Resolved HJT Threads: Resolved spyware and popup issues.

Codec.exe virus? Pop-ups; slow computer

#1 (permalink)
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
I think I inadvertently clicked on a codec.exe prompt last night, which seems to have introduced a virus into my PC (Windows XP SP2). Continuous pop-ups ever since, and the computer has slowed to a crawl. I exclusively use the Mozilla Firefox browser, but pop-ups are coming up in both Firefox and IE.
Followed HJT Help instructions before posting. Not sure if it is relevant, but noted the fact that the Panda ActiveScan took almost 4 hours to complete. One of the anti-malware apps identified the following on my hard drive:
* Trojan Horse Generic 11.ALYZ
* Trojan Horse Downloader 7.AUOM

HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:01 AM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {24B104BF-ED00-92F8-2C20-B7CE64BCBE93} - C:\WINDOWS\system32\lhukaqb.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM7f4d377f] Rundll32.exe "C:\WINDOWS\system32\jrmtaykl.dll",s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Roia] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\APPATC~1\ati2evxx.exe" -vt ndrv
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: etrade1.calyonfinancial.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,avgrsstx.dll nhkzxt.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8668 bytes

*********************

ActiveScan log file:

;************************************************
 ANALYSIS: 2008-10-01 23:53:03
 PROTECTIONS: 1
 MALWARE: 53
 SUSPECTS: 2
;************************************************
 PROTECTIONS
 Description Version Active Updated
;================================================
 AVG Anti-Virus Free 8.0 No Yes
;================================================
 MALWARE
 Id Description Type Active Severity Disinfectable Disinfected Location
;================================================
 00000431 adware/ist.istbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42b8-B3F7-832E75EDD959}
 00003428 adware/memorywatcher Adware No 0 Yes No hkey_local_machine\software\microsoft\internet explorer\window restrictions\iexplore.exe
 00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk29E.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk29C.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk29A.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk298.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0HAZ8HIB\wbk205.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0HAZ8HIB\wbk213.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk27C.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0HAZ8HIB\wbk21B.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0HAZ8HIB\wbk22D.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk274.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2AC.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk26A.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk268.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2C4.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2C6.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2CE.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk266.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk25C.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk254.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk1DF.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2E6.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2E2.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2AE.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0HAZ8HIB\wbk23A.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk27E.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2BC.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ZYKFY13M\wbk2D8.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0HAZ8HIB\wbk23C.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0HAZ8HIB\wbk244.tmp
 00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0HAZ8HIB\wbk28E.tmp
 00029767 adware/delfinmedia Adware No 1 Yes No c:\keys.ini
 00032745 adware/sahagent Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}
 00034463 adware/wupd Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
 00040297 adware/blazefind Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\windows sr 2.0
 00040297 adware/blazefind Adware No 0 Yes No c:\windows\key2.txt
 00040471 adware/downloadware Adware No 0 Yes No c:\windows\digital signature 20040602.htm
 00041487 adware/webhancer Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
 00041487 adware/webhancer Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}
 00041487 adware/webhancer Adware No 0 Yes No c:\program files\webhancer
 00041487 adware/webhancer Adware No 0 Yes No c:\program files\webhancer
 00041487 adware/webhancer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}
 00041487 adware/webhancer Adware No 0 Yes No hkey_classes_root\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}
 00041487 adware/webhancer Adware No 0 Yes No hkey_classes_root\clsid\{c900b400-cdfe-11d3-976a-00e02913a9e0}
 00041558 exploit/mhtredir.gen HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11311111-1551-1661-1771-000000000000}
 00045952 spyware/media-motor Spyware No 1 Yes No c:\windows\unstall.exe
 00047257 vbs/psyme.gen Virus/Trojan No 0 Yes Yes c:\program files\windows media player\wmplayer.exe.tmp
 00048503 spyware/clipgenie Spyware No 1 Yes No hkey_current_user\software\traynotifier
 00048504 spyware/whazit Spyware No 1 Yes No c:\windows\system32\kyf.dat
 00049563 W32/Gibe.C.worm Virus/Worm No 1 Yes Yes archive folders\deleted items\last security pack\upgrade959.exe
 00049563 W32/Gibe.C.worm Virus/Worm No 1 Yes No archive folders\deleted items\last security pack\upgrade959.exe
 00097390 W32/Sober.D.worm Virus No 0 Yes Yes archive folders\deleted items\microsoft alert: please read!\update.zip[MS-Q4932366791.exe]
 00097390 W32/Sober.D.worm Virus No 0 Yes Yes Local Folders\Deleted Items\Microsoft Alert: Please Read!\UpDate.zip[MS-Q4932366791.exe]
 00097390 W32/Sober.D.worm Virus No 0 Yes No archive folders\deleted items\microsoft alert: please read!\update.zip[MS-Q4932366791.exe]
 00110532 spyware/clientman Spyware No 1 Yes No HKEY_CLASSES_ROOT\TypeLib\{026E4B83-1BF7-41CB-8233-4AF35341BC69}
 00110532 spyware/clientman Spyware No 1 Yes No HKEY_CLASSES_ROOT\TypeLib\{8DBD1CE8-2720-4774-8CC6-32737958AC4B}
 00110532 spyware/clientman Spyware No 1 Yes No hkey_classes_root\searchrep.searchreppp.1
 00110532 spyware/clientman Spyware No 1 Yes No hkey_classes_root\clsid\{cc905ff6-b553-496c-9dfa-cff65adcd0fc}
 00110532 spyware/clientman Spyware No 1 Yes No hkey_local_machine\software\classes\searchrep.searchreppp
 00110532 spyware/clientman Spyware No 1 Yes No hkey_classes_root\searchrep.searchreppp
 00110532 spyware/clientman Spyware No 1 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}
 00135116 adware/esyndicate Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\wbcm
 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.trafficmp.com/]
 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.trafficmp.com/]
 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.trafficmp.com/]
 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.trafficmp.com/]
 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.trafficmp.com/]
 00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.doubleclick.net/]
 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.atdmt.com/]
 00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.tribalfusion.com/]
 00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.com.com/]
 00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\jfm@azjmp[2].txt
 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\jfm@statcounter[1].txt
 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[ad.yieldmanager.com/]
 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[ad.yieldmanager.com/]
 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[ad.yieldmanager.com/]
 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[ad.yieldmanager.com/]
 00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\jfm@apmebf[1].txt
 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.serving-sys.com/]
 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.serving-sys.com/]
 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.serving-sys.com/]
 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.serving-sys.com/]
 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.serving-sys.com/]
 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.serving-sys.com/]
 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.bs.serving-sys.com/]
 00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\jfm@adrevolver[2].txt
 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\jfm@ads.pointroll[1].txt
 00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.zedo.com/]
 00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.bluestreak.com/]
 00173545 Cookie/Rn11 TrackingCookie No 0 Yes No C:\Documents and Settings\John\Application Data\Adobe\Cookies\administrator@rn11[1].txt
 00173905 Cookie/Xmts TrackingCookie No 0 Yes No C:\Documents and Settings\John\Application Data\Adobe\Cookies\administrator@xmts[1].txt
 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-3615762775-1256799619-874574627-1006\Dc8.txt
 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\John\Application Data\Adobe\Cookies\administrator@go[1].txt
 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\jfm@go[2].txt
 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-3615762775-1256799619-874574627-1006\Dc57.txt
 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Tyler\Cookies\tyler@go[1].txt
 00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.target.com/]
 00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.target.com/]
 00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.target.com/]
 00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.target.com/]
 00219235 adware/commad Adware No 0 Yes No c:\windows\system32\atmtd.dll
 00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\services\network monitor
 00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\services\cmdservice
 00219235 adware/commad Adware No 0 Yes No c:\windows\system32\atmtd.dll._
 00219235 adware/commad Adware No 0 Yes No c:\windows\uninstall_nmon.vbs
 00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\services\network monitor
 00219235 adware/commad Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
 00219235 adware/commad Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
 00219235 adware/commad Adware No 0 Yes No c:\program files\network monitor
 00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\services\cmdservice
 00250251 Adware/ISearch Adware No 0 Yes No C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP1905\A0105073.exe
 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\John\Application Data\Adobe\Cookies\administrator@atwola[1].txt
 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.atwola.com/]
 00262492 Adware/CommAd Adware No 0 Yes No C:\WINDOWS\Sm9obg\mA6Cv0.vbs
 00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@cgi-bin[1].txt
 00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\John\Application Data\Adobe\Cookies\administrator@cgi-bin[1].txt
 00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\jfm@ads.addynamix[2].txt
 01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.enhance.com/]
 01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\cookies.txt[.enhance.com/]
 01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\jfm@adserver.easyad[1].txt
 01692698 Generic Malware Virus/Trojan No 0 Yes Yes C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\Xtras\download\TheGrooveAlliance\3DGrooveXtrav181\groove.x32
 02134569 Bck/Agent.QK Virus/Trojan No 0 Yes Yes C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0BB9725E-8CF5-4BB2-9973-F25CE5.asq
 02941684 Trj/WmaDownloader.G Virus/Trojan No 0 Yes Yes C:\Documents and Settings\Administrator\Shared\The Hold Steady - Barfruit Blues.wma
 02944473 Trj/Downloader.MDW Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP1905\A0105074.exe
 03584928 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP1905\A0105072.exe[C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP1905\A0105072.exe][whiehlpr.dll]
 03586664 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\webHancer\Programs\whinstaller.exe
 03586664 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP1905\A0105072.exe[C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP1905\A0105072.exe][whInstaller.exe]
 03586803 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP1905\A0105072.exe[C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP1905\A0105072.exe][whAgent.exe]
;================================================
 SUSPECTS
 Sent Location
;================================================
 No C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple\Installer Cache\Apple Mobile Device Support 2.1.0.25\AppleMobileDeviceSupport.msi[unk_0051][EventFixer.exe]
 No C:\Program Files\Common Files\Apple\Mobile Device Support\bin\EventFixer.exe
;================================================
 VULNERABILITIES
 Id Severity Description
;================================================
;================================================

Thanks so much for your help!
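A HijackThis log of this kind is triaged line by line, and the entry types in the post above (an orphaned R3 hook marked "(file missing)", a Run key launching a system32 DLL through Rundll32, a Run key pointing into a user-profile path, an AppInit_DLLs value carrying an extra DLL, and a service with no vendor string) are exactly the ones a helper looks at first. The following is an added example, not code from the thread or from HijackThis: a small parser with defender-side heuristics of my own, run over a constructed sample made of lines modelled on the log. The AppInit_DLLs allowlist (avgrsstx.dll belongs to the AVG product listed in the log) and the rule thresholds are assumptions, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few HijackThis-style lines modelled on the entry
# types in the thread's log (not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {24B104BF-ED00-92F8-2C20-B7CE64BCBE93} - C:\WINDOWS\system32\lhukaqb.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BM7f4d377f] Rundll32.exe "C:\WINDOWS\system32\jrmtaykl.dll",s
O4 - HKCU\..\Run: [Roia] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\APPATC~1\ati2evxx.exe" -vt ndrv
O20 - AppInit_DLLs: ,avgrsstx.dll nhkzxt.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT entry starts with a section code (R0..R3, F0..F3, O1..O24),
# a separator " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Path fragments that mean "runs from a user-writable profile location".
PROFILE_RE = re.compile(r"docume~1|documents and settings|application data|appatc~1")

# Assumed allowlist: DLLs that are legitimately present in AppInit_DLLs on
# this machine (avgrsstx.dll ships with the AVG install seen in the log).
DEFAULT_APPINIT_ALLOW = ("avgrsstx.dll",)


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O4"
    reason: str  # why the triage flagged it
    line: str    # the original log line


def parse_entries(text):
    """Return (code, body, line) for every line that looks like an HJT entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def triage(text, appinit_allow=DEFAULT_APPINIT_ALLOW):
    """Apply simple defender heuristics to an HJT log; one finding per line."""
    findings = []
    for code, body, line in parse_entries(text):
        low = body.lower()
        # Orphaned entries: the registry still points at a file that is gone,
        # typically the residue of a partial removal. Flag and move on.
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(code, "orphaned entry (referenced file is gone)", line))
            continue
        if code == "O4":
            if "rundll32" in low and ".dll" in low:
                findings.append(Finding(code, "Run entry loads a DLL through Rundll32", line))
            elif PROFILE_RE.search(low):
                findings.append(Finding(code, "Run entry executes from a user-writable profile path", line))
        elif code == "O20" and low.startswith("appinit_dlls:"):
            # AppInit_DLLs are mapped into every process that loads user32.dll,
            # so anything outside the allowlist deserves a look.
            dlls = [d for d in re.split(r"[ ,]+", body.split(":", 1)[1]) if d]
            unknown = [d for d in dlls if d.lower() not in appinit_allow]
            if unknown:
                findings.append(Finding(code, "AppInit_DLLs injects " + ", ".join(unknown) + " into every process", line))
        elif code == "O23" and "unknown owner" in low:
            findings.append(Finding(code, "service without a vendor string", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the sample it reports five lines and leaves the Java updater and the Bonjour service alone; the point is that the flagged items are the same ones a human helper would pull from the log, and that the heuristics are cheap enough to run over a whole log before anyone reads it by hand.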
#2 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer

Hello and welcome to TSF

========
Logs Required
log.txt
info.txt

If there is no response to this post within 72hrs, this thread will be closed.
#3 (permalink)
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
Logfile of random's system information tool 1.04 (written by random/random)
Run by JFM at 2008-10-05 08:24:13
Microsoft Windows XP Professional Service Pack 2
System drive C: has 23 GB (31%) free of 76 GB
Total RAM: 255 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:53 AM, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\JFM.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {24B104BF-ED00-92F8-2C20-B7CE64BCBE93} - C:\WINDOWS\system32\lhukaqb.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {108110EA-38DE-4317-837F-0548FC1B6C55} - C:\WINDOWS\system32\ssqQkIBq.dll (file missing)
O2 - BHO: (no name) - {24B104BF-ED00-92F8-2C20-B7CE64BCBE93} - C:\WINDOWS\system32\lhukaqb.dll (file missing)
O2 - BHO: (no name) - {66697A55-C008-488E-A976-2D8DA382350A} - C:\WINDOWS\system32\urqPgdaX.dll (file missing)
O2 - BHO: {30063e25-e147-521a-d814-c7ad01545007} - {70054510-da7c-418d-a125-741e52e36003} - C:\WINDOWS\system32\nhkzxt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {93AF5E6F-EA81-CC23-ACD8-EDCB259B50CC} - C:\WINDOWS\system32\muudlg.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O2 - BHO: (no name) - {EED933DF-1E1A-4534-8E2B-8531572422CC} - C:\WINDOWS\system32\yayxvWMf.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: etrade1.calyonfinancial.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: nhkzxt.dll
O20 - Winlogon Notify: ssqQkIBq - ssqQkIBq.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 7405 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{108110EA-38DE-4317-837F-0548FC1B6C55}]
C:\WINDOWS\system32\ssqQkIBq.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24B104BF-ED00-92F8-2C20-B7CE64BCBE93}]
C:\WINDOWS\system32\lhukaqb.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66697A55-C008-488E-A976-2D8DA382350A}]
C:\WINDOWS\system32\urqPgdaX.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70054510-da7c-418d-a125-741e52e36003}]
C:\WINDOWS\system32\nhkzxt.dll [2008-10-01 115200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93AF5E6F-EA81-CC23-ACD8-EDCB259B50CC}]
C:\WINDOWS\system32\muudlg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]
WhIeHelperObj Class - C:\Program Files\webHancer\programs\whiehlpr.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED933DF-1E1A-4534-8E2B-8531572422CC}]
C:\WINDOWS\system32\yayxvWMf.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 143420]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [2002-08-14 90112]
"ShStatEXE"=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE [2004-09-22 94208]
"McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe [2005-12-07 131072]
"Network Associates Error Reporting Service"=C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe [2003-10-07 147514]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe [2003-10-06 684032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7f4d377f]
C:\WINDOWS\system32\jrmtaykl.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-03 1603152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-14 644696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-09-10 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe [2001-08-23 331830]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2001-08-16 28738]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
C:\Program Files\Microsoft Money\System\Activation.exe [2001-07-25 241714]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Roia]
C:\DOCUME~1\ADMINI~1\MYDOCU~1\APPATC~1\ati2evxx.exe -vt ndrv []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2007-03-26 228088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-10-27 185632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe [2006-09-20 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Desktop Manager.lnk]
C:\PROGRA~1\RESEAR~1\BLACKB~1\DESKTO~1.EXE [2007-03-28 1283608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2005-12-15 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2005-12-15 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~4\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
C:\PROGRA~1\WinZip\WZQKPICK.EXE [2004-08-16 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="nhkzxt.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqQkIBq]
ssqQkIBq.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{108110EA-38DE-4317-837F-0548FC1B6C55}"=C:\WINDOWS\system32\ssqQkIBq.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0 C:\WINDOWS\system32\yayxvWMf
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"NoDispAppearancePage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktopChanges"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\SYSTEM32\LEXPPS.EXE"="C:\WINDOWS\SYSTEM32\LEXPPS.EXE:*:Disabled:LEXPPS"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox"
"C:\Documents and Settings\Administrator\Application Data\U3\0001D67081810E8C\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe"="C:\Documents and Settings\Administrator\Application Data\U3\0001D67081810E8C\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe:*:Enabled:Skype"
"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be3a2a8-83e8-11dd-94f5-0007e9a98655}]
shell\AutoRun\command - F:\wd_windows_tools\setup.exe

======List of files/folders created in the last 1 months======

2008-10-05 08:24:13 ----D---- C:\rsit
2008-10-03 12:13:14 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg8
2008-10-02 19:22:41 ----D---- C:\Program Files\Common Files\Cisco Systems
2008-10-02 19:22:40 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-10-02 19:22:02 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates
2008-10-02 19:21:21 ----D---- C:\Program Files\Network Associates
2008-10-02 19:21:21 ----D---- C:\Program Files\Common Files\Network Associates
2008-10-02 00:20:54 ----D---- C:\Program Files\Trend Micro
2008-10-02 00:00:22 ----AD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-10-01 19:08:30 ----ASH---- C:\WINDOWS\system32\rgkwgxee.ini
2008-10-01 19:08:19 ----A---- C:\WINDOWS\system32\eexgwkgr.dll
2008-10-01 19:07:37 ----D---- C:\WINDOWS\pss
2008-10-01 19:05:13 ----A---- C:\WINDOWS\system32\nhkzxt.dll
2008-10-01 19:05:04 ----A---- C:\WINDOWS\system32\umqaubne.dll
2008-10-01 19:01:58 ----ASH---- C:\WINDOWS\system32\fMWvxyay.ini2
2008-10-01 19:01:56 ----ASH---- C:\WINDOWS\system32\fMWvxyay.ini
2008-10-01 15:42:51 ----D---- C:\Program Files\AVG
2008-10-01 15:17:48 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-10-01 15:03:08 ----D---- C:\Program Files\Panda Security
2008-10-01 13:52:41 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\PrevxCSI
2008-10-01 02:05:18 ----ASH---- C:\WINDOWS\system32\cqijlpxa.ini
2008-10-01 02:02:19 ----A---- C:\WINDOWS\system32\rurtzl.dll
2008-10-01 02:02:18 ----A---- C:\WINDOWS\system32\mitoqtci.dll
2008-10-01 02:00:35 ----A---- C:\WINDOWS\system32\ilautiyb.dll
2008-09-30 23:00:04 ----A---- C:\WINDOWS\system32\czsnnf.dll
2008-09-30 23:00:03 ----A---- C:\WINDOWS\system32\wjcghscr.dll
2008-09-30 22:58:23 ----ASH---- C:\WINDOWS\system32\wvmjjkqu.ini
2008-09-30 22:58:08 ----A---- C:\WINDOWS\pskt.ini
2008-09-30 22:58:08 ----A---- C:\WINDOWS\BM7f4d377f.txt
2008-09-30 22:58:05 ----A---- C:\WINDOWS\system32\qeuxownc.dll
2008-09-30 22:57:37 ----A---- C:\WINDOWS\system32\775dc09d-.txt
2008-09-30 22:57:02 ----ASH---- C:\WINDOWS\system32\XadgPqru.ini2
2008-09-30 22:57:01 ----ASH---- C:\WINDOWS\system32\XadgPqru.ini
2008-09-30 22:53:02 ----D---- C:\Program Files\webHancer
2008-09-30 22:52:49 ----A---- C:\WINDOWS\system32\atmtd.dll._
2008-09-30 22:52:49 ----A---- C:\WINDOWS\system32\atmtd.dll
2008-09-30 22:52:28 ----A---- C:\WINDOWS\uninstall_nmon.vbs
2008-09-30 22:52:27 ----SHD---- C:\WINDOWS\Sm9obg
2008-09-30 22:52:27 ----D---- C:\Program Files\Network Monitor
2008-09-30 22:52:08 ----D---- C:\WINDOWS\system32\zep
2008-09-30 22:52:08 ----D---- C:\WINDOWS\system32\uib
2008-09-30 22:52:08 ----D---- C:\WINDOWS\system32\tcon
2008-09-30 22:52:08 ----D---- C:\WINDOWS\system32\SP6
2008-09-30 22:51:56 ----D---- C:\WINDOWS\system32\EV02
2008-09-30 22:51:49 ----A---- C:\WINDOWS\system32\geBurQGv.dll
2008-09-29 22:30:48 ----D---- C:\Documents and Settings\Administrator\Application Data\Canon
2008-09-17 18:28:17 ----D---- C:\Program Files\iTunes
2008-09-17 18:28:17 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-17 18:26:40 ----D---- C:\Program Files\Bonjour
2008-09-17 18:24:47 ----D---- C:\Program Files\QuickTime
2008-09-13 10:17:18 ----D---- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-09-13 10:16:30 ----D---- C:\Program Files\LimeWire
2008-09-12 20:37:44 ----D---- C:\Documents and Settings\Administrator\Application Data\FrostWire
2008-09-12 20:36:57 ----D---- C:\Program Files\FrostWire
2008-09-12 20:33:16 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-12 20:33:15 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-12 20:33:15 ----A---- C:\WINDOWS\system32\java.exe
2008-09-11 19:31:05 ----D---- C:\Incomplete
2008-09-11 19:30:54 ----D---- C:\MUSIC
2008-09-10 03:02:04 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-10 03:00:30 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-09-07 10:53:16 ----D---- C:\Documents and Settings\Administrator\Application Data\Research In Motion
2008-09-07 10:23:10 ----D---- C:\Documents and Settings\Administrator\Application Data\Blackberry Desktop
2008-09-07 09:30:13 ----D---- C:\Program Files\Common Files\Research In Motion

======List of files/folders modified in the last 1 months======

2008-10-05 08:22:19 ----D---- C:\Program Files\Mozilla Firefox
2008-10-05 01:09:13 ----D---- C:\WINDOWS\Temp
2008-10-04 21:01:57 ----D---- C:\WINDOWS\Prefetch
2008-10-04 19 48 ----SHD---- C:\WINDOWS\Installer
2008-10-04 19 46 ----D---- C:\Config.Msi
2008-10-04 15:14:16 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-04 14:19:51 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-04 14:17:25 ----AC---- C:\WINDOWS\marscam.ini
2008-10-04 11:41:43 ----D---- C:\WINDOWS
2008-10-04 11:41:42 ----HD---- C:\WINDOWS\INF
2008-10-04 11:41:15 ----D---- C:\WINDOWS\TWAIN_32
2008-10-04 11:39:37 ----D---- C:\WINDOWS\SYSTEM32
2008-10-03 23:42:34 ----RASH---- C:\boot.ini
2008-10-03 23:42:34 ----A---- C:\WINDOWS\WIN.INI
2008-10-03 23:42:34 ----A---- C:\WINDOWS\SYSTEM.INI
2008-10-03 23:05:19 ----RD---- C:\POCKET CHANGE
2008-10-03 22:03:08 ----AC---- C:\WINDOWS\ntbtlog.txt
2008-10-03 22:03:02 ----D---- C:\Program Files
2008-10-03 22:02:38 ----D---- C:\Program Files\LEGO Island
2008-10-03 21:41:15 ----D---- C:\Program Files\Messenger
2008-10-03 21:29:25 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-10-03 21:23:28 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-03 12:13:13 ----D---- C:\WINDOWS\system32\DRIVERS
2008-10-03 12:13:11 ----D---- C:\Documents and Settings
2008-10-03 11:55:11 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-03 11:55:10 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-10-02 23:08:56 ----D---- C:\Spam
2008-10-02 23 17 ----D---- C:\WINDOWS\system32\Restore
2008-10-02 21:20:13 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-02 19:22:41 ----D---- C:\Program Files\Common Files
2008-10-01 23:51:39 ----D---- C:\Program Files\Windows Media Player
2008-10-01 18:40:35 ----D---- C:\Program Files\ewido anti-malware
2008-10-01 15:41:32 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-01 15:41:30 ----D---- C:\WINDOWS\WinSxS
2008-10-01 09:05:27 ----D---- C:\WINDOWS\Registration
2008-09-30 22:52:37 ----D---- C:\temp
2008-09-30 18:57:04 ----D---- C:\I386
2008-09-30 18:56:52 ----D---- C:\JENNA
2008-09-30 18:56:51 ----D---- C:\Netgear
2008-09-29 18:08:20 ----D---- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-09-28 20:39:38 ----A---- C:\caisslog.txt
2008-09-17 18:47:53 ----D---- C:\Program Files\Apple Software Update
2008-09-17 18:29:29 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-09-17 18:28:43 ----D---- C:\Program Files\iPod
2008-09-17 18:25:03 ----D---- C:\Program Files\Common Files\Apple
2008-09-17 18:16:49 ----SD---- C:\WINDOWS\Tasks
2008-09-12 20:58:18 ----D---- C:\My Downloads
2008-09-12 20:33:13 ----D---- C:\Program Files\Java
2008-09-10 03:00:52 ----HD---- C:\WINDOWS\$hf_mig$
2008-09-10 03:00:39 ----A---- C:\WINDOWS\imsins.BAK
2008-09-07 10:52:11 ----RSHDC---- C:\WINDOWS\system32\DLLCACHE
2008-09-07 10:32:12 ----D---- C:\Program Files\Common Files\Roxio Shared
2008-09-07 10:31:43 ----RSD---- C:\WINDOWS\Fonts
2008-09-07 10:31:34 ----D---- C:\Program Files\Roxio
2008-09-07 10:31:10 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Roxio
2008-09-07 10:24:42 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-09-07 09:15:35 ----D---- C:\Program Files\Common Files\Sonic Shared

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-02-02 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-02-02 9464]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2003-10-06 241280]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 NaiAvTdi1;NaiAvTdi1; C:\WINDOWS\system32\drivers\mvstdi5x.sys [2006-06-08 58464]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2003-10-06 144250]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2003-10-06 206464]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 ati2mtaa;ati2mtaa; C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-04-30 139776]
R3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2003-10-06 30662]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2003-09-26 28164]
R3 NaiAvFilter1;NaiAvFilter1; C:\WINDOWS\system32\drivers\naiavf5x.sys [2006-06-08 116864]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-06-17 553624]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 cinemst22;cinemst22; C:\WINDOWS\System32\drivers\cinemst22.sys []
S2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys []
S3 asbp2poa;asbp2poa; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\asbp2poa.sys []
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2003-10-06 25930]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2005-10-27 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2005-10-27 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2005-10-27 21568]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 mr7910;Photo Viewer; C:\WINDOWS\system32\DRIVERS\mr7910.sys [2006-08-02 114560]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NAVAP;NAVAP; \??\C:\WINDOWS\System32\Drivers\NAVAP.SYS []
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20021224.005\NAVENG.SYS []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20021224.005\NAVEX15.SYS []
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 RimUsb;BlackBerry Device; C:\WINDOWS\System32\Drivers\RimUsb.sys [2006-11-07 22272]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-04 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-10 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2002-02-14 299008]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2005-12-07 98304]
R2 McShield;Network Associates McShield; C:\Program Files\Network Associates\VirusScan\Mcshield.exe [2006-02-14 221191]
R2 McTaskManager;Network Associates Task Manager; C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe [2006-06-08 29184]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2005-03-14 69632]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-10 536872]
S2 Network Monitor;Network Monitor; C:\Program Files\Network Monitor\netmon.exe service []
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-03-25 359160]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-03-26 310008]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-03-26 166648]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-03-25 88824]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-03-26 1010424]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.04 2008-10-05 08:25:00

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
-->MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
-->MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
-->MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Groove Playback Engine-->RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
Adobe Acrobat - Reader 6.0.2 Update-->MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat and Reader 6.0.3 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Download Manager 1.2 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player-->C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{AA9768AA-FF0B-4C66-A085-31E934F77841}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Backyard Baseball 2001-->C:\WINDOWS\IsUninst.exe -fC:\HEGames\Baseball2001\Uninst.isu
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
BlackBerry Desktop Software 4.2.2-->MsiExec.exe /I{75D6745B-2239-4182-A31F-F95CEBB35099}
BlackBerry Desktop Software 4.2.2-->MsiExec.exe /i{75D6745B-2239-4182-A31F-F95CEBB35099}
BlackBerry v4.2.2 for the 8830 Series Wireless Device-->MsiExec.exe /X{9B3367FE-8575-435E-A80D-B2E9EA67497A}
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon MovieEdit Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MX310 series User Registration-->C:\Program Files\Canon\IJEREG\MX310 series\UNINST.EXE
Canon MX310 series-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon PhotoRecord-->MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser
EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA} Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini Canon Utilities PhotoStitch 3.1-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA} Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini Canon ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2} Command-->wscript "C:\WINDOWS\Sm9obg\mA6Cv0.vbs" Costco Photo Organizer-->MsiExec.exe /X{D20B0241-3B8B-4CC6-B54D-A3E7084A20CE} Dell Picture Studio - Dell Image Expert-->MsiExec.exe /I{0B8FF60F-C012-4459-AADF-A3AD4E3757DE} Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe" Disney Toontown Online-->C:\Program Files\Disney\Disney Online\ToontownOnline\uninst.exe DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC Easy CD Creator 5 Basic-->MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0} FLAC 1.1.4b (remove only)-->C:\Program Files\FLAC\uninstall.exe GdiplusUpgrade-->MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5} HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe" Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" IE Host-->C:\WINDOWS\System32\cdmodem2.exe Intel(R) PRO Ethernet Adapter and Software-->Prounstl.exe iPod for Windows 2005-03-23-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 
32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033 iPod for Windows 2005-09-23-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033 iPod for Windows 2006-03-23-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033 iPod shuffle Reset Utility-->MsiExec.exe /X{4BA8EF5E-D46A-454A-93AE-087D4A44CB74} iPod Update 2004-04-28-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E6696A8C-C55A-405C-AFEB-F3880A8BAA45} /l1033 iTunes-->MsiExec.exe /I{41B9E2CF-0B3F-442A-B5B3-592A4A355634} Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020} Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} LimeWire 4.16.7-->"C:\Program Files\LimeWire\uninstall.exe" LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE McAfee VirusScan Enterprise-->MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43} Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp" Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28} Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf Microsoft Encarta Encyclopedia Standard 2002-->MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169} Microsoft Money 2002 System Pack-->MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1} Microsoft Money 2002-->MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95} 
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9} Microsoft Office XP Professional-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9} Microsoft Picture It! Photo 2002-->MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06} Microsoft Streets and Trips 2002-->MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61} Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft Word 2002-->MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9} Microsoft Works 2002 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe E:\ Microsoft Works 6.0-->MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704} Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517} Monopoly-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\Monopoly\Uninst.isu" Mozilla Firefox (2.0.0.17)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe MS Access Join Two Tables Software 7.0-->"C:\Program Files\MS Access Join Two Tables Software\unins000.exe" MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F} MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} MUSICMATCH Jukebox-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll Network Monitor-->wscript "C:\WINDOWS\uninstall_nmon.vbs" overland-->MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC} Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe Photo Viewer-->MsiExec.exe /I{67183F00-3DDC-497B-A090-4E2B79EAF1CD} PopCap Browser Plugin-->C:\Program Files\PopCap Games\PopCap Browser Plugin\Uninstall.exe PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program 
Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall Presto! PageManager 7.15.16-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}\PMSetup.exe" -l0x9 anythinganything -removeonly QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB} RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Roxio Media Manager-->MsiExec.exe /X{66D171AA-670F-4309-9C74-5BA7F7DBA0B3} ScanSoft OmniPage SE 4-->MsiExec.exe /I{B2F3DBD9-A9D2-4838-B45D-C917DAB32BC3} Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe" Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe" Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe" Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe" Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe" Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe" Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe" Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe" Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe" Security Update for Windows XP 
(KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe" Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe" Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe" Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe" Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe" Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe" Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe" Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe" Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe" Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe" Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe" Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe" Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe" Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe" Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe" Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe" Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe" Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe" Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe" Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe" Security 
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe" Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe" Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe" Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe" Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe" Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe" Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe" Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe" Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe" Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe" Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe" Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe" Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe" Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe" Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe" Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe" Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe" Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe" Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe" Security Update for Windows XP 
(KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe" Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe" Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe" Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe" Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe" Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe" Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe" Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe" Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe" Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe" Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe" Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe" Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe" Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe" Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe" Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe" Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe" Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe" Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe" Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe" Security 
Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe" Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe" Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe" Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe" Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe" Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe" Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe" Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe" Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe" Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe" Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe" Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe" Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe" Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe" Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe" Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe" Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe" Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe" Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe" Security Update for Windows XP 
(KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe" Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe" Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe" Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe" Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe" Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe" Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe" Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe" Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe" Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe" Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe" Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe" Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe" Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe" Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe" Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe" Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe" Security 
Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe" Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe" Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe" Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe" Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe" Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe" Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe" Security Update for Windows XP 
(KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" SereneScreen Marine Aquarium 2-->"C:\Program Files\SereneScreen\Marine Aquarium 2\unins000.exe" Shockwave-->C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" Tonka Search and Rescue-->C:\HASBRO\TONKA_SR\SR_DEL95.EXE Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe" Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe" Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe" Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe" Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe" Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe" Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe" Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe" Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe" Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe" Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe" Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe" Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe" Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe" Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe" Update for Windows XP 
(KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe" Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe" Update for Windows XP (KB946627)-->"C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe" Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C} Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInstXP.exe /u C:\WINDOWS\system32\DRVSTORE\mr7910_1FFEF370F39864F3AAA62219D434AE06B02B70AB\mr7910.inf Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe" Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe" Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe" Windows SR 2.0-->C:\WINDOWS\UnstSA2.exe Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe Windows XP Hotfix - KB885884-->C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe Windows XP Hotfix - 
KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe" Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe" Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe" Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall ======Hosts File====== 127.0.0.1 www.f1organizer.com #removed adware url 127.0.0.1 www.netpalnow.com #removed adware url 127.0.0.1 www.addictivetechnologies.com #removed adware url 192.168.1.150 murray-storage ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\ "windir"=%SystemRoot% "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel "PROCESSOR_REVISION"=0204 "NUMBER_OF_PROCESSORS"=1 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "FP_NO_HOST_CHECK"=NO "RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\ "CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip 
Thank you very much. I hope we can figure this out. Recent developments since my last post -- I cleaned out a few rarely used programs and defragged my hard drive. (Note I also have ordered more RAM as I realized I only have 256, but that's not really the issue.) Still getting the pop-ups and Outlook (my e-mail) is painfully slow. Thanks!
#4
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer
Hello again
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. ======== Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear, alack of symptoms does not mean that it is no longer present. Please DO NOT Attach logs to your posts unless you are advised to do so. ========== P2P P2P - I see you have P2P software LimeWire 4.16.7 installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information. Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections. References for the risk of these programs are Here, Here and Here. I also see entires for uTorrent, was this uninstalled previously? Also let me know if you are keeping Limewire or you have uninstalled it. =========== Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs : Java(TM) 6 Update 2 Leave Java(TM) 6 Update 7 installed LiveReg (Symantec Corporation) IE Host<---Software that displays pop-up/pop-under advertisements when the primary user interface is not visible, or which do not appear to be associated with the product. 
============

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Download this file from Microsoft's page:

For XP Pro >> http://www.microsoft.com/downloads/d...displaylang=en

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Then drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer.

Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:

Please continue as follows:

Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

==========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==========

Logs Required

C:\Combofix.txt
HijackThis Log
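The HijackThis log the helper asks for here is a line-oriented text format, and the first thing a helper does with it is scan a few sections for entries that should not be there. The script below is an added example written for this thread, not HijackThis' own code or anything the forum team distributes; the sample log lines in it are constructed (modelled on entries that appear later in this thread), and the triage rules are a small subset of what a helper checks by eye: a BHO whose DLL is gone, a Run-key autostart launched from a user-writable folder, an Internet Explorer Trusted Zone addition, and a non-empty AppInit_DLLs value.

```python
"""Added example: first-pass triage of a HijackThis log (not HijackThis' own code).

HijackThis writes one entry per line, prefixed with a section code: O2 = browser
helper objects, O4 = Run-key autostarts, O15 = Internet Explorer Trusted Zone,
O20 = AppInit_DLLs, O23 = services. A helper reads the log by eye; this script
encodes a few of the checks they apply before anything else.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape HijackThis writes it (lines modelled on entries
# posted in this thread; the [Roia] O4 line is built from an orphan ComboFix listed).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ShStatEXE] "C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE" /STANDALONE
O4 - HKLM\\..\\Run: [Roia] C:\\DOCUME~1\\ADMINI~1\\MYDOCU~1\\APPATC~1\\ati2evxx.exe
O15 - Trusted Zone: etrade1.calyonfinancial.com
O20 - AppInit_DLLs: nhkzxt.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Locations a normal Run-key entry should not point into: anything under a user
# profile or a temp directory is writable without administrator rights.
USER_WRITABLE_RE = re.compile(
    r"documents and settings|docume~1|application data|\\temp\\|\\tmp\\", re.IGNORECASE
)


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O20"
    reason: str    # why a helper would look twice at it
    entry: str     # the original log line


def run_key_target(rest: str) -> str:
    """Return the executable path from an O4 body ('HKLM\\..\\Run: [name] target args').

    A quoted target is cut at its closing quote; an unquoted one is returned whole,
    because an unquoted path may itself contain spaces.
    """
    target = rest.split("]", 1)[-1].strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would ask about first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes:", blanks
        code, rest = m.groups()
        if code == "O2" and rest.rstrip().endswith("(no file)"):
            findings.append(Finding(code, "BHO CLSID is registered but its DLL is gone: stale entry, removable", raw))
        elif code == "O4" and USER_WRITABLE_RE.search(run_key_target(rest)):
            findings.append(Finding(code, "autostart runs from a user-writable location; verify the file", raw))
        elif code == "O15":
            findings.append(Finding(code, "host added to IE Trusted Zone: relaxed browser security for that site", raw))
        elif code == "O20" and rest.split(":", 1)[-1].strip():
            findings.append(Finding(code, "AppInit_DLLs loads this DLL into every process that uses user32.dll", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

Run it on a saved HijackThis log by passing the file contents to `triage()`. The rules are deliberately conservative: they raise entries for a human to look at and never decide removal on their own, which is the same split of responsibilities the thread follows (the helper reviews, the user runs only what they are told to).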
#5 (permalink)
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
TheBruce,
I wanted to ask a question before proceeding. When I tried to remove IE Host, I got the following error message: "An error occurred while trying to remove IE Host. It may have already been uninstalled. Would you like to remove IE Host from the Add or Remove programs list?" Not knowing if this was the virus talking, I clicked "No" and am checking with you before proceeding any further.

As per the LimeWire, your comments re P2P are noted and understood. FWIW my computer was clean and operating properly until last week, specifically 30 Sept. Having reviewed the log of files/folders created in the last month, I am certain the malware I have originated on Sep 30th 22:51:49. All of those files listed from that point until Oct 1 02:05:18 appear suspicious. Not sure if that is pertinent, but I thought I'd mention it.

I have not uninstalled LimeWire or uTorrent. I will wait to proceed with the rest of the instructions (ComboFix etc.) until I hear back from you on how to handle the IE Host error. (Is it OK to answer "yes" to the prompt?)

Regards,
Murdog
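The check Murdog describes above, reading the "files created" listing and picking out everything that appeared inside a suspected infection window, is mechanical enough to script. The following is an added example, not ComboFix's own code and not something posted in the thread: it parses the `created . modified size attrs path` lines that ComboFix prints in its "Files Created" section and returns the entries created between two timestamps. The sample lines are constructed (modelled on the ComboFix log posted later in this thread), and the window is the one Murdog gives, truncated to the minute because ComboFix only prints hours and minutes.

```python
"""Added example (not ComboFix's own code): list the entries of a ComboFix
"Files Created" section whose creation time falls inside a suspected
infection window, the check Murdog describes doing by hand.

ComboFix prints each entry as
    <created> . <modified> <size or <DIR>> <attribute flags> <path>
with minute resolution, so a window given to the second is compared at the minute.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: a few lines modelled on the ComboFix log posted later in this thread.
SAMPLE_SECTION = r"""
2008-10-01 15:42 . 2008-10-01 15:42 <DIR> d-------- C:\Program Files\AVG
2008-09-30 22:54 . 2008-09-30 22:54 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Talkback
2008-09-30 22:52 . 2008-10-01 18:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\zep
2008-09-30 22:52 . 2008-10-01 14:05 <DIR> d--hs---- C:\WINDOWS\Sm9obg
2008-09-30 22:51 . 2008-09-30 22:52 <DIR> d-------- C:\temp\xp34
2008-09-30 18:56 . 2008-09-30 18:56 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-09-13 10:16 . 2008-09-13 10:16 <DIR> d-------- C:\Program Files\LimeWire
"""

# Window Murdog gives (30 Sep 22:51:49 to 1 Oct 02:05:18), truncated to the minute.
WINDOW_START = datetime(2008, 9, 30, 22, 51)
WINDOW_END = datetime(2008, 10, 1, 2, 5)

ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$"
)
STAMP = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories
    attrs: str            # ComboFix flag string, e.g. "d--hs----"
    path: str

    @property
    def hidden_or_system(self) -> bool:
        # ComboFix marks the hidden ('h') and system ('s') attributes in the flag
        # string; a freshly created folder carrying both deserves a second look.
        return "h" in self.attrs or "s" in self.attrs


def parse_files_created(text: str) -> list[Entry]:
    """Parse the lines of a ComboFix 'Files Created' section; other lines are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section banners, "." separators, blank lines
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            datetime.strptime(created, STAMP),
            datetime.strptime(modified, STAMP),
            None if size == "<DIR>" else int(size.replace(",", "")),
            attrs,
            path,
        ))
    return entries


def created_in_window(entries: list[Entry], start: datetime, end: datetime) -> list[Entry]:
    """Entries created between start and end inclusive, oldest first."""
    hits = [e for e in entries if start <= e.created <= end]
    return sorted(hits, key=lambda e: e.created)


if __name__ == "__main__":
    for e in created_in_window(parse_files_created(SAMPLE_SECTION), WINDOW_START, WINDOW_END):
        flag = "  (hidden/system)" if e.hidden_or_system else ""
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.path}{flag}")
```

On a real log, paste the whole "Files Created" section into `SAMPLE_SECTION` (or read it from C:\Combofix.txt) and adjust the two window constants. The output is a shortlist for the helper, not a removal list: legitimate software installed during the same hours lands in the window too, which is exactly why the moderator asks for the full log rather than the user's own verdict.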
#6 (permalink)
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
Sorry, a few other basic questions that I know I'll have, so might as well ask now to keep things rolling. When you say close all antispyware and antivirus, I'm not sure I know how to turn McAfee VirusScan off. I assume that is all I have running currently, yes? I know I installed Panda and maybe a few others before posting, but I don't think they are actively running. Is there any way you can confirm that from seeing the logs I sent last time?

Also, while we're resolving this, should I NOT install the Microsoft updates when prompted? (I have an icon in my taskbar - lower right - informing me that "updates are ready for your computer - click here to install these updates".) Sorry to be obtuse, but better safe than sorry! I really appreciate the assistance.

Murdog
#7 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer
Hello again
Nothing wrong with asking questions if you are not sure.

You can't turn the Security Center itself off, but you CAN turn VirusScan off. Double-click the taskbar icon to open Security Center. Click Advanced Menu (lower left). Click Configure (left). Click Computer & Files for VirusScan > You can turn them off there. Note that there is an Advanced button within those modules for further settings.
#8 (permalink)
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
Couple of items -- might be pertinent or not.
1) The instructions for turning off Virus Scan did not really apply (there was no "advanced" tab at the bottom of my security center.) However, from the VirusScan Console, I was able to disable the on-access scanner as well as buffer overflow protection. I could not figure out how to disable the on-delivery e-mail scanner but I went ahead and ran ComboFix anyway. (I only mention this because Microsoft Outlook -- my e-mail -- has been running slow and might be affected by the virus as well.)

2) After ComboFix had finished running, but before it prepared the log report, my pc restarted on its own. When I logged in, ComboFix resumed at the "Preparing Log Report" screen. I noticed at that time that VirusScan had been enabled but hopefully it wasn't an issue.

3) When you say "Open HijackThis", is that accomplished by clicking on the desktop icon RSIT.exe which you sent me early on? I don't know if I have HijackThis installed so I used RSIT.exe which seemed to work fine.

Both logs attached:

ComboFix 08-10-06.05 - JFM 2008-10-06 20:20:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.71 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\ECURIT~1
C:\Documents and Settings\Administrator\Application Data\FNTS~1
C:\Documents and Settings\Administrator\Application Data\MANTEC~1
C:\Documents and Settings\Administrator\Application Data\MBOLS~1
C:\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\Documents and Settings\Administrator\Application Data\STEM32~1
C:\Documents and Settings\Administrator\Application Data\WNSXS~1
C:\Documents and Settings\Administrator\My Documents\APPATC~1
C:\Documents and Settings\Administrator\My Documents\APPATC~1\APPATC~1\ctxad-467.0000
C:\Documents and Settings\Administrator\My Documents\APPATC~1\APPATC~1\ctxad-467.0001
C:\Documents and Settings\Administrator\My Documents\APPATC~1\APPATC~1\ctxad-467.0002
C:\Documents and Settings\Administrator\My Documents\APPATC~1\APPATC~1\ctxad-467.0003
C:\Documents and Settings\Administrator\My Documents\APPATC~1\APPATC~1\ctxad-467.0004
C:\Documents and Settings\Administrator\My Documents\APPATC~1\APPATC~1\ctxad-467.0005
C:\Documents and Settings\Administrator\My Documents\APPATC~1\APPATC~1\ctxad-467.0006
C:\Documents and Settings\Administrator\My Documents\ASKS~1
C:\Documents and Settings\Administrator\My Documents\MBOLS~1
C:\Documents and Settings\Administrator\My Documents\RACLE~1
C:\Documents and Settings\Administrator\My Documents\SEMBLY~1
C:\Documents and Settings\Administrator\My Documents\STEM~1
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt
C:\Program Files\asembl~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\mantec~1
C:\Program Files\icroso~1
C:\Program Files\network monitor
C:\Program Files\racle~1
C:\Program Files\sks~1
C:\Program Files\stem32~1
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\Program Files\ystem3~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM7f4d377f.txt
C:\WINDOWS\BM7f4d377f.xml
C:\WINDOWS\curity~1
C:\WINDOWS\fnts~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\cfg.dat
C:\WINDOWS\SYSTEM32\cqijlpxa.ini
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\czsnnf.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\eexgwkgr.dll
C:\WINDOWS\SYSTEM32\fMWvxyay.ini
C:\WINDOWS\SYSTEM32\fMWvxyay.ini2
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\geBurQGv.dll
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\ilautiyb.dll
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mitoqtci.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nhkzxt.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\ppatch~2
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\qeuxownc.dll
C:\WINDOWS\system32\rgkwgxee.ini
C:\WINDOWS\system32\rurtzl.dll
C:\WINDOWS\system32\sembly~1
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\umqaubne.dll
C:\WINDOWS\system32\wjcghscr.dll
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wvmjjkqu.ini
C:\WINDOWS\SYSTEM32\XadgPqru.ini
C:\WINDOWS\SYSTEM32\XadgPqru.ini2
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\uninstall_nmon.vbs
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor

((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.
2008-10-05 08:24 . 2008-10-05 08:25 <DIR> d-------- C:\rsit
2008-10-03 12:13 . 2008-10-03 12:13 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg8
2008-10-03 12:13 . 2008-10-03 12:13 262,144 --a------ C:\Documents and Settings\KARI~4.HOM
2008-10-03 12:13 . 2008-10-03 12:13 262,144 --a------ C:\Documents and Settings\JOHN~4.HOM
2008-10-03 12:07 . 2008-10-03 12:07 262,144 --a------ C:\Documents and Settings\KARI~3.HOM
2008-10-03 12:07 . 2008-10-03 12:07 262,144 --a------ C:\Documents and Settings\JOHN~3.HOM
2008-10-02 21:02 . 2008-10-06 01:06 512 --a------ C:\WINDOWS\randseed.rnd
2008-10-02 19:22 . 2008-10-02 19:22 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-10-02 19:22 . 2008-10-02 19:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates
2008-10-02 19:22 . 2008-10-02 19:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-10-02 19:22 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\naiavf5x.sys
2008-10-02 19:22 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mvstdi5x.sys
2008-10-02 19:21 . 2008-10-02 19:22 <DIR> d-------- C:\Program Files\Network Associates
2008-10-02 19:21 . 2008-10-02 19:21 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2008-10-02 00:20 . 2008-10-05 08:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 00:00 . 2008-10-02 23:01 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-10-01 19:37 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-10-01 15:42 . 2008-10-01 15:42 <DIR> d-------- C:\Program Files\AVG
2008-10-01 15:38 . 2008-10-01 15:44 8,192 --a------ C:\Documents and Settings\KARI~2.HOM
2008-10-01 15:38 . 2008-10-01 15:44 8,192 --a------ C:\Documents and Settings\JOHN~2.HOM
2008-10-01 15:20 . 2008-10-01 15:20 262,144 --a------ C:\Documents and Settings\KARI~1.HOM
2008-10-01 15:20 . 2008-10-01 15:20 262,144 --a------ C:\Documents and Settings\JOHN~1.HOM
2008-10-01 15:03 . 2008-10-01 15:03 <DIR> d-------- C:\Program Files\Panda Security
2008-10-01 13:52 . 2008-10-01 15:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PrevxCSI
2008-09-30 22:54 . 2008-09-30 22:54 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Talkback
2008-09-30 22:52 . 2008-10-01 18:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\zep
2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\uib
2008-09-30 22:52 . 2008-10-01 18:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\tcon
2008-09-30 22:52 . 2008-10-01 18:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\SP6
2008-09-30 22:52 . 2008-10-01 14:05 <DIR> d--hs---- C:\WINDOWS\Sm9obg
2008-09-30 22:51 . 2008-10-01 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\EV02
2008-09-30 22:51 . 2008-09-30 22:52 <DIR> d-------- C:\temp\xp34
2008-09-30 18:56 . 2008-09-30 18:56 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-09-30 18:56 . 2008-09-30 18:56 5,120 --ahs---- C:\Thumbs.db
2008-09-29 22:30 . 2008-10-05 12:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Canon
2008-09-17 18:28 . 2008-09-17 18:29 <DIR> d-------- C:\Program Files\iTunes
2008-09-17 18:28 . 2008-09-17 18:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-17 18:26 . 2008-09-17 18:26 <DIR> d-------- C:\Program Files\Bonjour
2008-09-17 18:24 . 2008-09-17 18:25 <DIR> d-------- C:\Program Files\QuickTime
2008-09-13 10:17 . 2008-09-21 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-09-13 10:16 . 2008-09-13 10:16 <DIR> d-------- C:\Program Files\LimeWire
2008-09-12 20:37 . 2008-09-12 21:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FrostWire
2008-09-12 20:36 . 2008-09-12 20:51 <DIR> d-------- C:\Program Files\FrostWire
2008-09-11 19:31 . 2008-09-12 20:38 <DIR> d-------- C:\Incomplete
2008-09-11 19:30 . 2008-09-12 20:39 <DIR> d-------- C:\MUSIC
2008-09-07 10:53 . 2008-09-07 10:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Research In Motion
2008-09-07 10:23 . 2008-09-07 10:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Blackberry Desktop
2008-09-07 09:30 . 2008-09-07 10:22 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 22:52 --------- d-----w C:\Program Files\Java
2008-10-06 00:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-10-04 15:45 --------- d-----w C:\Program Files\Google
2008-10-04 02:02 --------- d-----w C:\Program Files\LEGO Island
2008-10-03 20:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\COWON
2008-10-03 15:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-03 15:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-10-01 22:40 --------- d-----w C:\Program Files\ewido anti-malware
2008-09-30 22:56 5,632 --sha-w C:\Program Files\Thumbs.db
2008-09-29 22:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-09-17 22:47 --------- d-----w C:\Program Files\Apple Software Update
2008-09-17 22:28 --------- d-----w C:\Program Files\iPod
2008-09-17 22:25 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-07 14:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-09-07 14:31 --------- d-----w C:\Program Files\Roxio
2008-09-07 14:31 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Roxio
2008-09-07 13:15 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-08-27 13:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NewSoft
2008-08-27 13:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Costco Photo Organizer
2008-08-22 20:55 --------- d-----w C:\Program Files\Canon
2008-08-22 20:47 --------- d-----w C:\Program Files\Common Files\NewSoft
2008-08-22 20:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-22 20:46 --------- d-----w C:\Program Files\NewSoft
2008-08-22 20:46 --------- d-----w C:\Program Files\Common Files\PDFView
2008-08-22 20:42 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-08-22 20:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft
2008-08-22 20:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ScanSoft
2008-08-22 20:41 --------- d-----w C:\Program Files\ScanSoft
2008-08-22 20:39 --------- d-----w C:\Program Files\Common Files\CANON
2008-08-22 20:35 --------- d--h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ
2008-08-22 20:34 --------- d--h--w C:\Program Files\CanonBJ
2008-07-01 01:37 61,224 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2008-03-04 23:35 86,688 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-26 21:02 23,220,928 ----a-w C:\Program Files\JAD7_BASIC.exe
2007-10-25 22:57 11,043,944 ----a-w C:\Program Files\megamanager.exe
2007-10-23 22:47 1,206,366 ----a-w C:\Program Files\wrar371.exe
2007-10-22 03:51 2,590,138 ----a-w C:\Program Files\flac-1.1.4b.exe
2007-10-20 17:51 6,574,286 ----a-w C:\Program Files\videoraipodtouchconverter_Installer.exe
2007-10-17 21:55 105,303,336 ----a-w C:\Program Files\SMARTBoardSetup.exe
2007-06-10 17:47 15,732,984 ----a-w C:\Program Files\Google_Earth_BZXD.exe
2007-04-17 00:26 16,779,392 ----a-w C:\Program Files\jre-1_5_0_06-windows-i586-p.exe
2007-03-28 18:12 11,996,710 ----a-w C:\Program Files\Pub_MailMerge_final_ZA10177524.wmv
2007-03-27 23:52 1,410,680 ----a-w C:\Program Files\install_flash_player.exe
2006-12-25 20:25 1,646,592 ----a-w C:\Program Files\iPodshuffleResetUtilitySetup.exe
2006-12-15 01:10 630,784 ----a-w C:\Documents and Settings\Administrator\GoToAssist_chat2way__317_en.exe
2006-12-01 00:27 849 ----a-w C:\Program Files\AVG Anti-Spyware.lnk
2006-09-01 22:18 1,894 ----a-w C:\Program Files\HP Document Viewer.lnk
2006-09-01 22:14 898 ----a-w C:\Program Files\HP Photosmart Premier.lnk
2006-09-01 22:07 984 ----a-w C:\Program Files\HP Solution Center.lnk
2006-02-01 15:07 376,979 ------r C:\Program Files\Common Files\appmgr01.exe
2005-12-21 20:16 5,225,384 ----a-w C:\Program Files\Firefox Setup 1.5.exe
2004-02-25 03:48 16,706,160 -c--a-w C:\Program Files\AdbeRdr60_enu_full.exe
2004-02-25 03:46 6,262,872 ----a-w C:\Program Files\psa2se_us.exe
2003-10-06 23:16 11,726,143 ----a-w C:\Program Files\ecdc_v5.3.5.10_basic_enu.exe
2003-05-11 13:41 1,261,806 ----a-w C:\Program Files\MAquarium-V2.exe
2003-05-10 09:27 1,822,050 ----a-w C:\Program Files\EMpgPlay_20e.zip
2003-05-06 03:11 3,206,361 ----a-w C:\Program Files\vlc-0.5.3-win32.exe
2002-12-18 19:55 56,952 ----a-w C:\Documents and Settings\Kari\Application Data\GDIPFONTCACHEV1.DAT
2002-12-04 12:44 34,157,508 ----a-w C:\Program Files\trvte1107.exe
2002-11-22 19:05 56,952 ----a-w C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 20:24 472 --sha-r C:\WINDOWS\Sm9obg\mA6Cv0.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

C:\Documents and Settings\John\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 325632]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nhkzxt.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2003-10-06 19:17 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 21:50 1603152 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 21:01 644696 C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 16:52 331830 C:\Program Files\Microsoft Works\WKSSB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
--a------ 2001-07-25 11:00 241714 C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 12:02 79400 C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-03-26 07:07 228088 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-27 14:08 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 08:35 20480 C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7948:TCP"= 7948:TCP:limewire
"7948:UDP"= 7948:UDP:limewire

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]
S1 cinemst22;cinemst22;C:\WINDOWS\system32\drivers\cinemst22.sys [ ]
S3 asbp2poa;asbp2poa;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\asbp2poa.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be3a2a8-83e8-11dd-94f5-0007e9a98655}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{24B104BF-ED00-92F8-2C20-B7CE64BCBE93} - C:\WINDOWS\system32\lhukaqb.dll
BHO-{108110EA-38DE-4317-837F-0548FC1B6C55} - C:\WINDOWS\system32\ssqQkIBq.dll
BHO-{24B104BF-ED00-92F8-2C20-B7CE64BCBE93} - C:\WINDOWS\system32\lhukaqb.dll
BHO-{66697A55-C008-488E-A976-2D8DA382350A} - C:\WINDOWS\system32\urqPgdaX.dll
BHO-{70054510-da7c-418d-a125-741e52e36003} - C:\WINDOWS\system32\nhkzxt.dll
BHO-{93AF5E6F-EA81-CC23-ACD8-EDCB259B50CC} - C:\WINDOWS\system32\muudlg.dll
BHO-{EED933DF-1E1A-4534-8E2B-8531572422CC} - C:\WINDOWS\system32\yayxvWMf.dll
HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe
ShellExecuteHooks-{108110EA-38DE-4317-837F-0548FC1B6C55} - C:\WINDOWS\system32\ssqQkIBq.dll
Notify-ssqQkIBq - ssqQkIBq.dll
MSConfigStartUp-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-BM7f4d377f - C:\WINDOWS\system32\jrmtaykl.dll
MSConfigStartUp-HP Component Manager - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
MSConfigStartUp-HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-MSMSGS - C:\Program Files\Messenger\msmsgs.exe
MSConfigStartUp-Roia - C:\DOCUME~1\ADMINI~1\MYDOCU~1\APPATC~1\ati2evxx.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oag4nv19.Default User\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-shkwav&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 20:44:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-06 21:04:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-07 01:03:52

Pre-Run: 24,376,053,760 bytes free
Post-Run: 26,269,757,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

379 --- E O F --- 2008-10-03 11:13:54

Logfile of random's system information tool 1.04 (written by random/random)
Run by JFM at 2008-10-06 21:19:54
Microsoft Windows XP Professional Service Pack 2
System drive C: has 35 GB (46%) free of 76 GB
Total RAM: 255 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:06 PM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\JFM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: etrade1.calyonfinancial.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: nhkzxt.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 6142 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}] C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 143420] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [2002-08-14 90112] "ShStatEXE"=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE [2004-09-22 94208] "McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe [2005-12-07 131072] "Network Associates Error Reporting Service"=C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe [2003-10-07 147514] "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe [2003-10-06 684032] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-03 1603152] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-14 644696] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360] 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe [2008-09-10 289576] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe [2001-08-23 331830] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2001-08-16 28738] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0] C:\Program Files\Microsoft Money\System\Activation.exe [2001-07-25 241714] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2007-03-26 228088] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-10-27 185632] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe [2006-09-20 20480] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Desktop Manager.lnk] 
C:\PROGRA~1\RESEAR~1\BLACKB~1\DESKTO~1.EXE [2007-03-28 1283608] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2005-12-15 282624] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2005-12-15 73728] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk] C:\PROGRA~1\MICROS~4\Office10\OSA.EXE [2001-02-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe [2001-08-07 24633] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] C:\PROGRA~1\WinZip\WZQKPICK.EXE [2004-08-16 118784] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="nhkzxt.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDrives"=0 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"= "NoDrives"= "NoDriveAutoRun"= [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\WINDOWS\SYSTEM32\LEXPPS.EXE"="C:\WINDOWS\SYSTEM32\LEXPPS.EXE:*:Disabled:LEXPPS" "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe" "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe" "C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe" "C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe" "C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe" "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox" "C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent" "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire" "C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed 
installer" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes" "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be3a2a8-83e8-11dd-94f5-0007e9a98655}] shell\AutoRun\command - F:\wd_windows_tools\setup.exe ======List of files/folders created in the last 1 months====== 2008-10-06 21:04:18 ----A---- C:\ComboFix.txt 2008-10-06 20:28:19 ----D---- C:\WINDOWS\temp 2008-10-06 20:14:39 ----A---- C:\Boot.bak 2008-10-06 20:14:22 ----D---- C:\cmdcons 2008-10-06 20:13:07 ----D---- C:\WINDOWS\erdnt 2008-10-06 20:12:15 ----D---- C:\QooBox 2008-10-06 20:12:11 ----A---- C:\WINDOWS\zip.exe 2008-10-06 20:12:11 ----A---- C:\WINDOWS\VFIND.exe 2008-10-06 20:12:11 ----A---- C:\WINDOWS\SWXCACLS.exe 2008-10-06 20:12:11 ----A---- C:\WINDOWS\SWSC.exe 2008-10-06 20:12:11 ----A---- C:\WINDOWS\SWREG.exe 2008-10-06 20:12:11 ----A---- C:\WINDOWS\sed.exe 2008-10-06 20:12:11 ----A---- C:\WINDOWS\NIRCMD.exe 2008-10-06 20:12:11 ----A---- C:\WINDOWS\grep.exe 2008-10-06 20:12:11 ----A---- C:\WINDOWS\fdsv.exe 2008-10-05 08:24:13 ----D---- C:\rsit 2008-10-03 12:13:14 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg8 2008-10-02 19:22:41 ----D---- C:\Program Files\Common Files\Cisco Systems 2008-10-02 19:22:40 ----D---- C:\Documents and Settings\All 
Users.WINDOWS\Application Data\McAfee 2008-10-02 19:22:02 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates 2008-10-02 19:21:21 ----D---- C:\Program Files\Network Associates 2008-10-02 19:21:21 ----D---- C:\Program Files\Common Files\Network Associates 2008-10-02 00:20:54 ----D---- C:\Program Files\Trend Micro 2008-10-02 00:00:22 ----AD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP 2008-10-01 19:07:37 ----D---- C:\WINDOWS\pss 2008-10-01 15:42:51 ----D---- C:\Program Files\AVG 2008-10-01 15:03:08 ----D---- C:\Program Files\Panda Security 2008-10-01 13:52:41 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\PrevxCSI 2008-09-30 22:57:37 ----A---- C:\WINDOWS\system32\775dc09d-.txt 2008-09-30 22:52:27 ----SHD---- C:\WINDOWS\Sm9obg 2008-09-30 22:52:08 ----D---- C:\WINDOWS\system32\zep 2008-09-30 22:52:08 ----D---- C:\WINDOWS\system32\uib 2008-09-30 22:52:08 ----D---- C:\WINDOWS\system32\tcon 2008-09-30 22:52:08 ----D---- C:\WINDOWS\system32\SP6 2008-09-30 22:51:56 ----D---- C:\WINDOWS\system32\EV02 2008-09-29 22:30:48 ----D---- C:\Documents and Settings\Administrator\Application Data\Canon 2008-09-17 18:28:17 ----D---- C:\Program Files\iTunes 2008-09-17 18:28:17 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-09-17 18:26:40 ----D---- C:\Program Files\Bonjour 2008-09-17 18:24:47 ----D---- C:\Program Files\QuickTime 2008-09-13 10:17:18 ----D---- C:\Documents and Settings\Administrator\Application Data\LimeWire 2008-09-13 10:16:30 ----D---- C:\Program Files\LimeWire 2008-09-12 20:37:44 ----D---- C:\Documents and Settings\Administrator\Application Data\FrostWire 2008-09-12 20:36:57 ----D---- C:\Program Files\FrostWire 2008-09-12 20:33:16 ----A---- C:\WINDOWS\system32\javaws.exe 2008-09-12 20:33:15 ----A---- C:\WINDOWS\system32\javaw.exe 2008-09-12 20:33:15 ----A---- C:\WINDOWS\system32\java.exe 2008-09-11 19:31:05 ----D---- 
C:\Incomplete 2008-09-11 19:30:54 ----D---- C:\MUSIC 2008-09-10 03:02:04 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$ 2008-09-10 03:00:30 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$ 2008-09-07 10:53:16 ----D---- C:\Documents and Settings\Administrator\Application Data\Research In Motion 2008-09-07 10:23:10 ----D---- C:\Documents and Settings\Administrator\Application Data\Blackberry Desktop 2008-09-07 09:30:13 ----D---- C:\Program Files\Common Files\Research In Motion ======List of files/folders modified in the last 1 months====== 2008-10-06 21:04:47 ----D---- C:\WINDOWS\SYSTEM32 2008-10-06 21:04:45 ----D---- C:\WINDOWS\system32\DRIVERS 2008-10-06 21:04:28 ----D---- C:\WINDOWS 2008-10-06 21:01:15 ----D---- C:\WINDOWS\system32\CatRoot2 2008-10-06 20:44:18 ----A---- C:\WINDOWS\system.ini 2008-10-06 20:43:46 ----D---- C:\WINDOWS\Prefetch 2008-10-06 20:35:00 ----D---- C:\WINDOWS\system32\CONFIG 2008-10-06 20:24:06 ----D---- C:\Program Files\Common Files 2008-10-06 20:24:05 ----D---- C:\WINDOWS\AppPatch 2008-10-06 20:20:57 ----D---- C:\temp 2008-10-06 20:20:57 ----D---- C:\Program Files 2008-10-06 20:14:40 ----RASH---- C:\boot.ini 2008-10-06 20:13:07 ----A---- C:\WINDOWS\SchedLgU.Txt 2008-10-06 20:12:18 ----SHD---- C:\System Volume Information 2008-10-06 20:12:18 ----D---- C:\WINDOWS\system32\Restore 2008-10-06 18:52:53 ----SHD---- C:\WINDOWS\Installer 2008-10-06 18:52:53 ----D---- C:\Config.Msi 2008-10-06 18:52:51 ----D---- C:\Program Files\Java 2008-10-06 18:46:41 ----D---- C:\Program Files\Mozilla Firefox 2008-10-05 20:22:17 ----D---- C:\Documents and Settings\Administrator\Application Data\AdobeUM 2008-10-04 14:17:25 ----AC---- C:\WINDOWS\marscam.ini 2008-10-04 11:45:31 ----D---- C:\Program Files\Google 2008-10-04 11:41:42 ----HD---- C:\WINDOWS\INF 2008-10-04 11:41:15 ----D---- C:\WINDOWS\TWAIN_32 2008-10-03 23:42:34 ----A---- C:\WINDOWS\WIN.INI 2008-10-03 23:05:19 ----RD---- C:\POCKET CHANGE 2008-10-03 22:03:08 ----AC---- C:\WINDOWS\ntbtlog.txt 2008-10-03 
22:02:38 ----D---- C:\Program Files\LEGO Island 2008-10-03 21:41:15 ----D---- C:\Program Files\Messenger 2008-10-03 21:29:25 ----D---- C:\WINDOWS\system32\CatRoot_bak 2008-10-03 21:23:28 ----D---- C:\WINDOWS\system32\CatRoot 2008-10-03 16:23:55 ----D---- C:\Documents and Settings\Administrator\Application Data\COWON 2008-10-03 12:13:11 ----D---- C:\Documents and Settings 2008-10-03 11:55:11 ----D---- C:\Program Files\Spybot - Search & Destroy 2008-10-03 11:55:10 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-10-02 23:08:56 ----D---- C:\Spam 2008-10-02 21:20:13 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2008-10-01 23:51:39 ----D---- C:\Program Files\Windows Media Player 2008-10-01 18:40:35 ----D---- C:\Program Files\ewido anti-malware 2008-10-01 15:41:32 ----D---- C:\Program Files\Common Files\Microsoft Shared 2008-10-01 15:41:30 ----D---- C:\WINDOWS\WinSxS 2008-10-01 09:05:27 ----D---- C:\WINDOWS\Registration 2008-09-30 18:57:04 ----D---- C:\I386 2008-09-30 18:56:52 ----D---- C:\JENNA 2008-09-30 18:56:51 ----D---- C:\Netgear 2008-09-29 18:08:20 ----D---- C:\Documents and Settings\Administrator\Application Data\uTorrent 2008-09-28 20:39:38 ----A---- C:\caisslog.txt 2008-09-17 18:47:53 ----D---- C:\Program Files\Apple Software Update 2008-09-17 18:29:29 ----DC---- C:\WINDOWS\system32\DRVSTORE 2008-09-17 18:28:43 ----D---- C:\Program Files\iPod 2008-09-17 18:25:03 ----D---- C:\Program Files\Common Files\Apple 2008-09-17 18:16:49 ----SD---- C:\WINDOWS\Tasks 2008-09-12 20:58:18 ----D---- C:\My Downloads 2008-09-10 03:00:52 ----HD---- C:\WINDOWS\$hf_mig$ 2008-09-10 03:00:39 ----A---- C:\WINDOWS\imsins.BAK 2008-09-07 10:52:11 ----RSHDC---- C:\WINDOWS\system32\DLLCACHE 2008-09-07 10:32:12 ----D---- C:\Program Files\Common Files\Roxio Shared 2008-09-07 10:31:43 ----RSD---- C:\WINDOWS\Fonts 2008-09-07 10:31:34 ----D---- C:\Program Files\Roxio 2008-09-07 10:31:10 ----D---- C:\Documents and Settings\All 
Users.WINDOWS\Application Data\Roxio 2008-09-07 10:24:42 ----D---- C:\WINDOWS\system32\ReinstallBackups 2008-09-07 09:15:35 ----D---- C:\Program Files\Common Files\Sonic Shared ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-02-02 9336] R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-02-02 9464] R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2003-10-06 241280] R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096] R1 NaiAvTdi1;NaiAvTdi1; C:\WINDOWS\system32\drivers\mvstdi5x.sys [2006-06-08 58464] R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632] R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2003-10-06 144250] R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2003-10-06 206464] R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816] R3 ati2mtaa;ati2mtaa; C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2004-08-04 327040] R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696] R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-04-30 139776] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464] R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600] R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2003-10-06 30662] R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160] R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2003-09-26 28164] R3 NaiAvFilter1;NaiAvFilter1; C:\WINDOWS\system32\drivers\naiavf5x.sys [2006-06-08 116864] R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496] R3 ROOTMODEM;Microsoft Legacy Modem Driver; 
C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888] R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-06-17 553624] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600] R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856] R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104] R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480] S1 cinemst22;cinemst22; C:\WINDOWS\System32\drivers\cinemst22.sys [] S2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [] S3 asbp2poa;asbp2poa; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\asbp2poa.sys [] S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS [] S3 catchme;catchme; \??\C:\ComboFix\catchme.sys [] S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024] S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2003-10-06 25930] S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2005-10-27 49664] S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2005-10-27 16496] S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2005-10-27 21568] S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128] S3 mr7910;Photo Viewer; C:\WINDOWS\system32\DRIVERS\mr7910.sys [2006-08-02 114560] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; 
C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504] S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376] S3 NAVAP;NAVAP; \??\C:\WINDOWS\System32\Drivers\NAVAP.SYS [] S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20021224.005\NAVENG.SYS [] S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20021224.005\NAVEX15.SYS [] S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880] S3 RimUsb;BlackBerry Device; C:\WINDOWS\System32\Drivers\RimUsb.sys [2006-11-07 22272] S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136] S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552] S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360] S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS [] S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464] S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-10 116040] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888] R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2002-02-14 299008] R2 McAfeeFramework;McAfee Framework 
Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2005-12-07 98304] R2 McShield;Network Associates McShield; C:\Program Files\Network Associates\VirusScan\Mcshield.exe [2006-02-14 221191] R2 McTaskManager;Network Associates Task Manager; C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe [2006-06-08 29184] R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336] R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2005-03-14 69632] S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-03-25 359160] S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-03-26 310008] S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-03-26 166648] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144] S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728] S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-10 536872] S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-03-25 88824] S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-03-26 1010424] S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336] -----------------EOF----------------- |
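The HijackThis log posted above is read the way every HJT helper reads it: a few entry types (O20 AppInit_DLLs, O15 Trusted Zone, O2/O9/O23 entries whose file is missing, auto-starts from a temp directory) are checked first, and everything else is background. The script below is an added example for this thread; it is not part of the post, of HijackThis, or of any tool the moderator names. It parses HJT v2 lines and lists the entries those rules pick out. The sample lines are copied from the log above, except the O4 line under HKCU\..\Run pointing into Local Settings\Temp, which is constructed (example.exe is a hypothetical name) so that the temp-directory rule has something to fire on. A hit is a review item, not a malware verdict: the Messenger O9 entry, for instance, is just the leftover of an uninstalled Windows component.

```python
"""Triage a HijackThis v2 log: list the entries an analyst reads first.

Added example for this thread; not part of the forum post, of HijackThis,
or of any tool named by the moderator. The rules are the usual analyst
heuristics, and a hit is a review item, not a malware verdict.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# "O20 - AppInit_DLLs: foo.dll"  ->  section="O20", body="AppInit_DLLs: foo.dll"
HJT_LINE = re.compile(r"^(?P<section>[ORFN]\d{1,2}) - (?P<body>.*)$")

# Auto-start paths under a temp directory are almost never legitimate.
TEMP_DIR = re.compile(r"\\(temp|temporary internet files)\\", re.I)

# Sections in which HijackThis marks an entry whose file it could not find.
ORPHAN_SECTIONS = {"O2", "O3", "O4", "O9", "O23"}


def parse_hjt(text):
    """Yield (section, body, raw_line) for every HijackThis entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def check_entry(section, body):
    """Return why this entry deserves a look, or None if no rule fires."""
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            # On XP every process that loads user32.dll also loads this DLL.
            return f"AppInit_DLLs injects {value!r} into every GUI process; review it"
    if section in ORPHAN_SECTIONS and ("(no file)" in body or "(file missing)" in body):
        return "orphaned entry: the registered file no longer exists"
    if section == "O15":
        return "site added to the IE Trusted Zone (relaxed security settings)"
    if section in ("O4", "O23") and TEMP_DIR.search(body):
        return "auto-start or service running from a temporary directory"
    return None


def triage(text):
    """Return the Finding list for a whole log, in log order."""
    findings = []
    for section, body, line in parse_hjt(text):
        reason = check_entry(section, body)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


# Sample input. All lines are copied from the HijackThis log posted in the
# thread except the O4 HKCU\..\Run line under Local Settings\Temp, which is
# CONSTRUCTED for this example (example.exe is a hypothetical name).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [example] C:\Documents and Settings\Administrator\Local Settings\Temp\example.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: etrade1.calyonfinancial.com
O20 - AppInit_DLLs: nhkzxt.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file contents. The rules deliberately stop short of naming anything malicious: the AppInit_DLLs rule fires on any non-empty value because that key is loaded into every GUI process and has almost no legitimate use on a home XP machine, while an orphaned O2/O9 entry is usually harmless debris that a helper removes only for tidiness.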
#9
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer
Hello again
=========
Download ATF-Cleaner by Atribune to your desktop. Do not run it just yet; we will shortly.
==========
Open Notepad and copy/paste the text in the quotebox below into it:
Quote:
Referring to the picture above, drag CFscript into ComboFix.exe. Follow the prompts, and post the resulting log, C:\ComboFix.txt.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Warning: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
===========
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
===========
Establish an internet connection and perform an online scan with Internet Explorer at Kaspersky Online Scanner.
Click Accept when prompted to download and install the program files and database of malware definitions.
This animation will guide you through the process:
To optimize scanning time and produce a more sensible report for review:
==========
Please download HijackThis to your desktop
Alternate link
This program will help us determine if there is any spyware/malware on your computer.
Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis
Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.
=========
Logs Required
C:\Combofix.txt
Kaspersky Scan Report
Hijackthis Log
How is the system running now?
#10
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
Combofix, Kaspersky and HJT logs:
ComboFix 08-10-07.06 - JFM 2008-10-07 19:18:56.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.40 [GMT -4:00]Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript.txt * Created a new restore point * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg8 . ((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 ))))))))))))))))))))))))))))))) . 2008-10-07 19:18 . 2008-10-07 19:18 <DIR> d-------- C:\quarantine 2008-10-05 08:24 . 2008-10-05 08:25 <DIR> d-------- C:\rsit 2008-10-03 12:13 . 2008-10-03 12:13 262,144 --a------ C:\Documents and Settings\KARI~4.HOM 2008-10-03 12:13 . 2008-10-03 12:13 262,144 --a------ C:\Documents and Settings\JOHN~4.HOM 2008-10-03 12:07 . 2008-10-03 12:07 262,144 --a------ C:\Documents and Settings\KARI~3.HOM 2008-10-03 12:07 . 2008-10-03 12:07 262,144 --a------ C:\Documents and Settings\JOHN~3.HOM 2008-10-02 21:02 . 2008-10-07 01:33 512 --a------ C:\WINDOWS\randseed.rnd 2008-10-02 19:22 . 2008-10-02 19:22 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems 2008-10-02 19:22 . 2008-10-02 19:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates 2008-10-02 19:22 . 2008-10-02 19:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee 2008-10-02 19:22 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\naiavf5x.sys 2008-10-02 19:22 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mvstdi5x.sys 2008-10-02 19:21 . 2008-10-02 19:22 <DIR> d-------- C:\Program Files\Network Associates 2008-10-02 19:21 . 2008-10-02 19:21 <DIR> d-------- C:\Program Files\Common Files\Network Associates 2008-10-02 00:20 . 
2008-10-06 21:19 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-02 00:00 . 2008-10-02 23:01 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP 2008-10-01 19:37 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys 2008-10-01 15:42 . 2008-10-01 15:42 <DIR> d-------- C:\Program Files\AVG 2008-10-01 15:38 . 2008-10-01 15:44 8,192 --a------ C:\Documents and Settings\KARI~2.HOM 2008-10-01 15:38 . 2008-10-01 15:44 8,192 --a------ C:\Documents and Settings\JOHN~2.HOM 2008-10-01 15:20 . 2008-10-01 15:20 262,144 --a------ C:\Documents and Settings\KARI~1.HOM 2008-10-01 15:20 . 2008-10-01 15:20 262,144 --a------ C:\Documents and Settings\JOHN~1.HOM 2008-10-01 15:03 . 2008-10-01 15:03 <DIR> d-------- C:\Program Files\Panda Security 2008-10-01 13:52 . 2008-10-01 15:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PrevxCSI 2008-09-30 22:54 . 2008-09-30 22:54 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Talkback 2008-09-30 22:52 . 2008-10-01 18:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\zep 2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\uib 2008-09-30 22:52 . 2008-10-01 18:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\tcon 2008-09-30 22:52 . 2008-10-01 18:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\SP6 2008-09-30 22:52 . 2008-10-01 14:05 <DIR> d--hs---- C:\WINDOWS\Sm9obg 2008-09-30 22:51 . 2008-10-01 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\EV02 2008-09-30 22:51 . 2008-09-30 22:52 <DIR> d-------- C:\temp\xp34 2008-09-30 18:56 . 2008-09-30 18:56 7,680 --ahs---- C:\WINDOWS\Thumbs.db 2008-09-30 18:56 . 2008-09-30 18:56 5,120 --ahs---- C:\Thumbs.db 2008-09-29 22:30 . 2008-10-05 12:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Canon 2008-09-17 18:28 . 2008-09-17 18:29 <DIR> d-------- C:\Program Files\iTunes 2008-09-17 18:28 . 
2008-09-17 18:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-09-17 18:26 . 2008-09-17 18:26 <DIR> d-------- C:\Program Files\Bonjour 2008-09-17 18:24 . 2008-09-17 18:25 <DIR> d-------- C:\Program Files\QuickTime 2008-09-13 10:17 . 2008-09-21 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire 2008-09-13 10:16 . 2008-09-13 10:16 <DIR> d-------- C:\Program Files\LimeWire 2008-09-12 20:37 . 2008-09-12 21:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FrostWire 2008-09-12 20:36 . 2008-09-12 20:51 <DIR> d-------- C:\Program Files\FrostWire 2008-09-11 19:31 . 2008-09-12 20:38 <DIR> d-------- C:\Incomplete 2008-09-11 19:30 . 2008-09-12 20:39 <DIR> d-------- C:\MUSIC 2008-09-07 10:53 . 2008-09-07 10:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Research In Motion 2008-09-07 10:23 . 2008-09-07 10:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Blackberry Desktop 2008-09-07 09:30 . 2008-09-07 10:22 <DIR> d-------- C:\Program Files\Common Files\Research In Motion . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-10-06 22:52 --------- d-----w C:\Program Files\Java 2008-10-06 00:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM 2008-10-04 15:45 --------- d-----w C:\Program Files\Google 2008-10-04 02:02 --------- d-----w C:\Program Files\LEGO Island 2008-10-03 20:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\COWON 2008-10-03 15:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-10-03 15:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-10-01 22:40 --------- d-----w C:\Program Files\ewido anti-malware 2008-09-30 22:56 5,632 --sha-w C:\Program Files\Thumbs.db 2008-09-29 22:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent 2008-09-17 22:47 --------- d-----w C:\Program Files\Apple Software Update 2008-09-17 22:28 --------- d-----w C:\Program Files\iPod 2008-09-17 22:25 --------- d-----w C:\Program Files\Common Files\Apple 2008-09-07 14:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared 2008-09-07 14:31 --------- d-----w C:\Program Files\Roxio 2008-09-07 14:31 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Roxio 2008-09-07 13:15 --------- d-----w C:\Program Files\Common Files\Sonic Shared 2008-08-27 13:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NewSoft 2008-08-27 13:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Costco Photo Organizer 2008-08-22 20:55 --------- d-----w C:\Program Files\Canon 2008-08-22 20:47 --------- d-----w C:\Program Files\Common Files\NewSoft 2008-08-22 20:46 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-22 20:46 --------- d-----w C:\Program Files\NewSoft 2008-08-22 20:46 --------- d-----w C:\Program Files\Common Files\PDFView 2008-08-22 20:42 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared 2008-08-22 20:42 
--------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft 2008-08-22 20:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ScanSoft 2008-08-22 20:41 --------- d-----w C:\Program Files\ScanSoft 2008-08-22 20:39 --------- d-----w C:\Program Files\Common Files\CANON 2008-08-22 20:35 --------- d--h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ 2008-08-22 20:34 --------- d--h--w C:\Program Files\CanonBJ 2008-07-01 01:37 61,224 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe 2008-03-04 23:35 86,688 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT 2007-10-26 21:02 23,220,928 ----a-w C:\Program Files\JAD7_BASIC.exe 2007-10-25 22:57 11,043,944 ----a-w C:\Program Files\megamanager.exe 2007-10-23 22:47 1,206,366 ----a-w C:\Program Files\wrar371.exe 2007-10-22 03:51 2,590,138 ----a-w C:\Program Files\flac-1.1.4b.exe 2007-10-20 17:51 6,574,286 ----a-w C:\Program Files\videoraipodtouchconverter_Installer.exe 2007-10-17 21:55 105,303,336 ----a-w C:\Program Files\SMARTBoardSetup.exe 2007-06-10 17:47 15,732,984 ----a-w C:\Program Files\Google_Earth_BZXD.exe 2007-04-17 00:26 16,779,392 ----a-w C:\Program Files\jre-1_5_0_06-windows-i586-p.exe 2007-03-28 18:12 11,996,710 ----a-w C:\Program Files\Pub_MailMerge_final_ZA10177524.wmv 2007-03-27 23:52 1,410,680 ----a-w C:\Program Files\install_flash_player.exe 2006-12-25 20:25 1,646,592 ----a-w C:\Program Files\iPodshuffleResetUtilitySetup.exe 2006-12-15 01:10 630,784 ----a-w C:\Documents and Settings\Administrator\GoToAssist_chat2way__317_en.exe 2006-12-01 00:27 849 ----a-w C:\Program Files\AVG Anti-Spyware.lnk 2006-09-01 22:18 1,894 ----a-w C:\Program Files\HP Document Viewer.lnk 2006-09-01 22:14 898 ----a-w C:\Program Files\HP Photosmart Premier.lnk 2006-09-01 22:07 984 ----a-w C:\Program Files\HP Solution Center.lnk 2006-02-01 15:07 376,979 ------r C:\Program Files\Common Files\appmgr01.exe 
2005-12-21 20:16 5,225,384 ----a-w C:\Program Files\Firefox Setup 1.5.exe 2004-02-25 03:48 16,706,160 -c--a-w C:\Program Files\AdbeRdr60_enu_full.exe 2004-02-25 03:46 6,262,872 ----a-w C:\Program Files\psa2se_us.exe 2003-10-06 23:16 11,726,143 ----a-w C:\Program Files\ecdc_v5.3.5.10_basic_enu.exe 2003-05-11 13:41 1,261,806 ----a-w C:\Program Files\MAquarium-V2.exe 2003-05-10 09:27 1,822,050 ----a-w C:\Program Files\EMpgPlay_20e.zip 2003-05-06 03:11 3,206,361 ----a-w C:\Program Files\vlc-0.5.3-win32.exe 2002-12-18 19:55 56,952 ----a-w C:\Documents and Settings\Kari\Application Data\GDIPFONTCACHEV1.DAT 2002-12-04 12:44 34,157,508 ----a-w C:\Program Files\trvte1107.exe 2002-11-22 19:05 56,952 ----a-w C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT 2005-07-29 20:24 472 --sha-r C:\WINDOWS\Sm9obg\mA6Cv0.vbs . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072] "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] C:\Documents and Settings\John\Start Menu\Programs\Startup\ Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 325632] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktopChanges"= 0 (0x0) [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Desktop Manager.lnk] path=C:\Documents 
and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Desktop Manager.lnk backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] --a------ 2003-10-06 19:17 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter] --a------ 2007-04-03 21:50 1603152 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 21:01 644696 C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 16:52 331830 C:\Program Files\Microsoft Works\WKSSB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
--a------ 2001-07-25 11:00 241714 C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 12:02 79400 C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-03-26 07:07 228088 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-27 14:08 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 08:35 20480 C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7948:TCP"= 7948:TCP:limewire
"7948:UDP"= 7948:UDP:limewire

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]
S1 cinemst22;cinemst22;C:\WINDOWS\system32\drivers\cinemst22.sys [ ]
S3 asbp2poa;asbp2poa;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\asbp2poa.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be3a2a8-83e8-11dd-94f5-0007e9a98655}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder

2008-10-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 19:26:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-07 19:40:41
ComboFix-quarantined-files.txt 2008-10-07 23:40:24
ComboFix2.txt 2008-10-07 01:04:18

Pre-Run: 37,048,422,400 bytes free
Post-Run: 37,034,819,584 bytes free

245 --- E O F --- 2008-10-03 11:13:54

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 08, 2008 00:13:35
Records in database: 1298503
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
J:\
Z:\

Scan statistics:
Files scanned: 106698
Threat name: 14
Infected objects: 132
Suspicious objects: 142
Duration of the scan: 02:32:46

File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Exploit.HTML.Iframe.FileDownload 6
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 130
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Swen 114
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Virus.Win32.Xorala 2
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\geBurQGv.dll.vir Infected: Trojan.Win32.Monder.qnu 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ilautiyb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alwt 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qeuxownc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alvf 1
C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File 1
C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP2\A0000014.dll Infected: Trojan.Win32.Monder.qnu 1
C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP2\A0000015.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.alwt 1
C:\System Volume Information\_restore{C28B515A-5E1F-4902-8357-BDD836815628}\RP2\A0000018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.alvf 1
C:\WINDOWS\SYSTEM32\msdhmd.dll Infected: not-a-virus:AdWare.Win32.WebSearch.bb 1
C:\WINDOWS\SYSTEM32\uib\XPT87I16.exe Infected: Trojan-Clicker.Win32.Agent.duz 1
J:\Music\stella hurt.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
J:\Music\Chris Brown - Forever.wma Infected: Trojan-Downloader.WMA.GetCodec.b 1
J:\Music\stella hurt elvis costello.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
J:\Music\MILF Hunter 5 - Nikole (2008).avi Infected: Trojan-Downloader.WMA.GetCodec.a 1
J:\Music\lovebug jonas brothers.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
J:\Music\videogirl jonas brothers.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
J:\Music\strut the cheetah girls 2 18.wma Infected: Trojan-Downloader.WMA.Wimad.d 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:54 PM, on 10/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jkos-JFM\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: etrade1.calyonfinancial.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5977 bytes
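Editorial note on the logs above. A helper reads these by hand, and the lines that matter most are the ones the ComboFix "Reg Loading Points" section and the HijackThis O-lines put in front of you: the firewall policy block ("EnableFirewall"= 0, 3389/TCP in GloballyOpenPorts), drivers registered from a Temp path (the S3 asbp2poa line), the mountpoints2 AutoRun commands, and the O15 Trusted Zone entry. The script below is an added example written for this page; it is not part of the thread and not a tool the forum or either scanner ships. Its heuristics (which paths count as suspicious, which open ports rate "high") are this example's own assumptions. The sample input is excerpted from the logs in this post, except for the "[Updater]" O4 line, which is constructed to show an autostart launched from a Temp directory. Python 3.8 or later.

```python
"""Triage helper for flat HijackThis / ComboFix log text.

Added example, not from the thread or from either tool. The heuristics
(suspicious paths, high-severity ports) are this example's own assumptions.
"""
import re
from collections import Counter

# Sample input. Every line except the "[Updater]" O4 entry is excerpted from
# the ComboFix / HijackThis logs posted in this thread; the Updater line is
# constructed to show an autostart launched from a temp directory.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Updater] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xp34\svchost.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: etrade1.calyonfinancial.com
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7948:TCP"= 7948:TCP:limewire
\Shell\AutoRun\command - G:\LaunchU3.exe -a
S3 asbp2poa;asbp2poa;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\asbp2poa.sys [ ]
"""

# Assumption: a legitimate autostart or driver almost never runs from here.
TEMP_PATH = re.compile(r"\\(?:Temp|LOCALS~1)\\", re.I)
# Assumption: these should never be open on every interface of a home XP box.
HIGH_RISK_PORTS = {135, 139, 445, 3389}
OPEN_PORT = re.compile(r'"(\d+):(TCP|UDP)"=')
FIREWALL_OFF = re.compile(r'"EnableFirewall"\s*=\s*0\b')
CF_SERVICE = re.compile(r"[RS][0-4] ")          # ComboFix R0..S4 driver lines


def triage(log_text):
    """Return (severity, reason, line) for every log line worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O15 - Trusted Zone:"):
            # Trusted Zone sites get relaxed ActiveX/script settings in IE;
            # confirm the user added the site deliberately.
            findings.append(("review", "site in IE Trusted Zone", line))
        elif line.startswith("O4 ") and TEMP_PATH.search(line):
            findings.append(("high", "autostart launched from a temp path", line))
        elif "(file missing)" in line:
            findings.append(("low", "entry points at a missing file", line))
        elif FIREWALL_OFF.match(line):
            findings.append(("high", "Windows Firewall disabled for this profile", line))
        elif (m := OPEN_PORT.match(line)):
            port, proto = int(m.group(1)), m.group(2)
            sev = "high" if port in HIGH_RISK_PORTS else "review"
            findings.append((sev, f"port {port}/{proto} open on all interfaces", line))
        elif "\\Shell\\AutoRun\\command" in line:
            # mountpoints2 AutoRun entries fire when that drive is plugged in.
            findings.append(("review", "AutoRun command registered for a drive", line))
        elif CF_SERVICE.match(line) and TEMP_PATH.search(line):
            findings.append(("high", "driver or service loaded from a temp path", line))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 4, 'review': 3, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, reason, line in sorted(results, key=lambda f: f[0] != "high"):
        print(f"[{sev:6}] {reason}\n         {line}")
    print(severity_counts(results))
```

Run it against a whole pasted log and the ordinary entries (the Java updater, the Bonjour service, the Adobe BHO) drop out; what remains is the short list a helper would quote back to the poster. It is a first-pass filter, not a verdict: the O15 entry here is a brokerage site the user may well have added on purpose, which is why it rates "review" rather than "high".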
#11 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer
Hello again
Quote:
=========

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Warning: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=======

Logs Required
C:\Combofix.txt
Hijackthis Log
#12 (permalink)
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
|
Re: Codec.exe virus ? Pop-ups; slow computer
You wrote:
Quote:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Exploit.HTML.Iframe.FileDownload 6
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 130
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Swen 114
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Virus.Win32.Xorala 2

Kaspersky is flagging these e-mails in your Outlook archive .pst (personal folder) and Deleted Items folders; you may want to clear out any e-mails inside those folders.

Stupid question, but just to be clear: re the Kaspersky-flagged e-mails, while in Outlook should I delete ALL e-mails in both the "Deleted Items" and "Archives" folders? Or do you mean use Explorer (or My Computer > C:) to locate the specific folders mentioned and then delete only the contents therein?

Thank you. I'll take care of these items and post the logs tonight.
#13 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer
Quote:
Quote:
#14 (permalink)
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
Hello again
Notes on my activity:
- Deleted ALL e-mails in the "Archives" and "Deleted Items" folders of Outlook. As there were over 20,000 items, this took a long time (not sure if my 256 RAM is to blame).
- When I dragged CFscript.txt into ComboFix, I was prompted to update ComboFix. I answered yes, but it said it was unable to update and ran with the existing version.
- After ComboFix had finished running and generated the log, all of my icons and taskbar disappeared from my screen (interestingly, the desktop background remained, however). Rebooting brought everything back.

Here are the ComboFix and HJT logs:

ComboFix 08-10-08.02 - JFM 2008-10-08 19:59:06.3 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active

FILE ::
C:\Program Files\AVG Anti-Spyware.lnk
C:\WINDOWS\SYSTEM32\msdhmd.dll
C:\WINDOWS\SYSTEM32\uib\XPT87I16.exe
J:\Music\Chris Brown - Forever.wma
J:\Music\lovebug jonas brothers.mp3
J:\Music\MILF Hunter 5 - Nikole (2008).avi
J:\Music\stella hurt elvis costello.mp3
J:\Music\stella hurt.mp3
J:\Music\strut the cheetah girls 2 18.wma
J:\Music\videogirl jonas brothers.mp3
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Desktop\notepad.exe
C:\Program Files\AVG Anti-Spyware.lnk
C:\Program Files\AVG
C:\WINDOWS\SYSTEM32\msdhmd.dll
C:\WINDOWS\SYSTEM32\uib\XPT87I16.exe
J:\Music\Chris Brown - Forever.wma
J:\Music\lovebug jonas brothers.mp3
J:\Music\MILF Hunter 5 - Nikole (2008).avi
J:\Music\stella hurt elvis costello.mp3
J:\Music\stella hurt.mp3
J:\Music\strut the cheetah girls 2 18.wma
J:\Music\videogirl jonas brothers.mp3
.
((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.
2008-10-07 19:18 . 2008-10-08 19:59 <DIR> d-------- C:\quarantine
2008-10-05 08:24 .
2008-10-05 08:25 <DIR> d-------- C:\rsit 2008-10-03 12:13 . 2008-10-03 12:13 262,144 --a------ C:\Documents and Settings\KARI~4.HOM 2008-10-03 12:13 . 2008-10-03 12:13 262,144 --a------ C:\Documents and Settings\JOHN~4.HOM 2008-10-03 12:07 . 2008-10-03 12:07 262,144 --a------ C:\Documents and Settings\KARI~3.HOM 2008-10-03 12:07 . 2008-10-03 12:07 262,144 --a------ C:\Documents and Settings\JOHN~3.HOM 2008-10-02 21:02 . 2008-10-08 01:20 512 --a------ C:\WINDOWS\randseed.rnd 2008-10-02 19:22 . 2008-10-02 19:22 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems 2008-10-02 19:22 . 2008-10-02 19:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates 2008-10-02 19:22 . 2008-10-02 19:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee 2008-10-02 19:22 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\naiavf5x.sys 2008-10-02 19:22 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mvstdi5x.sys 2008-10-02 19:21 . 2008-10-02 19:22 <DIR> d-------- C:\Program Files\Network Associates 2008-10-02 19:21 . 2008-10-02 19:21 <DIR> d-------- C:\Program Files\Common Files\Network Associates 2008-10-02 00:20 . 2008-10-06 21:19 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-02 00:00 . 2008-10-02 23:01 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP 2008-10-01 19:37 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys 2008-10-01 15:38 . 2008-10-01 15:44 8,192 --a------ C:\Documents and Settings\KARI~2.HOM 2008-10-01 15:38 . 2008-10-01 15:44 8,192 --a------ C:\Documents and Settings\JOHN~2.HOM 2008-10-01 15:20 . 2008-10-01 15:20 262,144 --a------ C:\Documents and Settings\KARI~1.HOM 2008-10-01 15:20 . 2008-10-01 15:20 262,144 --a------ C:\Documents and Settings\JOHN~1.HOM 2008-10-01 15:03 . 2008-10-01 15:03 <DIR> d-------- C:\Program Files\Panda Security 2008-10-01 13:52 . 
2008-10-01 15:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PrevxCSI 2008-09-30 22:54 . 2008-09-30 22:54 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Talkback 2008-09-30 22:52 . 2008-10-01 18:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\zep 2008-09-30 22:52 . 2008-10-08 19:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\uib 2008-09-30 22:52 . 2008-10-01 18:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\tcon 2008-09-30 22:52 . 2008-10-01 18:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\SP6 2008-09-30 22:52 . 2008-10-01 14:05 <DIR> d--hs---- C:\WINDOWS\Sm9obg 2008-09-30 22:51 . 2008-10-01 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\EV02 2008-09-30 22:51 . 2008-09-30 22:52 <DIR> d-------- C:\temp\xp34 2008-09-30 18:56 . 2008-09-30 18:56 7,680 --ahs---- C:\WINDOWS\Thumbs.db 2008-09-30 18:56 . 2008-09-30 18:56 5,120 --ahs---- C:\Thumbs.db 2008-09-29 22:30 . 2008-10-05 12:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Canon 2008-09-17 18:28 . 2008-09-17 18:29 <DIR> d-------- C:\Program Files\iTunes 2008-09-17 18:28 . 2008-09-17 18:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-09-17 18:26 . 2008-09-17 18:26 <DIR> d-------- C:\Program Files\Bonjour 2008-09-17 18:24 . 2008-09-17 18:25 <DIR> d-------- C:\Program Files\QuickTime 2008-09-13 10:17 . 2008-09-21 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire 2008-09-13 10:16 . 2008-09-13 10:16 <DIR> d-------- C:\Program Files\LimeWire 2008-09-12 20:37 . 2008-09-12 21:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FrostWire 2008-09-12 20:36 . 2008-09-12 20:51 <DIR> d-------- C:\Program Files\FrostWire 2008-09-11 19:31 . 2008-09-12 20:38 <DIR> d-------- C:\Incomplete 2008-09-11 19:30 . 2008-09-12 20:39 <DIR> d-------- C:\MUSIC . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-06 22:52 --------- d-----w C:\Program Files\Java 2008-10-06 00:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM 2008-10-04 15:45 --------- d-----w C:\Program Files\Google 2008-10-04 02:02 --------- d-----w C:\Program Files\LEGO Island 2008-10-03 20:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\COWON 2008-10-03 15:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-10-03 15:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-10-01 22:40 --------- d-----w C:\Program Files\ewido anti-malware 2008-09-30 22:56 5,632 --sha-w C:\Program Files\Thumbs.db 2008-09-29 22:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent 2008-09-17 22:47 --------- d-----w C:\Program Files\Apple Software Update 2008-09-17 22:28 --------- d-----w C:\Program Files\iPod 2008-09-17 22:25 --------- d-----w C:\Program Files\Common Files\Apple 2008-09-07 14:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Blackberry Desktop 2008-09-07 14:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Research In Motion 2008-09-07 14:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared 2008-09-07 14:31 --------- d-----w C:\Program Files\Roxio 2008-09-07 14:31 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Roxio 2008-09-07 14:22 --------- d-----w C:\Program Files\Common Files\Research In Motion 2008-09-07 13:15 --------- d-----w C:\Program Files\Common Files\Sonic Shared 2008-08-27 13:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NewSoft 2008-08-27 13:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Costco Photo Organizer 2008-08-22 20:55 --------- d-----w 
C:\Program Files\Canon 2008-08-22 20:47 --------- d-----w C:\Program Files\Common Files\NewSoft 2008-08-22 20:46 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-22 20:46 --------- d-----w C:\Program Files\NewSoft 2008-08-22 20:46 --------- d-----w C:\Program Files\Common Files\PDFView 2008-08-22 20:42 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared 2008-08-22 20:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft 2008-08-22 20:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ScanSoft 2008-08-22 20:41 --------- d-----w C:\Program Files\ScanSoft 2008-08-22 20:39 --------- d-----w C:\Program Files\Common Files\CANON 2008-08-22 20:35 --------- d--h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ 2008-08-22 20:34 --------- d--h--w C:\Program Files\CanonBJ 2008-07-01 01:37 61,224 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe 2008-03-04 23:35 86,688 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT 2007-10-26 21:02 23,220,928 ----a-w C:\Program Files\JAD7_BASIC.exe 2007-10-25 22:57 11,043,944 ----a-w C:\Program Files\megamanager.exe 2007-10-23 22:47 1,206,366 ----a-w C:\Program Files\wrar371.exe 2007-10-22 03:51 2,590,138 ----a-w C:\Program Files\flac-1.1.4b.exe 2007-10-20 17:51 6,574,286 ----a-w C:\Program Files\videoraipodtouchconverter_Installer.exe 2007-10-17 21:55 105,303,336 ----a-w C:\Program Files\SMARTBoardSetup.exe 2007-06-10 17:47 15,732,984 ----a-w C:\Program Files\Google_Earth_BZXD.exe 2007-04-17 00:26 16,779,392 ----a-w C:\Program Files\jre-1_5_0_06-windows-i586-p.exe 2007-03-28 18:12 11,996,710 ----a-w C:\Program Files\Pub_MailMerge_final_ZA10177524.wmv 2007-03-27 23:52 1,410,680 ----a-w C:\Program Files\install_flash_player.exe 2006-12-25 20:25 1,646,592 ----a-w C:\Program Files\iPodshuffleResetUtilitySetup.exe 2006-12-15 01:10 630,784 ----a-w 
C:\Documents and Settings\Administrator\GoToAssist_chat2way__317_en.exe 2006-09-01 22:18 1,894 ----a-w C:\Program Files\HP Document Viewer.lnk 2006-09-01 22:14 898 ----a-w C:\Program Files\HP Photosmart Premier.lnk 2006-09-01 22:07 984 ----a-w C:\Program Files\HP Solution Center.lnk 2006-02-01 15:07 376,979 ------r C:\Program Files\Common Files\appmgr01.exe 2005-12-21 20:16 5,225,384 ----a-w C:\Program Files\Firefox Setup 1.5.exe 2004-02-25 03:48 16,706,160 -c--a-w C:\Program Files\AdbeRdr60_enu_full.exe 2004-02-25 03:46 6,262,872 ----a-w C:\Program Files\psa2se_us.exe 2003-10-06 23:16 11,726,143 ----a-w C:\Program Files\ecdc_v5.3.5.10_basic_enu.exe 2003-05-11 13:41 1,261,806 ----a-w C:\Program Files\MAquarium-V2.exe 2003-05-10 09:27 1,822,050 ----a-w C:\Program Files\EMpgPlay_20e.zip 2003-05-06 03:11 3,206,361 ----a-w C:\Program Files\vlc-0.5.3-win32.exe 2002-12-18 19:55 56,952 ----a-w C:\Documents and Settings\Kari\Application Data\GDIPFONTCACHEV1.DAT 2002-12-04 12:44 34,157,508 ----a-w C:\Program Files\trvte1107.exe 2002-11-22 19:05 56,952 ----a-w C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT 2005-07-29 20:24 472 --sha-r C:\WINDOWS\Sm9obg\mA6Cv0.vbs . ((((((((((((((((((((((((((((( snapshot@2008-10-06_21.02.10.34 ))))))))))))))))))))))))))))))))))))))))) . + 2004-08-04 07:56:54 69,120 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\notepad.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072] "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] C:\Documents and Settings\John\Start Menu\Programs\Startup\ Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 325632] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktopChanges"= 0 (0x0) [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Desktop Manager.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Desktop Manager.lnk backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start 
Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] --a------ 2003-10-06 19:17 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter] --a------ 2007-04-03 21:50 1603152 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu] --a------ 2007-05-14 21:01 644696 C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 03:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-09-10 17:40 289576 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio] --a------ 2001-08-23 16:52 331830 C:\Program Files\Microsoft Works\WKSSB.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection] --a------ 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\MoneyStartUp10.0] --a------ 2001-07-25 11:00 241714 C:\Program Files\Microsoft Money\System\Activation.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4] --a------ 2007-02-04 12:02 79400 C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] --a------ 2007-03-26 07:07 228088 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] --a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-10-27 14:08 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe] --a------ 2006-09-20 08:35 20480 C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\WrtMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] --a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= 
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\StubInstaller.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "7948:TCP"= 7948:TCP:limewire "7948:UDP"= 7948:UDP:limewire R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544] R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040] S1 cinemst22;cinemst22;C:\WINDOWS\system32\drivers\cinemst22.sys [ ] S3 asbp2poa;asbp2poa;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\asbp2poa.sys [ ] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be3a2a8-83e8-11dd-94f5-0007e9a98655}] \Shell\AutoRun\command - F:\wd_windows_tools\setup.exe . Contents of the 'Scheduled Tasks' folder 2008-10-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-08 20:05:56 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2008-10-08 20:23:22 ComboFix-quarantined-files.txt 2008-10-09 00:23:18 ComboFix2.txt 2008-10-07 23:40:47 ComboFix3.txt 2008-10-07 01:04:18 Pre-Run: 37,071,781,888 bytes free Post-Run: 37,115,211,776 bytes free 266 --- E O F --- 2008-10-03 11:13:54 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:36:24 PM, on 10/8/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O12 - Plugin for 
.pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O15 - Trusted Zone: etrade1.calyonfinancial.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. 
- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- End of file - 5828 bytes

Thanks, Murdog
#15
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer
Hello again
Open notepad and copy/paste the text in the quotebox below into it: Quote:
Referring to the picture above, drag CFscript into ComboFix.exe. Follow the prompts, and post the resulting log, C:\ComboFix.txt.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Warning: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

=========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==========

Logs Required
C:\Combofix.txt
Hijackthis Log
#16
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
Howdy.
Question: Should I turn off my antivirus program (McAfee) and firewall whenever running ComboFix and HijackThis? Also, not sure if this is relevant, but when I open my browser (Firefox) after running ComboFix, it always tells me that "Firefox is not currently set up as my default browser". Lastly, I received my upgraded RAM today. Is there any reason to hold off on installing it until we have finished?

Thanks, Murdog

Logs:

ComboFix 08-10-08.02 - JFM 2008-10-09 17:43:47.4 - NTFSx86 Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt * Created a new restore point * Resident AV is active FILE :: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\asbp2poa.sys C:\Program Files\jre-1_5_0_06-windows-i586-p.exe C:\Program Files\trvte1107.exe C:\WINDOWS\system32\drivers\cinemst22.sys . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\jre-1_5_0_06-windows-i586-p.exe C:\Program Files\trvte1107.exe C:\temp C:\temp\adobe\EPS Parser Plug-in for Adobe PhotoDeluxe\EPSParsr.8by C:\temp\adobe\EPS Parser Plug-in for Adobe PhotoDeluxe\Readme.wri C:\temp\ATT327945.txt C:\temp\EmlResize_0.log C:\temp\SSLCert.cer C:\temp\xp34\cPH.log C:\WINDOWS\Sm9obg C:\WINDOWS\Sm9obg\mA6Cv0.vbs C:\WINDOWS\SYSTEM32\EV02 C:\WINDOWS\SYSTEM32\SP6 C:\WINDOWS\SYSTEM32\tcon C:\WINDOWS\SYSTEM32\uib C:\WINDOWS\SYSTEM32\zep . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ASBP2POA -------\Legacy_CINEMST22 -------\Service_asbp2poa -------\Service_cinemst22 ((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 ))))))))))))))))))))))))))))))) . 2008-10-07 19:18 . 2008-10-09 17:43 <DIR> d-------- C:\quarantine 2008-10-05 08:24 . 2008-10-05 08:25 <DIR> d-------- C:\rsit 2008-10-03 12:13 . 
2008-10-03 12:13 262,144 --a------ C:\Documents and Settings\KARI~4.HOM 2008-10-03 12:13 . 2008-10-03 12:13 262,144 --a------ C:\Documents and Settings\JOHN~4.HOM 2008-10-03 12:07 . 2008-10-03 12:07 262,144 --a------ C:\Documents and Settings\KARI~3.HOM 2008-10-03 12:07 . 2008-10-03 12:07 262,144 --a------ C:\Documents and Settings\JOHN~3.HOM 2008-10-02 21:02 . 2008-10-09 01:42 512 --a------ C:\WINDOWS\randseed.rnd 2008-10-02 19:22 . 2008-10-02 19:22 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems 2008-10-02 19:22 . 2008-10-02 19:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates 2008-10-02 19:22 . 2008-10-02 19:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee 2008-10-02 19:22 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\naiavf5x.sys 2008-10-02 19:22 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mvstdi5x.sys 2008-10-02 19:21 . 2008-10-02 19:22 <DIR> d-------- C:\Program Files\Network Associates 2008-10-02 19:21 . 2008-10-02 19:21 <DIR> d-------- C:\Program Files\Common Files\Network Associates 2008-10-02 00:20 . 2008-10-06 21:19 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-02 00:00 . 2008-10-02 23:01 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP 2008-10-01 19:37 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys 2008-10-01 15:38 . 2008-10-01 15:44 8,192 --a------ C:\Documents and Settings\KARI~2.HOM 2008-10-01 15:38 . 2008-10-01 15:44 8,192 --a------ C:\Documents and Settings\JOHN~2.HOM 2008-10-01 15:20 . 2008-10-01 15:20 262,144 --a------ C:\Documents and Settings\KARI~1.HOM 2008-10-01 15:20 . 2008-10-01 15:20 262,144 --a------ C:\Documents and Settings\JOHN~1.HOM 2008-10-01 15:03 . 2008-10-01 15:03 <DIR> d-------- C:\Program Files\Panda Security 2008-10-01 13:52 . 
2008-10-01 15:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PrevxCSI 2008-09-30 22:54 . 2008-09-30 22:54 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Talkback 2008-09-30 18:56 . 2008-09-30 18:56 7,680 --ahs---- C:\WINDOWS\Thumbs.db 2008-09-30 18:56 . 2008-09-30 18:56 5,120 --ahs---- C:\Thumbs.db 2008-09-29 22:30 . 2008-10-05 12:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Canon 2008-09-17 18:28 . 2008-09-17 18:29 <DIR> d-------- C:\Program Files\iTunes 2008-09-17 18:28 . 2008-09-17 18:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-09-17 18:26 . 2008-09-17 18:26 <DIR> d-------- C:\Program Files\Bonjour 2008-09-17 18:24 . 2008-09-17 18:25 <DIR> d-------- C:\Program Files\QuickTime 2008-09-13 10:17 . 2008-09-21 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire 2008-09-13 10:16 . 2008-09-13 10:16 <DIR> d-------- C:\Program Files\LimeWire 2008-09-12 20:37 . 2008-09-12 21:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FrostWire 2008-09-12 20:36 . 2008-09-12 20:51 <DIR> d-------- C:\Program Files\FrostWire 2008-09-11 19:31 . 2008-09-12 20:38 <DIR> d-------- C:\Incomplete 2008-09-11 19:30 . 2008-09-12 20:39 <DIR> d-------- C:\MUSIC . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-10-06 22:52 --------- d-----w C:\Program Files\Java 2008-10-06 00:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM 2008-10-04 15:45 --------- d-----w C:\Program Files\Google 2008-10-04 02:02 --------- d-----w C:\Program Files\LEGO Island 2008-10-03 20:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\COWON 2008-10-03 15:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-10-03 15:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-10-01 22:40 --------- d-----w C:\Program Files\ewido anti-malware 2008-09-30 22:56 5,632 --sha-w C:\Program Files\Thumbs.db 2008-09-29 22:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent 2008-09-17 22:47 --------- d-----w C:\Program Files\Apple Software Update 2008-09-17 22:28 --------- d-----w C:\Program Files\iPod 2008-09-17 22:25 --------- d-----w C:\Program Files\Common Files\Apple 2008-09-07 14:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Blackberry Desktop 2008-09-07 14:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Research In Motion 2008-09-07 14:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared 2008-09-07 14:31 --------- d-----w C:\Program Files\Roxio 2008-09-07 14:31 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Roxio 2008-09-07 14:22 --------- d-----w C:\Program Files\Common Files\Research In Motion 2008-09-07 13:15 --------- d-----w C:\Program Files\Common Files\Sonic Shared 2008-08-27 13:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NewSoft 2008-08-27 13:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Costco Photo Organizer 2008-08-22 20:55 --------- d-----w C:\Program Files\Canon 2008-08-22 20:47 --------- d-----w C:\Program Files\Common Files\NewSoft 2008-08-22 20:46 
--------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-22 20:46 --------- d-----w C:\Program Files\NewSoft 2008-08-22 20:46 --------- d-----w C:\Program Files\Common Files\PDFView 2008-08-22 20:42 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared 2008-08-22 20:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft 2008-08-22 20:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ScanSoft 2008-08-22 20:41 --------- d-----w C:\Program Files\ScanSoft 2008-08-22 20:39 --------- d-----w C:\Program Files\Common Files\CANON 2008-08-22 20:35 --------- d--h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ 2008-08-22 20:34 --------- d--h--w C:\Program Files\CanonBJ 2008-07-01 01:37 61,224 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe 2008-03-04 23:35 86,688 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT 2007-10-26 21:02 23,220,928 ----a-w C:\Program Files\JAD7_BASIC.exe 2007-10-25 22:57 11,043,944 ----a-w C:\Program Files\megamanager.exe 2007-10-23 22:47 1,206,366 ----a-w C:\Program Files\wrar371.exe 2007-10-22 03:51 2,590,138 ----a-w C:\Program Files\flac-1.1.4b.exe 2007-10-20 17:51 6,574,286 ----a-w C:\Program Files\videoraipodtouchconverter_Installer.exe 2007-10-17 21:55 105,303,336 ----a-w C:\Program Files\SMARTBoardSetup.exe 2007-06-10 17:47 15,732,984 ----a-w C:\Program Files\Google_Earth_BZXD.exe 2007-03-28 18:12 11,996,710 ----a-w C:\Program Files\Pub_MailMerge_final_ZA10177524.wmv 2007-03-27 23:52 1,410,680 ----a-w C:\Program Files\install_flash_player.exe 2006-12-25 20:25 1,646,592 ----a-w C:\Program Files\iPodshuffleResetUtilitySetup.exe 2006-12-15 01:10 630,784 ----a-w C:\Documents and Settings\Administrator\GoToAssist_chat2way__317_en.exe 2006-09-01 22:18 1,894 ----a-w C:\Program Files\HP Document Viewer.lnk 2006-09-01 22:14 898 ----a-w C:\Program Files\HP Photosmart 
Premier.lnk 2006-09-01 22:07 984 ----a-w C:\Program Files\HP Solution Center.lnk 2006-02-01 15:07 376,979 ------r C:\Program Files\Common Files\appmgr01.exe 2005-12-21 20:16 5,225,384 ----a-w C:\Program Files\Firefox Setup 1.5.exe 2004-02-25 03:48 16,706,160 -c--a-w C:\Program Files\AdbeRdr60_enu_full.exe 2004-02-25 03:46 6,262,872 ----a-w C:\Program Files\psa2se_us.exe 2003-10-06 23:16 11,726,143 ----a-w C:\Program Files\ecdc_v5.3.5.10_basic_enu.exe 2003-05-11 13:41 1,261,806 ----a-w C:\Program Files\MAquarium-V2.exe 2003-05-10 09:27 1,822,050 ----a-w C:\Program Files\EMpgPlay_20e.zip 2003-05-06 03:11 3,206,361 ----a-w C:\Program Files\vlc-0.5.3-win32.exe 2002-12-18 19:55 56,952 ----a-w C:\Documents and Settings\Kari\Application Data\GDIPFONTCACHEV1.DAT 2002-11-22 19:05 56,952 ----a-w C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((( snapshot@2008-10-06_21.02.10.34 ))))))))))))))))))))))))))))))))))))))))) . + 2004-08-04 07:56:54 69,120 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\notepad.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072] "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] C:\Documents and Settings\John\Start Menu\Programs\Startup\ Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 325632] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktopChanges"= 0 (0x0) [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Desktop Manager.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Desktop Manager.lnk backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start 
Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] --a------ 2003-10-06 19:17 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter] --a------ 2007-04-03 21:50 1603152 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu] --a------ 2007-05-14 21:01 644696 C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 03:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-09-10 17:40 289576 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio] --a------ 2001-08-23 16:52 331830 C:\Program Files\Microsoft Works\WKSSB.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection] --a------ 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\MoneyStartUp10.0] --a------ 2001-07-25 11:00 241714 C:\Program Files\Microsoft Money\System\Activation.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4] --a------ 2007-02-04 12:02 79400 C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] --a------ 2007-03-26 07:07 228088 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] --a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-10-27 14:08 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe] --a------ 2006-09-20 08:35 20480 C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\WrtMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] --a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= 
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\StubInstaller.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "7948:TCP"= 7948:TCP:limewire "7948:UDP"= 7948:UDP:limewire R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544] R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be3a2a8-83e8-11dd-94f5-0007e9a98655}] \Shell\AutoRun\command - F:\wd_windows_tools\setup.exe . Contents of the 'Scheduled Tasks' folder 2008-10-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-09 18 28Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . 
C:\WINDOWS\SYSTEM32\LEXBCES.EXE C:\WINDOWS\SYSTEM32\LEXPPS.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\SYSTEM32\HPZipm12.exe . ************************************************************************** . Completion time: 2008-10-09 18:24:44 - machine was rebooted ComboFix-quarantined-files.txt 2008-10-09 22:24:28 ComboFix2.txt 2008-10-09 00:23:25 ComboFix3.txt 2008-10-07 23:40:47 ComboFix4.txt 2008-10-07 01:04:18 Pre-Run: 37,215,801,344 bytes free Post-Run: 37,151,764,480 bytes free 274 --- E O F --- 2008-10-03 11:13:54 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:29:51 PM, on 10/9/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe 
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O8 - Extra context menu item: E&xport to Microsoft Excel - 
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O15 - Trusted Zone: etrade1.calyonfinancial.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. 
- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- End of file - 5852 bytes |
#17
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
In answer to your question on how the system is running now, my web browsers seem to be ok and free of pop-ups. However, the last few days, Microsoft Outlook (my e-mail program) has seemed to get worse than before. Often it takes an inordinately long time to even open (10-20 minutes) and after it is open, it seems to slow down the entire computer -- whatever windows I happen to have open at the time freeze up. Also, I can't just "x" it out -- opening the task manager (after much delay) and choosing to "End Process" (the Outlook.exe process, that is) is the only way to free up the pc. Mem usage on Outlook.exe process by the way is always over 100,000 K. (I have 1 GB of RAM ready to install which might help, but this Outlook issue seems to have intensified over the last 2 or 3 days)

p.s. On a totally unrelated matter, I'm just curious -- when replying, how do you get part of a previous msg inside the text box and set apart like that (I unsuccessfully tried to do it)?
#18
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer
Quote:
http://community.mcafee.com/index.php

Quote:

Can you post a HijackThis log.

Last edited by TheBruce1; 10-10-2008 at 05:28 AM.
#19
Registered User
Join Date: Oct 2008
Posts: 15
OS: Windows XP SP2
Re: Codec.exe virus ? Pop-ups; slow computer
Hi
[quote]This could be caused by Mcafee SpamKiller, some people do have these problems, try disabling Spamkiller and see if that solves the problem. There is nothing in your logs that would indicate the problem you are having with Outlook./[quote]

Thanks, I'll do some more research on McAfee. I don't see SpamKiller in my VirusScan Console, but I was able to disable something called "On-Delivery E-mail Scanner" so let's see if that helps. (On-Access Scanner and Buffer Overflow Protection are still enabled)

I'll hold off on installing the memory upgrade until you give me the "all clear".

Most recent HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:58 PM, on 10/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: etrade1.calyonfinancial.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

-- End of file - 5929 bytes
#20
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Codec.exe virus ? Pop-ups; slow computer
Hello again
For the quotebox to work you need to do this [/quote], instead of /[quote]

Delete RSIT from your desktop, also delete this folder c:\rsit.
Uninstall Hijackthis via add/remove, you can keep ATF-Cleaner if you wish.
If there are no further problems, continue with instructions below.

=========

Well done, your logs are clean.

Click start>run>type (or copy/paste command into run box):

ComboFix /u

Click ok.

===========

Clear IE6 cookies
*Open IE and click Tools
*Click on Internet Options
*Click on General Tab
*Click on Delete Temp Files & Cookies buttons.

Clear IE7 cookies
*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.

Clear Firefox cookies/cache
• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES
1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended).

Microsoft updates are released every second Tuesday of each month, what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page.
To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:
* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites. WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note: Only compatible with Firefox 1.5 and higher.

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
Malwarebytes' Anti-Malware
SpywareBlaster to help prevent spyware from installing in the first place.

------------------------------------------------------------------

IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.
Download and installation instructions for IE-Spyad™ Here

-----------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.
If you're having trouble downloading & extracting, see link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm
Once you have extracted the host file, double click on it and a new window will open. Double-click on mvps.bat and follow the prompts

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here: Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at these well written articles:
PC Safety and Security--What Do I Need?
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.
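The HOSTS-file blocking mechanism the moderator describes above (sending known ad sites to 127.0.0.1), as an added example that is not part of this thread and not the MVPS project's own code: a small Python parser for the HOSTS file format that answers two questions a reviewer of a cleaned machine wants answered. First, which names the file sinks to the local machine (the blocklist working as intended); second, which entries send a name to some other address, which is worth a look because a HOSTS file is also a place where unwanted software can point legitimate names at a server of its choosing. The sample file contents are constructed, not the real MVPS list; `0.0.0.0` is treated as a sink alongside `127.0.0.1` because later blocklists use it (this goes beyond the post, which mentions only 127.0.0.1); the function names are mine; and the first-match-wins rule for duplicate names is an assumption about the resolver, not something the post states.

```python
"""Parse a Windows HOSTS file and report (a) names sunk to the local machine,
(b) names redirected elsewhere.  Added example; assumptions are noted inline."""
from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple

# Constructed sample, NOT the real MVPS file: a blocklist fragment plus one
# entry that points a vendor-looking name at a remote address for review.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

# [Start of entries generated by MVPS HOSTS file]
127.0.0.1  ads.example-adserver.test   # inline comment after the entry
127.0.0.1  tracker.example.test    www.tracker.example.test
0.0.0.0    pixel.example.test
   # blank lines and indented comment lines are ignored

# The line below is NOT what a normal blocklist looks like
203.0.113.5  update.example-antivirus.test
"""

# Addresses that mean "this machine / nowhere": 127.0.0.1 (as in the post),
# plus 0.0.0.0 and ::1, which later blocklists use (assumption beyond the post).
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname token.

    HOSTS format: one address followed by one or more names, whitespace
    separated; '#' starts a comment that runs to end of line.
    Lines that do not start with a valid IP address are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no names attached
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises the address
        except ValueError:
            continue  # first token is not an IP address; ignore the line
        for name in parts[1:]:
            entries.append((ip, name.lower()))  # hostnames are case-insensitive
    return entries


def resolve_local(entries: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Address this file would supply for `name`, or None if absent.
    Assumption: the first matching entry wins when a name appears twice."""
    name = name.lower()
    for ip, host in entries:
        if host == name:
            return ip
    return None


def is_blocked(entries: List[Tuple[str, str]], name: str) -> bool:
    """True when the name is sunk to the local machine (the blocklist effect)."""
    return resolve_local(entries, name) in LOCAL_SINKS


def suspicious_redirects(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries that send a name to a non-local address.  A blocklist never
    does this, so each one is something a reviewer should explain or remove."""
    return [(ip, host) for ip, host in entries if ip not in LOCAL_SINKS]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for probe in ("ads.example-adserver.test", "www.tracker.example.test", "www.example.test"):
        print(f"{probe}: {'blocked' if is_blocked(hosts, probe) else 'not in file'}")
    for ip, host in suspicious_redirects(hosts):
        print(f"REVIEW: {host} -> {ip}")
```

On a real machine the file to feed `parse_hosts` is `C:\WINDOWS\system32\drivers\etc\hosts` (read with `open(path, encoding="utf-8", errors="replace")`); the point of the second check is that after a cleanup the only non-loopback lines present should be ones you or your organisation put there deliberately.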