Tech Support Forum - View Single Post - Repeated Shutdowns after AntiSpyCheck and Security Toolbar 7.1

YeloJakIt · 06-26-2008, 02:29 PM

alright so I tried last known good configuration and that didn't work. It shut down just as before. It didn't seem to help.

The 2nd one worked and here is the log report:

ComboFix 08-06-25.3 - Owner 2008-06-26 14:12:36.1 - NTFSx86

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Application Data\ShoppingReport
C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Michelle\Application Data\ShoppingReport
C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\report\send_storage.xml
.
---- Previous Run -------
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1169173661.old
C:\Program Files\WinBudget\bin\crap.1187408264.old
C:\Program Files\WinBudget\bin\matrix.dll.1187408262.old
C:\Program Files\WinBudget\bin\matrix.dll.1189301722.old
C:\WINDOWS\system32\tdidrv32.sys
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-23 13:52 . 2008-06-23 13:52 <DIR> d-------- C:\Deckard
2008-06-23 13:33 . 2008-06-23 13:33 <DIR> d-------- C:\ie-spyad_zo
2008-06-17 15:52 . 2008-06-17 15:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-17 15:49 . 2008-06-17 15:49 <DIR> d-------- C:\Program Files\Lavalys
2008-06-16 15:19 . 2008-06-16 15:27 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-16 15:19 . 2008-06-16 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-16 00:42 . 2008-06-16 17:08 287,997 --a------ C:\Pass2.cmd
2008-06-16 00:19 . 2008-06-16 17:06 3,162 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-16 00:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-16 00:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-16 00:18 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-16 00:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-16 00:18 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-16 00:18 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-16 00:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-16 00:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-16 00:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-15 19:36 . 2008-06-15 19:36 18 --ah----- C:\SYSREST
2008-06-15 18:46 . 2004-04-02 16:38 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-2S4KN5K0H3\WINDOWS
2008-06-15 18:46 . 2008-06-15 18:47 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-2S4KN5K0H3
2008-06-15 18:42 . 2004-04-02 16:38 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-15 18:42 . 2008-06-15 18:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-11 13:57 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 16:41 . 2008-06-14 23:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-07 16:39 . 2008-06-07 16:39 <DIR> d-------- C:\Program Files\Sun
2008-06-07 16:39 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-07 16:36 . 2008-06-15 18:59 <DIR> d-------- C:\Program Files\LimeWire
2008-06-06 13:12 . 2008-06-06 13:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 19:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-06-26 19:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-23 19:29 --------- d-----w C:\Program Files\BitLord
2008-06-21 22:27 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 04:37 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-06-17 21:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-06-17 17:34 --------- d-----w C:\Program Files\McAfee
2008-06-16 21:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2008-06-16 00:54 --------- d-----w C:\Program Files\Microsoft Plus! Digital Media Edition
2008-06-16 00:53 --------- d-----w C:\Program Files\DivX
2008-06-16 00:53 --------- d-----w C:\Program Files\DAP
2008-06-14 05:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 22:39 --------- d-----w C:\Program Files\Java
2008-05-14 04:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 22:14 --------- d-----w C:\Documents and Settings\Michelle\Application Data\U3
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-15 23:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.EXE" [2007-12-04 13:32 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]

C:\Documents and Settings\Michelle\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2007-11-08 01:15 4568576 C:\Program Files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-10-25 16:33 563984 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 16:37 2178832 C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2004-11-11 19:50 212992 C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-30 22:57 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--------- 2004-01-16 05:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"PlugPlay"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"MpfService"=2 (0x2)
"mnmsrvc"=3 (0x3)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrvR"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"Fax"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 16:00:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-04-03 04:05:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1159232941.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-05-15 07:45:26 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-01 07:00:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
BHO-{95667A7A-03B3-4EE0-91AE-A4DE74D25729} - C:\WINDOWS\system32\162123\162123.dll
BHO-{99BA268B-4021-4739-9945-3C774217FE75} - C:\Program Files\NetProject\sbmdl.dll
Toolbar-{51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
WebBrowser-{51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
SharedTaskScheduler-{257f6f44-2c64-46bb-acb4-55f9b9e0ae08} - C:\WINDOWS\system32\psqnuvo.dll
MSConfigStartUp-AntiSpyCheck - C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe
MSConfigStartUp-AntiSpyCheck 2.1 - C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe
MSConfigStartUp-Bart Station - C:\Program Files\ISP50\hta\station.sbrt
MSConfigStartUp-KernelFaultCheck - C:\WINDOWS\system32\dumprep 0 -k

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 14:16:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
Completion time: 2008-06-26 14:18:30
ComboFix-quarantined-files.txt 2008-06-26 20:18:12

Pre-Run: 94,198,894,592 bytes free
Post-Run: 95,201,308,672 bytes free

290 --- E O F --- 2008-06-25 22:28:14

Other details I thought I should mention:[list][*]computer doesn't shut off by itself in safe mode if untouched

computer seems to shut off when computer takes on large task in safe mode but in normal mode will shut off sooner or later
I am using a laptop to post forums, so i have to use a jump drive to transport logs and programs. Is this dangerous to my laptop?

06-26-2008, 02:29 PM	#8 (permalink)
YeloJakIt Registered User Join Date: Jun 2008 Posts: 15 OS: xp	Re: Repeated Shutdowns after AntiSpyCheck and Security Toolbar 7.1 alright so I tried last known good configuration and that didn't work. It shut down just as before. It didn't seem to help. The 2nd one worked and here is the log report: ComboFix 08-06-25.3 - Owner 2008-06-26 14:12:36.1 - NTFSx86 Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Guest\Application Data\ShoppingReport C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\Config.xml C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\db\Aliases.dbs C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\db\Sites.dbs C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\dwld\WhiteList.xip C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\report\aggr_storage.xml C:\Documents and Settings\Guest\Application Data\ShoppingReport\cs\report\send_storage.xml C:\Documents and Settings\Michelle\Application Data\ShoppingReport C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\Config.xml C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\db\Aliases.dbs C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\db\Sites.dbs C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\dwld\WhiteList.xip C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\report\aggr_storage.xml C:\Documents and Settings\Michelle\Application Data\ShoppingReport\cs\report\send_storage.xml . ---- Previous Run ------- . C:\Program Files\WinBudget C:\Program Files\WinBudget\bin\crap.1169173661.old C:\Program Files\WinBudget\bin\crap.1187408264.old C:\Program Files\WinBudget\bin\matrix.dll.1187408262.old C:\Program Files\WinBudget\bin\matrix.dll.1189301722.old C:\WINDOWS\system32\tdidrv32.sys D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . 2008-06-23 13:52 . 2008-06-23 13:52 <DIR> d-------- C:\Deckard 2008-06-23 13:33 . 2008-06-23 13:33 <DIR> d-------- C:\ie-spyad_zo 2008-06-17 15:52 . 2008-06-17 15:54 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-17 15:49 . 2008-06-17 15:49 <DIR> d-------- C:\Program Files\Lavalys 2008-06-16 15:19 . 2008-06-16 15:27 <DIR> d-------- C:\Program Files\Security Task Manager 2008-06-16 15:19 . 2008-06-16 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan 2008-06-16 00:42 . 2008-06-16 17:08 287,997 --a------ C:\Pass2.cmd 2008-06-16 00:19 . 2008-06-16 17:06 3,162 --a------ C:\WINDOWS\system32\tmp.reg 2008-06-16 00:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2008-06-16 00:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2008-06-16 00:18 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe 2008-06-16 00:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe 2008-06-16 00:18 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe 2008-06-16 00:18 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe 2008-06-16 00:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe 2008-06-16 00:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2008-06-16 00:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2008-06-15 19:36 . 2008-06-15 19:36 18 --ah----- C:\SYSREST 2008-06-15 18:46 . 2004-04-02 16:38 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-2S4KN5K0H3\WINDOWS 2008-06-15 18:46 . 2008-06-15 18:47 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-2S4KN5K0H3 2008-06-15 18:42 . 2004-04-02 16:38 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS 2008-06-15 18:42 . 2008-06-15 18:42 <DIR> d-------- C:\Documents and Settings\Administrator 2008-06-11 13:57 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-07 16:41 . 2008-06-14 23:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire 2008-06-07 16:39 . 2008-06-07 16:39 <DIR> d-------- C:\Program Files\Sun 2008-06-07 16:39 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-06-07 16:36 . 2008-06-15 18:59 <DIR> d-------- C:\Program Files\LimeWire 2008-06-06 13:12 . 2008-06-06 13:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-26 19:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype 2008-06-26 19:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-23 19:29 --------- d-----w C:\Program Files\BitLord 2008-06-21 22:27 --------- d-----w C:\Program Files\Common Files\McAfee 2008-06-20 04:37 --------- d-----w C:\Program Files\Linksys EasyLink Advisor 2008-06-17 21:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3 2008-06-17 17:34 --------- d-----w C:\Program Files\McAfee 2008-06-16 21:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM 2008-06-16 00:54 --------- d-----w C:\Program Files\Microsoft Plus! Digital Media Edition 2008-06-16 00:53 --------- d-----w C:\Program Files\DivX 2008-06-16 00:53 --------- d-----w C:\Program Files\DAP 2008-06-14 05:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM 2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-07 22:39 --------- d-----w C:\Program Files\Java 2008-05-14 04:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-05 22:14 --------- d-----w C:\Documents and Settings\Michelle\Application Data\U3 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll 2008-03-15 23:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.EXE" [2007-12-04 13:32 111904] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208] C:\Documents and Settings\Michelle\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"= [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys] @="Driver" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator] --a------ 2007-11-08 01:15 4568576 C:\Program Files\DAP\DAP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor] --a------ 2006-10-30 11:01 392832 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager] --a------ 2007-10-25 16:33 563984 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon] --a------ 2007-10-25 16:37 2178832 C:\Program Files\Logitech\QuickCam\Quickcam.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe] --a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager] --a------ 2004-11-11 19:50 212992 C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-07-30 22:57 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG] --a------ 2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor] --a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer] --------- 2004-01-16 05:33 49152 C:\WINDOWS\system32\VTTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "xmlprov"=3 (0x3) "WZCSVC"=2 (0x2) "wuauserv"=2 (0x2) "wscsvc"=2 (0x2) "WmiApSrv"=3 (0x3) "WmdmPmSN"=3 (0x3) "winmgmt"=2 (0x2) "WebClient"=2 (0x2) "W32Time"=2 (0x2) "VSS"=3 (0x3) "UPS"=3 (0x3) "upnphost"=3 (0x3) "UMWdf"=2 (0x2) "TrkWks"=2 (0x2) "Themes"=2 (0x2) "TermService"=3 (0x3) "TapiSrv"=3 (0x3) "SysmonLog"=3 (0x3) "SwPrv"=3 (0x3) "stisvc"=2 (0x2) "SSDPSRV"=3 (0x3) "srservice"=2 (0x2) "Spooler"=2 (0x2) "ShellHWDetection"=2 (0x2) "SharedAccess"=2 (0x2) "SENS"=2 (0x2) "seclogon"=2 (0x2) "Schedule"=2 (0x2) "SCardSvr"=3 (0x3) "SamSs"=2 (0x2) "RSVP"=3 (0x3) "RDSessMgr"=3 (0x3) "RasMan"=3 (0x3) "ProtectedStorage"=2 (0x2) "PolicyAgent"=2 (0x2) "Pml Driver HPZ12"=3 (0x3) "PlugPlay"=2 (0x2) "ose"=3 (0x3) "odserv"=3 (0x3) "NtmsSvc"=3 (0x3) "NtLmSsp"=3 (0x3) "Nla"=3 (0x3) "Netman"=3 (0x3) "Netlogon"=3 (0x3) "MSIServer"=3 (0x3) "MSDTC"=3 (0x3) "MpfService"=2 (0x2) "mnmsrvc"=3 (0x3) "McSysmon"=3 (0x3) "McShield"=2 (0x2) "McProxy"=2 (0x2) "McODS"=3 (0x3) "McNASvc"=2 (0x2) "mcmscsvc"=2 (0x2) "LVSrvLauncher"=2 (0x2) "LVPrcSrv"=2 (0x2) "LVCOMSer"=2 (0x2) "LmHosts"=2 (0x2) "lanmanworkstation"=2 (0x2) "lanmanserver"=2 (0x2) "iPod Service"=3 (0x3) "InCDsrvR"=2 (0x2) "ImapiService"=3 (0x3) "idsvc"=3 (0x3) "HTTPFilter"=3 (0x3) "HidServ"=2 (0x2) "helpsvc"=2 (0x2) "gusvc"=3 (0x3) "FontCache3.0.0.0"=3 (0x3) "Fax"=3 (0x3) "FastUserSwitchingCompatibility"=3 (0x3) "EventSystem"=3 (0x3) "Eventlog"=2 (0x2) "ERSvc"=2 (0x2) "Dnscache"=2 (0x2) "dmserver"=3 (0x3) "dmadmin"=3 (0x3) "Dhcp"=2 (0x2) "CryptSvc"=2 (0x2) "COMSysApp"=3 (0x3) "clr_optimization_v2.0.50727_32"=3 (0x3) "CiSvc"=2 (0x2) "Browser"=2 (0x2) "BITS"=2 (0x2) "AudioSrv"=2 (0x2) "aspnet_state"=3 (0x3) "AppMgmt"=3 (0x3) "ALG"=3 (0x3) "Alerter"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= Newly Created Service - CATCHME . Contents of the 'Scheduled Tasks' folder "2008-01-21 16:00:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2007-04-03 04:05:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1159232941.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I "2008-05-15 07:45:26 C:\WINDOWS\Tasks\McDefragTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe' "2008-06-01 07:00:04 C:\WINDOWS\Tasks\McQcTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe . - - - - ORPHANS REMOVED - - - - BHO-{549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) BHO-{95667A7A-03B3-4EE0-91AE-A4DE74D25729} - C:\WINDOWS\system32\162123\162123.dll BHO-{99BA268B-4021-4739-9945-3C774217FE75} - C:\Program Files\NetProject\sbmdl.dll Toolbar-{51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file) WebBrowser-{51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll SharedTaskScheduler-{257f6f44-2c64-46bb-acb4-55f9b9e0ae08} - C:\WINDOWS\system32\psqnuvo.dll MSConfigStartUp-AntiSpyCheck - C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe MSConfigStartUp-AntiSpyCheck 2.1 - C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe MSConfigStartUp-Bart Station - C:\Program Files\ISP50\hta\station.sbrt MSConfigStartUp-KernelFaultCheck - C:\WINDOWS\system32\dumprep 0 -k ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-26 14:16:04 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\EverestDriver] "ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt" . Completion time: 2008-06-26 14:18:30 ComboFix-quarantined-files.txt 2008-06-26 20:18:12 Pre-Run: 94,198,894,592 bytes free Post-Run: 95,201,308,672 bytes free 290 --- E O F --- 2008-06-25 22:28:14 Other details I thought I should mention:[list][*]computer doesn't shut off by itself in safe mode if untouched computer seems to shut off when computer takes on large task in safe mode but in normal mode will shut off sooner or later I am using a laptop to post forums, so i have to use a jump drive to transport logs and programs. Is this dangerous to my laptop?