisories and ran the preliminaries suggested, and the fixes suggested for a similar infection, up to the point where ComboFix was required. I didn't want to go ahead alone, and would really appreciate your help. The symptoms are re-directed searches, disabled virus protection and malware search programs, etc.

The prior successfully resolved thread is here (http://www.geekstogo...ll-t248688.html), if what I've got is the same, as I think. Windows Live OneCare had it as Alureon.gen!C and Obfuscator.ET, but RootRepeal showed SKYNET and UACinit.dll, so it might even be worse!!!

Please let me know what I can do to make this easy to resolve. I'm not all that great at computer stuff, but I am diligent and will get back to you pronto.

Thanks in advance!

Here's my MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/19/2009 3:14:59 PM
mbam-log-2009-08-19 (15-14-54).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 183979
Time elapsed: 32 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\SYSTEM32\SKYNETdgpaetpx.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\SKYNETwbqtvtlr.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\SKYNETnqtyxtur.sys (Trojan.Agent) -> No action taken.


Here's the RootRepeal txt file:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/20 14:37
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6E6B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C1F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF64E9000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: SKYNETbiqpktkl
Image Path: C:\WINDOWS\system32\drivers\SKYNETnqtyxtur.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbawkvjxdqp.sys

==EOF==

And the OTL text file:

OTL logfile created on: 8/20/2009 2:44:25 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Branch\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.07 Mb Total Physical Memory | 703.55 Mb Available Physical Memory | 68.84% Memory free
2.40 Gb Paging File | 2.22 Gb Available in Paging File | 92.29% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 48.50 Gb Free Space | 65.14% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC
Current User Name: Branch
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/01/08 20:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/08/14 19:54:00 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/20 14:42:02 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Branch\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2004/05/25 21:15:48 | 00,397,312 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Stopped])
SRV - [2004/04/01 16:05:48 | 00,077,824 | ---- | M] (Broadcom Corp.) -- C:\WINDOWS\System32\basfipm.exe -- (BAsfIpM [Auto | Stopped])
SRV - [2006/03/30 09:15:44 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Stopped])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/12/01 12:01:02 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2008/10/07 21:31:36 | 00,168,432 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Disabled | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [Disabled | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/02/25 18:06:42 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Stopped])
SRV - [2005/06/24 15:16:26 | 00,331,776 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPodService [Disabled | Stopped])
SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Stopped])
SRV - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc [Disabled | Stopped])
SRV - [2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2009/01/09 08:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Stopped])
SRV - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Stopped])
SRV - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Stopped])
SRV - [2003/06/19 21:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Stopped])
SRV - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [On_Demand | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/04/13 17:12:02 | 00,065,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\nwwks.dll -- (NWCWorkstation [Auto | Stopped])
SRV - [2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/03/25 20:29:36 | 00,088,824 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9 [Disabled | Stopped])
SRV - [2007/03/25 20:29:34 | 00,359,160 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9 [Disabled | Stopped])
SRV - [2007/03/26 07:07:26 | 00,310,008 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9 [Disabled | Stopped])
SRV - [2007/03/26 07:07:20 | 01,010,424 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [Disabled | Stopped])
SRV - [2007/03/26 07:07:26 | 00,166,648 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Disabled | Stopped])
SRV - File not found -- -- (WMP54Gv4SVC [Disabled | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/i/749
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://news.yahoo.com/i/749"
FF - prefs.js..extensions.enabledItems: {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}:1.5.2.35
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}:6.0.01
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/03/24 16:42:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/03/01 17:57:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/06/24 09:31:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/14 19:54:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/14 19:54:15 | 00,000,000 | ---D | M]

[2008/08/26 20:34:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\mozilla\Extensions
[2008/08/26 20:34:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/20 09:56:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\mozilla\Firefox\Profiles\epzerqxl.default\extensions
[2009/01/14 06:35:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\mozilla\Firefox\Profiles\epzerqxl.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/12/15 18:25:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\mozilla\Firefox\Profiles\epzerqxl.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2009/08/20 09:56:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/14 19:54:15 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/06/12 05:17:11 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2007/07/27 22:07:18 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007/10/28 20:23:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/04/16 20:22:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/08/06 17:06:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/08/14 19:53:54 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/14 19:53:55 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/04/10 18:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2008/06/27 17:03:12 | 01,446,440 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/08/14 19:54:05 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/03/22 20:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2007/03/05 13:59:06 | 00,645,504 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npOGAPlugin.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/03/24 16:42:09 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2008/10/28 10:13:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/10/28 10:13:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/10/28 10:13:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/10/28 10:13:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/10/28 10:13:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/10/28 10:13:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/10/28 10:13:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2008/03/24 16:42:28 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll
[2008/03/24 16:41:52 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2008/12/01 12:01:02 | 00,114,540 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\mozilla firefox\plugins\np_gp.dll
[2009/08/14 19:54:07 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/08/14 19:54:07 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/11 02:54:58 | 00,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2009/08/14 19:54:07 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/14 19:54:07 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/08/14 19:54:07 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/14 19:54:07 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (23 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (ST) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (MSNToolBandBHO) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! 工具列) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [dla] C:\WINDOWS\System32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [DVDLauncher] C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKCU..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam2.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O8 - Extra context menu item: &Search - File not found
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2008/10/28 10:00:43 | 00,000,000 | ---D | M]
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2008/10/28 10:00:43 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2008/10/28 10:00:43 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2008/10/28 10:00:43 | 00,000,000 | ---D | M]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 47 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 393 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1225676296984 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - C:\WINDOWS\System32\nwwks.dll (Microsoft Corporation)
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/08/20 14:42:02 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Branch\Desktop\OTL.exe
[2009/08/20 14:36:58 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\settings.dat
[2009/08/20 14:36:43 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Branch\Desktop\RootRepeal.exe
[2009/08/20 14:29:28 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\bnxzcijo.sys
[2009/08/20 13:45:41 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/20 13:45:39 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/20 13:45:37 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/20 10:07:19 | 03,942,040 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Branch\Desktop\mbam setup.exe
[2009/08/20 09:45:41 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/20 09:44:46 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Branch\Desktop\erunt_setup.exe
[2009/08/20 09:43:29 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Branch\Desktop\SysRestorePoint.exe
[2009/08/20 09:41:17 | 00,272,384 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Branch\Desktop\TFC.exe
[2009/08/20 09:03:51 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/08/20 08:59:09 | 00,000,000 | ---D | C] -- C:\ERDNT
[2009/08/20 08:59:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/08/20 08:59:05 | 00,000,000 | ---D | C] -- C:\!FixIEDef
[2009/08/20 08:57:45 | 01,130,036 | ---- | C] (Malwareteks.com) -- C:\Documents and Settings\Branch\Desktop\FixIEDef.exe
[2009/08/20 00:44:43 | 00,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata
[2009/08/19 15:37:23 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/08/19 15:37:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/08/19 09:30:04 | 00,195,896 | ---- | C] () -- C:\Documents and Settings\Branch\My Documents\cc_20090819_092958.reg
[2009/08/19 08:51:40 | 00,363,349 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\shark_2.jpg
[2009/08/19 00:11:51 | 03,162,278 | ---- | C] () -- C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-00511102}.BAK
[2009/08/18 12:03:37 | 00,001,824 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
[2009/08/17 14:01:04 | 00,000,690 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\SpywareBlaster.lnk
[2009/08/17 14:01:03 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/08/17 11:27:04 | 00,000,104 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2009/08/17 11:26:59 | 00,001,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2009/08/17 11:25:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/08/17 11:24:18 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2009/08/17 11:24:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/08/17 10:01:15 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/08/15 22:05:14 | 00,670,702 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\Cato Health Care Analysis.pdf
[2009/08/15 17:13:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Branch\My Documents\Downloads
[2009/08/14 08:17:58 | 00,014,109 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\Jag Interior.jpg
[2009/08/14 08:17:36 | 00,026,751 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\Jag Front.jpg
[2009/08/14 07:15:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Branch\Application Data\Malwarebytes
[2009/08/14 07:15:07 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/14 07:15:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/14 06:59:32 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\HijackThis.lnk
[2009/08/14 06:51:13 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Branch\Desktop\HJTInstall.exe
[2009/08/12 08:01:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Branch\Desktop\Anna
[2009/08/12 08:00:34 | 05,288,277 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\Shark T-Shirt.pdf
[2009/08/10 19:24:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/08/10 19:19:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Branch\Application Data\AVG8
[2009/08/10 17:43:13 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/08/10 17:43:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/08/10 16:08:53 | 00,170,571 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\shark_branch copy.jpg
[2009/08/08 08:11:40 | 00,016,896 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\Branch's Reconciliation.xls
[2009/08/07 06:20:19 | 02,909,136 | ---- | C] () -- C:\Documents and Settings\Branch\Desktop\The_Greatest_Prank_Call_Ever_WMV_V8.wmv
[2009/08/06 23:53:26 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/08/06 23:53:26 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

========== Files - Modified Within 14 Days ==========

[2009/08/20 14:42:02 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Branch\Desktop\OTL.exe
[2009/08/20 14:36:58 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\settings.dat
[2009/08/20 14:36:45 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Branch\Desktop\RootRepeal.exe
[2009/08/20 14:31:31 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/08/20 14:30:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/08/20 14:29:28 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\bnxzcijo.sys
[2009/08/20 13:45:41 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/20 10:07:20 | 03,942,040 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Branch\Desktop\mbam setup.exe
[2009/08/20 09:44:47 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Branch\Desktop\erunt_setup.exe
[2009/08/20 09:43:30 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Branch\Desktop\SysRestorePoint.exe
[2009/08/20 09:41:17 | 00,272,384 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Branch\Desktop\TFC.exe
[2009/08/20 08:57:46 | 01,130,036 | ---- | M] (Malwareteks.com) -- C:\Documents and Settings\Branch\Desktop\FixIEDef.exe
[2009/08/20 00:45:14 | 00,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000002-00001102-00000004-00511102}.rfx
[2009/08/20 00:45:14 | 00,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000004-00000000-00000002-00001102-00000004-00511102}.rfx
[2009/08/20 00:45:14 | 00,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000004-00000000-00000002-00001102-00000004-00511102}.rfx
[2009/08/20 00:45:14 | 00,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000004-00000000-00000002-00001102-00000004-00511102}.rfx
[2009/08/20 00:45:14 | 00,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000004-00000000-00000002-00001102-00000004-00511102}.rfx
[2009/08/20 00:45:14 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/08/20 00:45:14 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/08/20 00:44:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/20 00:44:43 | 00,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata
[2009/08/20 00:35:47 | 03,162,278 | ---- | M] () -- C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-00511102}.CDF
[2009/08/20 00:35:47 | 03,162,278 | ---- | M] () -- C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-00511102}.BAK
[2009/08/20 00:35:36 | 00,000,725 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2009/08/20 00:35:36 | 00,000,246 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2009/08/20 00:35:36 | 00,000,229 | -HS- | M] () -- C:\BOOT.INI
[2009/08/19 15:19:10 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/08/19 15:16:59 | 00,029,621 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/08/19 15:16:29 | 06,360,150 | -H-- | M] () -- C:\Documents and Settings\Branch\Local Settings\Application Data\IconCache.db
[2009/08/19 09:30:14 | 00,195,896 | ---- | M] () -- C:\Documents and Settings\Branch\My Documents\cc_20090819_092958.reg
[2009/08/19 08:51:45 | 00,363,349 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\shark_2.jpg
[2009/08/19 07:25:23 | 00,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2009/08/17 14:01:04 | 00,000,690 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\SpywareBlaster.lnk
[2009/08/17 11:32:06 | 00,001,824 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2009/08/17 11:27:04 | 00,000,104 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2009/08/15 22:05:14 | 00,670,702 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\Cato Health Care Analysis.pdf
[2009/08/15 01:00:00 | 00,000,352 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/08/14 08:17:58 | 00,014,109 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\Jag Interior.jpg
[2009/08/14 08:17:36 | 00,026,751 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\Jag Front.jpg
[2009/08/14 06:59:32 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\HijackThis.lnk
[2009/08/14 06:51:15 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Branch\Desktop\HJTInstall.exe
[2009/08/12 08:00:47 | 05,288,277 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\Shark T-Shirt.pdf
[2009/08/10 18:44:28 | 00,001,682 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/08/10 16:08:56 | 00,170,571 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\shark_branch copy.jpg
[2009/08/08 09:41:00 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\Francine's Calculation at Separation.xls
[2009/08/08 09:41:00 | 00,016,896 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\Branch's Reconciliation.xls
[2009/08/07 06:20:23 | 02,909,136 | ---- | M] () -- C:\Documents and Settings\Branch\Desktop\The_Greatest_Prank_Call_Ever_WMV_V8.wmv
[2009/08/06 23:53:26 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/08/06 23:53:26 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for

========== LOP Check ==========

[2009/08/19 07:56:25 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/08/29 22:06:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2007/11/17 11:56:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2009/04/15 10:00:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2008/09/10 06:38:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2008/09/03 20:11:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Roxio
[2005/04/07 10:24:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/08/17 11:42:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2008/09/10 06:42:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2009/08/17 11:47:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/08/19 08:10:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/08/14 17:13:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/07/05 06:51:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zenturi
[2009/07/08 12:53:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2009/08/14 07:15:14 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Branch\Application Data
[2005/05/17 20:03:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\1ClickDVDCopy
[2006/08/14 17:17:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Aim
[2007/12/09 21:09:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\ArcSoft
[2008/08/29 22:06:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Babylon
[2008/09/03 20:03:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Blackberry Desktop
[2009/07/11 13:31:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\CopyToDvd
[2005/04/25 08:05:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\CyberLink
[2008/08/29 10:23:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\EPSON
[2007/08/13 21:33:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Internet Chess Club
[2008/04/14 04:01:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Intuit
[2005/04/16 14:37:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\iPodSoft
[2005/09/12 17:41:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Leadertech
[2008/01/13 11:51:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\OfficeUpdate12
[2008/09/03 20:14:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Research In Motion
[2008/09/05 05:28:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Roxio
[2008/09/03 19:50:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\Smith Micro
[2008/10/30 19:24:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\uTorrent
[2009/07/08 13:23:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Branch\Application Data\ZoomBrowser EX
[2004/08/04 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\DESKTOP.INI
[2009/08/15 01:00:00 | 00,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/08/01 01:00:00 | 00,000,354 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/08/20 00:44:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/08/19 15:19:10 | 00,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
< End of report >

And the OTL Extras:

OTL Extras logfile created on: 8/20/2009 2:44:25 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Branch\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.07 Mb Total Physical Memory | 703.55 Mb Available Physical Memory | 68.84% Memory free
2.40 Gb Paging File | 2.22 Gb Available in Paging File | 92.29% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 48.50 Gb Free Space | 65.14% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC
Current User Name: Branch
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\blp\Wintrv\wintrv.exe" = C:\blp\Wintrv\wintrv.exe:*:Enabled:BLOOMBERG -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{0D6D96F4-0CAF-4522-B05F-70A88EDECDFD}" = ArcSoft Print Creations
"{0D9F412B-AB21-4E89-B5AD-4F2F3EFF1CB8}" = WON eSignal Connectivity
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1CA2E5E4-F4FE-44B4-95E9-77523FB95838}" = EPSON Stylus CX9400Fax Series Scanner Driver Update
"{25D24E84-64A9-40D2-85CF-540B1C4A6D52}" = Broadcom ASF Management Applications
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{412033BC-44CF-48D9-B813-4B835101F4D3}" = Adobe Illustrator 10.0.3
"{47808F78-F178-49DC-B708-15FE538B16FF}" = iTunes
"{48AFBB60-8CF5-4605-BB04-704DD8702B80}" = VZAccess Manager for RIM
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}" = Roxio Media Manager
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A136B9A-1895-436F-83F8-30D9C68BB6EA}" = Rhapsody Player Engine
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{75D6745B-2239-4182-A31F-F95CEBB35099}" = BlackBerry Desktop Software 4.2.2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}" = Microsoft Visual C Runtime
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow! Plus
"{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}" = Google Earth
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AA77219C-0A77-4FF3-8CC5-2DC08469E6FF}_is1" = Karaoke CD+G Creator Pro
"{ABEB838C-A1A7-4C5D-B7E1-8B4314600813}" = MSN Messenger 7.0
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D03E7B00-CA85-4684-9321-1888873C34BD}" = ArcSoft PhotoImpression 6
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"Adobe AIR" = Adobe AIR
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"ATI Display Driver" = ATI Display Driver
"AudioConSole" = Creative Audio Console
"Belarc Advisor" = Belarc Advisor 8.1
"BlackBerry_{75D6745B-2239-4182-A31F-F95CEBB35099}" = BlackBerry Desktop Software 4.2.2
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner (remove only)
"CopyToDVD_is1" = CopyToDVD
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"ExtractNow_is1" = ExtractNow
"Forte Agent" = Forté Agent
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{25D24E84-64A9-40D2-85CF-540B1C4A6D52}" = Broadcom ASF Management Applications
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"InstallShield_{47808F78-F178-49DC-B708-15FE538B16FF}" = iTunes
"iPod Agent_is1" = iPod Agent 0.8.1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MSN Toolbar" = MSN Toolbar
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoStitch" = Canon Utilities PhotoStitch
"Q828026" = Windows Media Player Hotfix [See Q828026 for more information]
"QuickTime" = QuickTime
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer
"RealVNC_is1" = VNC Free Edition 4.1.2
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Silent Package Run-Time Sample" = EPSON CX9400 User's Guide
"SpywareBlaster_is1" = SpywareBlaster 4.2
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Anti-Spy" = Yahoo! Anti-Spy
"Yahoo! Companion" = Yahoo! ¤u¨ã¦C
"Yahoo! Customizations" = Yahoo! extras
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"YInstHelper" = Yahoo! Install Manager
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/20/2009 5:34:12 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of c:\WINDOWS\Installer\3b10a22.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:12 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of c:\WINDOWS\Installer\3b10a22.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:12 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\5067.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:12 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\5067.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:12 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\16d4900.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:12 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\16d4900.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:13 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\1efcd.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:13 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\1efcd.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:13 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\ebe50c.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 8/20/2009 5:34:13 AM | Computer Name = PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\ebe50c.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

[ System Events ]
Error - 8/20/2009 5:12:48 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:12:50 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:12:50 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:12:51 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:22:24 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:22:24 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:22:24 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:28:49 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:28:49 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 8/20/2009 5:28:49 PM | Computer Name = PC | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058


< End of report >

#2 sage5 (Retired Staff, 2,646 posts, RIP 10/2009)

Hi tradewizard,

Welcome to Geeks to Go!
I am sage5, and I will be helping you with this problem.

There are some things that I need to make clear to you, before we continue, that will help us both:
  • Please read all of my instructions, in each post, before you continue with the fix. (If there is anything that you need clarified/don't understand, please ask)
  • Please don't perform any steps/fixes with tools that I have not asked you to do. Many of the fixes require specific steps to be taken in a set order.
  • Make sure that all of the logs/reports, that I ask for, get posted completely.
  • Check out the information Here, if you are unsure how to send replies etc

OK, on with the fix:

Open RootRepeal, click the Hidden Services tab and select Scan. Right-click and select Wipe File on:

SKYNETbiqpktkl
UACd.sys


Reboot your machine

Please download the following & save to your Desktop:
If you have not yet downloaded ComboFix do so now. If you have a copy that is more than a couple of days old, delete it & download the latest version from:
Link 1
Link 2

NOTE: If you are a guest watching this topic: ComboFix is a very powerful tool. The disclaimer clearly states that you should not use it without supervision. There is good reason for this as ComboFix can, and sometimes does, run into conflict on a computer and render it unusable.

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the text from C:\ComboFix.txt in your next reply.

Cheers,

sage5

#3 tradewizrd (Topic Starter, Member, 22 posts)

Thanks for getting back to me so quickly! I ran RootRepeal scan under Hidden Services and it listed the files (and a third, BASFND).

I right-clicked and wiped UACd.sys successfully, but doing the same to SKYNETbiqpktkl returned an error message:

RootRepeal Error
Could not find file on disk

log follows:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/21 09:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden Services
-------------------
Service Name: BASFND
Image Path: C:\WINDOWS\system32\Drivers\BASFND.sys

Service Name: SKYNETbiqpktkl
Image Path: C:\WINDOWS\system32\drivers\SKYNETnqtyxtur.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbawkvjxdqp.sys

Please advise.

#4 sage5 (Retired Staff, 2,646 posts, RIP 10/2009)

OK, let's try this:
Open RootRepeal, click the Hidden Services tab and select Scan. Right-click and select Force Delete on:

SKYNETnqtyxtur.sys --->(BASFND.sys is a Broadcom driver, so leave it be)

Reboot your machine

When done, continue with the ComboFix scan instructions in the last post & post me the log file produced


Cheers,

sage5

#5 tradewizrd (Topic Starter, Member, 22 posts)

Sage,
Ran RootRepeal scan for Hidden Files, tried to force delete the SKYNET file without success.

Error Message said:

Could not force delete file! Error code 0xc0000034!

log follows:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/21 18:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden Services
-------------------
Service Name: BASFND
Image Path: C:\WINDOWS\system32\Drivers\BASFND.sys

Service Name: SKYNETbiqpktkl
Image Path: C:\WINDOWS\system32\drivers\SKYNETnqtyxtur.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbawkvjxdqp.sys


btw, don't know if it is significant, but when I run RootRepeal (from the desktop icon), I get an error message at initialization that reads:

"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog."

When I click on "OK" about five times, the program screen shows.

Please advise.

#6 sage5 (Retired Staff, 2,646 posts, RIP 10/2009)

Alright, let's see if we can get the ComboFix scan done.
Post the log file created as your next reply.

Cheers,

sage5

#7 tradewizrd (Topic Starter, Member, 22 posts)

Sage5,
I ran ComboFix and it returned this log:

ComboFix 09-08-21.01 - Branch 08/21/2009 21:32.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.781 [GMT -7:00]
Running from: c:\documents and settings\Branch\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\138cc2.msp
c:\windows\Installer\167d43.msp
c:\windows\Installer\167da7.msp
c:\windows\Installer\326523.msi
c:\windows\Installer\326529.msi
c:\windows\Installer\91800.msp
c:\windows\Installer\c9aed1.msi
c:\windows\Installer\fe798.msp
c:\windows\Installer\fe7fc.msp
c:\windows\system32\drivers\fad.sys
c:\windows\system32\uacinit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWCWORKSTATION
-------\Legacy_SKYNETbiqpktkl
-------\Legacy_UACd.sys
-------\Service_NWCWorkstation
-------\Service_SKYNETbiqpktkl
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-20 23:01 . 2009-08-20 23:01 -------- d-----w- C:\bd234416596857541efb022f6e68
2009-08-20 20:45 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 20:45 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 16:45 . 2009-08-20 16:45 -------- d-----w- c:\program files\ERUNT
2009-08-20 16:03 . 2009-08-20 16:03 -------- d-----w- C:\VundoFix Backups
2009-08-20 15:59 . 2009-08-20 15:59 -------- d-----w- C:\ERDNT
2009-08-20 15:59 . 2009-08-20 15:59 -------- d-----w- C:\!FixIEDef
2009-08-19 22:37 . 2009-08-20 07:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-19 22:18 . 2009-08-20 21:31 19968 ----a-w- c:\windows\system32\UACcbqpcimkjt.dll
2009-08-17 21:01 . 2009-08-17 21:09 -------- d-----w- c:\program files\SpywareBlaster
2009-08-17 18:25 . 2009-08-17 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-17 18:24 . 2009-08-17 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-17 18:24 . 2009-08-17 18:24 -------- d-----w- c:\program files\Common Files\iS3
2009-08-17 17:01 . 2009-08-17 17:01 -------- d-----w- C:\_OTM
2009-08-17 13:47 . 2009-08-20 21:31 30208 ----a-w- c:\windows\system32\UACebeufmpxbx.dll
2009-08-17 13:46 . 2009-08-20 21:31 174 ----a-w- c:\windows\system32\UAClnlsbisqsv.dat
2009-08-17 13:46 . 2009-08-17 13:46 26624 ----a-w- c:\windows\system32\UACqjejklyxud.dll
2009-08-17 13:46 . 2009-08-17 13:46 54784 ----a-w- c:\windows\system32\drivers\UACbawkvjxdqp.sys
2009-08-14 14:15 . 2009-08-14 14:15 -------- d-----w- c:\documents and settings\Branch\Application Data\Malwarebytes
2009-08-14 14:15 . 2009-08-20 20:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 14:15 . 2009-08-14 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-13 14:44 . 2009-08-13 14:44 488960 ----a-w- c:\documents and settings\Branch\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv302-0811070-0-main.dll
2009-08-13 14:44 . 2009-08-13 14:44 319488 ----a-w- c:\documents and settings\Branch\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-08-11 23:24 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 02:24 . 2009-08-19 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-11 02:19 . 2009-08-11 02:19 -------- d-----w- c:\documents and settings\Branch\Application Data\AVG8
2009-08-11 00:43 . 2009-08-20 14:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 00:43 . 2009-08-20 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-01 15:06 . 2009-08-01 15:06 -------- d-----w- c:\program files\Doblon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 04:37 . 2008-09-04 03:14 256 ----a-w- c:\windows\system32\pool.bin
2009-08-19 15:10 . 2007-10-29 04:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-17 18:32 . 2009-08-17 18:26 1824 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-17 18:27 . 2009-08-17 18:27 104 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-17 09:11 . 2009-03-12 18:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-14 12:32 . 2007-04-28 22:14 -------- d-----w- c:\program files\McAfee
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 22:18 . 2005-04-15 04:34 -------- d-----w- c:\program files\ScottradeELITE
2009-08-01 06:17 . 2009-04-09 21:10 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 20:31 . 2005-05-18 02:58 -------- d-----w- c:\documents and settings\Branch\Application Data\CopyToDvd
2009-07-10 10:09 . 2006-08-07 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-08 20:23 . 2007-11-23 04:01 -------- d-----w- c:\documents and settings\Branch\Application Data\ZoomBrowser EX
2009-07-08 19:53 . 2007-11-03 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-06 21:18 . 2009-04-23 21:58 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-29 16:12 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2004-08-04 10:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-14 339968]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-24 185896]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-16 98304]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\SYSTEM32\CTXFIHLP.EXE [2006-08-11 18944]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]

c:\documents and settings\Branch\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2008-3-7 1733936]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"nmservice"=2 (0x2)
"nmraapache"=3 (0x3)
"0176051221207152mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2/25/2009 6:06 PM 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/12/2009 10:42 AM 210216]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/15/2008 6:26 PM 33752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BASFND
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-03-12 17:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-03-12 17:53]

2009-08-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 05:18]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-SITEguard - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.yahoo.com/i/749
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search -
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Branch\Application Data\Mozilla\Firefox\Profiles\epzerqxl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com/i/749
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 21:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\BAsfIpM.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Research in Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Research in Motion\USB Drivers\BbDevMgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\progra~1\McAfee\VIRUSS~1\mcods.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2009-08-22 21:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 04:47

Pre-Run: 51,962,109,952 bytes free
Post-Run: 51,907,031,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
280 --- E O F --- 2009-08-19 10:02

Thanks for the help so far. Let me know what you would like me to do next. By the way, should I re-enable McAfee VirusScan? I believe I still have the Windows firewall going.

Best regards.

#8 sage5 (Retired Staff, 2,646 posts; RIP 10/2009)

Hi tradewizard,

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    
    :Files
    c:\windows\system32\UACcbqpcimkjt.dll
    c:\windows\system32\UACebeufmpxbx.dll
    c:\windows\system32\UAClnlsbisqsv.dat
    c:\windows\system32\UACqjejklyxud.dll
    c:\windows\system32\drivers\UACbawkvjxdqp.sys
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered & reboot if necessary.
  • Now you will EITHER:
    • be asked to "Click OK to open the fix log". Click OK. ---> OR
    • need to retrieve the fix log for me. It will be in the C:\_OTL\Moved Files folder named something like 06082009_112536.log (first 6 digits = date format MMDDYYYY, last 6 digits = Time format HHMMSS (24hr))
  • Copy & paste the text from the most recent log.

Now you should leave your McAfee applications disabled until you have completed the following:
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below, to download and install the latest version.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 14.
  • Scroll down to where it says JRE 6 Update 14.
  • Click the "Download" button to the right.
  • Select your Operating System Platform, & Language and check the box that says: Java SE Runtime Environment 6u14 with JavaFX 1 License Agreement.
  • Click on Continue.
  • Click on the link to download jre-6u14-windows-i586.exe & save to your Desktop.
  • Close all programs you may have running - especially your web browser, then double-click on the jre-6u14-windows-i586.exe
    Note: this version should uninstall all the previous versions from your PC
    (Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

Proceed with the Scan:
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place, like C:\kasper.txt
  • Please post this log in your next reply.

Cheers,

sage5

#9 tradewizrd (Topic Starter, Member, 22 posts)

Sage,
Would you mind providing a link to download OTL.exe? I do not see the icon for the program on my desktop.
Thanks.

#10 sage5 (Retired Staff, 2,646 posts; RIP 10/2009)

You must have had it; the log is in your first post.
No matter, download OTL & save it to your Desktop.

#11 tradewizrd (Topic Starter, Member, 22 posts)

Thank you, Sage5.
I ran OTL and the log follows:

All processes killed
========== OTL ==========
Process explorer.exe killed successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\SITEguard not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
========== FILES ==========
LoadLibrary failed for c:\windows\system32\UACcbqpcimkjt.dll
c:\windows\system32\UACcbqpcimkjt.dll NOT unregistered.
c:\windows\system32\UACcbqpcimkjt.dll moved successfully.
LoadLibrary failed for c:\windows\system32\UACebeufmpxbx.dll
c:\windows\system32\UACebeufmpxbx.dll NOT unregistered.
c:\windows\system32\UACebeufmpxbx.dll moved successfully.
c:\windows\system32\UAClnlsbisqsv.dat moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UACqjejklyxud.dll
c:\windows\system32\UACqjejklyxud.dll NOT unregistered.
c:\windows\system32\UACqjejklyxud.dll moved successfully.
c:\windows\system32\drivers\UACbawkvjxdqp.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Branch
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\Branch\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 111826 bytes
->Java cache emptied: 29654468 bytes
->FireFox cache emptied: 40981826 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32835 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 67.53 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.0.10.7 log created on 08212009_234547

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

*******

I will do the Kaspersky scan next. The OTL icon had disappeared from my desktop, and OTL did not show on my 'start' list of programs, even though I'd used it yesterday. I didn't know how much 'searching' or browsing I should do with the computer in this condition, without disrupting the process. Thanks for the link.

Be back shortly with Kaspersky results.

#12 tradewizrd (Topic Starter, Member, 22 posts)

Sage5,
Here's the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, August 22, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 22, 2009 08:49:20
Records in database: 2675575
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Objects scanned: 76644
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:16:17


File name / Threat / Threats count
C:\Documents and Settings\Branch\My Documents\Downloads\tube3287.exe Infected: Trojan.Win32.Agent.cuog 1
C:\_OTL\MovedFiles\08212009_234547\windows\system32\UACcbqpcimkjt.dll Infected: Packed.Win32.TDSS.y 1
C:\_OTL\MovedFiles\08212009_234547\windows\system32\UACqjejklyxud.dll Infected: Trojan.Win32.TDSS.amwo 1

Selected area has been scanned.

******

Thanks and please advise.

#13 sage5 (Retired Staff, 2,646 posts; RIP 10/2009)

That looks good; we just need to delete the first, the other 2 are quarantined by OTL.
Browse to the C:\Documents and Settings\Branch\My Documents\Downloads\ folder & delete tube3287.exe

Now, you should just need to perform these last cleanup operations & you will be good to go.
Clean out temp files etc:
Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    NOTE: It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process.
    Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
  • Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Cleanup with OTL:
  • Please double-click OTL.exe to run it.
  • Click the Clean up button
  • Click NO at the restart prompt (We will do that in a moment.)

To Clear Restore points, please do the following:
  • Go to Start > Control Panel.
  • Double-click the System icon.
    • NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.
  • Click the System Restore tab.
  • Put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes if you are prompted to restart Windows. Otherwise Reboot normally.
After reboot, you must turn System Restore back on:
  • Go back to the System Restore tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes if you are prompted to restart Windows.

Lastly, some extra or better security for your PC:

The programs recommended below are freeware alternatives to some of your security software & might reduce the potential for spyware infection in the future:

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd stops suspect sites loading ActiveX, popups, etc. onto your PC. An excellent tutorial is Here

Spyware Detection:
Malwarebytes Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.htm) is my favourite here.

Anti-Virus:
The first line of defence, especially since some will now detect trojans as well.
Avira's Avira AntiVir Personal and Grisoft's Avast! Free Edition are among the best freebies.
*Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet.
Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
It is equally important to update the other security software you use, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best & safe surfing in the future,

sage5
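As an added example (not part of the thread, and not OTL's or Kaspersky's own code), the Python below applies the same triage sage5 did in the post above: it parses the Kaspersky result lines, marks detections already sitting in OTL's C:\_OTL\MovedFiles quarantine as handled, and flags filenames that follow the "UAC" plus ten random letters naming seen in this thread's logs. The sample report is reconstructed from post #12; the naming check is a heuristic drawn only from the files listed on this page, not a signature.

```python
import re
from dataclasses import dataclass

# Quarantine folder OTL moves files into (visible in the OTL and Kaspersky logs above).
OTL_QUARANTINE_PREFIX = "c:\\_otl\\movedfiles\\"

# Naming seen in this thread's logs: "UAC" + ten lowercase letters + .dll/.dat/.sys.
# Heuristic derived only from the files on this page; legitimate files can also start with UAC.
UAC_NAME_RE = re.compile(r"^UAC[a-z]{10}\.(dll|dat|sys)$")

# One Kaspersky result line: "<path> Infected: <threat> <count>"
KASPERSKY_LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Sample input constructed from the scan report posted in #12 above.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Documents and Settings\\Branch\\My Documents\\Downloads\\tube3287.exe Infected: Trojan.Win32.Agent.cuog 1
C:\\_OTL\\MovedFiles\\08212009_234547\\windows\\system32\\UACcbqpcimkjt.dll Infected: Packed.Win32.TDSS.y 1
C:\\_OTL\\MovedFiles\\08212009_234547\\windows\\system32\\UACqjejklyxud.dll Infected: Trojan.Win32.TDSS.amwo 1
"""


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    quarantined: bool  # already moved by OTL, so no further action needed
    uac_named: bool    # filename matches the rootkit naming pattern from this thread


def parse_kaspersky_report(text):
    """Parse the 'File name / Threat / Threats count' section of a Kaspersky Online Scanner report."""
    detections = []
    for line in text.splitlines():
        m = KASPERSKY_LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank lines and the 'Selected area has been scanned.' footer
        path = m.group("path")
        filename = path.rsplit("\\", 1)[-1]
        detections.append(Detection(
            path=path,
            threat=m.group("threat"),
            count=int(m.group("count")),
            quarantined=path.lower().startswith(OTL_QUARANTINE_PREFIX),
            uac_named=UAC_NAME_RE.match(filename) is not None,
        ))
    return detections


def remaining_actions(detections):
    """Paths still needing attention: every detection not already in OTL's quarantine."""
    return [d.path for d in detections if not d.quarantined]
```

Run against the sample report, `remaining_actions` returns only the tube3287.exe download, matching the one file sage5 asked to be deleted by hand.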

#14 tradewizrd (Topic Starter, Member, 22 posts)

Sage 5!
Thank you so much for the great work. I really appreciate what you did - and so quickly and efficiently, too. It's a huge relief. I'll go through the software recommendations, and read the material you linked me to.

Should I try to run another scan at Kaspersky or elsewhere? My Google searches are not being re-directed, and the machine sure seems to be running better and faster.

Thanks again

#15 sage5 (Retired Staff, 2,646 posts; RIP 10/2009)

You are very welcome tradewizrd :)

I don't think you need bother with any other scans, we can give your PC a clean bill of health.
1. Make sure that your existing security software (McAfee) is active & regularly updated.

2. Your Java version should now be up to date so you can go through the Add/Remove Programs page of the Control Panel & remove the following redundant versions:
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7

Please take note of any other programs that you don't recognise in that list, and if you are not using them, uninstall them.

All the best,

sage5