
Author Topic: How do I know if I have a RAT?  (Read 10272 times)


AirHalling

    Topic Starter


    Rookie

    How do I know if I have a RAT?
    « on: February 05, 2009, 01:52:51 PM »
    I received an evil e-mail that was opened by an unsuspecting family member and now I don't know what to do. 

    The email states:  "you will unsuspectingly open one of your emails and when you do you will introduce a RAT (remote access trojan) into your .exe files.  These are cloaked viruses that jump your firewall and bypass your security suite.  It infects your files and registry, then it alters your BIOS.  You can scan for viruses and it remains undetected.  Then you have to wipe your entire hard drive."

    Clearly this person has it out for us and that is a whole separate issue.  But right now I don't even know where to begin. 

    I have Windows XP, McAfee, and I usually run Malwarebytes' Anti-Malware every few weeks.

    Geek-9pm


      Mastermind
    Re: How do I know if I have a RAT?
    « Reply #1 on: February 05, 2009, 02:16:39 PM »
    Did you think that was a threat?
    Why did you open the e-mail?
    If you open unknown e-mail that indeed will happen.
    It was not me that sent the e-mail, but that is the kind of thing I have been trying to tell about and nobody believes that it is so easy to compromise a PC.
    I have had a number of cases where an infection was so bad that I had to reformat the HDD and do a clean install. So far it has not got to the point where I had to flash the BIOS!  :o

    AirHalling

      Topic Starter


      Rookie

      Re: How do I know if I have a RAT?
      « Reply #2 on: February 05, 2009, 02:56:49 PM »
      Yes it is a threat and if it is from who I think it is from they will try to send whatever they can.

      It was opened by accident because like most people that want you to open a bad e-mail they put something in the subject line that sounded valid. 

      Regardless I know that Trojans are out there and I have removed a few and try to keep my pc protected. 

      BUT there are always new malicious programs out there!

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      Re: How do I know if I have a RAT?
      « Reply #3 on: February 05, 2009, 03:34:41 PM »
      If McAfee or MalwareBytes don't find anything I'm skeptical you are actually infected. That said there is always a chance.

      We can have a quick look.

      Download random's system information tool (RSIT) by random/random and save it to your Desktop.

      • Double click on RSIT.exe to run.
      • Click Continue at the disclaimer screen.
      • Once it has finished, two logs will open.
      • log.txt (will be maximized) and info.txt (will be minimized)
      • Please post the contents of both logs in the next reply.

      AirHalling

        Topic Starter


        Rookie

        Re: How do I know if I have a RAT?
        « Reply #4 on: February 05, 2009, 03:55:01 PM »
        I apologize but I didn't give you all of my information.

        Malwarebyte's found 3 trojan vundos.  Here is that log:

        Malwarebytes' Anti-Malware 1.20
        Database version: 941
        Windows 5.1.2600 Service Pack 3

        4:05:38 PM 2/5/2009
        mbam-log-2-5-2009 (16-05-38).txt

        Scan type: Quick Scan
        Objects scanned: 47300
        Time elapsed: 7 minute(s), 17 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 4
        Registry Values Infected: 0
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 3
         

        I was concerned that this so-called RAT was possibly undetected.

        I will post the other requests in two separate posts.  They are too long for one.



        AirHalling

          Topic Starter


          Rookie

          Re: How do I know if I have a RAT?
          « Reply #5 on: February 05, 2009, 03:56:24 PM »
          log file:
          Logfile of random's system information tool 1.05 (written by random/random)
          Run by airhalling at 2009-02-05 16:42:10
          Microsoft Windows XP Professional Service Pack 3
          System drive C: has 58 GB (77%) free of 76 GB
          Total RAM: 1015 MB (45% free)

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 4:42:16 PM, on 2/5/2009
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16762)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\LEXBCES.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\WINDOWS\system32\drivers\KodakCCS.exe
          C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
          c:\program files\common files\mcafee\mna\mcnasvc.exe
          c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
          C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
          C:\Program Files\McAfee\MPF\MPFSrv.exe
          C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
          C:\WINDOWS\system32\rundll32.exe
          C:\WINDOWS\explorer.exe
          C:\WINDOWS\system32\wscntfy.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Rhapsody\rhaphlpr.exe
          c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Documents and Settings\airhalling\Desktop\RSIT.exe
          C:\Program Files\Trend Micro\HijackThis\airhalling.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:/Documents and Settings/airhalling/My Documents/My Music/Temp/Tunebite/.downloading/profile/rrproxy_ie_49791246.pac
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
          O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
          O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
          O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
          O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
          O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
          O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
          O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
          O4 - HKCU\..\Run: [RegistryCleanerProMFCT] C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe
          O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
          O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
          O4 - Global Startup: PowerReg Scheduler.exe
          O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
          O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
          O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
          O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
          O15 - Trusted Zone: http://*.mcafee.com
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
          O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll
          O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
          O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
          O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
          O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
          O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
          O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
          O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
          O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
          O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
          O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
          O24 - Desktop Component 0: (no name) - C:\Documents and Settings\airhalling\My Documents\My Pictures\Yosemite.jpg

          --
          End of file - 7969 bytes

          ======Scheduled tasks folder======

          C:\WINDOWS\tasks\Tune-up Application Start.job
          C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
          C:\WINDOWS\tasks\Symantec NetDetect.job
          C:\WINDOWS\tasks\McQcTask.job
          C:\WINDOWS\tasks\McDefragTask.job
          C:\WINDOWS\tasks\odwguswb.job

          ======Registry dump======

          still too long, see next post...

          AirHalling

            Topic Starter


            Rookie

            Re: How do I know if I have a RAT?
            « Reply #6 on: February 05, 2009, 03:57:12 PM »
            rest of log...

            ======Registry dump======

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
            Yahoo! Companion BHO - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL [2005-03-04 327246]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
            AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-07-17 279944]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
            RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-09-24 308832]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
            C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 744960]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
            SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA102584-3B97-47e7-B9BC-75D54C110A7D}]
            Tunebite_WebRipPlugin Class - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll [2008-09-15 144688]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
            {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL [2005-03-04 327246]
            {3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-07-17 279944]

            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
            "igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-11-28 98304]
            "igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-11-28 77824]
            "igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-11-28 118784]
            "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2007-06-29 286720]
            "mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
            "TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-09-24 185872]
            "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [2007-07-12 132496]

            [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
            "msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2005-06-14 6856704]
            "MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
            "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
            "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe [2008-12-12 9555968]
            "RegistryCleanerProMFCT"=C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe [2008-09-16 13422592]

            C:\Documents and Settings\All Users\Start Menu\Programs\Startup
            America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe
            PowerReg Scheduler.exe
            Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
            Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
            "AppInit_DLLS"="xooqxv.dll yuvgjm.dll spixsm.dll"

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
            C:\WINDOWS\system32\igfxdev.dll [2005-11-28 135168]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
            C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
            WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
            "notification packages"=

            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
            "SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll,

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
            "dontdisplaylastusername"=0
            "legalnoticecaption"=
            "legalnoticetext"=
            "shutdownwithoutlogon"=1
            "undockwithoutlogon"=1

            [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
            "NoDriveTypeAutoRun"=145

            [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
            "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
            "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe"="C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
            "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
            "C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
            "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
            "C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Windows Explorer"
            "C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpaceIM"

            [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
            "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
            "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
            "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

            ======File associations======

            .reg - open - regedit.exe "%1" %*
            .scr - open - "%1" %*

            ======List of files/folders created in the last 1 months======

            2009-02-05 16:42:10 ----D---- C:\rsit
            2009-01-30 15:43:56 ----D---- C:\Program Files\AskBarDis
            2009-01-28 17:57:36 ----D---- C:\Program Files\A360
            2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini2
            2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini
            2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini2
            2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini
            2009-01-15 03:01:41 ----HD---- C:\WINDOWS\$NtUninstallKB958687$
            2009-01-13 20:12:37 ----D---- C:\Program Files\NOS
            2009-01-13 20:12:37 ----D---- C:\Documents and Settings\All Users\Application Data\NOS

            ======List of files/folders modified in the last 1 months======

            2064-04-14 12:20:40 ----D---- C:\WDSTW
            2009-02-05 14:44:26 ----A---- C:\WINDOWS\LEXSTAT.INI
            2009-02-01 14:26:18 ----A---- C:\WINDOWS\system32\4b5ea7be-.txt
            2009-01-23 18:19:32 ----A---- C:\WINDOWS\SchedLgU.Txt
            2009-01-09 19:35:28 ----A---- C:\WINDOWS\system32\MRT.exe

            ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

            R1 DcCam;Kodak Camera Proxy; C:\WINDOWS\system32\DRIVERS\DcCam.sys [2004-05-20 36918]
            R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
            R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
            R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
            R2 DCFS2K;Kodak DCFS2K Driver; C:\WINDOWS\system32\drivers\dcfs2k.sys [2004-06-02 38705]
            R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
            R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
            R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-11-28 1353820]
            R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-15 4225920]
            R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2003-05-16 2202674]
            R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2003-05-16 451625]
            R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2003-05-16 29541]
            R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
            R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
            R3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
            R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
            R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
            R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
            R3 tbhsd;Tunebite High-Speed Dubbing; C:\WINDOWS\system32\drivers\tbhsd.sys [2008-09-15 43552]
            R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
            R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
            R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
            R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
            R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
            R3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
            R3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
            S1 Exportit;Exportit; C:\WINDOWS\system32\DRIVERS\exportit.sys [2004-06-02 151985]
            S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
            S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
            S3 DcFpoint;DcFpoint; C:\WINDOWS\system32\DRIVERS\DcFpoint.sys [2004-05-20 61564]
            S3 DcLps;Legacy Polling Service; C:\WINDOWS\system32\DRIVERS\DcLps.sys [2004-05-20 8022]
            S3 DcPTP;dcptp; C:\WINDOWS\system32\DRIVERS\DcPTP.sys [2004-05-20 68950]
            S3 EL90X;3Com EtherLink XL 90X Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xnd5.sys []
            S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
            S3 NtApm;NT Apm/Legacy Interface Driver; C:\WINDOWS\system32\DRIVERS\NtApm.sys [2006-02-28 9344]
            S3 S3SAVAGE4M;S3SAVAGE4M; C:\WINDOWS\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824]
            S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

            ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

            R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-08-15 106496]
            R2 KodakCCS;Kodak Camera Connection Software; C:\WINDOWS\system32\drivers\KodakCCS.exe [2004-05-24 322104]
            R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-01-13 311296]
            R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
            R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
            R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
            R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
            R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
            R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
            R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
            S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
            S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
            S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
            S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

            -----------------EOF-----------------
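As an added example (not code from the thread or from the RSIT/HijackThis tools), the script below is a small Python triage pass over log lines of the kind posted above: it parses HijackThis-style `Oxx`/`Rx` entries and RSIT file-listing lines and flags what a malware-removal helper would read first: a populated O20 AppInit_DLLs value, a proxy auto-config URL, and hidden+system files recently created in system32. The sample lines are copied from the log in this thread; the rules, severities and the `":0"` empty-proxy convention are assumptions made for the example, not the tools' own logic.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the RSIT/HijackThis log posted in this
# thread (raw string so the Windows backslashes survive).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:/Documents and Settings/airhalling/My Documents/My Music/Temp/Tunebite/.downloading/profile/rrproxy_ie_49791246.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
2009-02-05 16:42:10 ----D---- C:\rsit
2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini2
2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini
2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini2
2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini
2009-01-09 19:35:28 ----A---- C:\WINDOWS\system32\MRT.exe
"""

# (severity, reason, offending line)
Finding = Tuple[str, str, str]

# "O20 - AppInit_DLLs: ..."  /  "R1 - HKCU\...,ProxyServer = :0"
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# "2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini"
RSIT_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} -+(?P<attrs>[A-Z]*)-+ (?P<path>.+)$"
)
SYSTEM32 = "c:\\windows\\system32\\"


def check_hjt(code: str, body: str) -> List[Finding]:
    """Rules for HijackThis-style entries (assumed thresholds, not HJT's own)."""
    line = f"{code} - {body}"
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # Anything listed here is loaded into every process that maps user32.dll;
        # on a home XP machine this value is normally empty.
        dlls = body.split(":", 1)[1].split()
        if dlls:
            return [("high", "AppInit_DLLs set: " + ", ".join(dlls), line)]
    if code == "R1":
        setting, _, value = body.partition(" = ")
        value = value.strip()
        if setting.endswith("AutoConfigURL") and value:
            return [("medium", "proxy auto-config script steers browser traffic: " + value, line)]
        # ":0" is treated here as an empty ProxyServer value (assumption), so it is not a finding.
        if setting.endswith("ProxyServer") and value not in ("", ":0"):
            return [("medium", "explicit proxy server configured: " + value, line)]
    return []


def check_rsit_file(attrs: str, path: str) -> List[Finding]:
    """Flag hidden+system (ASH) files created recently under system32."""
    if "D" in attrs:
        return []  # directories are not interesting for this rule
    if "H" in attrs and "S" in attrs and path.lower().startswith(SYSTEM32):
        return [("high", "hidden+system file recently created in system32", f"{attrs} {path}")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every line; unknown line types are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_LINE.match(line)
        if m:
            findings.extend(check_hjt(m["code"], m["body"]))
            continue
        m = RSIT_FILE.match(line)
        if m:
            findings.extend(check_rsit_file(m["attrs"], m["path"]))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Entries that only look odd by name (the scheduled task and the .ini files above) are left for a human to confirm; the script only surfaces the structural indicators it can check deterministically.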

            AirHalling

              Topic Starter


              Rookie

              Re: How do I know if I have a RAT?
              « Reply #7 on: February 05, 2009, 03:57:48 PM »
              info file:

               info.txt logfile of random's system information tool 1.05 2009-02-05 16:42:20

              ======Uninstall list======

              -->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
              -->C:\Program Files\Creative\SBLive\PROGRAM\CTZAPDEV.EXE
              -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"
              -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Launcher\Launcher.isu"
              -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Recorder\Recorder.isu"
              -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SurMixer.isu"
              -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Uninstall\Installer.isu"
              -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
              Adaptec DirectCD-->C:\WINDOWS\uninst.exe -fc:\progra~1\cd-wri~1\directcd\DeIsL2.isu -c"c:\progra~1\cd-wri~1\directcd\\Dcduhlp.dll"
              Ad-Aware SE Personal-->C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
              Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
              Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
              Adobe Shockwave Player-->C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\Install.log
              America Online-->C:\Program Files\Common Files\aolshare\Aolunins_us.exe
              AOL Coach Version 1.0(Build:20020823.1)-->C:\WINDOWS\AolCInUn.exe
              Ask Toolbar-->"C:\Program Files\AskBarDis\unins000.exe"
              Belarc Advisor 7.0-->C:\PROGRA~1\BELARC\ADVISOR\Uninstall.exe C:\PROGRA~1\BELARC\ADVISOR\INSTALL.LOG
              CD-Writer Plus software-->C:\Program Files\CD-Writer Plus\hpremove.exe
              Chutes and Ladders-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\Chutes\DeIsL1.isu"
              Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
              High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
              HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
              Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
              Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
              Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
              Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
              Intel(R) Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
              Kodak EasyShare software-->C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_9_14d8e\Setup.exe /APR-REMOVE
              Lexmark 4200 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBMUN5C.EXE -dLexmark 4200 Series
              LiveUpdate 2.0 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
              Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
              MathPlayer-->C:\Program Files\Design Science\MathPlayer\Setup.exe -u
              McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
              Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
              Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
              Microsoft IntelliType Pro-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft Hardware\Keyboard\Uninst.isu" -c"C:\Program Files\Microsoft Hardware\Keyboard\sutils.dll"
              Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
              Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
              Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
              Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
              MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
              MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe
              PartyPokerNet-->"C:\Program Files\PartyGaming.Net\PartyPokerNet\Uninstall.exe" "C:\Program Files\PartyGaming.Net\PartyPokerNet\install.log"
              PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net
              PokerStars-->C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
              RealArcade-->C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
              RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
              RegistryCleanerPro 1.0-->C:\Program Files\RegistryCleanerPro\uninst.exe
              Roxio UDF Reader-->C:\WINDOWS\SYSTEM32\udfrunin.exe
              Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
              Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
              Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
              Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
              Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
              Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
              Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
              Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
              Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
              Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
              Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
              Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
              Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
              Sound Blaster Live! Value-->C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI
              Spybot - Search & Destroy 1.3-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
              TaxCut Standard 2005-->C:\PROGRA~1\TaxCut05\Program\removetc.exe
              Uninstall InControl Tools 99-->C:\Program Files\Diamond\Setup99\install.exe -uh
              Unity Web Player-->C:\Program Files\Unity\WebPlayer\Uninstall.exe
              Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
              Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
              Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
              Westwood Shared Internet Components-->C:\Westwood\Internet\UnstllAP.EXE
              Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
              Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
              Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
              Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
              Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
              WinZip-->"C:\PROGRAM FILES\WINZIP\WINZIP32.EXE" /uninstall

              ======Security center information======

              AV: McAfee VirusScan
              FW: McAfee Personal Firewall

              System event log

              Computer Name: PII300MHZ
              Event Code: 36
              Message: The time service has not been able to synchronize the system time
              for 49152 seconds because none of the time providers has been able to
              provide a usable time stamp. The system clock is unsynchronized.

              Record Number: 10653
              Source Name: W32Time
              Time Written: 20080806001117.000000-300
              Event Type: warning
              User:

              Computer Name: PII300MHZ
              Event Code: 7036
              Message: The IMAPI CD-Burning COM Service service entered the stopped state.

              Record Number: 10652
              Source Name: Service Control Manager
              Time Written: 20080805210439.000000-300
              Event Type: information
              User:

              Computer Name: PII300MHZ
              Event Code: 7036
              Message: The IMAPI CD-Burning COM Service service entered the running state.

              Record Number: 10651
              Source Name: Service Control Manager
              Time Written: 20080805210429.000000-300
              Event Type: information
              User:

              Computer Name: PII300MHZ
              Event Code: 7035
              Message: The IMAPI CD-Burning COM Service service was successfully sent a start control.

              Record Number: 10650
              Source Name: Service Control Manager
              Time Written: 20080805210428.000000-300
              Event Type: information
              User: NT AUTHORITY\SYSTEM

              Computer Name: PII300MHZ
              Event Code: 7036
              Message: The IMAPI CD-Burning COM Service service entered the stopped state.

              Record Number: 10649
              Source Name: Service Control Manager
              Time Written: 20080805103708.000000-300
              Event Type: information
              User:

              Application event log

              Computer Name: PII300MHZ
              Event Code: 5000
              Message: McShield service started.

              Engine version : 5300.2777

              DAT version : 5478.0000



              Number of signatures in EXTRA.DAT : None

              Names of threats that EXTRA.DAT can detect : None

              Record Number: 6712
              Source Name: McLogEvent
              Time Written: 20081229221153.000000-360
              Event Type: information
              User: NT AUTHORITY\SYSTEM

              Computer Name: PII300MHZ
              Event Code: 1000
              Message: Faulting application firefox.exe, version 1.9.0.3257, faulting module unknown, version 0.0.0.0, fault address 0x1000cea6.

              Record Number: 6711
              Source Name: Application Error
              Time Written: 20081224194653.000000-360
              Event Type: error
              User:

              Computer Name: PII300MHZ
              Event Code: 5000
              Message: McShield service started.

              Engine version : 5300.2777

              DAT version : 5474.0000



              Number of signatures in EXTRA.DAT : None

              Names of threats that EXTRA.DAT can detect : None

              Record Number: 6710
              Source Name: McLogEvent
              Time Written: 20081224194600.000000-360
              Event Type: information
              User: NT AUTHORITY\SYSTEM

              Computer Name: PII300MHZ
              Event Code: 7
              Message: Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

              Record Number: 6709
              Source Name: crypt32
              Time Written: 20081223211642.000000-360
              Event Type: information
              User:

              Computer Name: PII300MHZ
              Event Code: 5000
              Message: McShield service started.

              Engine version : 5300.2777

              DAT version : 5473.0000



              Number of signatures in EXTRA.DAT : None

              Names of threats that EXTRA.DAT can detect : None

              Record Number: 6708
              Source Name: McLogEvent
              Time Written: 20081223173336.000000-360
              Event Type: information
              User: NT AUTHORITY\SYSTEM

              ======Environment variables======

              "ComSpec"=%SystemRoot%\system32\cmd.exe
              "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;%SYSTEMROOT%\COMMAND;C:\Program Files\QuickTime\QTSystem\
              "windir"=C:\WINDOWS
              "FP_NO_HOST_CHECK"=NO
              "OS"=Windows_NT
              "PROCESSOR_ARCHITECTURE"=x86
              "PROCESSOR_LEVEL"=15
              "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
              "PROCESSOR_REVISION"=0409
              "NUMBER_OF_PROCESSORS"=1
              "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
              "TEMP"=C:\WINDOWS\TEMP
              "TMP"=C:\WINDOWS\TEMP
              "winbootdir"=C:\WINDOWS
              "PROMPT"=$p$g
              "BLASTER"=A220 I7 D1 H5 P330 T6
              "CLASSPATH"=.;C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip
              "QTJAVA"=C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip

              -----------------EOF-----------------

              evilfantasy (Malware Removal Specialist, Moderator)
              Re: How do I know if I have a RAT?
              « Reply #8 on: February 05, 2009, 04:18:25 PM »
              Open HijackThis and select Do a system scan only.

              Place a check mark next to the following entries: (if there)

              - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis
              - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
              - O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
              - O4 - HKCU\..\Run: [RegistryCleanerProMFCT] C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe <-This is a rogue tool.
              - O4 - Global Startup: PowerReg Scheduler.exe
              - O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll


              Important: Close all open windows except for HijackThis and then click Fix checked.

              Once completed, exit HijackThis.

              ----------

              Go to Add/Remove Programs and uninstall:
              • Ask Toolbar
              • LiveUpdate 2.0 (Symantec Corporation)
              • RegistryCleanerPro 1.0
              • Spybot - Search & Destroy 1.3 <-This is about 2 years out of date.
              ----------

              Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista.

              Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

              If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
              • Double-click Lop S&D.exe
              • Choose the language by typing the corresponding letter and press Enter
              • Click OK at the informative window
              • Type 1, to choose Option 1 (Search) then press Enter
              • Wait until the end of the scan
              • A report will be generated, post the contents of it in your next reply.
              A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt
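The HijackThis lines above are shorthand for persistence locations: R0 is the Internet Explorer start page, O2/O3 are browser extensions registered by CLSID, O4 is the Run key and the Startup folder, and O20 is the AppInit_DLLs value, which user32.dll loads into almost every process on Windows XP. The script below is an added example written for this page, not code from evilfantasy, HijackThis or Lop S&D: it parses a pasted HijackThis list and a Lop S&D task listing, orders the entries by how urgently a helper would want them removed, and puts AppInit_DLLs entries and scheduled tasks with random-looking names first. The sample inputs are constructed from the entries quoted in this thread, the "6 to 8 lowercase letters" heuristic for random names and the priority numbers are assumptions of the example, and the only name treated as known-rogue is the one the reply itself calls rogue.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the entries quoted in this thread, assembled here for the
# example (HijackThis prints the section code before each line; a pasted copy may
# carry a leading "- ", which the parser tolerates).
HJT_SAMPLE = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKCU\..\Run: [RegistryCleanerProMFCT] C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe
O4 - Global Startup: PowerReg Scheduler.exe
O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll
"""

# Constructed sample: the "Scheduled Tasks" block of a Lop S&D report as quoted below.
LOPSD_TASKS_SAMPLE = r"""[02/05/2009 11:00 PM][--a------] C:\WINDOWS\tasks\odwguswb.job
[01/15/2009 02:18 AM][--a------] C:\WINDOWS\tasks\McDefragTask.job
[02/01/2009 01:00 AM][--a------] C:\WINDOWS\tasks\McQcTask.job
[02/06/2009 04:52 PM][--a------] C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
[02/04/2009 11:00 PM][--a------] C:\WINDOWS\tasks\Tune-up Application Start.job
[06/08/2000 05:00 PM][-r-h-----] C:\WINDOWS\tasks\DESKTOP.INI
"""

# Heuristic (an assumption of this example): a file stem that is nothing but 6 to 8
# lowercase letters, the way the loader names in this thread look. Matched
# case-sensitively so that names such as McQcTask do not trip it.
RANDOM_NAME = re.compile(r"^[a-z]{6,8}$")

# Programs the helper in this thread explicitly identified as rogue software.
KNOWN_ROGUE = {"RegistryCleanerPro"}


@dataclass
class Finding:
    priority: int   # 1 = remove first, 3 = verify before keeping
    source: str     # HijackThis section code, or "Tasks" for Lop S&D
    item: str
    reason: str


def parse_hjt(text):
    """Return (section, body) pairs from HijackThis 'Do a system scan only' output."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):
            line = line[2:]
        m = re.match(r"^([RFO]\d+)\s+-\s+(.*)$", line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def triage_hjt(text):
    """Map each entry to the persistence mechanism it represents and rank it."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL named here is loaded into each process that links user32.dll,
            # so it reinfects as soon as anything runs: remove these first.
            for dll in body.split(":", 1)[1].split():
                stem = dll[:-4] if dll.lower().endswith(".dll") else dll
                reason = "AppInit_DLLs entry"
                if RANDOM_NAME.match(stem):
                    reason += " with random-looking name"
                findings.append(Finding(1, section, dll, reason))
        elif section == "O4":
            # "[value name] command" for Run keys; "Global Startup: file" for the folder.
            m = re.search(r"\[([^\]]+)\]\s+(.*)$", body)
            exe = m.group(2) if m else body.split(":", 1)[-1].strip()
            hit = next((r for r in KNOWN_ROGUE if r.lower() in exe.lower()), None)
            if hit:
                findings.append(Finding(2, section, exe, f"autostart for known rogue tool {hit}"))
            else:
                findings.append(Finding(3, section, exe, "autostart; verify publisher"))
        elif section in ("O2", "O3"):
            m = re.search(r"(\{[0-9a-fA-F-]{36}\})\s+-\s+(.*)$", body)
            if m:
                findings.append(Finding(3, section, m.group(2),
                                        f"browser extension CLSID {m.group(1)}; look up before keeping"))
        elif section == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if "?" in url:
                findings.append(Finding(3, section, url, "start page set to a URL with tracking parameters"))
    return sorted(findings, key=lambda f: f.priority)


def triage_tasks(text):
    """Flag .job files in a Lop S&D task listing whose names look machine-generated."""
    findings = []
    for raw in text.splitlines():
        m = re.search(r"\\tasks\\([^\\]+)\.job\s*$", raw, re.IGNORECASE)
        if m and RANDOM_NAME.match(m.group(1)):
            findings.append(Finding(1, "Tasks", m.group(1) + ".job",
                                    "scheduled task with random-looking name"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE) + triage_tasks(LOPSD_TASKS_SAMPLE):
        print(f"[{f.priority}] {f.source:5} {f.item}  <- {f.reason}")
```

The ordering is the point: the three AppInit_DLLs loaders and the odd-named task come out ahead of the toolbar and start-page entries, which is the order a removal helper works in, because anything fixed lower down is undone on the next reboot if a loader survives. Adding further names to `KNOWN_ROGUE` or tightening `RANDOM_NAME` changes only the ranking, not the parsing.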

                AirHalling (Topic Starter, Rookie)
                Re: How do I know if I have a RAT?
                « Reply #9 on: February 06, 2009, 08:19:57 PM »
                I performed the request utilizing Hijack This. 

                I did not remove Spybot.  I realize it is old.  My question though is that it gave me a message about removing the program and having some issues with quarantined files.  I will post that later since I didn't write it down exactly.


                  AirHalling (Topic Starter, Rookie)
                  Re: How do I know if I have a RAT?
                  « Reply #10 on: February 06, 2009, 08:20:40 PM »
                  Here is the result of the Lop S&D.  Looks like my vundo isn't gone.


                     --------------------\\  Lop S&D 4.2.5-0   XP/Vista

                     Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
                     X86-based PC ( Uniprocessor Free :                 Intel(R) Celeron(R) CPU 2.66GHz )
                     BIOS : Award Modular BIOS v6.00PG
                     USER : airhalling ( Administrator )
                     BOOT : Normal boot
                     Antivirus : McAfee VirusScan  (Activated)
                     Firewall  : McAfee Personal Firewall  (Activated)
                     A:\ (USB)
                     C:\ (Local Disk) - FAT32 - Total:74 Go (Free:56 Go)
                     E:\ (CD or DVD)

                     "C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
                     Option : [1] ( Fri 02/06/2009|21:12 )
                   
                     --------------------\\  Listing folders in APPLIC~1

                     [07/20/2007|10:44] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR>          Microsoft

                     [07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          4200Series
                     [05/27/2008|07:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Adobe
                     [07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          AOL
                     [08/19/2007|06:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Apple
                     [08/19/2007|06:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Apple Computer
                     [07/11/2008|09:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Citrix
                     [07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Kodak
                     [07/11/2008|10:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Malwarebytes
                     [08/24/2007|02:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          McAfee
                     [07/20/2007|10:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Microsoft
                     [07/20/2007|11:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          MSN6
                     [01/13/2009|08:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          NOS
                     [07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          QuickTime
                     [09/26/2008|08:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          RapidSolution
                     [07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Spybot - Search & Destroy
                     [08/10/2007|11:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Support.com
                     [07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Symantec
                     [07/20/2007|11:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Trymedia
                     [07/20/2007|11:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Viewpoint
                     [01/03/2008|08:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR>          Windows Genuine Advantage

                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          4200Series
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Adobe
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          AdobeUM
                     [09/07/2007|09:26] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Apple
                     [08/19/2007|06:16] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Apple Computer
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          ApplicationHistory
                     [07/11/2008|09:11] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Citrix
                     [01/09/2008|10:48] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          FunWebProducts
                     [11/29/2008|04:42] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Google
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Identities
                     [07/21/2007|04:00] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          InstallShield
                     [08/19/2007|06:23] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Lavasoft
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Macromedia
                     [07/11/2008|10:08] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Malwarebytes
                     [07/11/2008|09:00] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          McAfee
                     [07/20/2007|10:44] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Microsoft
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Microsoft Web Folders
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Mozilla
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          MSN6
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          MSNInstaller
                     [08/29/2008|03:32] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          MySpace
                     [05/27/2008|07:50] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          NOS
                     [09/26/2008|08:26] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          RapidSolution
                     [12/25/2007|12:39] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Real
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Snapfish
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Sun
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Support.com
                     [03/30/2008|03:43] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          SupportSoft
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Talkback
                     [07/16/2008|11:36] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Unity
                     [10/23/2007|01:40] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Viewpoint
                     [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\<DIR>          Wildfire

                     [08/24/2007|02:10] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR>          Apple
                     [07/20/2007|10:44] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR>          Microsoft

                     [07/16/2008|12:11] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR>          Help
                     [07/20/2007|10:44] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR>          Microsoft
                   
                     --------------------\\  Scheduled Tasks located in C:\WINDOWS\Tasks

                     [02/05/2009 11:00 PM][--a------] C:\WINDOWS\tasks\odwguswb.job
                     [01/15/2009 02:18 AM][--a------] C:\WINDOWS\tasks\McDefragTask.job
                     [02/01/2009 01:00 AM][--a------] C:\WINDOWS\tasks\McQcTask.job
                     [02/06/2009 04:52 PM][--a------] C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
                     [02/04/2009 11:00 PM][--a------] C:\WINDOWS\tasks\Tune-up Application Start.job
                     [06/08/2000 05:00 PM][-r-h-----] C:\WINDOWS\tasks\DESKTOP.INI
                     [01/30/2009 08:22 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT

                     --------------------\\  Listing Folders in C:\Program Files

                     [01/28/2009|05:57] C:\Program Files\<DIR>          A360
                     [02/14/2005|04:00] C:\Program Files\<DIR>          ABBYY FineReader 5.0 Sprint
                     [02/14/2005|04:00] C:\Program Files\<DIR>          ABBYY FineReader 6.0
                     [01/01/1998|12:06] C:\Program Files\<DIR>          Accessories
                     [02/03/2006|03:11] C:\Program Files\<DIR>          Actiontec
                     [01/31/2002|02:41] C:\Program Files\<DIR>          Adaptec
                     [01/01/1998|12:32] C:\Program Files\<DIR>          Adobe
                     [09/22/2001|07:41] C:\Program Files\<DIR>          AIM95
                     [11/05/2002|08:10] C:\Program Files\<DIR>          America Online 8.0
                     [11/05/2002|08:20] C:\Program Files\<DIR>          AOL Companion
                     [01/31/2002|09:10] C:\Program Files\<DIR>          Audiogalaxy Satellite
                     [07/06/2005|10:24] C:\Program Files\<DIR>          Belarc
                     [09/02/2008|03:09] C:\Program Files\<DIR>          Best Buy Digital Music Store Powered by Rhapsody
                     [12/25/2007|12:39] C:\Program Files\<DIR>          Best Buy Rhapsody
                     [02/01/2007|05:24] C:\Program Files\<DIR>          BFG
                     [01/01/1998|10:35] C:\Program Files\<DIR>          CD-Writer Plus
                     [01/01/1998|12:06] C:\Program Files\<DIR>          CHAT
                     [01/01/1998|12:06] C:\Program Files\<DIR>          Common Files
                     [07/20/2007|11:03] C:\Program Files\<DIR>          ComPlus Applications
                     [01/01/1998|01:27] C:\Program Files\<DIR>          Creative
                     [02/03/2006|04:11] C:\Program Files\<DIR>          Design Science
                     [01/01/1998|01:15] C:\Program Files\<DIR>          Diamond
                     [01/01/1998|12:03] C:\Program Files\<DIR>          DirectCD
                     [01/01/1998|12:07] C:\Program Files\<DIR>          DIRECTX
                     [09/08/2001|08:56] C:\Program Files\<DIR>          EACom
                     [12/25/2007|01:15] C:\Program Files\<DIR>          eMusic Download Manager
                     [02/13/2002|09:00] C:\Program Files\<DIR>          Franklin Covey
                     [01/01/1998|12:06] C:\Program Files\<DIR>          FrontPage Express
                     [10/31/2001|01:41] C:\Program Files\<DIR>          Hasbro Interactive
                     [01/01/1998|12:21] C:\Program Files\<DIR>          InstallShield Installation Information
                     [07/21/2007|04:38] C:\Program Files\<DIR>          Intel
                     [01/01/1998|12:06] C:\Program Files\<DIR>          Internet Explorer
                     [03/31/2006|11:35] C:\Program Files\<DIR>          Java
                     [04/04/2005|07:20] C:\Program Files\<DIR>          Kodak
                     [07/06/2005|10:26] C:\Program Files\<DIR>          Lavasoft
                     [12/25/2001|08:08] C:\Program Files\<DIR>          LEGO Media
                     [02/14/2005|03:57] C:\Program Files\<DIR>          Lexmark 4200 Series
                     [07/11/2008|10:08] C:\Program Files\<DIR>          Malwarebytes' Anti-Malware
                     [08/24/2007|02:45] C:\Program Files\<DIR>          McAfee
                     [08/24/2007|02:45] C:\Program Files\<DIR>          McAfee.com
                     [07/20/2007|11:02] C:\Program Files\<DIR>          Messenger
                     [01/01/1998|01:50] C:\Program Files\<DIR>          Microsoft FrontPage
                     [01/01/1998|12:21] C:\Program Files\<DIR>          Microsoft Hardware
                     [01/01/1998|02:00] C:\Program Files\<DIR>          Microsoft Money
                     [01/01/1998|01:48] C:\Program Files\<DIR>          Microsoft Office
                     [02/03/2006|04:14] C:\Program Files\<DIR>          Microsoft Picture It! 9
                     [01/01/1998|01:51] C:\Program Files\<DIR>          Microsoft Visual Studio
                     [01/01/1998|12:33] C:\Program Files\<DIR>          Movie Maker
                     [07/06/2005|12:44] C:\Program Files\<DIR>          Mozilla Firefox
                     [02/03/2006|03:54] C:\Program Files\<DIR>          MSN
                     [02/07/2006|12:25] C:\Program Files\<DIR>          MSN Games
                     [01/01/1998|12:49] C:\Program Files\<DIR>          MSN Gaming Zone
                     [02/03/2006|04:07] C:\Program Files\<DIR>          MSN Messenger
                     [07/21/2007|05:45] C:\Program Files\<DIR>          MSXML 4.0
                     [08/29/2008|03:37] C:\Program Files\<DIR>          MySpace
                     [01/01/1998|12:06] C:\Program Files\<DIR>          NetMeeting
                     [01/13/2009|08:12] C:\Program Files\<DIR>          NOS
                     [01/01/1998|12:09] C:\Program Files\<DIR>          Online Services
                     [01/01/1998|12:06] C:\Program Files\<DIR>          Outlook Express
                     [02/17/2006|03:27] C:\Program Files\<DIR>          PartyGaming.net
                     [02/12/2006|11:37] C:\Program Files\<DIR>          PartyPoker.net
                     [09/26/2008|08:24] C:\Program Files\<DIR>          PixiePack Codec Pack
                     [01/01/1998|12:06] C:\Program Files\<DIR>          PLUS!
                     [08/18/2007|09:30] C:\Program Files\<DIR>          Poker.com
                     [02/13/2006|04:24] C:\Program Files\<DIR>          PokerStars
                     [11/29/2007|06:22] C:\Program Files\<DIR>          PokerStars.NET
                     [04/14/2004|02:38] C:\Program Files\<DIR>          PowerQuest
                     [02/03/2006|04:08] C:\Program Files\<DIR>          QMgr
                     [08/19/2007|06:18] C:\Program Files\<DIR>          QuickTime
                     [09/26/2008|08:21] C:\Program Files\<DIR>          RapidSolution
                     [09/08/2001|06:02] C:\Program Files\<DIR>          Real
                     [09/23/2008|12:12] C:\Program Files\<DIR>          RegistryCleanerPro
                     [09/05/2008|11:20] C:\Program Files\<DIR>          Rhapsody
                     [07/06/2005|11:18] C:\Program Files\<DIR>          SAV9
                     [07/06/2005|11:02] C:\Program Files\<DIR>          Spybot - Search & Destroy
                     [03/30/2008|03:43] C:\Program Files\<DIR>          support.com
                     [07/06/2005|11:23] C:\Program Files\<DIR>          Symantec
                     [07/06/2005|11:21] C:\Program Files\<DIR>          Symantec Client Security
                     [02/12/2006|08:20] C:\Program Files\<DIR>          TaxCut05
                     [09/23/2008|10:55] C:\Program Files\<DIR>          Trend Micro
                     [01/01/1998|01:08] C:\Program Files\<DIR>          Uninstall Information
                     [07/16/2008|11:36] C:\Program Files\<DIR>          Unity
                     [11/05/2002|08:19] C:\Program Files\<DIR>          Viewpoint
                     [01/01/1998|01:53] C:\Program Files\<DIR>          Web Publish
                     [09/02/2008|06:22] C:\Program Files\<DIR>          Windows Media Connect 2
                     [01/01/1998|12:33] C:\Program Files\<DIR>          Windows Media Player
                     [07/20/2007|11:01] C:\Program Files\<DIR>          Windows NT
                     [01/01/1998|01:10] C:\Program Files\<DIR>          WindowsUpdate
                     [07/06/2005|02:21] C:\Program Files\<DIR>          WinZip
                     [07/20/2007|11:57] C:\Program Files\<DIR>          xerox
                     [12/07/2005|12:56] C:\Program Files\<DIR>          Yahoo!

                     --------------------\\  Listing Folders in C:\Program Files\Common Files

                     [01/01/1998|12:32] C:\Program Files\Common Files\<DIR>          Adobe
                     [11/05/2002|07:33] C:\Program Files\Common Files\<DIR>          AOL
                     [11/05/2002|08:10] C:\Program Files\Common Files\<DIR>          aolshare
                     [08/19/2007|06:17] C:\Program Files\Common Files\<DIR>          Apple
                     [01/01/1998|01:51] C:\Program Files\Common Files\<DIR>          Designer
                     [01/01/1998|12:21] C:\Program Files\Common Files\<DIR>          InstallShield
                     [03/31/2006|11:33] C:\Program Files\Common Files\<DIR>          Java
                     [01/04/2007|05:16] C:\Program Files\Common Files\<DIR>          Kodak
                     [08/24/2007|02:45] C:\Program Files\Common Files\<DIR>          McAfee
                     [01/01/1998|12:06] C:\Program Files\Common Files\<DIR>          Microsoft Shared
                     [04/04/2005|07:20] C:\Program Files\Common Files\<DIR>          MSSoap
                     [01/01/1998|01:02] C:\Program Files\Common Files\<DIR>          ODBC
                     [02/17/2006|08:11] C:\Program Files\Common Files\<DIR>          PokerStars.com
                     [09/08/2001|06:02] C:\Program Files\Common Files\<DIR>          Real
                     [01/01/1998|12:11] C:\Program Files\Common Files\<DIR>          SERVICES
                     [07/20/2007|10:47] C:\Program Files\Common Files\<DIR>          SpeechEngines
                     [03/30/2008|03:42] C:\Program Files\Common Files\<DIR>          SupportSoft
                     [07/06/2005|11:21] C:\Program Files\Common Files\<DIR>          Symantec Shared
                     [01/01/1998|12:08] C:\Program Files\Common Files\<DIR>          SYSTEM
                     [09/24/2008|01:56] C:\Program Files\Common Files\<DIR>          xing shared

                     --------------------\\  Process

                     ( 38 Processes )

                     ... OK !

                     --------------------\\  Searching with S_Lop

                     No Lop folder found !
                   
                     --------------------\\  Searching for Lop Files - Folders

                     C:\DOCUME~1\AIRHAL~1\Cookies\airhalling@advertising[1].txt
                   
                     --------------------\\  Searching within the Registry
                   
                     ..... OK !

                     --------------------\\  Checking the Hosts file

                     Hosts file CLEAN


                     --------------------\\  Searching for hidden files with Catchme
                   
                     catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                     Rootkit scan 2009-02-06 21:15:02
                     Windows 5.1.2600 Service Pack 3 FAT NTAPI
                     scanning hidden processes ...
                     scanning hidden files ...
                     scan completed successfully
                     hidden processes: 0
                     hidden files: 0
                   
                     --------------------\\  Searching for other infections

                     C:\WINDOWS\system32\mnVxayxx.ini
                     C:\WINDOWS\system32\mnVxayxx.ini2
                     C:\WINDOWS\system32\yJikmUvw.ini
                     C:\WINDOWS\system32\yJikmUvw.ini2
                     ==> VUNDO <==
                   


                     [F:241][D:20]-> C:\DOCUME~1\AIRHAL~1\LOCALS~1\Temp
                     [F:21][D:0]-> C:\DOCUME~1\AIRHAL~1\Cookies
                     [F:7150][D:9]-> C:\DOCUME~1\AIRHAL~1\LOCALS~1\TEMPOR~1\content.IE5
                     [F:2][D:0]-> C:\Recycled

                     1 - "C:\Lop SD\LopR_1.txt" - Fri 02/06/2009|21:16 - Option : [1]

                     --------------------\\  Scan completed at 21:16:00

                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Calm like a bomb
                  • Thanked: 493
                  • Experience: Experienced
                  • OS: Windows 11
                  Re: How do I know if I have a RAT?
                  « Reply #11 on: February 06, 2009, 08:35:37 PM »
                  Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                  Link #1
                  Link #2

                  **Note:  It is important that it is saved directly to your Desktop

                  DO NOT run it yet!

                  Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

                  Delete these files/folders, as follows:

                  1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                  It must be Notepad, not Wordpad.
                  2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                  Code:
                  KillAll::

                  File::
                  C:\WINDOWS\system32\mnVxayxx.ini
                  C:\WINDOWS\system32\mnVxayxx.ini2
                  C:\WINDOWS\system32\yJikmUvw.ini
                  C:\WINDOWS\system32\yJikmUvw.ini2
                  C:\DOCUME~1\AIRHAL~1\Cookies\airhalling@advertising[1].txt

                  3. Go to the Notepad window and click Edit > Paste
                  4. Then click File > Save
                  5. Name the file CFScript.txt - Save the file to your Desktop
                  6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                  ComboFix will begin to execute, just follow the prompts.
                  After reboot (in case it asks to reboot), it will produce a log for you.
                  Post that log (Combofix.txt) in your next reply.

                  Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
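The CFScript above was assembled by hand from the paths that the Lop SD scan flagged in the previous reply. As an added example (not part of this thread, and not code from Lop SD or ComboFix), the Python below parses a constructed Lop SD excerpt modelled on that log, pulls out the paths under the finding sections, checks which of them fit the paired `<stem>.ini` / `<stem>.ini2` pattern the scanner labelled VUNDO, and renders the same `KillAll::` / `File::` layout. The section titles, paths and script layout come from the thread; the pairing heuristic and every function name are assumptions of this example.

```python
"""Turn the findings of a Lop SD log into a ComboFix CFScript.

Added example, not code from Lop SD or ComboFix. Section titles, the
flagged paths and the KillAll::/File:: layout are taken from the thread;
the function names and the .ini/.ini2 pairing heuristic are assumptions.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the Lop SD log posted above.
SAMPLE_LOG = r"""
--------------------\\  Searching for Lop Files - Folders

C:\DOCUME~1\AIRHAL~1\Cookies\airhalling@advertising[1].txt

--------------------\\  Searching within the Registry

..... OK !

--------------------\\  Searching for other infections

C:\WINDOWS\system32\mnVxayxx.ini
C:\WINDOWS\system32\mnVxayxx.ini2
C:\WINDOWS\system32\yJikmUvw.ini
C:\WINDOWS\system32\yJikmUvw.ini2
==> VUNDO <==

[F:241][D:20]-> C:\DOCUME~1\AIRHAL~1\LOCALS~1\Temp
"""

SECTION_RE = re.compile(r"^-{10,}\\\\\s+(.+?)\s*$")   # '--------\\  Title'
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")               # a Windows path
VERDICT_RE = re.compile(r"^==>\s*(\S+)\s*<==$")          # '==> VUNDO <=='
STEM_RE = re.compile(r"^[A-Za-z]{8}$")                   # 8-letter random stem

# Sections whose path lines are findings rather than inventory.
FLAG_SECTIONS = ("Searching for other infections",
                 "Searching for Lop Files - Folders")


def parse_sections(log_text):
    """Split the log into {section title: [non-blank lines]}."""
    sections = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def flagged_paths(sections):
    """Paths listed under the finding sections, infections first."""
    return [line for title in FLAG_SECTIONS
            for line in sections.get(title, []) if PATH_RE.match(line)]


def verdicts(sections):
    """Family names the scanner printed as '==> NAME <==' lines."""
    return [VERDICT_RE.match(line).group(1)
            for lines in sections.values() for line in lines
            if VERDICT_RE.match(line)]


def vundo_pairs(paths):
    """Stems under system32 present as both <stem>.ini and <stem>.ini2,
    the paired droppings the scanner labelled VUNDO above (heuristic)."""
    seen = defaultdict(set)
    for path in paths:
        folder, _, name = path.rpartition("\\")
        stem, _, ext = name.partition(".")
        if (folder.lower().endswith("\\system32") and STEM_RE.match(stem)
                and ext in ("ini", "ini2")):
            seen[stem].add(ext)
    return sorted(s for s, exts in seen.items() if exts == {"ini", "ini2"})


def build_cfscript(paths):
    """Render the script in the layout ComboFix reads: KillAll:: then File::."""
    return "KillAll::\n\nFile::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    sections = parse_sections(SAMPLE_LOG)
    paths = flagged_paths(sections)
    print("verdicts:", verdicts(sections), "paired stems:", vundo_pairs(paths))
    print(build_cfscript(paths))
```

The generated text is exactly what step 2 above asks the user to paste into Notepad, so a helper can produce the script from the log rather than retyping paths; the `vundo_pairs` check is the reason the scanner's verdict line is trustworthy here, since both stems appear as a complete `.ini`/`.ini2` pair under system32.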

                  AirHalling


                    Re: How do I know if I have a RAT?
                    « Reply #12 on: February 06, 2009, 09:08:35 PM »
                    The log is huge so here it comes in three parts:

                    ComboFix 09-02-06.01 - airhalling 2009-02-06 21:57:46.1 - FAT32x86
                    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.378 [GMT -6:00]
                    Running from: c:\documents and settings\airhalling\Desktop\ComboFix.exe
                    Command switches used :: c:\documents and settings\airhalling\Desktop\CFScript.txt
                    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
                    FW: McAfee Personal Firewall *enabled*
                     * Created a new restore point

                    FILE ::
                    c:\docume~1\AIRHAL~1\Cookies\airhalling@advertising[1].txt
                    c:\windows\system32\mnVxayxx.ini
                    c:\windows\system32\mnVxayxx.ini2
                    c:\windows\system32\yJikmUvw.ini
                    c:\windows\system32\yJikmUvw.ini2
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\docume~1\AIRHAL~1\Cookies\airhalling@advertising[1].txt
                    c:\documents and settings\airhalling\Application Data\FunWebProducts
                    c:\documents and settings\airhalling\Application Data\FunWebProducts\Data\airhalling\avatar.dat
                    c:\documents and settings\airhalling\Application Data\Google\T-Scan
                    c:\documents and settings\airhalling\Application Data\Google\T-Scan\n.gif
                    c:\documents and settings\airhalling\Application Data\Google\T-Scan\t.gif
                    c:\documents and settings\airhalling\Application Data\Google\T-Scan\y.gif
                    c:\program files\A360
                    c:\program files\A360\av360.exe.tmp
                    c:\program files\Internet Explorer\msimg32.dll
                    c:\windows\start.exe
                    c:\windows\system32\mnVxayxx.ini
                    c:\windows\system32\mnVxayxx.ini2
                    c:\windows\system32\yJikmUvw.ini
                    c:\windows\system32\yJikmUvw.ini2
                    c:\windows\Tasks\odwguswb.job
                    c:\windows\Web\default.htt
                    c:\windows\wiaserviv.log

                    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
                    Restored copy from - c:\windows\$NtServicePackUninstall$\winlogon.exe


                    .
                    (((((((((((((((((((((((((   Files Created from 2009-01-07 to 2009-02-07  )))))))))))))))))))))))))))))))
                    .

                    2009-02-06 21:11 . 2009-02-06 21:11   <DIR>   d--------   C:\Lop SD
                    2009-02-05 16:42 . 2009-02-05 16:42   <DIR>   d--------   C:\rsit
                    2009-02-04 00:52 . 2009-02-04 00:52   36,398   --a------   C:\EasyShare.dmp
                    2009-01-13 20:12 . 2009-01-13 20:12   <DIR>   d--------   c:\program files\NOS
                    2009-01-13 20:12 . 2009-01-13 20:12   <DIR>   d--------   c:\documents and settings\All Users\Application Data\NOS

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2009-02-01 17:22   34   ----a-w   c:\documents and settings\airhalling\jagex_runescape_preferences.dat
                    2008-12-13 06:40   3,593,216   ------w   c:\windows\SYSTEM32\dllcache\mshtml.dll
                    2008-12-11 10:57   333,952   ----a-w   c:\windows\system32\drivers\srv.sys
                    2008-12-11 10:57   333,952   ------w   c:\windows\SYSTEM32\dllcache\srv.sys
                    2008-11-29 22:39   295,424   ----a-w   c:\windows\SYSTEM32\termsrv.dll
                    2008-08-29 21:38   34,928   ----a-w   c:\documents and settings\airhalling\Application Data\GDIPFONTCACHEV1.DAT
                    2008-07-12 03:11   61,224   ----a-w   c:\documents and settings\airhalling\GoToAssistDownloadHelper.exe
                    2008-01-13 17:08   774,144   ----a-w   c:\program files\RngInterstitial.dll
                    2006-03-22 01:04   75   ----a-w   c:\documents and settings\airhalling\Application Data\fusioncache.dat
                    1998-01-01 07:01   271   --sh--w   c:\program files\desktop.ini
                    1998-01-01 07:01   23,357   ---h--w   c:\program files\folder.htt
                    2008-08-12 05:09   32,768   --sha-w   c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080812\index.dat
                    .

                    ------- Sigcheck -------

                    AirHalling


                      Re: How do I know if I have a RAT?
                      « Reply #13 on: February 06, 2009, 09:09:12 PM »
                      ------- Sigcheck -------

                      2008-11-29 16:39  295424  63999d0abd8dabfd76a9c07f6e104868   c:\windows\SYSTEM32\termsrv.dll
                      2006-02-28 12:00  295424  b60c877d16d9c880b952fda04adf16e6   c:\windows\$NtServicePackUninstall$\termsrv.dll
                      2008-04-13 19:12  295424  ff3477c03be7201c294c35f684b3479f   c:\windows\ServicePackFiles\i386\termsrv.dll
                      .
                      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      *Note* empty entries & legit default entries are not shown
                      REGEDIT4

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2005-06-14 6856704]
                      "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
                      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
                      "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
                      "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
                      "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
                      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
                      "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
                      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-24 185872]
                      "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

                      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                      "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

                      c:\documents and settings\All Users\Start Menu\Programs\Startup\
                      America Online 8.0 Tray Icon.lnk - c:\program files\America Online 8.0\aoltray.exe [2002-11-05 36939]
                      Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 757760]
                      Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

                      [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
                      Source= c:\documents and settings\airhalling\My Documents\My Pictures\Yosemite.jpg
                      FriendlyName=

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                      "aux"= ctwdm32.dll
                      "VIDC.VDOM"= vdowave.drv

                      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
                      "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
                      "IntelSMAPL"=IntelCdx.exe
                      "PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
                      "RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
                      "FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" /s
                      "<NO NAME>"=
                      "QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
                      "KodakCCS"=c:\windows\System32\Drivers\KodakCCS.exe
                      "tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
                      "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                      "AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
                      "CTAVTray"=c:\program files\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
                      "POINTER"=point32.exe
                      "Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe"
                      "LexStart"=lexstart.exe
                      "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
                      "vptray"=c:\progra~1\SYMANT~1\SYMANT~2\VPTRAY.EXE
                      "LoadQM"=loadqm.exe

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
                      "<NO NAME>"=
                      "StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE

                      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
                      "DisableMonitoring"=dword:00000001

                      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
                      "DisableMonitoring"=dword:00000001

                      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                      "DisableMonitoring"=dword:00000001

                      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                      "DisableMonitoring"=dword:00000001

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                      "EnableFirewall"= 0 (0x0)

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                      "%windir%\\system32\\sessmgr.exe"=
                      "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
                      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                      "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
                      "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
                      "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

                      S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-13 33752]
                      S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\SYSTEM32\DRIVERS\NtApm.sys [2001-08-17 9344]
                      S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\SYSTEM32\DRIVERS\s3sav4m.sys [2007-07-20 77824]

                      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
                      "c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

                      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
                      "c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
                      "c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

                      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
                      "c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

                      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
                      "c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
                      "c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

                      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
                      c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl

                      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
                      c:\program files\PixiePack Codec Pack\InstallerHelper.exe
                      .
                      Contents of the 'Scheduled Tasks' folder

                      2009-02-06 c:\windows\Tasks\PCHealth Scheduler for Data Collection.job
                      - c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

                      2009-02-01 c:\windows\Tasks\McQcTask.job
                      - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

                      2009-01-15 c:\windows\Tasks\McDefragTask.job
                      - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
                      .
                      - - - - ORPHANS REMOVED - - - -

                      AirHalling


                        Re: How do I know if I have a RAT?
                        « Reply #14 on: February 06, 2009, 09:09:42 PM »
                        - - - - ORPHANS REMOVED - - - -

                        ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)


                        .
                        ------- Supplementary Scan -------
                        .
                        uInternet Connection Wizard,ShellNext = iexplore
                        IE: &Search
                        IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
                        Trusted Zone: internet
                        Trusted Zone: mcafee.com
                        DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
                        DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                        FF - ProfilePath - c:\documents and settings\airhalling\Application Data\Mozilla\Firefox\Profiles\rweu1nvh.default\
                        FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-offrhap&p=
                        FF - prefs.js: browser.search.selectedEngine - Ask
                        FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
                        FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=
                        FF - prefs.js: network.proxy.ftp - :0
                        FF - prefs.js: network.proxy.gopher - :0
                        FF - prefs.js: network.proxy.http - :0
                        FF - prefs.js: network.proxy.socks - :0
                        FF - prefs.js: network.proxy.ssl - :0
                        FF - prefs.js: network.proxy.type - 1
                        FF - component: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\[email protected]\components\TB_WebRipFFPlugin.dll
                        FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
                        FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
                        FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
                        FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
                        FF - plugin: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\[email protected]\plugins\np_TB_OgloPlugin.dll
                        FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
                        FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
                        FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

                        ---- FIREFOX POLICIES ----
                        FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
                        .

                        **************************************************************************

                        catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                        Rootkit scan 2009-02-06 22:03:27
                        Windows 5.1.2600 Service Pack 3 FAT NTAPI

                        scanning hidden processes ... 

                        scanning hidden autostart entries ...

                        scanning hidden files ... 

                        scan completed successfully
                        hidden files: 0

                        **************************************************************************
                        .
                        ------------------------ Other Running Processes ------------------------
                        .
                        c:\windows\SYSTEM32\LEXBCES.EXE
                        c:\windows\SYSTEM32\LEXPPS.EXE
                        c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
                        c:\program files\MCAFEE\MSC\MCMSCSVC.EXE
                        c:\program files\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
                        c:\program files\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
                        c:\program files\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
                        c:\program files\MCAFEE\MPF\MPFSRV.EXE
                        c:\progra~1\mcafee\msc\mcuimgr.exe
                        .
                        **************************************************************************
                        .
                        Completion time: 2009-02-06 22:05:51 - machine was rebooted
                        ComboFix-quarantined-files.txt  2009-02-07 04:05:44

                        Pre-Run: 61,045,899,264 bytes free
                        Post-Run: 61,254,008,832 bytes free

                        WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                        [boot loader]
                        timeout=2
                        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                        [operating systems]
                        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

                        233   --- E O F ---   2009-01-15 09:01:46
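Two parts of the ComboFix log above (the Sigcheck and Reg Loading Points portions in reply #13) are what a helper reads by eye before answering: the live `termsrv.dll` under system32 carries an MD5 that matches neither the `$NtServicePackUninstall$` copy nor the `ServicePackFiles` copy, and the Security Center `Monitoring` keys and the firewall `standardprofile` key show monitoring disabled per product and `EnableFirewall` set to 0. The Python below is an added example (not ComboFix's code, and not posted in this thread) that parses a constructed excerpt built from those lines and reports both conditions. The line formats are taken from the log; the set of directories treated as backup copies and all function names are assumptions of this example.

```python
"""Review a ComboFix log for Sigcheck entries whose live copy matches no
backup copy, and for registry values that switch off Security Center
monitoring or the Windows Firewall standard profile.

Added example, not ComboFix's code. Line formats come from the log above;
the BACKUP_DIRS list and all function names are assumptions.
"""
import re
from collections import defaultdict

# Constructed excerpt assembled from lines in the log above.
SAMPLE_LOG = r"""
------- Sigcheck -------

2008-11-29 16:39  295424  63999d0abd8dabfd76a9c07f6e104868   c:\windows\SYSTEM32\termsrv.dll
2006-02-28 12:00  295424  b60c877d16d9c880b952fda04adf16e6   c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12  295424  ff3477c03be7201c294c35f684b3479f   c:\windows\ServicePackFiles\i386\termsrv.dll
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SIG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-f]{32})\s+(\S.*)$")
KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')   # "name"=value
# Where Windows keeps pristine copies that Sigcheck lists beside the live file.
BACKUP_DIRS = ("\\$ntservicepackuninstall$\\", "\\servicepackfiles\\", "\\dllcache\\")


def parse_sigcheck(text):
    """Sigcheck lines -> [{'stamp', 'size', 'md5', 'path'}]."""
    entries = []
    for raw in text.splitlines():
        m = SIG_RE.match(raw.strip())
        if m:
            stamp, size, md5, path = m.groups()
            entries.append({"stamp": stamp, "size": int(size), "md5": md5, "path": path})
    return entries


def is_backup(path):
    return any(d in path.lower() for d in BACKUP_DIRS)


def sigcheck_mismatches(entries):
    """[(name, live path, live md5, sorted backup md5s)] for every live copy
    whose MD5 matches none of the backup copies of the same file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    out = []
    for name, group in by_name.items():
        backups = {e["md5"] for e in group if is_backup(e["path"])}
        for e in group:
            if not is_backup(e["path"]) and backups and e["md5"] not in backups:
                out.append((name, e["path"], e["md5"], sorted(backups)))
    return out


def parse_reg_values(text):
    """REGEDIT4-style dump -> {key: {value name: raw value text}}."""
    values = defaultdict(dict)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[key][m.group(1)] = m.group(2).strip()
    return dict(values)


def policy_findings(values):
    """Per-product Security Center monitoring off, and the Windows Firewall
    standard profile off: both worth an explanation, neither a verdict."""
    findings = []
    for key, names in values.items():
        low = key.lower()
        product = key.rsplit("\\", 1)[-1]
        if "security center\\monitoring\\" in low and names.get("DisableMonitoring") == "dword:00000001":
            findings.append(f"Security Center monitoring disabled for {product}")
        if low.endswith("firewallpolicy\\standardprofile") and names.get("EnableFirewall", "").startswith("0"):
            findings.append("Windows Firewall standard profile off (EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for name, path, md5, backups in sigcheck_mismatches(parse_sigcheck(SAMPLE_LOG)):
        print(f"{name}: live {md5} at {path} matches none of {backups}")
    for finding in policy_findings(parse_reg_values(SAMPLE_LOG)):
        print(finding)
```

A live copy whose hash differs from every backup copy is a prompt, not a conclusion: a post-service-pack hotfix changes the hash just as a tampered file would, so the next step is to verify the file's Authenticode signature or compare it against a known-good copy from the same patch level. Likewise, a third-party suite that takes over antivirus and firewall duties legitimately sets `DisableMonitoring` for itself, and the McAfee firewall being enabled is why the Windows one is off here; the findings are questions to settle, which is how the helper in this thread treats them.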

                        AirHalling


                          Re: How do I know if I have a RAT?
                          « Reply #15 on: February 06, 2009, 09:15:23 PM »
                          By the way, this forum has been a life saver for me more than once and everyone of you deserves a large medal.  You are saints in my book.

                          evilfantasy

                          Re: How do I know if I have a RAT?
                          « Reply #16 on: February 06, 2009, 09:38:11 PM »
                          OK, that got what I was worried about, so that's good!

                          Download the Norton Removal Tool (SymNRT) to your Desktop.

                          Once downloaded please close ALL open browsers, also save any work because this may require a restart.
                          • Go to your desktop and double-click on the removal tool, then click Setup.
                          • Once open, click Next.
                          • Accept the license agreement and click Next.
                          • Type in the letters/numbers that you see into the text box, then click Next.
                          • Then click Next and the tool will start running.
                          • Once finished, restart the PC and run the tool again to ensure everything has been removed.
                          • Delete the Norton Removal Tool from your Desktop.
                          ----------

                          How is the computer running now?


                          AirHalling


                            Re: How do I know if I have a RAT?
                            « Reply #17 on: March 01, 2009, 12:30:57 PM »
                            o.k. You are probably thinking I am a pain since it has been three weeks since I last followed up on my post, but life sure throws some curve balls at you.  Husband and four kids and a mom with lung cancer sometimes keep you away from things.

                            ANYWAY, your last bit of instructions seems confusing.  You are telling me to download Norton, run it, but then remove it when I am done.  Is that correct?   Or are you just telling me to remove it from the desktop and not to uninstall it?  I'm a bit confundido.

                            The system appears to be functioning well.  My core problem lies in the fact that our PC is a family PC.  You are helping me with my husband's opening a malicious email.  In addition, my children are all over the web and who knows what they are picking up as they go.  Ironic that they can pick up viruses at school and also on the PC.

                            So... now that it appears I am nearing the final step of correcting my problems, is there a thread I should read on keeping my PC healthy?  I thought I was with the malware sweeps I was running, but clearly it is not enough.  Any of your advice would be appreciated.

                            evilfantasy

                            Re: How do I know if I have a RAT?
                            « Reply #18 on: March 01, 2009, 12:45:43 PM »
                            Quote
                            ANYWAY, your last bit of instructions seem confusing.  You are telling me to download the norton, run it but then remove it when I am done.  Is that correct?   Or are you just telling me to remove it from the desktop and not to uninstall it?  I'm a bit confundido.

                            There are parts of Norton left over on the computer and that tool will remove them. Yes, delete it once you are done.

                            Final steps and advice.

                            • Click START then RUN
                            • Now type Combofix /u in the runbox
                            • Make sure there's a space between Combofix and /u
                            • Then hit Enter.
                            The above procedure will:
                            • Delete:
                              • ComboFix and its associated files and folders.
                              • VundoFix backups, if present
                              • The C:\Deckard folder, if present
                              • The C:\_OtMoveIt folder, if present
                              • Reset the clock settings.
                              • Hide file extensions, if required.
                              • Hide System/Hidden files, if required.
                              • Set a new, clean Restore Point.
                              ----------

                              Use the Secunia Software Inspector to check for out of date software.
                              • Click Start Now
                              • Check the box next to Enable thorough system inspection.
                              • Click Start
                              • Allow the scan to finish and scroll down to see if any updates are needed.
                              • Update anything listed.
                              ----------

                              Go to Microsoft Windows Update and get all critical updates.

                              ----------

                              Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources, so they won't slow down your PC.

                              I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. It also stops certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
                              * Using SpywareBlaster to protect your computer from Spyware and Malware
                              * If you don't know what ActiveX controls are, see here

                              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.