|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
|
|
LinkBack | Thread Tools |
09-26-2007, 02:00 PM
|
#1 (permalink) |
|
Registered User
Join Date: Mar 2006
Location: Lanark Scotland
Posts: 164
OS: windows xp pro
  |
Am i Infected? (rightonads)random popups
Deckard's System Scanner v20070905.67
Run by Don Tait on 2007-09-26 20:42:33 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 36: 2007-09-26 19:42:39 UTC - RP360 - Deckard's System Scanner Restore Point 35: 2007-09-25 23:21:12 UTC - RP359 - System Checkpoint 34: 2007-09-24 17:47:49 UTC - RP358 - System Checkpoint 33: 2007-09-22 21:10:56 UTC - RP357 - System Checkpoint 32: 2007-09-21 21:07:42 UTC - RP356 - System Checkpoint -- First Restore Point -- 1: 2007-08-15 04:51:36 UTC - RP325 - System Checkpoint Performed disk cleanup. -- HijackThis (run as Don Tait.exe) -------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 20:43:07, on 26/09/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Windows Media Player\WMPNSCFG.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Don Tait\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\DONTAI~1.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molb...4/mcinsctl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188421132921 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188421058312 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molb...21/mcgdmgr.cab O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing) O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing) O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 RecAgent - c:\windows\system32\drivers\sldrv\recagent.sys <Not Verified; ; Modem> R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver> R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver> R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee Security; McAfee Personal Firewall Plus> R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver> R2 nxsIO32 (NextSensor Kernel I/O Driver) - c:\windows\system32\drivers\nxsio32.sys R3 Mtlmnt5 - c:\windows\system32\drivers\sldrv\mtlmnt5.sys <Not Verified; ; Modem> R3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\sldrv\slntamr.sys <Not Verified; ; Modem> R3 SlWdmSup - c:\windows\system32\drivers\sldrv\slwdmsup.sys <Not Verified; ; Modem> S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing) S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing) S3 FXDRV - d:\fxdrv.sys (file missing) S3 Mtlstrm - c:\windows\system32\drivers\sldrv\mtlstrm.sys <Not Verified; ; Modem> S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing) S3 SlNtHal - c:\windows\system32\drivers\sldrv\slnthal.sys <Not Verified; ; Modem> S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64> S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys <Not Verified; VMware, Inc.; VMware virtual network adapter driver (32-bit)> S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S4 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing) S4 SLService (SmartLinkService) - slmdmsr.exe <Not Verified; ; Modem> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: SiS 900-Based PCI Fast Ethernet Adapter Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_0C56105B&REV_90\3&61AAA01&0&20 Manufacturer: SiS Name: SiS 900-Based PCI Fast Ethernet Adapter PNP Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_0C56105B&REV_90\3&61AAA01&0&20 Service: SISNICXP -- Scheduled Tasks ------------------------------------------------------------- 2007-09-26 20:43:00 496 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-junior).job 2007-09-26 20:42:00 500 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-Don Tait).job 2007-09-26 20:42:00 496 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-junior).job 2007-09-26 20:39:00 500 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-Don Tait).job 2007-09-26 20:05:06 260 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job -- Files created between 2007-08-26 and 2007-09-26 ----------------------------- 2007-09-26 19:08:45 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-09-26 19:08:44 0 d-------- C:\WINDOWS\LastGood 2007-09-24 15:37:01 0 d-------- C:\Program Files\Adssite Advanced Toolbar 2007-09-24 15:37:01 0 d-------- C:\Documents and Settings\Don Tait\Application Data\Adssite Advanced Toolbar 2007-09-21 12:47:26 0 dr-h----- C:\Documents and Settings\Don Tait\Recent 2007-09-16 22:18:39 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64> 2007-09-04 22:44:08 0 d-------- C:\Inetpub 2007-08-29 22:24:52 49152 --a------ C:\WINDOWS\InstFunc.exe 2007-08-29 22:24:52 12288 --a------ C:\WINDOWS\InstFunc.dll <Not Verified; Silicon Integrated Systems Corporation; SiS (R) VGA Install Function Dynamic Link Library> 2007-08-29 22:14:57 0 d-------- C:\WINDOWS\system32\Inetsrv6 2007-08-27 21:25:57 0 d-------- C:\Documents and Settings\Don Tait\Application Data\NewzToolz 2007-08-27 21:25:35 0 d-------- C:\Program Files\NewzToolz -- Find3M Report --------------------------------------------------------------- 2007-09-26 19:47:11 0 d-------- C:\Program Files\MSN Messenger 2007-09-26 19:46:51 0 d-------- C:\Program Files\Microsoft Virtual PC 2007-09-26 19:44:11 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-09-26 19:44:07 0 d-------- C:\Program Files\Messenger 2007-09-26 19:41:21 0 d-------- C:\Program Files\Common Files\AOL 2007-09-26 19:40:04 0 d-------- C:\Program Files\AOL 9.0b 2007-09-25 23:27:15 0 d-------- C:\Program Files\Yahoo! 2007-09-03 19:48:05 0 d-------- C:\Documents and Settings\Don Tait\Application Data\uTorrent 2007-08-16 20:10:33 0 d-------- C:\Program Files\MSXML 4.0 2007-08-14 23:49:28 0 d-------- C:\Program Files\CramMaster 2007-08-10 18:31:01 0 d-------- C:\Program Files\UltraISO 2007-08-08 19:14:33 0 d-------- C:\Program Files\AvantGo Connect 2007-08-02 20:51:59 44264 --a------ C:\Documents and Settings\Don Tait\Application Data\GDIPFONTCACHEV1.DAT 2007-07-28 20:55:04 0 d-------- C:\Documents and Settings\Don Tait\Application Data\Talkback 2007-07-28 20:54:42 0 d-------- C:\Documents and Settings\Don Tait\Application Data\Mozilla -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [21/08/2003 18:10] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [27/08/2003 11:00] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [08/08/2003 18:02] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [17/08/2003 21:50] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe" [18/08/2003 18:57] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/03/2006 15:53] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06] "SiSPower"="SiSPower.dll" [02/09/2004 06:47 C:\WINDOWS\system32\SiSPower.dll] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 13:54] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04/01/2005 11:50] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 21:05] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineij32] wineij32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmqx32] winmqx32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpsa32] winpsa32.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1144696762\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=2 (0x2) "SLService"=2 (0x2) "MDM"=2 (0x2) "IDriverT"=3 (0x3) "AOLService"=2 (0x2) "AOL ACS"=2 (0x2) "gusvc"=3 (0x3) -- End of Deckard's System Scanner: finished at 2007-09-26 20:44:35 ------------ Deckard's System Scanner v20070905.67 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel(R) Pentium(R) 4 CPU 3.20GHz CPU 1: Intel(R) Pentium(R) 4 CPU 3.20GHz Percentage of Memory in Use: 51% Physical Memory (total/avail): 735.48 MiB / 353.73 MiB Pagefile Memory (total/avail): 1414.55 MiB / 1105 MiB Virtual Memory (total/avail): 2047.88 MiB / 1967.65 MiB A: is Removable (No Media) C: is Fixed (NTFS) - 151.51 GiB total, 90.15 GiB free. D: is CDROM (No Media) \\.\PHYSICALDRIVE0 - HDT722516DLAT80 - 153.38 GiB - 2 partitions \PARTITION0 (bootable) - Installable File System - 151.51 GiB - C: \PARTITION1 - Unknown - 1921.81 MiB -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is disabled. FirstRunDisabled is set. AntivirusOverride is set. FirewallOverride is set. [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL 9.0" "C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:*:Enabled:AOL" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\AOL 9.0b\\waol.exe"="C:\\Program Files\\AOL 9.0b\\waol.exe:*:Enabled:AOL 9.0b" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL 9.0" "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire" "C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:*:Enabled:AOL" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger" "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\AOL 9.0b\\waol.exe"="C:\\Program Files\\AOL 9.0b\\waol.exe:*:Enabled:AOL 9.0b" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader" "C:\\Program Files\\Common Files\\AOL\\1144696762\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1144696762\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager" "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Don Tait\Application Data CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=DONIETAIT34 ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Don Tait LOGONSERVER=\\DONIETAIT34 NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0403 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\DONTAI~1\LOCALS~1\Temp TMP=C:\DOCUME~1\DONTAI~1\LOCALS~1\Temp USERDOMAIN=DONIETAIT34 USERNAME=Don Tait USERPROFILE=C:\Documents and Settings\Don Tait windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Don Tait (admin) junior Administrator (new local, admin) -- Add/Remove Programs --------------------------------------------------------- --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> --> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL --> C:\WINDOWS\UNRecode.exe /UNINSTALL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003} AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG" AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL BT Voyager 105 ADSL Modem --> C:\Program Files\BT Voyager 105 ADSL Modem\uninstall.exe BT Voyager Modem AOL Test --> C:\WINDOWS\AppRun.exe C:\PROGRA~1\VOYAGE~2 CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe" CramMaster Database --> C:\PROGRA~1\CRAMMA~1\UNWISE.EXE C:\PROGRA~1\CRAMMA~1\Install.log CramMaster Engine --> C:\PROGRA~1\CRAMMA~1\UNWISE.EXE C:\PROGRA~1\CRAMMA~1\Install.log DVD Decoder Pak for Windows XP --> MsiExec.exe /X{92C5DB3D-9D6F-4324-BB11-57825F4C2635} Error Messages for Windows --> C:\WINDOWS\SDUnInst.exe c:\program files\software by design\mswinerr.uni ExamForce Engine Installation CM 7.7 --> C:\PROGRA~1\CRAMMA~1\UNWISE.EXE C:\PROGRA~1\CRAMMA~1\Install.log Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll" HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" ieSpell --> "C:\Program Files\ieSpell\uninst.exe" IIS6 Manager --> MsiExec.exe /X{3FBC5FCA-F989-4D5D-93F6-B185EEE1EC76} J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060} J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090} Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe Letter Chase Typing Tutor 3.71 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Letter Chase Typing\Letter Chase Typing Tutor 3.71\DeIsL1.isu" -c"C:\Program Files\Letter Chase Typing\Letter Chase Typing Tutor 3.71\_ISREG32.DLL" LimeWire PRO 4.12.3 --> "C:\Program Files\LimeWire\uninstall.exe" Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log McAfee Personal Firewall Plus --> C:\PROGRA~1\McAfee.com\PERSON~2\UNWISE.EXE /U C:\PROGRA~1\McAfee.com\PERSON~2\INSTALL.LOG McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=1 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm Microsoft 70-270 test --> C:\WINDOWS\unvise32.exe C:\Program Files\cert21\Microsoft 70-270 test\uninstal.log Microsoft ActiveSync 3.8 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll" Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Flight Simulator X Demo --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{B98A34C0-A6A2-4087-B272-557C1C6D0A07} Microsoft Halo Trial --> "C:\Program Files\Microsoft Games\Halo Trial\UNINSTAL.EXE" /runtemp /addremove Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Virtual PC 2004 --> MsiExec.exe /X{4082365B-0985-499A-920D-E4D4414DC58F} Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7} Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} Nero 7 Demo --> MsiExec.exe /I{84B2CF01-194D-2284-B313-F2E0D78D1033} OpenOffice.org 2.0 --> MsiExec.exe /I{76BB7B2D-748F-4AE9-89C3-78C051833EA1} Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan Planet Poker --> C:\PROGRA~1\PLANET~1\UNWISE.EXE C:\PROGRA~1\PLANET~1\INSTALL.LOG Quest for Knowledge --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Serebra A+ Course\Setup\Skillb\Uninstall\setup.exe" QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log Radio Decoder Pro --> C:\WINDOWS\iun6002.exe "C:\Program Files\Radio Decoder Pro\irunin.ini" RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0 Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE SiS 900 PCI Fast Ethernet Adapter Driver --> C:\WINDOWS\SiS\900\Uninst.exe SiS VGA Utilities --> Rundll32 SiSInst.dll,Uninstall VGA,R,oem4.inf Smart Link 56K Voice Modem --> C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{1306C737-0AF4-46C7-B282-64E099304712} Stamina 2.5 --> "C:\Program Files\Stamina\uninstall.exe" Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{FDB226E3-D55D-4922-894F-20CE4646077D} TypingMaster Pro --> "C:\Program Files\TypingMaster\unins000.exe" UltraISO 8.0 Premium Edition --> "C:\Program Files\UltraISO\unins000.exe" Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u WebFldrs XP --> Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333} Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe" Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F} Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D} Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {C6876FE6-A314-4628-B0D7-F3EE5E35C4B4} Windows Live Toolbar --> MsiExec.exe /X{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4} Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{D3F28364-8B10-45F1-8C2D-0037F4538BBB} Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{328420FA-7638-4AB1-81DF-E0FECEFF24E3} Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe" Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840} Windows Vista Upgrade Advisor --> MsiExec.exe /I{F80BA35D-D1CD-4B8B-8129-9FC918F9D42D} Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD} XML Paper Specification Shared Components Pack 1.0 --> -- Application Event Log ------------------------------------------------------- Event Record #/Type5391 / Error Event Submitted/Written: 09/19/2007 06:23:57 AM Event ID/Source: 1802 / SecurityCenter Event Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall. Event Record #/Type5284 / Error Event Submitted/Written: 08/30/2007 07:18:24 PM Event ID/Source: 1013 / MsiInstaller Event Description: Product: Microsoft Virtual Server 2005 R2 SP1 -- Setup has detected that Virtual PC is running. You should shut down all Virtual Machines and stop Virtual PC before running setup to prevent possible data loss. Event Record #/Type5261 / Error Event Submitted/Written: 08/29/2007 09:47:53 PM Event ID/Source: 1013 / MsiInstaller Event Description: Product: Microsoft Virtual Server 2005 R2 SP1 -- Setup has detected that Virtual PC is running. You should shut down all Virtual Machines and stop Virtual PC before running setup to prevent possible data loss. Event Record #/Type5253 / Error Event Submitted/Written: 08/29/2007 09:12:23 PM Event ID/Source: 1002 / Application Hang Event Description: Hanging application UltraISO.exe, version 8.0.0.1392, hang module hungapp, version 0.0.0.0, hang address 0x00000000. -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type53621 / Error Event Submitted/Written: 09/26/2007 08:42:09 PM Event ID/Source: 29 / W32Time Event Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. Event Record #/Type53620 / Error Event Submitted/Written: 09/26/2007 08:42:09 PM Event ID/Source: 17 / W32Time Event Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751) Event Record #/Type53618 / Error Event Submitted/Written: 09/26/2007 08:42:09 PM Event ID/Source: 29 / W32Time Event Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time. Event Record #/Type53617 / Error Event Submitted/Written: 09/26/2007 08:42:09 PM Event ID/Source: 17 / W32Time Event Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751) Event Record #/Type53615 / Error Event Submitted/Written: 09/26/2007 06:53:37 PM Event ID/Source: 29 / W32Time Event Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time. -- End of Deckard's System Scanner: finished at 2007-09-26 20:44:35 ------------ |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
09-28-2007, 12:32 AM
|
#2 (permalink) | |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3
|
Re: Am i Infected? (rightonads)random popups
Please download Combofix from HERE
Save ComboFix to the desktop. ==================== Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below. 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open *notepad* and copy/paste the text in the quotebox below into it: Quote:
 Refering to the picture above, drag CFScript.txt into ComboFix.exe Restart your computer. When finished, it shall produce a log for you at C:\ComboFix.txt Post back the ComboFix.txt along with a fresh HijackThis log please. *Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall* ==================== Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT. O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing) O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing) O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing) Reboot and post a new HJT log..
__________________
Eddy |
|
|
|
|
|
09-28-2007, 11:58 AM
|
#3 (permalink) |
|
Registered User
Join Date: Mar 2006
Location: Lanark Scotland
Posts: 164
OS: windows xp pro
|
Re: Am i Infected? (rightonads)random popups
Thank you for looking at this for me Pancake
ComboFix 07-09-28.7 - Don Tait 2007-09-28 18:20:39.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.489 [GMT 1:00] Running from: C:\Documents and Settings\Don Tait\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Don Tait\Desktop\CFScript.txt, * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data.\Starware C:\Documents and Settings\All Users\Application Data.\Starware\buttons\cursorcafe.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\FindIt.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\FindItHot.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\findithotxp.png C:\Documents and Settings\All Users\Application Data.\Starware\buttons\finditxp.png C:\Documents and Settings\All Users\Application Data.\Starware\buttons\games.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\Highlight.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\HighlightHot.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\highlighthotxp.png C:\Documents and Settings\All Users\Application Data.\Starware\buttons\highlightxp.png C:\Documents and Settings\All Users\Application Data.\Starware\buttons\logo.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\logoxp.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\Reference.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\ReferenceHot.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\referencehotxp.png C:\Documents and Settings\All Users\Application Data.\Starware\buttons\referencexp.png C:\Documents and Settings\All Users\Application Data.\Starware\buttons\screensaver.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\Weather.bmp C:\Documents and Settings\All Users\Application Data.\Starware\buttons\weatherhotxp.png C:\Documents and Settings\All Users\Application Data.\Starware\buttons\weatherxp.png C:\Documents and Settings\All Users\Application Data.\Starware\contexts\error.xml C:\Documents and Settings\All Users\Application Data.\Starware\contexts\related.xml C:\Documents and Settings\All Users\Application Data.\Starware\contexts\travel.xml C:\Documents and Settings\All Users\Application Data.\Starware\images\walertXP.bmp C:\Documents and Settings\All Users\Application Data.\Starware\SimpleUpdate\ProductMessagingConfig.xml C:\Documents and Settings\All Users\Application Data.\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup C:\Documents and Settings\All Users\Application Data.\Starware\SimpleUpdate\SimpleUpdateConfig.xml C:\Documents and Settings\All Users\Application Data.\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup C:\Documents and Settings\All Users\Application Data.\Starware\SimpleUpdate\TimerManagerConfig.xml C:\Documents and Settings\All Users\Application Data.\Starware\SimpleUpdate\TimerManagerConfig.xml.backup C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafe.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindIt.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindItHot.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\findithotxp.png C:\Documents and Settings\All Users\Application Data\Starware\buttons\finditxp.png C:\Documents and Settings\All Users\Application Data\Starware\buttons\games.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\Highlight.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\HighlightHot.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlighthotxp.png C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlightxp.png C:\Documents and Settings\All Users\Application Data\Starware\buttons\logo.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\logoxp.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\Reference.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\ReferenceHot.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencehotxp.png C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencexp.png C:\Documents and Settings\All Users\Application Data\Starware\buttons\screensaver.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\Weather.bmp C:\Documents and Settings\All Users\Application Data\Starware\buttons\weatherhotxp.png C:\Documents and Settings\All Users\Application Data\Starware\buttons\weatherxp.png C:\Documents and Settings\All Users\Application Data\Starware\contexts\error.xml C:\Documents and Settings\All Users\Application Data\Starware\contexts\related.xml C:\Documents and Settings\All Users\Application Data\Starware\contexts\travel.xml C:\Documents and Settings\All Users\Application Data\Starware\images\walertXP.bmp C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml.backup . ((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 ))))))))))))))))))))))))))))))) . 2007-09-28 18:20 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-27 19:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-09-26 19:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-09-24 15:37 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar 2007-09-24 15:37 <DIR> d-------- C:\Documents and Settings\Don Tait\Application Data\Adssite Advanced Toolbar 2007-09-16 22:18 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-09-04 22:44 <DIR> d-------- C:\Inetpub 2007-08-29 22:24 49,152 --a------ C:\WINDOWS\InstFunc.exe 2007-08-29 22:24 337,320 --a------ C:\WINDOWS\difxapi.dll 2007-08-29 22:24 12,288 --a------ C:\WINDOWS\InstFunc.dll 2007-08-29 22:22 36,352 --------- C:\WINDOWS\system32\tsgqec.dll 2007-08-29 22:22 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll 2007-08-29 22:22 116,736 --------- C:\WINDOWS\system32\aaclient.dll 2007-08-29 22:14 <DIR> d-------- C:\WINDOWS\system32\Inetsrv6 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-26 19:47 --------- d-------- C:\Program Files\MSN Messenger 2007-09-26 19:46 --------- d-------- C:\Program Files\Microsoft Virtual PC 2007-09-26 19:44 --------- d-------- C:\Program Files\Microsoft ActiveSync 2007-09-26 19:41 --------- d-------- C:\Program Files\Common Files\AOL 2007-09-26 19:40 --------- d-------- C:\Program Files\AOL 9.0b 2007-09-25 23:27 --------- d-------- C:\Program Files\Yahoo! 2007-09-03 19:48 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\uTorrent 2007-08-28 23:55 --------- d-------- C:\Program Files\NewzToolz 2007-08-28 23:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\NewzToolz 2007-08-16 20:10 --------- d-------- C:\Program Files\MSXML 4.0 2007-08-14 23:49 --------- d-------- C:\Program Files\CramMaster 2007-08-10 18:31 --------- d-------- C:\Program Files\UltraISO 2007-08-08 19:14 --------- d-------- C:\Program Files\AvantGo Connect 2007-08-03 08:31 18688 --a------ C:\WINDOWS\system32\drivers\srvkp.sys 2007-08-03 08:31 1571001 --a------ C:\WINDOWS\system32\sisgl.dll 2007-08-03 08:14 3527168 --a------ C:\WINDOWS\system32\sisgrv.dll 2007-08-03 08:10 321536 --a------ C:\WINDOWS\system32\drivers\sisgrp.sys 2007-08-03 08:07 9728 --a------ C:\WINDOWS\system32\SiSPIns2.dll 2007-08-03 08:05 49152 --a------ C:\WINDOWS\system32\SiSBase.dll 2007-08-03 08:05 258048 --a------ C:\WINDOWS\system32\SiSParse.dll 2007-08-03 08:05 172032 --a------ C:\WINDOWS\system32\SiSInst.dll 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-28 20:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\Talkback . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 18:10] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe" [2003-08-18 18:57] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-27 15:53] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "SiSPower"="SiSPower.dll" [2004-09-02 06:47 C:\WINDOWS\system32\SiSPower.dll] "CleanUp"="C:\PROGRA~1\McAfee.com\Shared\mcappins.exe" [2003-08-18 21:49] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineij32] wineij32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmqx32] winmqx32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpsa32] winpsa32.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1144696762\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=2 (0x2) "SLService"=2 (0x2) "MDM"=2 (0x2) "IDriverT"=3 (0x3) "AOLService"=2 (0x2) "AOL ACS"=2 (0x2) "gusvc"=3 (0x3) R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys R2 nxsIO32;NextSensor Kernel I/O Driver;\??\C:\WINDOWS\System32\DRIVERS\nxsIO32.sys R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys *Newly Created Service* - CATCHME . Contents of the 'Scheduled Tasks' folder "2007-09-28 17:05:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2007-09-28 17:18:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-Don Tait).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-28 17:22:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-28 17:22:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-Don Tait).job" "2007-09-28 17:18:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-28 18:22:28 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-28 18:23:01 C:\ComboFix-quarantined-files.txt ... 2007-09-28 18:22 . --- E O F --- Deckard's System Scanner v20070905.67 Run by Don Tait on 2007-09-28 18:55:36 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Don Tait.exe) -------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 18:55:48, on 28/09/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\PROGRA~1\McAfee.com\PERSON~2\MpfAgent.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\notepad.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\AOL 9.0b\waol.exe C:\Program Files\AOL 9.0b\shellmon.exe C:\Program Files\Common Files\AOL\aoltpspd.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Don Tait\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\DONTAI~1.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molb...4/mcinsctl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188421132921 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188421058312 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molb...21/mcgdmgr.cab O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5CCA21B5-C703-44B0-92C1-78EC1E850148}: NameServer = 205.188.146.145 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~2\MPFSERVICE.exe -- Files created between 2007-08-28 and 2007-09-28 ----------------------------- 2007-09-26 19:08:45 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-09-24 15:37:01 0 d-------- C:\Program Files\Adssite Advanced Toolbar 2007-09-24 15:37:01 0 d-------- C:\Documents and Settings\Don Tait\Application Data\Adssite Advanced Toolbar 2007-09-21 12:47:26 0 dr-h----- C:\Documents and Settings\Don Tait\Recent 2007-09-16 22:18:39 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64> 2007-09-04 22:44:08 0 d-------- C:\Inetpub 2007-08-29 22:24:52 49152 --a------ C:\WINDOWS\InstFunc.exe 2007-08-29 22:24:52 12288 --a------ C:\WINDOWS\InstFunc.dll <Not Verified; Silicon Integrated Systems Corporation; SiS (R) VGA Install Function Dynamic Link Library> 2007-08-29 22:14:57 0 d-------- C:\WINDOWS\system32\Inetsrv6 -- Find3M Report --------------------------------------------------------------- 2007-09-26 19:47:11 0 d-------- C:\Program Files\MSN Messenger 2007-09-26 19:46:51 0 d-------- C:\Program Files\Microsoft Virtual PC 2007-09-26 19:44:11 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-09-26 19:44:07 0 d-------- C:\Program Files\Messenger 2007-09-26 19:41:21 0 d-------- C:\Program Files\Common Files\AOL 2007-09-26 19:40:04 0 d-------- C:\Program Files\AOL 9.0b 2007-09-25 23:27:15 0 d-------- C:\Program Files\Yahoo! 2007-09-03 19:48:05 0 d-------- C:\Documents and Settings\Don Tait\Application Data\uTorrent 2007-08-28 23:55:38 0 d-------- C:\Program Files\NewzToolz 2007-08-28 23:55:38 0 d-------- C:\Documents and Settings\Don Tait\Application Data\NewzToolz 2007-08-16 20:10:33 0 d-------- C:\Program Files\MSXML 4.0 2007-08-14 23:49:28 0 d-------- C:\Program Files\CramMaster 2007-08-10 18:31:01 0 d-------- C:\Program Files\UltraISO 2007-08-08 19:14:33 0 d-------- C:\Program Files\AvantGo Connect 2007-08-02 20:51:59 44264 --a------ C:\Documents and Settings\Don Tait\Application Data\GDIPFONTCACHEV1.DAT 2007-07-28 20:55:04 0 d-------- C:\Documents and Settings\Don Tait\Application Data\Talkback 2007-07-28 20:54:42 0 d-------- C:\Documents and Settings\Don Tait\Application Data\Mozilla -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [21/08/2003 18:10] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [27/08/2003 11:00] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [08/08/2003 18:02] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [17/08/2003 21:50] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe" [18/08/2003 18:57] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/03/2006 15:53] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06] "SiSPower"="SiSPower.dll" [02/09/2004 06:47 C:\WINDOWS\system32\SiSPower.dll] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 13:54] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04/01/2005 11:50] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 21:05] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1144696762\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=2 (0x2) "SLService"=2 (0x2) "MDM"=2 (0x2) "IDriverT"=3 (0x3) "AOLService"=2 (0x2) "AOL ACS"=2 (0x2) "gusvc"=3 (0x3) *Newly Created Service* - ATWPKT2 -- End of Deckard's System Scanner: finished at 2007-09-28 18:56:07 ------------ |
|
|
|
|
09-28-2007, 05:43 PM
|
#4 (permalink) | |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3
|
Re: Am i Infected? (rightonads)random popups
Just this last bit to clean up.You should be finding things running better now.?
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below. 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open *notepad* and copy/paste the text in the quotebox below into it: Quote:
Refering to the picture above, drag CFScript.txt into ComboFix.exe Restart your computer. When finished, it shall produce a log for you at C:\ComboFix.txt Post back the ComboFix.txt along with a fresh HijackThis log please. *Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
__________________
Eddy |
|
|
|
|
|
09-29-2007, 01:39 PM
|
#5 (permalink) |
|
Registered User
Join Date: Mar 2006
Location: Lanark Scotland
Posts: 164
OS: windows xp pro
|
Re: Am i Infected? (rightonads)random popups
Cheers here it is
ComboFix 07-09-28.7 - Don Tait 2007-09-29 20:30:11.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT 1:00] Running from: C:\Documents and Settings\Don Tait\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Don Tait\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 ))))))))))))))))))))))))))))))) . 2007-09-28 18:20 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-27 19:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-09-26 19:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-09-24 15:37 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar 2007-09-24 15:37 <DIR> d-------- C:\Documents and Settings\Don Tait\Application Data\Adssite Advanced Toolbar 2007-09-16 22:18 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-09-04 22:44 <DIR> d-------- C:\Inetpub 2007-08-29 22:24 49,152 --a------ C:\WINDOWS\InstFunc.exe 2007-08-29 22:24 337,320 --a------ C:\WINDOWS\difxapi.dll 2007-08-29 22:24 12,288 --a------ C:\WINDOWS\InstFunc.dll 2007-08-29 22:22 36,352 --------- C:\WINDOWS\system32\tsgqec.dll 2007-08-29 22:22 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll 2007-08-29 22:22 116,736 --------- C:\WINDOWS\system32\aaclient.dll 2007-08-29 22:14 <DIR> d-------- C:\WINDOWS\system32\Inetsrv6 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-26 19:47 --------- d-------- C:\Program Files\MSN Messenger 2007-09-26 19:46 --------- d-------- C:\Program Files\Microsoft Virtual PC 2007-09-26 19:44 --------- d-------- C:\Program Files\Microsoft ActiveSync 2007-09-26 19:41 --------- d-------- C:\Program Files\Common Files\AOL 2007-09-26 19:40 --------- d-------- C:\Program Files\AOL 9.0b 2007-09-25 23:27 --------- d-------- C:\Program Files\Yahoo! 2007-09-03 19:48 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\uTorrent 2007-08-28 23:55 --------- d-------- C:\Program Files\NewzToolz 2007-08-28 23:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\NewzToolz 2007-08-16 20:10 --------- d-------- C:\Program Files\MSXML 4.0 2007-08-14 23:49 --------- d-------- C:\Program Files\CramMaster 2007-08-10 18:31 --------- d-------- C:\Program Files\UltraISO 2007-08-08 19:14 --------- d-------- C:\Program Files\AvantGo Connect 2007-08-03 08:31 18688 --a------ C:\WINDOWS\system32\drivers\srvkp.sys 2007-08-03 08:31 1571001 --a------ C:\WINDOWS\system32\sisgl.dll 2007-08-03 08:14 3527168 --a------ C:\WINDOWS\system32\sisgrv.dll 2007-08-03 08:10 321536 --a------ C:\WINDOWS\system32\drivers\sisgrp.sys 2007-08-03 08:07 9728 --a------ C:\WINDOWS\system32\SiSPIns2.dll 2007-08-03 08:05 49152 --a------ C:\WINDOWS\system32\SiSBase.dll 2007-08-03 08:05 258048 --a------ C:\WINDOWS\system32\SiSParse.dll 2007-08-03 08:05 172032 --a------ C:\WINDOWS\system32\SiSInst.dll 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-28 20:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\Talkback . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 18:10] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe" [2003-08-18 18:57] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-27 15:53] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "SiSPower"="SiSPower.dll" [2004-09-02 06:47 C:\WINDOWS\system32\SiSPower.dll] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1144696762\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=2 (0x2) "SLService"=2 (0x2) "MDM"=2 (0x2) "IDriverT"=3 (0x3) "AOLService"=2 (0x2) "AOL ACS"=2 (0x2) "gusvc"=3 (0x3) R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys R2 nxsIO32;NextSensor Kernel I/O Driver;\??\C:\WINDOWS\System32\DRIVERS\nxsIO32.sys R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys . Contents of the 'Scheduled Tasks' folder "2007-09-28 20:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2007-09-29 19:30:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-Don Tait).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-Don Tait).job" "2007-09-29 19:28:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-29 20:31:36 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-29 20:32:10 C:\ComboFix-quarantined-files.txt ... 2007-09-29 20:32 C:\ComboFix2.txt ... 2007-09-28 18:23 . --- E O F --- ComboFix 07-09-28.7 - Don Tait 2007-09-29 20:30:11.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT 1:00] Running from: C:\Documents and Settings\Don Tait\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Don Tait\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 ))))))))))))))))))))))))))))))) . 2007-09-28 18:20 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-27 19:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-09-26 19:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-09-24 15:37 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar 2007-09-24 15:37 <DIR> d-------- C:\Documents and Settings\Don Tait\Application Data\Adssite Advanced Toolbar 2007-09-16 22:18 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-09-04 22:44 <DIR> d-------- C:\Inetpub 2007-08-29 22:24 49,152 --a------ C:\WINDOWS\InstFunc.exe 2007-08-29 22:24 337,320 --a------ C:\WINDOWS\difxapi.dll 2007-08-29 22:24 12,288 --a------ C:\WINDOWS\InstFunc.dll 2007-08-29 22:22 36,352 --------- C:\WINDOWS\system32\tsgqec.dll 2007-08-29 22:22 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll 2007-08-29 22:22 116,736 --------- C:\WINDOWS\system32\aaclient.dll 2007-08-29 22:14 <DIR> d-------- C:\WINDOWS\system32\Inetsrv6 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-26 19:47 --------- d-------- C:\Program Files\MSN Messenger 2007-09-26 19:46 --------- d-------- C:\Program Files\Microsoft Virtual PC 2007-09-26 19:44 --------- d-------- C:\Program Files\Microsoft ActiveSync 2007-09-26 19:41 --------- d-------- C:\Program Files\Common Files\AOL 2007-09-26 19:40 --------- d-------- C:\Program Files\AOL 9.0b 2007-09-25 23:27 --------- d-------- C:\Program Files\Yahoo! 2007-09-03 19:48 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\uTorrent 2007-08-28 23:55 --------- d-------- C:\Program Files\NewzToolz 2007-08-28 23:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\NewzToolz 2007-08-16 20:10 --------- d-------- C:\Program Files\MSXML 4.0 2007-08-14 23:49 --------- d-------- C:\Program Files\CramMaster 2007-08-10 18:31 --------- d-------- C:\Program Files\UltraISO 2007-08-08 19:14 --------- d-------- C:\Program Files\AvantGo Connect 2007-08-03 08:31 18688 --a------ C:\WINDOWS\system32\drivers\srvkp.sys 2007-08-03 08:31 1571001 --a------ C:\WINDOWS\system32\sisgl.dll 2007-08-03 08:14 3527168 --a------ C:\WINDOWS\system32\sisgrv.dll 2007-08-03 08:10 321536 --a------ C:\WINDOWS\system32\drivers\sisgrp.sys 2007-08-03 08:07 9728 --a------ C:\WINDOWS\system32\SiSPIns2.dll 2007-08-03 08:05 49152 --a------ C:\WINDOWS\system32\SiSBase.dll 2007-08-03 08:05 258048 --a------ C:\WINDOWS\system32\SiSParse.dll 2007-08-03 08:05 172032 --a------ C:\WINDOWS\system32\SiSInst.dll 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-28 20:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\Talkback . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 18:10] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe" [2003-08-18 18:57] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-27 15:53] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "SiSPower"="SiSPower.dll" [2004-09-02 06:47 C:\WINDOWS\system32\SiSPower.dll] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1144696762\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=2 (0x2) "SLService"=2 (0x2) "MDM"=2 (0x2) "IDriverT"=3 (0x3) "AOLService"=2 (0x2) "AOL ACS"=2 (0x2) "gusvc"=3 (0x3) R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys R2 nxsIO32;NextSensor Kernel I/O Driver;\??\C:\WINDOWS\System32\DRIVERS\nxsIO32.sys R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys . Contents of the 'Scheduled Tasks' folder "2007-09-28 20:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2007-09-29 19:30:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-Don Tait).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-Don Tait).job" "2007-09-29 19:28:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-29 20:31:36 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-29 20:32:10 C:\ComboFix-quarantined-files.txt ... 2007-09-29 20:32 C:\ComboFix2.txt ... 2007-09-28 18:23 . --- E O F --- ComboFix 07-09-28.7 - Don Tait 2007-09-29 20:30:11.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT 1:00] Running from: C:\Documents and Settings\Don Tait\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Don Tait\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 ))))))))))))))))))))))))))))))) . 2007-09-28 18:20 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-27 19:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-09-26 19:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-09-24 15:37 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar 2007-09-24 15:37 <DIR> d-------- C:\Documents and Settings\Don Tait\Application Data\Adssite Advanced Toolbar 2007-09-16 22:18 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-09-04 22:44 <DIR> d-------- C:\Inetpub 2007-08-29 22:24 49,152 --a------ C:\WINDOWS\InstFunc.exe 2007-08-29 22:24 337,320 --a------ C:\WINDOWS\difxapi.dll 2007-08-29 22:24 12,288 --a------ C:\WINDOWS\InstFunc.dll 2007-08-29 22:22 36,352 --------- C:\WINDOWS\system32\tsgqec.dll 2007-08-29 22:22 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll 2007-08-29 22:22 116,736 --------- C:\WINDOWS\system32\aaclient.dll 2007-08-29 22:14 <DIR> d-------- C:\WINDOWS\system32\Inetsrv6 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-26 19:47 --------- d-------- C:\Program Files\MSN Messenger 2007-09-26 19:46 --------- d-------- C:\Program Files\Microsoft Virtual PC 2007-09-26 19:44 --------- d-------- C:\Program Files\Microsoft ActiveSync 2007-09-26 19:41 --------- d-------- C:\Program Files\Common Files\AOL 2007-09-26 19:40 --------- d-------- C:\Program Files\AOL 9.0b 2007-09-25 23:27 --------- d-------- C:\Program Files\Yahoo! 2007-09-03 19:48 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\uTorrent 2007-08-28 23:55 --------- d-------- C:\Program Files\NewzToolz 2007-08-28 23:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\NewzToolz 2007-08-16 20:10 --------- d-------- C:\Program Files\MSXML 4.0 2007-08-14 23:49 --------- d-------- C:\Program Files\CramMaster 2007-08-10 18:31 --------- d-------- C:\Program Files\UltraISO 2007-08-08 19:14 --------- d-------- C:\Program Files\AvantGo Connect 2007-08-03 08:31 18688 --a------ C:\WINDOWS\system32\drivers\srvkp.sys 2007-08-03 08:31 1571001 --a------ C:\WINDOWS\system32\sisgl.dll 2007-08-03 08:14 3527168 --a------ C:\WINDOWS\system32\sisgrv.dll 2007-08-03 08:10 321536 --a------ C:\WINDOWS\system32\drivers\sisgrp.sys 2007-08-03 08:07 9728 --a------ C:\WINDOWS\system32\SiSPIns2.dll 2007-08-03 08:05 49152 --a------ C:\WINDOWS\system32\SiSBase.dll 2007-08-03 08:05 258048 --a------ C:\WINDOWS\system32\SiSParse.dll 2007-08-03 08:05 172032 --a------ C:\WINDOWS\system32\SiSInst.dll 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-28 20:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\Talkback . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 18:10] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe" [2003-08-18 18:57] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-27 15:53] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "SiSPower"="SiSPower.dll" [2004-09-02 06:47 C:\WINDOWS\system32\SiSPower.dll] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1144696762\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=2 (0x2) "SLService"=2 (0x2) "MDM"=2 (0x2) "IDriverT"=3 (0x3) "AOLService"=2 (0x2) "AOL ACS"=2 (0x2) "gusvc"=3 (0x3) R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys R2 nxsIO32;NextSensor Kernel I/O Driver;\??\C:\WINDOWS\System32\DRIVERS\nxsIO32.sys R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys . Contents of the 'Scheduled Tasks' folder "2007-09-28 20:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2007-09-29 19:30:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-Don Tait).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-Don Tait).job" "2007-09-29 19:28:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-29 20:31:36 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-29 20:32:10 C:\ComboFix-quarantined-files.txt ... 2007-09-29 20:32 C:\ComboFix2.txt ... 2007-09-28 18:23 . --- E O F --- ComboFix 07-09-28.7 - Don Tait 2007-09-29 20:30:11.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT 1:00] Running from: C:\Documents and Settings\Don Tait\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Don Tait\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 ))))))))))))))))))))))))))))))) . 2007-09-28 18:20 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-27 19:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-09-26 19:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-09-24 15:37 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar 2007-09-24 15:37 <DIR> d-------- C:\Documents and Settings\Don Tait\Application Data\Adssite Advanced Toolbar 2007-09-16 22:18 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-09-04 22:44 <DIR> d-------- C:\Inetpub 2007-08-29 22:24 49,152 --a------ C:\WINDOWS\InstFunc.exe 2007-08-29 22:24 337,320 --a------ C:\WINDOWS\difxapi.dll 2007-08-29 22:24 12,288 --a------ C:\WINDOWS\InstFunc.dll 2007-08-29 22:22 36,352 --------- C:\WINDOWS\system32\tsgqec.dll 2007-08-29 22:22 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll 2007-08-29 22:22 116,736 --------- C:\WINDOWS\system32\aaclient.dll 2007-08-29 22:14 <DIR> d-------- C:\WINDOWS\system32\Inetsrv6 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-26 19:47 --------- d-------- C:\Program Files\MSN Messenger 2007-09-26 19:46 --------- d-------- C:\Program Files\Microsoft Virtual PC 2007-09-26 19:44 --------- d-------- C:\Program Files\Microsoft ActiveSync 2007-09-26 19:41 --------- d-------- C:\Program Files\Common Files\AOL 2007-09-26 19:40 --------- d-------- C:\Program Files\AOL 9.0b 2007-09-25 23:27 --------- d-------- C:\Program Files\Yahoo! 2007-09-03 19:48 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\uTorrent 2007-08-28 23:55 --------- d-------- C:\Program Files\NewzToolz 2007-08-28 23:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\NewzToolz 2007-08-16 20:10 --------- d-------- C:\Program Files\MSXML 4.0 2007-08-14 23:49 --------- d-------- C:\Program Files\CramMaster 2007-08-10 18:31 --------- d-------- C:\Program Files\UltraISO 2007-08-08 19:14 --------- d-------- C:\Program Files\AvantGo Connect 2007-08-03 08:31 18688 --a------ C:\WINDOWS\system32\drivers\srvkp.sys 2007-08-03 08:31 1571001 --a------ C:\WINDOWS\system32\sisgl.dll 2007-08-03 08:14 3527168 --a------ C:\WINDOWS\system32\sisgrv.dll 2007-08-03 08:10 321536 --a------ C:\WINDOWS\system32\drivers\sisgrp.sys 2007-08-03 08:07 9728 --a------ C:\WINDOWS\system32\SiSPIns2.dll 2007-08-03 08:05 49152 --a------ C:\WINDOWS\system32\SiSBase.dll 2007-08-03 08:05 258048 --a------ C:\WINDOWS\system32\SiSParse.dll 2007-08-03 08:05 172032 --a------ C:\WINDOWS\system32\SiSInst.dll 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-28 20:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\Talkback . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 18:10] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe" [2003-08-18 18:57] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-27 15:53] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "SiSPower"="SiSPower.dll" [2004-09-02 06:47 C:\WINDOWS\system32\SiSPower.dll] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1144696762\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=2 (0x2) "SLService"=2 (0x2) "MDM"=2 (0x2) "IDriverT"=3 (0x3) "AOLService"=2 (0x2) "AOL ACS"=2 (0x2) "gusvc"=3 (0x3) R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys R2 nxsIO32;NextSensor Kernel I/O Driver;\??\C:\WINDOWS\System32\DRIVERS\nxsIO32.sys R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys . Contents of the 'Scheduled Tasks' folder "2007-09-28 20:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2007-09-29 19:30:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-Don Tait).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-Don Tait).job" "2007-09-29 19:28:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-29 20:31:36 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-29 20:32:10 C:\ComboFix-quarantined-files.txt ... 2007-09-29 20:32 C:\ComboFix2.txt ... 2007-09-28 18:23 . --- E O F --- ComboFix 07-09-28.7 - Don Tait 2007-09-29 20:30:11.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT 1:00] Running from: C:\Documents and Settings\Don Tait\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Don Tait\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 ))))))))))))))))))))))))))))))) . 2007-09-28 18:20 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-27 19:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-09-26 19:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-09-24 15:37 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar 2007-09-24 15:37 <DIR> d-------- C:\Documents and Settings\Don Tait\Application Data\Adssite Advanced Toolbar 2007-09-16 22:18 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-09-04 22:44 <DIR> d-------- C:\Inetpub 2007-08-29 22:24 49,152 --a------ C:\WINDOWS\InstFunc.exe 2007-08-29 22:24 337,320 --a------ C:\WINDOWS\difxapi.dll 2007-08-29 22:24 12,288 --a------ C:\WINDOWS\InstFunc.dll 2007-08-29 22:22 36,352 --------- C:\WINDOWS\system32\tsgqec.dll 2007-08-29 22:22 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll 2007-08-29 22:22 116,736 --------- C:\WINDOWS\system32\aaclient.dll 2007-08-29 22:14 <DIR> d-------- C:\WINDOWS\system32\Inetsrv6 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-26 19:47 --------- d-------- C:\Program Files\MSN Messenger 2007-09-26 19:46 --------- d-------- C:\Program Files\Microsoft Virtual PC 2007-09-26 19:44 --------- d-------- C:\Program Files\Microsoft ActiveSync 2007-09-26 19:41 --------- d-------- C:\Program Files\Common Files\AOL 2007-09-26 19:40 --------- d-------- C:\Program Files\AOL 9.0b 2007-09-25 23:27 --------- d-------- C:\Program Files\Yahoo! 2007-09-03 19:48 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\uTorrent 2007-08-28 23:55 --------- d-------- C:\Program Files\NewzToolz 2007-08-28 23:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\NewzToolz 2007-08-16 20:10 --------- d-------- C:\Program Files\MSXML 4.0 2007-08-14 23:49 --------- d-------- C:\Program Files\CramMaster 2007-08-10 18:31 --------- d-------- C:\Program Files\UltraISO 2007-08-08 19:14 --------- d-------- C:\Program Files\AvantGo Connect 2007-08-03 08:31 18688 --a------ C:\WINDOWS\system32\drivers\srvkp.sys 2007-08-03 08:31 1571001 --a------ C:\WINDOWS\system32\sisgl.dll 2007-08-03 08:14 3527168 --a------ C:\WINDOWS\system32\sisgrv.dll 2007-08-03 08:10 321536 --a------ C:\WINDOWS\system32\drivers\sisgrp.sys 2007-08-03 08:07 9728 --a------ C:\WINDOWS\system32\SiSPIns2.dll 2007-08-03 08:05 49152 --a------ C:\WINDOWS\system32\SiSBase.dll 2007-08-03 08:05 258048 --a------ C:\WINDOWS\system32\SiSParse.dll 2007-08-03 08:05 172032 --a------ C:\WINDOWS\system32\SiSInst.dll 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-28 20:55 --------- d-------- C:\Documents and Settings\Don Tait\Application Data\Talkback . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 18:10] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~2\MpfTray.exe" [2003-08-18 18:57] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-27 15:53] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "SiSPower"="SiSPower.dll" [2004-09-02 06:47 C:\WINDOWS\system32\SiSPower.dll] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1144696762\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=2 (0x2) "SLService"=2 (0x2) "MDM"=2 (0x2) "IDriverT"=3 (0x3) "AOLService"=2 (0x2) "AOL ACS"=2 (0x2) "gusvc"=3 (0x3) R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys R2 nxsIO32;NextSensor Kernel I/O Driver;\??\C:\WINDOWS\System32\DRIVERS\nxsIO32.sys R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys . Contents of the 'Scheduled Tasks' folder "2007-09-28 20:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2007-09-29 19:30:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-Don Tait).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DONIETAIT34-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe "2007-09-29 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-Don Tait).job" "2007-09-29 19:28:00 C:\WINDOWS\Tasks\McAfee.com Update Check (E3C7A46C3816480-junior).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-29 20:31:36 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-29 20:32:10 C:\ComboFix-quarantined-files.txt ... 2007-09-29 20:32 C:\ComboFix2.txt ... 2007-09-28 18:23 . --- E O F --- |
|
|
|
|
09-29-2007, 06:10 PM
|
#6 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3
|
Re: Am i Infected? (rightonads)random popups
Now that you are clean,and If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure..
THESE STEPS ARE VERY IMPORTANT Let's reset system restore Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points. A To disable the System Restore feature: 1. Click on the Start button. 2. Hover over the Computer option, right click on it and then click Properties. 3. On the left hand side, click Advanced Settings. 4. If asked to permit the action, click on Allow. 5. Click on the System Protection tab. 6. Uncheck any checkboxes listed for your hard drives. 7. Press OK. B. Reboot. C Turn ON System Restore. Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives. Is your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version if required. Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u2 (http://java.sun.com/javase/downloads/index.jsp). Scroll down to where it says The J2SE Runtime Environment (JRE) allows end-users to run Java applications. Click the Download button to the right. Check the box that says: Accept License Agreement. The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version. UPDATING WINDOWS AND INTERNET EXPLORER IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates. If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update. Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options. Click once on the Security tab Click once on the Internet icon so it becomes highlighted. Click once on the Custom Level button. Change the Download signed ActiveX controls to Prompt Change the Download unsigned ActiveX controls to Disable Change the Initialize and script ActiveX controls not marked as safe to Disable Change the Installation of desktop items to Prompt Change the Launching programs and files in an IFRAME to Prompt Change the Navigate sub-frames across different domains to Prompt When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page. If you have not already done so, you might want to run Disk Cleanup and run it in each user's profile: Run Disk Cleanup Click "Start > Programs > Accessories > System Tools > Disk Cleanup" Please make sure the following are checked: -- Downloaded Program Files -- Temporary Internet Files -- Recycle Bin -- Temporary Files Click "OK" and Disk Cleanup will delete those files for you. ======================================================== The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item. Download SpywareBlaster Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain activex controls can't install. If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html) You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.ph...7615f4682b4cef) SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html) Download iespyad It puts many bad webpages on your restricted zones list. This means that you can still view the bad webpages, but the webpages cannot do certain things (such as use javascripts and cookies). Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!! Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html) If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps: Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok Keep Anti Virus Software updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here (http://www.snapfiles.com/Freeware/security/fwvirus.html) to choose one. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out. Here (http://www.snapfiles.com/Freeware/se...wfirewall.html) are some Vista compatible firewalls also. Know What You're Installing Check the source. To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection. Use Custom Install. If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware). Modify Security Settings (Internet Explorer 6) To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so: Open Internet Explorer. Go to Tools > Internet Options…. On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected). Under Security level for this zone, click Default Level. Set the slider to High. Note: You may have to lower the security level to view certain Web sites. Next, select the Trusted Sites icon. Under Security level for this zone, click Default Level. Set the slider to Medium. Click Apply, then OK to save the changes. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm Let us know if we have not resolved your problem. Otherwise, you are good to go. Happy and Safe Surfing!
__________________
Eddy |
|
|
|
| Thread Tools | |
|
|
