Full Version: Please Review my Logs
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
qcheryl
My mother had some malware problems with her computer. Per the forum guidelines, I ran scans with MalwareBytes, ATF Cleaner, and RSIT. I've posted the relevant logs below. I would very much appreciate it if someone could review the logs and let me know if further cleaning of the computer needs to be done.

My mom's computer runs Vista. She has McAfee Security Center installed. She told me that when her problems began with (fake) security pop-ups, she ran her McAfee Antivirus. It wasn't successful in detecting anything. She believes the malware may have damaged her antivirus software as the McAfee antivirus will not process automatic updates since the most recent malware exposure. Please let me know if you need further info.

Thanks in advance!
Cheryl
MALWAREBYTES LOG

Malwarebytes' Anti-Malware 1.33
Database version: 1703
Windows 6.0.6001 Service Pack 1

1/28/2009 7:48:42 PM
mbam-log-2009-01-28 (19-48-42).txt

Scan type: Quick Scan
Objects scanned: 49012
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 6
Registry Keys Infected: 175
Registry Values Infected: 12
Registry Data Items Infected: 0
Folders Infected: 23
Files Infected: 93

Memory Processes Infected:
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Unloaded process successfully.
C:\Users\Charlee\AppData\Local\Temp\~tmpc.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (Adware.MyWebSearch) -> Unloaded process successfully.
C:\Users\Charlee\AppData\Local\Temp\~tmpa.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Windows\System32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f8ecf4f-3646-4c3a-8881-8e138ffcaf70} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b813095c-81c0-4e40-aa14-67520372b987} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9d7be3e-141a-4c85-8cd6-32461f3df2c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cff4ce82-3aa2-451f-9b77-7165605fb835} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9571378-68a1-443d-b082-284f960c6d17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\kikabu (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{adb01e81-3c79-4272-a0f1-7b2be7a782dc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53ced2d0-5e9a-4761-9005-648404e6f7e5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{938aa51a-996c-4884-98ce-80dd16a5c9da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolband.ttb000000 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolband.ttb000000.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{363f3850-e33c-4f7e-8a17-e7df0f12d52a} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ac41f2bd-ee7d-4bc2-8c2e-4198e83cead3} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df1c8e21-4045-4d67-b528-335f1a4f0de9} (Adware.Navipromo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d9fffb27-d62a-4d64-8cec-1ff006528805} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c7c343b5-26e8-4c17-a71c-9c8bb6fbd676} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a93c934-025b-4c3a-b38e-9654a7003239} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6f282b65-56bf-4bd1-a8b2-a4449a05863d} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7c343b5-26e8-4c17-a71c-9c8bb6fbd676} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mywebsearchservice (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mywebsearchservice (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mywebsearchservice (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my web search bar search scope monitor (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Instant Access (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Center (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\DesktopIcons (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118 (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118\Common (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118\js (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118\medias (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Charlee\AppData\Local\Temp\~tmpc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Windows\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows\System32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows\System32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Center\-- The nicest hobby on Earth ;) --slaves.lnk (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\DesktopIcons\-- The nicest hobby on Earth ;) --slaves.lnk (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118\dialerexe.ini (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118\instant access.exe (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118\Common\module.php (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118\js\js_api_dialer.php (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Instant Access\Multi\20090120070118\medias\dialer.ico (Trojan.Dialer) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\CM.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\WB.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Charlee\Favorites\Cheap Software.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Windows\System32\sf.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Charlee\Favorites\MP3 Download.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Windows\System32\m3.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Charlee\Favorites\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Charlee\Favorites\VIP -- Look for another playground --.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Charlee\Favorites\Cheap - No chance for spammers - Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Windows\System32\c.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\m.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\p.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\s.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\Q2rDBaih.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Charlee\Favorites\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Charlee\AppData\Local\Temp\~tmpa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Charlee\AppData\Local\Temp\~tmpb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Charlee\AppData\Local\Temp\~tmpd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Charlee\AppData\Local\Temp\~tmpe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Charlee\AppData\Local\Temp\ert52013.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Windows\ios.dat (Malware.Trace) -> Quarantined and deleted successfully.


RSIT LOGS

Logfile of random's system information tool 1.05 (written by random/random)
Run by Charlee at 2009-01-28 20:07:16
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 378 GB (79%) free of 477 GB
Total RAM: 3070 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:19 PM, on 1/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\AOL\1211411712\ee\aolsoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Charlee\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Charlee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1211411712\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\Windows\TEMP\3562.tmp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cognac] C:\Windows\TEMP\3562.tmp.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll
O13 - Gopher Prefix:
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.main/tba...pointsSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227243469345
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEACDC0A-B548-48D9-BD14-80D9495EA1F3}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8734 bytes

======Scheduled tasks folder======

C:\Windows\tasks\At1.job
C:\Windows\tasks\At10.job
C:\Windows\tasks\At11.job
C:\Windows\tasks\At12.job
C:\Windows\tasks\At13.job
C:\Windows\tasks\At14.job
C:\Windows\tasks\At15.job
C:\Windows\tasks\At16.job
C:\Windows\tasks\At17.job
C:\Windows\tasks\At18.job
C:\Windows\tasks\At19.job
C:\Windows\tasks\At2.job
C:\Windows\tasks\At20.job
C:\Windows\tasks\At21.job
C:\Windows\tasks\At22.job
C:\Windows\tasks\At23.job
C:\Windows\tasks\At24.job
C:\Windows\tasks\At25.job
C:\Windows\tasks\At26.job
C:\Windows\tasks\At27.job
C:\Windows\tasks\At28.job
C:\Windows\tasks\At29.job
C:\Windows\tasks\At3.job
C:\Windows\tasks\At30.job
C:\Windows\tasks\At31.job
C:\Windows\tasks\At32.job
C:\Windows\tasks\At33.job
C:\Windows\tasks\At34.job
C:\Windows\tasks\At35.job
C:\Windows\tasks\At36.job
C:\Windows\tasks\At37.job
C:\Windows\tasks\At38.job
C:\Windows\tasks\At39.job
C:\Windows\tasks\At4.job
C:\Windows\tasks\At40.job
C:\Windows\tasks\At41.job
C:\Windows\tasks\At42.job
C:\Windows\tasks\At43.job
C:\Windows\tasks\At44.job
C:\Windows\tasks\At45.job
C:\Windows\tasks\At46.job
C:\Windows\tasks\At47.job
C:\Windows\tasks\At48.job
C:\Windows\tasks\At5.job
C:\Windows\tasks\At6.job
C:\Windows\tasks\At7.job
C:\Windows\tasks\At8.job
C:\Windows\tasks\At9.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\User_Feed_Synchronization-{E5AC5E40-5F43-436C-B883-256FC03BA0F0}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-15 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
AOL Toolbar Loader - C:\Program Files\AOL Toolbar\aoltb.dll [2008-11-05 1275176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-15 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5BED3930-2E9E-76D8-BACC-80DF2188D455}
{DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar - C:\Program Files\AOL Toolbar\aoltb.dll [2008-11-05 1275176]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2008-05-21 26112]
"HostManager"=C:\Program Files\Common Files\AOL\1211411712\ee\AOLSoftware.exe [2008-06-24 41824]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-15 136600]
"LogitechCommunicationsManager"=C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-10-25 563984]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\QuickCam\Quickcam.exe [2007-10-25 2178832]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"MoneyBackgoundBanking"=C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe [2008-02-19 53264]
"AOL Fast Start"=C:\Program Files\AOL 9.0\AOL.EXE [2006-11-10 50736]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c1507fe-b028-11dd-8fc4-8ad2b2b5f9be}]
shell\AutoRun\command - G:\setupSNK.exe


======List of files/folders created in the last 1 months======

2009-01-28 20:07:16 ----D---- C:\rsit
2009-01-28 20:04:33 ----D---- C:\Program Files\Trend Micro
2009-01-28 19:33:00 ----D---- C:\Users\Charlee\AppData\Roaming\Malwarebytes
2009-01-28 19:32:54 ----D---- C:\ProgramData\Malwarebytes
2009-01-28 19:32:54 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-23 11:30:45 ----SHD---- C:\Config.Msi
2009-01-21 22:04:18 ----D---- C:\ProgramData\Word Whomp Underground
2009-01-20 22:58:58 ----A---- C:\Windows\_MSRSTRT.EXE
2009-01-20 01:07:31 ----A---- C:\Windows\dialerexe.ini
2009-01-20 01:07:30 ----A---- C:\Windows\system32\nsinet.exe
2009-01-16 20:27:25 ----D---- C:\Program Files\AOL Toolbar
2009-01-15 12:43:01 ----A---- C:\Windows\system32\javaws.exe
2009-01-15 12:43:01 ----A---- C:\Windows\system32\javaw.exe
2009-01-15 12:43:01 ----A---- C:\Windows\system32\java.exe
2009-01-15 12:43:01 ----A---- C:\Windows\system32\deploytk.dll
2009-01-14 17:36:24 ----D---- C:\ProgramData\Office Genuine Advantage
2009-01-12 12:34:29 ----D---- C:\ProgramData\Intenium
2009-01-10 15:21:13 ----D---- C:\ProgramData\Symantec
2009-01-09 15:50:35 ----D---- C:\Program Files\Mystery Case Files - Ravenhearst
2009-01-09 15:48:04 ----D---- C:\Program Files\bfgclient
2009-01-09 15:46:36 ----D---- C:\BigFishGamesCache
2009-01-07 15:13:32 ----D---- C:\Program Files\Trillian
2009-01-04 15:20:05 ----A---- C:\Windows\system32\DEBUG_LOG.txt
2009-01-04 14:25:57 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-01-03 13:34:17 ----D---- C:\Users\Charlee\AppData\Roaming\Pharaohs Secret
2009-01-03 12:55:40 ----D---- C:\Windows\system32\Adobe

======List of files/folders modified in the last 1 months======

2009-01-28 20:07:07 ----D---- C:\Windows\Temp
2009-01-28 20:04:33 ----D---- C:\Program Files
2009-01-28 19:59:09 ----D---- C:\Windows\Prefetch
2009-01-28 19:58:50 ----D---- C:\Windows\System32
2009-01-28 19:58:50 ----D---- C:\Windows\inf
2009-01-28 19:58:50 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-01-28 19:57:41 ----AD---- C:\ProgramData\TEMP
2009-01-28 19:52:41 ----D---- C:\Program Files\McAfee
2009-01-28 19:52:15 ----D---- C:\Windows\system32\drivers
2009-01-28 19:52:15 ----D---- C:\Program Files\Internet Explorer
2009-01-28 19:48:35 ----D---- C:\Windows
2009-01-28 19:32:54 ----HD---- C:\ProgramData
2009-01-28 17:28:49 ----D---- C:\mcafee_mcpr
2009-01-27 22:30:25 ----D---- C:\Program Files\Oberon Media
2009-01-27 22:29:48 ----SHD---- C:\System Volume Information
2009-01-25 00:42:43 ----SHD---- C:\$Recycle.Bin
2009-01-24 11:54:02 ----SD---- C:\Users\Charlee\AppData\Roaming\Microsoft
2009-01-24 04:19:17 ----SD---- C:\Windows\Downloaded Program Files
2009-01-24 03:07:00 ----D---- C:\Program Files\Mozilla Firefox
2009-01-23 11:30:47 ----SHD---- C:\Windows\Installer
2009-01-22 19:17:16 ----D---- C:\ProgramData\Yahoo!
2009-01-22 15:01:53 ----D---- C:\Windows\system32\catroot2
2009-01-22 15:00:11 ----D---- C:\Program Files\Google
2009-01-21 22:04:06 ----D---- C:\Users\Charlee\AppData\Roaming\Pogo Games
2009-01-21 14:04:41 ----D---- C:\ProgramData\Apple Computer
2009-01-21 14:04:41 ----D---- C:\Program Files\Common Files
2009-01-21 14:04:30 ----DC---- C:\Windows\system32\DRVSTORE
2009-01-21 14:02:47 ----D---- C:\ProgramData\Google
2009-01-20 23:10:02 ----D---- C:\Program Files\Astro Gemini Software
2009-01-20 23:09:41 ----D---- C:\Windows\system32\Tasks
2009-01-20 23:08:51 ----D---- C:\Windows\system32\catroot
2009-01-20 22:58:48 ----D---- C:\Windows\system32\Macromed
2009-01-20 13:52:51 ----D---- C:\Users\Charlee\AppData\Roaming\Mozilla
2009-01-20 01:10:32 ----D---- C:\Windows\Tasks
2009-01-20 00:38:47 ----D---- C:\Windows\system32\Msdtc
2009-01-20 00:38:44 ----D---- C:\Windows\system32\wbem
2009-01-20 00:37:49 ----D---- C:\Windows\system32\config
2009-01-20 00:37:29 ----D---- C:\Windows\system32\spool
2009-01-20 00:37:29 ----D---- C:\Windows\Minidump
2009-01-20 00:37:17 ----D---- C:\Windows\registration
2009-01-20 00:33:04 ----D---- C:\Windows\Logs
2009-01-19 10:31:28 ----D---- C:\Windows\system32\WDI
2009-01-16 20:27:25 ----D---- C:\ProgramData\AOL
2009-01-16 20:26:48 ----D---- C:\Program Files\Common Files\AOL
2009-01-16 20:26:28 ----D---- C:\Windows\winsxs
2009-01-16 19:37:31 ----A---- C:\Windows\win.ini
2009-01-15 12:45:10 ----D---- C:\Program Files\Windows Mail
2009-01-15 12:42:38 ----D---- C:\Program Files\Java
2009-01-14 17:29:29 ----D---- C:\Heather
2009-01-12 12:32:47 ----D---- C:\Program Files\Gateway Games
2009-01-12 12:25:09 ----D---- C:\My Games
2009-01-12 12:25:06 ----D---- C:\Program Files\RealArcade
2009-01-09 20:35:28 ----A---- C:\Windows\system32\mrt.exe
2009-01-09 14:20:53 ----D---- C:\Program Files\Yahoo!
2009-01-07 16:47:32 ----D---- C:\Program Files\Common Files\microsoft shared

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2007-07-13 125728]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 RMCAST;RMCAST (Pgm) Protocol Driver; C:\Windows\system32\DRIVERS\RMCAST.sys [2008-05-09 113664]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-06-29 8704]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-03-29 3544064]
R3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
R3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 HidBatt;HID UPS Battery Driver; C:\Windows\system32\DRIVERS\HidBatt.sys [2008-01-19 21504]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-06-20 984064]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2007-06-20 267264]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\Windows\system32\DRIVERS\LVPr2Mon.sys [2007-10-11 25624]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\Windows\system32\drivers\LVUSBSta.sys [2007-10-12 41752]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvm60x32.sys [2006-11-02 429056]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
R3 wanatw;WAN Miniport (ATW); C:\Windows\system32\DRIVERS\wanatw4.sys [2006-11-29 33588]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-06-20 660480]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC); C:\Windows\system32\DRIVERS\xcbda.sys [2007-12-07 158336]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys []
S3 LVcKap;Logitech AEC Driver; C:\Windows\system32\DRIVERS\LVcKap.sys [2007-10-19 2109976]
S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\Windows\system32\DRIVERS\LVMVDrv.sys [2007-10-11 2142488]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2007-12-02 40488]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\Windows\system32\DRIVERS\LV302V32.SYS [2007-10-12 1279000]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-19 73088]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-03-29 667648]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 LVCOMSer;LVCOMSer; C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2007-10-19 186904]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2007-10-19 141848]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-06-29 386560]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S2 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-10-19 141848]
S3 GameConsoleService;GameConsoleService; C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe [2008-05-05 165416]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2009-01-28 20:07:22

======Uninstall list======

-->"C:\Program Files\Gateway Games\FATE\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Gateway Game Console\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Geneforge 3\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Geneforge\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Green Valley - Fun on the Farm\Uninstall.exe"
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
Age Of Japan II-->"C:\Program Files\Realore\Age Of Japan II\unins000.exe"
Anatomy and Physiology Essential Study Partner v. 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4334CC92-3D9B-11D5-8362-00500422546E}\Setup.exe"
AOL Registration-->"C:\Program Files\AOL\RC\uninstall.exe"
AOL Toolbar -->"C:\Program Files\AOL Toolbar\uninstall.exe"
AOL Uninstaller (Choose which Products to Remove)-->C:\Program Files\Common Files\AOL\uninstaller.exe
Aqua Bubble 2-->"C:\Program Files\Realore\Aqua Bubble 2\unins000.exe"
Big City Adventure Sydney-->"C:\Program Files\Oberon Media\Big City Adventure Sydney\Uninstall.exe" "C:\Program Files\Oberon Media\Big City Adventure Sydney\install.log"
Big Fish Games Client-->C:\Program Files\bfgclient\Uninstall.exe
Big Kahuna Reef-->"C:\Program Files\Oberon Media\Big Kahuna Reef\Uninstall.exe" "C:\Program Files\Oberon Media\Big Kahuna Reef\install.log"
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
CouponBar-->regsvr32 /u /s "C:\Users\Charlee\AppData\Local\Temp\low\CouponBarIE.dll"
Dynamic Human 2.0-->C:\Windows\IsUninst.exe -f"C:\Program Files\Dynamic Human 2.0\Uninst.isu"
Elf Bowling 7 The Last Insult-->"C:\Program Files\Oberon Media\Elf Bowling 7 The Last Insult\Uninstall.exe" "C:\Program Files\Oberon Media\Elf Bowling 7 The Last Insult\install.log"
Gateway Games-->"C:\Program Files\Gateway Games\Uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Customer Participation Program 8.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 8.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 8.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart Essential-->MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B-->C:\Program Files\HP\Digital Imaging\{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}\setup\hpzscr01.exe -datfile hposcr19.dat -onestop -showdisconnect -forcereboot
HP Product Assistant-->MsiExec.exe /I{36FDBE6E-6684-462B-AE98-9A39A1B200CC}
HP Solution Center 8.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
HPSSupply-->MsiExec.exe /X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
Logitech QuickCam-->MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Mahjong Escape Ancient Japan-->"C:\Program Files\Oberon Media\Mahjong Escape Ancient Japan\Uninstall.exe" "C:\Program Files\Oberon Media\Mahjong Escape Ancient Japan\install.log"
Mahjong Garden Deluxe-->"C:\Program Files\Oberon Media\Mahjong Garden Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Mahjong Garden Deluxe\install.log"
Mahjongg Artifacts 2-->"C:\Program Files\Oberon Media\Mahjongg Artifacts 2\Uninstall.exe" "C:\Program Files\Oberon Media\Mahjongg Artifacts 2\install.log"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mark and Mandis Love Story-->"C:\Program Files\Oberon Media\Mark and Mandis Love Story\Uninstall.exe" "C:\Program Files\Oberon Media\Mark and Mandis Love Story\install.log"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Money Plus-->"C:\Program Files\Microsoft Money Plus\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries-->MsiExec.exe /X{7F1B3341-A94E-4F5C-B587-CA0EB964221E}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft VC9 runtime libraries-->MsiExec.exe /I{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Mystery Case Files: Ravenhearst ™-->"C:\Program Files\Mystery Case Files - Ravenhearst\Uninstall.exe"
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Puzzle Hero 1.1.1-->"C:\Program Files\Puzzle Hero\unins000.exe"
Qloud Plugin for Windows Media Player-->C:\Program Files\Qloud\Windows Media Player\WMQloudPluginUninstall.exe
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealArcade-->"C:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "C:\Program Files\RealArcade\Installer\installerMain.clf" "C:\Program Files\RealArcade\Installer\uninstall\RealArcade.rguninst" "AddRemove"
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
RTC Client API v1.2-->MsiExec.exe /X{44CDBD1B-89FB-4E02-8319-2A4C550F664A}
Safari Island Deluxe-->C:\DOCUME~1\Safari Island Deluxe\UNWISE.EXE /U C:\DOCUME~1\Safari Island Deluxe\INSTALL.LOG
Scrabble Blast Deluxe-->"C:\Program Files\Oberon Media\Scrabble Blast Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Scrabble Blast Deluxe\install.log"
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe -U -I*.INF
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
The Rise of Atlantis-->"C:\Program Files\Oberon Media\The Rise of Atlantis\Uninstall.exe" "C:\Program Files\Oberon Media\The Rise of Atlantis\install.log"
Tri Peaks 2 Quest For The Ruby Ring-->"C:\Program Files\Oberon Media\Tri Peaks 2 Quest For The Ruby Ring\Uninstall.exe" "C:\Program Files\Oberon Media\Tri Peaks 2 Quest For The Ruby Ring\install.log"
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office Excel 2007 Help (KB957242)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {51864046-74C8-487B-97CD-6167A4B1DB56}
Update for Microsoft Office OneNote 2007 Help (KB957245)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {7332DE60-DC79-4578-A60A-A5EA0D6E032B}
Update for Microsoft Office PowerPoint 2007 Help (KB957247)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {B20E2C59-EEC5-4102-9E50-5DBB2093C37D}
Update for Microsoft Office Word 2007 Help (KB957252)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {54DF3345-0720-4224-9740-C7E00303F565}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Way To Go! Bowling-->"C:\Program Files\Oberon Media\Way To Go! Bowling\Uninstall.exe" "C:\Program Files\Oberon Media\Way To Go! Bowling\install.log"
Womens Murder Club-->"C:\Program Files\Oberon Media\Womens Murder Club\Uninstall.exe" "C:\Program Files\Oberon Media\Womens Murder Club\install.log"
Word Riot Deluxe-->"C:\Program Files\Oberon Media\Word Riot Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Word Riot Deluxe\install.log"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

AS: Windows Defender

System event log

Computer Name: Charlees-PC
Event Code: 7036
Message: The Windows Update service entered the running state.
Record Number: 83548
Source Name: Service Control Manager
Time Written: 20090129005500.000000-000
Event Type: Information
User:

Computer Name: Charlees-PC
Event Code: 7036
Message: The Windows Media Center Service Launcher service entered the stopped state.
Record Number: 83549
Source Name: Service Control Manager
Time Written: 20090129005500.000000-000
Event Type: Information
User:

Computer Name: Charlees-PC
Event Code: 10029
Message: DCOM started the service TrustedInstaller with arguments "" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}
Record Number: 83550
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20090129005558.000000-000
Event Type: Information
User:

Computer Name: Charlees-PC
Event Code: 7036
Message: The Windows Modules Installer service entered the running state.
Record Number: 83551
Source Name: Service Control Manager
Time Written: 20090129005559.000000-000
Event Type: Information
User:

Computer Name: Charlees-PC
Event Code: 7036
Message: The Windows Modules Installer service entered the stopped state.
Record Number: 83552
Source Name: Service Control Manager
Time Written: 20090129010559.000000-000
Event Type: Information
User:

Application event log

Computer Name: Charlees-PC
Event Code: 20224
Message: CoId={179F8EF6-13B1-48F4-85B7-97239ACE7566}: The link to the Remote Access Server has been established by user SYSTEM.
Record Number: 18611
Source Name: RasClient
Time Written: 20090129005440.000000-000
Event Type: Information
User:

Computer Name: Charlees-PC
Event Code: 20225
Message: CoId={179F8EF6-13B1-48F4-85B7-97239ACE7566}: The user SYSTEM has dialed a connection named The Internet (1) to the Remote Access Server which has successfully connected. The connection parameters are:
TunnelIpAddress = 172.163.146.88
TunnelIpv6Address = None
Dial-in User = .
Record Number: 18612
Source Name: RasClient
Time Written: 20090129005441.000000-000
Event Type: Information
User:

Computer Name: Charlees-PC
Event Code: 1
Message: The Windows Security Center Service has started.
Record Number: 18613
Source Name: SecurityCenter
Time Written: 20090129005459.000000-000
Event Type: Information
User:

Computer Name: Charlees-PC
Event Code: 1001
Message: Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Record Number: 18614
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090129005850.000000-000
Event Type: Information
User:

Computer Name: Charlees-PC
Event Code: 1000
Message: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Record Number: 18615
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090129005850.000000-000
Event Type: Information
User:

Security event log

Computer Name: Charlees-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-21-3267972482-450216133-219477661-1000
Account Name: Charlee
Account Domain: Charlees-PC
Logon ID: 0x3dc1b

Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 26439
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090129005243.681753-000
Event Type: Audit Success
User:

Computer Name: Charlees-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\atwpkt2.sys
Record Number: 26440
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090129005322.880353-000
Event Type: Audit Failure
User:

Computer Name: Charlees-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: CHARLEES-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x240
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 26441
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090129005558.524353-000
Event Type: Audit Success
User:

Computer Name: Charlees-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: CHARLEES-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x240
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 26442
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090129005558.524353-000
Event Type: Audit Success
User:

Computer Name: Charlees-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 26443
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090129005558.524353-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=16
"PROCESSOR_IDENTIFIER"=x86 Family 16 Model 2 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0202
"NUMBER_OF_PROCESSORS"=4
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------
LoPhatPhuud
MBAM certainly did its job. However, RSIT shows there is more to do, and it only reports. So, on to the next step.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.
qcheryl
Thank you for your help so far. Following is the log from ComboFix. How does it look?

Cheryl

ComboFix 09-01-21.04 - Charlee 2009-01-29 21:46:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2195 [GMT -5:00]
Running from: c:\users\Charlee\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\dialerexe.ini
c:\windows\system32\nsinet.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-28 20:07 . 2009-01-28 20:07 <DIR> d-------- C:\rsit
2009-01-28 20:04 . 2009-01-28 20:04 <DIR> d-------- c:\program files\Trend Micro
2009-01-28 19:33 . 2009-01-28 19:33 <DIR> d-------- c:\users\Charlee\AppData\Roaming\Malwarebytes
2009-01-28 19:32 . 2009-01-28 19:32 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-28 19:32 . 2009-01-28 19:32 <DIR> d-------- c:\programdata\Malwarebytes
2009-01-28 19:32 . 2009-01-28 19:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 19:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-28 19:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-21 22:04 . 2009-01-21 22:04 <DIR> d-------- c:\users\All Users\Word Whomp Underground
2009-01-21 22:04 . 2009-01-21 22:04 <DIR> d-------- c:\programdata\Word Whomp Underground
2009-01-20 22:58 . 2009-01-20 22:58 2,560 --a------ c:\windows\_MSRSTRT.EXE
2009-01-16 20:27 . 2009-01-16 20:27 <DIR> d-------- c:\program files\AOL Toolbar
2009-01-15 12:43 . 2009-01-15 12:42 410,984 --a------ c:\windows\System32\deploytk.dll
2009-01-14 19:37 . 2008-12-15 21:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-14 17:36 . 2009-01-14 17:36 <DIR> d-------- c:\users\All Users\Office Genuine Advantage
2009-01-14 17:36 . 2009-01-14 17:36 <DIR> d-------- c:\programdata\Office Genuine Advantage
2009-01-12 12:34 . 2009-01-12 12:34 <DIR> d-------- c:\users\All Users\Intenium
2009-01-12 12:34 . 2009-01-12 12:34 <DIR> d-------- c:\programdata\Intenium
2009-01-10 15:21 . 2009-01-10 15:21 <DIR> d-------- c:\users\All Users\Symantec
2009-01-10 15:21 . 2009-01-10 15:21 <DIR> d-------- c:\programdata\Symantec
2009-01-09 15:50 . 2009-01-09 15:51 <DIR> d-------- c:\program files\Mystery Case Files - Ravenhearst
2009-01-09 15:48 . 2009-01-09 15:48 <DIR> d-------- c:\program files\bfgclient
2009-01-09 15:46 . 2009-01-09 15:50 <DIR> d-------- C:\BigFishGamesCache
2009-01-07 15:45 . 2009-01-07 15:45 <DIR> dr------- c:\windows\System32\config\systemprofile\Music
2009-01-07 15:13 . 2009-01-07 18:46 <DIR> d-------- c:\program files\Trillian
2009-01-04 14:25 . 2009-01-18 23:15 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-03 13:34 . 2009-01-03 14:41 <DIR> d-------- c:\users\Charlee\AppData\Roaming\Pharaohs Secret
2009-01-03 12:55 . 2009-01-03 12:56 <DIR> d-------- c:\windows\System32\Adobe
2008-12-24 13:08 . 2008-12-24 13:08 <DIR> d-------- c:\users\Charlee\AppData\Roaming\Geneforge 3 Saved Games
2008-12-23 17:56 . 2008-12-23 17:57 <DIR> d-------- c:\program files\QuickTime
2008-12-21 22:48 . 2008-12-21 22:50 <DIR> d-------- c:\users\Charlee\AppData\Roaming\SecretIslandEng
2008-12-18 18:50 . 2008-05-30 14:19 507,400 --a------ c:\windows\System32\XAudio2_1.dll
2008-12-18 18:50 . 2008-05-30 14:18 238,088 --a------ c:\windows\System32\xactengine3_1.dll
2008-12-18 18:50 . 2008-05-30 14:17 65,032 --a------ c:\windows\System32\XAPOFX1_0.dll
2008-12-18 18:49 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\System32\D3DX9_38.dll
2008-12-18 18:49 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\System32\D3DCompiler_38.dll
2008-12-18 18:49 . 2008-05-30 14:11 467,984 --a------ c:\windows\System32\d3dx10_38.dll
2008-12-18 18:49 . 2008-05-30 14:17 25,608 --a------ c:\windows\System32\X3DAudio1_4.dll
2008-12-11 10:51 . 2008-10-21 20:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 23:30 . 2008-10-31 20:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-10 23:30 . 2008-10-29 01:29 2,927,104 --a------ c:\windows\explorer.exe
2008-12-10 23:30 . 2008-06-22 20:59 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-10 23:30 . 2008-10-15 23:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-10 23:30 . 2008-10-21 00:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 23:30 . 2008-10-31 22:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-10 23:29 . 2008-06-22 20:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-10 23:29 . 2008-06-22 20:58 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-06 20:13 . 2009-01-12 12:25 <DIR> d-------- c:\users\Public\RealArcade
2008-12-06 20:13 . 2009-01-12 12:25 <DIR> d-------- C:\My Games
2008-12-06 20:12 . 2009-01-12 12:25 <DIR> d-------- c:\program files\RealArcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 00:57 --------- d---a-w c:\programdata\TEMP
2009-01-29 00:52 --------- d-----w c:\program files\McAfee
2009-01-28 03:30 --------- d-----w c:\program files\Oberon Media
2009-01-23 00:17 --------- d-----w c:\programdata\Yahoo!
2009-01-22 20:00 --------- d-----w c:\program files\Google
2009-01-22 03:04 --------- d-----w c:\users\Charlee\AppData\Roaming\Pogo Games
2009-01-21 19:04 --------- d-----w c:\programdata\Apple Computer
2009-01-21 04:10 --------- d-----w c:\program files\Astro Gemini Software
2009-01-17 01:27 --------- d-----w c:\programdata\AOL
2009-01-17 01:26 --------- d-----w c:\program files\Common Files\AOL
2009-01-15 17:45 --------- d-----w c:\program files\Windows Mail
2009-01-15 17:42 --------- d-----w c:\program files\Java
2009-01-12 17:32 --------- d-----w c:\program files\Gateway Games
2009-01-09 19:20 --------- d-----w c:\program files\Yahoo!
2008-12-25 22:39 --------- d-----w c:\programdata\WildTangent
2008-12-20 03:49 --------- d-----w c:\users\Charlee\AppData\Roaming\PlayFirst
2008-12-20 03:49 --------- d-----w c:\programdata\PlayFirst
2008-12-11 15:53 --------- d-----w c:\programdata\Microsoft Help
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-27 18:54 339,968 ----a-w c:\windows\System32\pythoncom25.dll
2008-10-27 18:54 2,117,632 ----a-w c:\windows\System32\python25.dll
2008-10-27 18:54 114,688 ----a-w c:\windows\System32\pywintypes25.dll
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 19:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 18:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-06-26 02:58 174 --sha-w c:\program files\desktop.ini
2008-01-12 01:06 100,640 ----a-w c:\users\Safari Island Deluxe\safariisland.dll
2008-01-12 01:06 1,697,048 ----a-w c:\users\Safari Island Deluxe\SafariIsland.exe
2007-12-04 21:02 152,064 ----a-w c:\users\Safari Island Deluxe\UNWISE.EXE
2007-11-05 20:07 222,536 ----a-w c:\users\Safari Island Deluxe\GDF.dll
2007-07-03 19:58 577,536 ----a-w c:\users\Safari Island Deluxe\EbAdServingT25.dll
2007-06-25 20:25 162,304 ----a-w c:\users\Safari Island Deluxe\fmod.dll
2007-02-02 18:23 57,344 ----a-w c:\users\Safari Island Deluxe\GDFUninstall.exe
2007-02-02 18:17 106,496 ----a-w c:\users\Safari Island Deluxe\GameuxInstallHelper.dll
2006-10-05 11:51 532,480 ----a-w c:\users\Safari Island Deluxe\js32T.dll
2006-10-05 11:28 155,750 ----a-w c:\users\Safari Island Deluxe\nspr4T.dll
2008-09-19 20:42 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-09-19 20:42 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-09-19 20:42 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]
"AOL Fast Start"="c:\program files\AOL 9.0\AOL.EXE" [2006-11-10 50736]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-05-21 26112]
"HostManager"="c:\program files\Common Files\AOL\1211411712\ee\AOLSoftware.exe" [2008-06-24 41824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DelayShred"="c:\progra~1\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CDA9DF3C-1BE0-410F-B092-449CE2BE990D}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"{10AD40BB-3FC5-43AB-BCCC-89FA419282C7}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"{05268DE9-AD68-445F-AF3D-BBCE762E74EB}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"{4DCAB73F-B138-4D16-AC41-44773B66B5CE}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"{90829CD5-8A3F-4E9F-958C-31830DB4271C}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"{7F95EF16-AF00-4FB0-9C07-171C3916BBFD}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"{F012869B-1E85-4922-B9DB-ACA0115CA84A}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"{3D17761F-351F-4167-BF0B-C0193660923D}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"{8A0E48A8-7923-430D-A72E-3B37E698F310}"= UDP:c:\program files\Common Files\AOL\1211411712\ee\aolsoftware.exe:AOL Shared Components
"{B221D1F3-8FBC-4C15-8778-B653B347D1A7}"= TCP:c:\program files\Common Files\AOL\1211411712\ee\aolsoftware.exe:AOL Shared Components
"{D61DB296-5506-4F56-90A5-CF74A521D47C}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{D7B702FF-882E-4D9C-B65F-EBF0329AE61F}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{9FCBB4CD-3A8A-4753-9112-D17B7CC1B8DC}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{CF2AB7A0-7F86-41ED-A4CE-35E3693FD873}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{3CF3C4C5-35C8-4054-8651-9928858F541F}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{07B538F2-AB8B-4C98-A357-45330C3D8268}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6CAA4765-65B8-4F0C-AEBB-ABE3A1F232DE}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{43979D9B-1F57-4240-BDB1-47A95950281D}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{461F5302-0076-4AF1-8A0C-6DB7E3978BEF}"= UDP:c:\program files\AOL 9.1\waol.exe:AOL
"{5B0C958A-2604-4513-9A4F-1505D59AE2C1}"= TCP:c:\program files\AOL 9.1\waol.exe:AOL
"{413B6479-94D5-4D9A-AF26-23A9EE4FA848}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{667E9DF6-05FC-496A-9BF5-866F5AB29EE9}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{63D864C3-3448-4C9B-8439-27755EED7BA5}c:\\program files\\aol 9.1\\waol.exe"= UDP:c:\program files\aol 9.1\waol.exe:AOL Software
"UDP Query User{A1B91E61-34D0-403D-A2E1-76A434B833BB}c:\\program files\\aol 9.1\\waol.exe"= TCP:c:\program files\aol 9.1\waol.exe:AOL Software
"{903485E5-6424-4A23-8C87-AB2FAD66B6DB}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{40EA6CA3-BE37-4562-8D40-26AB5621924B}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A1A4E592-65ED-4615-A666-2D187CDEBFC2}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{FE320E5D-5D78-43A6-B4DB-3CA55E511A08}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{19A1DD1C-8F3C-4F70-B107-D2B372F8B43B}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{B7F03BD1-4A21-42CC-AD3D-42E70BF6BC56}"= UDP:c:\program files\AOL\RC\regclient.exe:AOL
"{E7FF4913-0CE6-4339-BE02-4218A1E8683C}"= TCP:c:\program files\AOL\RC\regclient.exe:AOL
"{366E7B90-5700-49CC-BDF5-D3774F570A66}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{5858D9AB-FDEF-4122-B246-3CD015952DF0}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{C992398A-6BDA-44CA-BC9C-01E6CEFCD2D0}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{83F8AF88-8ED0-43FB-94DF-C085CCF84BC1}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{249378AD-9C31-47B6-923F-5B121F7A4006}"= UDP:c:\program files\AOL 9.0a\waol.exe:AOL
"{89388B76-081E-4123-A878-949F6045C3A3}"= TCP:c:\program files\AOL 9.0a\waol.exe:AOL
"{C8A80B56-B34F-4637-853A-9E7E58979394}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{32DBE7A6-83D6-4EC5-BE39-A4CB80A11C9E}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A97C1227-C607-49E1-ACC4-50E1FB9F6B8D}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{457EF4B9-8A94-4AB7-B357-07E8A9D25771}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{4497F8DD-2D29-45E5-9E60-047A71F40081}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL
"{BDB05111-24BA-46A4-A396-1B485198EEFA}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL
"{38950C16-4B90-454C-BA92-BB1E631F4675}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{9F79FD6A-765D-48AE-B48C-D168BF24FEB8}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{D4D282AB-3430-452E-B2C2-B2CE8F23F1FA}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1A9EA78C-D358-4840-9D76-76EA2740B845}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\System32\drivers\xcbda.sys [2007-12-07 158336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ATWPKT2
*Deregistered* - ATWPKT2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c1507fe-b028-11dd-8fc4-8ad2b2b5f9be}]
\shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\At1.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At10.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-26 c:\windows\Tasks\At11.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-26 c:\windows\Tasks\At12.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-26 c:\windows\Tasks\At13.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At14.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-27 c:\windows\Tasks\At15.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-27 c:\windows\Tasks\At16.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At17.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At18.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At19.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At2.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-30 c:\windows\Tasks\At20.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-30 c:\windows\Tasks\At21.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-30 c:\windows\Tasks\At22.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At23.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At24.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-24 c:\windows\Tasks\At25.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At26.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At27.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At28.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At29.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At3.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At30.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At31.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At32.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At33.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At34.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-26 c:\windows\Tasks\At35.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-26 c:\windows\Tasks\At36.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-26 c:\windows\Tasks\At37.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At38.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-27 c:\windows\Tasks\At39.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At4.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-27 c:\windows\Tasks\At40.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At41.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At42.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At43.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-30 c:\windows\Tasks\At44.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-30 c:\windows\Tasks\At45.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-30 c:\windows\Tasks\At46.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At47.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-29 c:\windows\Tasks\At48.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At5.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At6.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At7.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At8.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At9.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-29 c:\windows\Tasks\User_Feed_Synchronization-{E5AC5E40-5F43-436C-B883-256FC03BA0F0}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
HKU-Default-Run-Cognac - c:\windows\TEMP\3562.tmp.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\users\Charlee\AppData\Roaming\Mozilla\Firefox\Profiles\eney0i65.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ab&query=
FF - component: c:\users\Charlee\AppData\Roaming\Mozilla\Firefox\Profiles\eney0i65.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 21:49:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-29 21:52:13
ComboFix-quarantined-files.txt 2009-01-30 02:52:09

Pre-Run: 399,077,175,296 bytes free
Post-Run: 399,126,257,664 bytes free

350 --- E O F --- 2009-01-15 17:45:18
LoPhatPhuud
1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

QUOTE
KillAll::

File::
c:\windows\system32\Q2rDBaih.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
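As an added example (not code from the thread, and not part of ComboFix): a small Python triage script that parses the 'Scheduled Tasks' section of a ComboFix log as posted above, groups the jobs by the executable they run, flags the pattern in this thread (a batch of At*.job tasks all launching one unversioned, random-named executable in System32), and renders the matching CFScript KillAll::/File:: text. The sample log lines are constructed from the posted log, and the flagging thresholds and the random-name heuristic are assumptions.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of the forum
post above. It parses the task list as ComboFix prints it (a dated .job line
followed by a '- <target> [<file info>]' line), groups jobs by the executable
they run, scores each executable against the persistence pattern seen here,
and renders the CFScript text a helper would hand back.
"""
import re
from collections import OrderedDict

# Constructed sample, trimmed from the log posted in the thread.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\At1.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-25 c:\windows\Tasks\At10.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-26 c:\windows\Tasks\At11.job
- c:\windows\system32\Q2rDBaih.exe []

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-29 c:\windows\Tasks\User_Feed_Synchronization-{E5AC5E40-5F43-436C-B883-256FC03BA0F0}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
- - - - ORPHANS REMOVED - - - -
"""

# "<date> c:\windows\Tasks\<name>.job" followed by "- <target> [<file info>]"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(c:\\windows\\tasks\\.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[(.*)\]$")
# Jobs named At<n>.job are the ones at.exe creates.
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)


def parse_tasks(log_text):
    """Map each target executable to the list of (job_path, file_info) that run it."""
    groups = OrderedDict()
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        job = JOB_RE.match(line)
        if job:
            pending_job = job.group(1)
            continue
        target = TARGET_RE.match(line)
        if target and pending_job:
            groups.setdefault(target.group(1), []).append((pending_job, target.group(2).strip()))
            pending_job = None
    return groups


def looks_random(stem):
    """Crude heuristic (assumption): mixed-case letters plus digits in one short stem."""
    return (len(stem) >= 6
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))


def assess(groups, min_at_jobs=3, min_reasons=2):
    """Return {target: [reasons]} for executables matching the pattern in this thread.

    Thresholds are assumptions. at.exe-created At*.job tasks are rare on a home
    PC, so a batch of them all pointing at one file is the strong signal; an
    empty "[]" means ComboFix could not read a date/size for the file.
    """
    findings = OrderedDict()
    for target, entries in groups.items():
        reasons = []
        at_jobs = [job for job, _ in entries if AT_JOB_RE.search(job)]
        if len(at_jobs) >= min_at_jobs:
            reasons.append("%d At*.job tasks launch it" % len(at_jobs))
        if all(info == "" for _, info in entries):
            reasons.append("ComboFix shows no file date/size for it ([])")
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random-looking file name '%s'" % stem)
        if len(reasons) >= min_reasons:
            findings[target] = reasons
    return findings


def build_cfscript(groups, findings):
    """Render the CFScript text (KillAll:: then File::) in the form used in the thread."""
    lines = ["KillAll::", "", "File::"]
    for target in findings:
        lines.append(target)
        lines.extend(job for job, _ in groups[target])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_tasks(SAMPLE_LOG)
    flagged = assess(found)
    for exe, why in flagged.items():
        print(exe)
        for reason in why:
            print("  -", reason)
    print()
    print(build_cfscript(found, flagged), end="")
```

Run it against a full ComboFix.txt by reading the file into `parse_tasks`; anything flagged still deserves a look at the file itself before it goes into a script.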
qcheryl
I ran the ComboFix script. When the ComboFix program started, I received a message stating today's date, and giving me the option of using "Reduced Functionality Mode" or quitting the program. I proceeded in Reduced Functionality Mode. The log is posted below.

So far the clean-up has gone well. Thank you for your clear instructions. What's next?

Best regards,
Cheryl


ComboFix 09-01-21.04 - Charlee 2009-01-31 20:53:57.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2165 [GMT -5:00]
Running from: c:\users\Charlee\Desktop\ComboFix.exe
Command switches used :: c:\users\Charlee\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\system32\Q2rDBaih.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-28 20:07 . 2009-01-28 20:07 <DIR> d-------- C:\rsit
2009-01-28 20:04 . 2009-01-28 20:04 <DIR> d-------- c:\program files\Trend Micro
2009-01-28 19:33 . 2009-01-28 19:33 <DIR> d-------- c:\users\Charlee\AppData\Roaming\Malwarebytes
2009-01-28 19:32 . 2009-01-28 19:32 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-28 19:32 . 2009-01-28 19:32 <DIR> d-------- c:\programdata\Malwarebytes
2009-01-28 19:32 . 2009-01-28 19:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 19:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-28 19:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-21 22:04 . 2009-01-21 22:04 <DIR> d-------- c:\users\All Users\Word Whomp Underground
2009-01-21 22:04 . 2009-01-21 22:04 <DIR> d-------- c:\programdata\Word Whomp Underground
2009-01-20 22:58 . 2009-01-20 22:58 2,560 --a------ c:\windows\_MSRSTRT.EXE
2009-01-16 20:27 . 2009-01-16 20:27 <DIR> d-------- c:\program files\AOL Toolbar
2009-01-15 12:43 . 2009-01-15 12:42 410,984 --a------ c:\windows\System32\deploytk.dll
2009-01-14 19:37 . 2008-12-15 21:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-14 17:36 . 2009-01-14 17:36 <DIR> d-------- c:\users\All Users\Office Genuine Advantage
2009-01-14 17:36 . 2009-01-14 17:36 <DIR> d-------- c:\programdata\Office Genuine Advantage
2009-01-12 12:34 . 2009-01-12 12:34 <DIR> d-------- c:\users\All Users\Intenium
2009-01-12 12:34 . 2009-01-12 12:34 <DIR> d-------- c:\programdata\Intenium
2009-01-10 15:21 . 2009-01-10 15:21 <DIR> d-------- c:\users\All Users\Symantec
2009-01-10 15:21 . 2009-01-10 15:21 <DIR> d-------- c:\programdata\Symantec
2009-01-09 15:50 . 2009-01-09 15:51 <DIR> d-------- c:\program files\Mystery Case Files - Ravenhearst
2009-01-09 15:48 . 2009-01-09 15:48 <DIR> d-------- c:\program files\bfgclient
2009-01-09 15:46 . 2009-01-09 15:50 <DIR> d-------- C:\BigFishGamesCache
2009-01-07 15:45 . 2009-01-07 15:45 <DIR> dr------- c:\windows\System32\config\systemprofile\Music
2009-01-07 15:13 . 2009-01-07 18:46 <DIR> d-------- c:\program files\Trillian
2009-01-04 14:25 . 2009-01-18 23:15 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-03 13:34 . 2009-01-03 14:41 <DIR> d-------- c:\users\Charlee\AppData\Roaming\Pharaohs Secret
2009-01-03 12:55 . 2009-01-03 12:56 <DIR> d-------- c:\windows\System32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 00:57 --------- d---a-w c:\programdata\TEMP
2009-01-29 00:52 --------- d-----w c:\program files\McAfee
2009-01-28 03:30 --------- d-----w c:\program files\Oberon Media
2009-01-23 00:17 --------- d-----w c:\programdata\Yahoo!
2009-01-22 20:00 --------- d-----w c:\program files\Google
2009-01-22 03:04 --------- d-----w c:\users\Charlee\AppData\Roaming\Pogo Games
2009-01-21 19:04 --------- d-----w c:\programdata\Apple Computer
2009-01-21 04:10 --------- d-----w c:\program files\Astro Gemini Software
2009-01-17 01:27 --------- d-----w c:\programdata\AOL
2009-01-17 01:26 --------- d-----w c:\program files\Common Files\AOL
2009-01-15 17:45 --------- d-----w c:\program files\Windows Mail
2009-01-15 17:42 --------- d-----w c:\program files\Java
2009-01-12 17:32 --------- d-----w c:\program files\Gateway Games
2009-01-12 17:25 --------- d-----w c:\program files\RealArcade
2009-01-09 19:20 --------- d-----w c:\program files\Yahoo!
2008-12-25 22:39 --------- d-----w c:\programdata\WildTangent
2008-12-24 18:08 --------- d-----w c:\users\Charlee\AppData\Roaming\Geneforge 3 Saved Games
2008-12-23 22:57 --------- d-----w c:\program files\QuickTime
2008-12-22 03:50 --------- d-----w c:\users\Charlee\AppData\Roaming\SecretIslandEng
2008-12-20 03:49 --------- d-----w c:\users\Charlee\AppData\Roaming\PlayFirst
2008-12-20 03:49 --------- d-----w c:\programdata\PlayFirst
2008-12-11 15:53 --------- d-----w c:\programdata\Microsoft Help
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-06-26 02:58 174 --sha-w c:\program files\desktop.ini
2008-01-12 01:06 100,640 ----a-w c:\users\Safari Island Deluxe\safariisland.dll
2008-01-12 01:06 1,697,048 ----a-w c:\users\Safari Island Deluxe\SafariIsland.exe
2007-12-04 21:02 152,064 ----a-w c:\users\Safari Island Deluxe\UNWISE.EXE
2007-11-05 20:07 222,536 ----a-w c:\users\Safari Island Deluxe\GDF.dll
2007-07-03 19:58 577,536 ----a-w c:\users\Safari Island Deluxe\EbAdServingT25.dll
2007-06-25 20:25 162,304 ----a-w c:\users\Safari Island Deluxe\fmod.dll
2007-02-02 18:23 57,344 ----a-w c:\users\Safari Island Deluxe\GDFUninstall.exe
2007-02-02 18:17 106,496 ----a-w c:\users\Safari Island Deluxe\GameuxInstallHelper.dll
2006-10-05 11:51 532,480 ----a-w c:\users\Safari Island Deluxe\js32T.dll
2006-10-05 11:28 155,750 ----a-w c:\users\Safari Island Deluxe\nspr4T.dll
2008-09-19 20:42 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-09-19 20:42 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-09-19 20:42 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-29_21.50.31.05 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-30 02:49:54 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-01 01:56:13 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-01 01:56:13 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-01-29 21:49:38 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-31 22:54:15 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-29 21:49:38 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-31 22:54:15 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-29 21:49:38 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-31 22:54:15 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-30 02:49:37 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-01 01:56:13 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-01 01:56:13 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-01-30 02:40:17 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-01 01:32:41 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-30 02:40:17 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-01 01:32:41 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-30 02:40:17 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-01 01:32:41 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-29 22:43:48 101,144 ----a-w c:\windows\System32\perfc009.dat
+ 2009-01-31 16:49:26 101,144 ----a-w c:\windows\System32\perfc009.dat
- 2009-01-29 22:43:48 595,446 ----a-w c:\windows\System32\perfh009.dat
+ 2009-01-31 16:49:26 595,446 ----a-w c:\windows\System32\perfh009.dat
- 2009-01-29 20:29:52 10,120 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3267972482-450216133-219477661-1000_UserData.bin
+ 2009-01-31 16:45:14 10,300 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3267972482-450216133-219477661-1000_UserData.bin
- 2009-01-29 22:41:18 61,454 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-31 16:45:13 61,668 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-01-29 22:41:15 51,622 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-01-31 16:45:09 51,638 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]
"AOL Fast Start"="c:\program files\AOL 9.0\AOL.EXE" [2006-11-10 50736]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-05-21 26112]
"HostManager"="c:\program files\Common Files\AOL\1211411712\ee\AOLSoftware.exe" [2008-06-24 41824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DelayShred"="c:\progra~1\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CDA9DF3C-1BE0-410F-B092-449CE2BE990D}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"{10AD40BB-3FC5-43AB-BCCC-89FA419282C7}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"{05268DE9-AD68-445F-AF3D-BBCE762E74EB}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"{4DCAB73F-B138-4D16-AC41-44773B66B5CE}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"{90829CD5-8A3F-4E9F-958C-31830DB4271C}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"{7F95EF16-AF00-4FB0-9C07-171C3916BBFD}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL
"{F012869B-1E85-4922-B9DB-ACA0115CA84A}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"{3D17761F-351F-4167-BF0B-C0193660923D}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL
"{8A0E48A8-7923-430D-A72E-3B37E698F310}"= UDP:c:\program files\Common Files\AOL\1211411712\ee\aolsoftware.exe:AOL Shared Components
"{B221D1F3-8FBC-4C15-8778-B653B347D1A7}"= TCP:c:\program files\Common Files\AOL\1211411712\ee\aolsoftware.exe:AOL Shared Components
"{D61DB296-5506-4F56-90A5-CF74A521D47C}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{D7B702FF-882E-4D9C-B65F-EBF0329AE61F}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{9FCBB4CD-3A8A-4753-9112-D17B7CC1B8DC}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{CF2AB7A0-7F86-41ED-A4CE-35E3693FD873}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{3CF3C4C5-35C8-4054-8651-9928858F541F}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{07B538F2-AB8B-4C98-A357-45330C3D8268}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6CAA4765-65B8-4F0C-AEBB-ABE3A1F232DE}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{43979D9B-1F57-4240-BDB1-47A95950281D}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{461F5302-0076-4AF1-8A0C-6DB7E3978BEF}"= UDP:c:\program files\AOL 9.1\waol.exe:AOL
"{5B0C958A-2604-4513-9A4F-1505D59AE2C1}"= TCP:c:\program files\AOL 9.1\waol.exe:AOL
"{413B6479-94D5-4D9A-AF26-23A9EE4FA848}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{667E9DF6-05FC-496A-9BF5-866F5AB29EE9}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{63D864C3-3448-4C9B-8439-27755EED7BA5}c:\\program files\\aol 9.1\\waol.exe"= UDP:c:\program files\aol 9.1\waol.exe:AOL Software
"UDP Query User{A1B91E61-34D0-403D-A2E1-76A434B833BB}c:\\program files\\aol 9.1\\waol.exe"= TCP:c:\program files\aol 9.1\waol.exe:AOL Software
"{903485E5-6424-4A23-8C87-AB2FAD66B6DB}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{40EA6CA3-BE37-4562-8D40-26AB5621924B}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A1A4E592-65ED-4615-A666-2D187CDEBFC2}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{FE320E5D-5D78-43A6-B4DB-3CA55E511A08}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{19A1DD1C-8F3C-4F70-B107-D2B372F8B43B}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{B7F03BD1-4A21-42CC-AD3D-42E70BF6BC56}"= UDP:c:\program files\AOL\RC\regclient.exe:AOL
"{E7FF4913-0CE6-4339-BE02-4218A1E8683C}"= TCP:c:\program files\AOL\RC\regclient.exe:AOL
"{366E7B90-5700-49CC-BDF5-D3774F570A66}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{5858D9AB-FDEF-4122-B246-3CD015952DF0}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{C992398A-6BDA-44CA-BC9C-01E6CEFCD2D0}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{83F8AF88-8ED0-43FB-94DF-C085CCF84BC1}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{249378AD-9C31-47B6-923F-5B121F7A4006}"= UDP:c:\program files\AOL 9.0a\waol.exe:AOL
"{89388B76-081E-4123-A878-949F6045C3A3}"= TCP:c:\program files\AOL 9.0a\waol.exe:AOL
"{C8A80B56-B34F-4637-853A-9E7E58979394}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{32DBE7A6-83D6-4EC5-BE39-A4CB80A11C9E}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A97C1227-C607-49E1-ACC4-50E1FB9F6B8D}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{457EF4B9-8A94-4AB7-B357-07E8A9D25771}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{4497F8DD-2D29-45E5-9E60-047A71F40081}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL
"{BDB05111-24BA-46A4-A396-1B485198EEFA}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL
"{38950C16-4B90-454C-BA92-BB1E631F4675}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{9F79FD6A-765D-48AE-B48C-D168BF24FEB8}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{D4D282AB-3430-452E-B2C2-B2CE8F23F1FA}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1A9EA78C-D358-4840-9D76-76EA2740B845}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\System32\drivers\xcbda.sys [2007-12-07 158336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c1507fe-b028-11dd-8fc4-8ad2b2b5f9be}]
\shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-31 c:\windows\Tasks\User_Feed_Synchronization-{E5AC5E40-5F43-436C-B883-256FC03BA0F0}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\users\Charlee\AppData\Roaming\Mozilla\Firefox\Profiles\eney0i65.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ab&query=
FF - component: c:\users\Charlee\AppData\Roaming\Mozilla\Firefox\Profiles\eney0i65.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 20:56:16
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(12264)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\combofix\hidec.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AOL 9.0\waol.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehrecvr.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\program files\AOL 9.0\shellmon.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MSC\mcuimgr.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-01-31 21:00:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 01:59:30
ComboFix2.txt 2009-01-30 02:52:14

Pre-Run: 395,517,079,552 bytes free
Post-Run: 396,243,271,680 bytes free

385 --- E O F --- 2009-01-15 17:45:18
LoPhatPhuud

Open Adobe's Acrobat -- if you have the Full Version installed. Click Help and run the Upgrade applet found there. If no update is offered:

Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.

Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 9 and use this as the integrated PDF Reader inside your browser: http://www.adobe.com/products/acrobat/readstep2.html

Check to make sure your Sun Java version is the most current, Release 1.6.0_11; please use the Sun Web site to update your version of Java JRE for Windows if necessary. Instructions can be found here: http://aumha.net/viewtopic.php?f=26&t=37284

_______________________________________________________________

Clean-up & Housekeeping Steps:
    For Windows XP (only):

    Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

    For Vista (only):

    To clear infected Windows Vista System Restore points:

    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    Now turn on Windows Vista System Restore:

    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Place a checkmark in the box for any drive you wish to enable System Restore on
    7. Click OK

  • Remove RSIT, if I asked you to install this utility.

    Delete the file rsit.exe and the folder C:\rsit. That's all there is to it!
  • Do a formal removal of Combofix if I asked you to use this utility.

    Click Start, then click Run.
    Enter into the command box that opens: combofix /u and then click OK.
    :!: If you renamed this file, use the new name in following this instruction rather than "Combofix.exe".
    Note: you must insert a blank space between the end of the word "combofix" and its parameter "/u" or it will not work. For Vista, you need to use an Elevated Command Prompt.
  • If I did not ask you to download OTMOVEIT previously, please download OTMoveIt3 by OldTimer and save it to your Desktop.
    Please double-click OTMoveIt3.exe to run the utility.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the small list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

  • Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  • If Malwarebytes' Anti-Malware was installed you may choose to keep it or remove it. To remove it, use Add or Remove Programs and uninstall it. I recommend that you leave MBAM installed and run it regularly.
  • Use the Add or Remove installed programs feature of Windows to Uninstall any on-line scanner you might have used.


_______________________________________________________________

Concluding Thoughts About Security

My personal rules, thoughts, and suggestions for you as to what to do next are very simple -- and note that they are for the most part personal suggestions and not requirements:
  1. Make sure your firewall is enabled, and in good working order. The native XP or Vista firewalls are fine although many people prefer to use a third party firewall. I recommend TallEmu's Online Armor: http://www.tallemu.com/, either the full, paid version, or the free version. There are also several good alternative choices.

    :!: Note: If your Antivirus software Suite includes a firewall, you likely have no other option than the included firewall. Check with the Vendor.
  2. If using Broadband Internet -- Cable or some variation of DSL, or FIOS -- use a NAT router;
  3. Have a good, current, antivirus installed. For freeware antivirus products, I can recommend either Antivir or AVAST. There are other choices. Schedule any automatic updates for a period of time during the day when you know the computer is regularly on and connected to the internet.
  4. Stay current at Microsoft Windows Updates -- to me this means setting Automatic Updates to on.
  5. If Vista, do not disable UAC; it is the best antimalware protection in Windows;
  6. Use a Secunia scan, free, to remain current for all Application software: http://secunia.com/vulnerability_scanning/online/
  7. If using XP: Install Microsoft's Windows Defender (free). It is good now, and gets better over time; http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D
  8. Optional: Consider using "passive" protections, such as SpywareBlaster ( http://www.javacoolsoftware.com/spywareblaster.html ), or a HOSTS-blocking approach -- one good HOSTS blocking example: http://www.mvps.org/winhelp2002/hosts.htm Again, this is a suggestion. They require no system resources, and do not "scan", but passively block known malware agents.
  9. Optional: Consider adding a heuristics-based active antimalware agent. These take little resources, do not "scan" your file system; but act as watchdogs. Comodo's BOClean ( http://www.comodo.com/boclean/CBO_download.html ), or PC-Tools' ThreatFire ( http://www.threatfire.com/ ) are both well considered. Install only one.
  10. Do not overdo it. SpyBot is a reasonable on-demand scanner, but do not install any "active" components, for example SpyBot's TeaTimer protection. Microsoft's free Windows Defender handles the entire job with greater features and more elegance. Ad-aware is a reasonable adware scanner; but do not install any "active" components. You are well covered, and in better form, by the earlier items in the list.
  11. Never install more than one active antivirus program, or more than one firewall. You would be less protected as a result. I am confident you know better; but you would be surprised how many logs we see where folks have two, three, four full antivirus suites installed.
  12. If your antivirus or any other protections show warnings about an issue, contact your subscription vendor for that product and ask for help. That is what you paid money for.
  13. If you went all "freeware", or the vendor does not help, rather than download everything you can Google to "fix" the issue, head to a malware removal site and ask for help.

    Every Helper here will tell you the same thing: I would rather see in a structured way a very infected machine than puzzle over the leftovers from the member's use of inept or inappropriate removal tools. The logs returned from the utilities we ask you to download and run are less interesting for what they found than for what they reveal about what is still there. If none of the previous 11 suggestions resolved the problem, start with a good malware removal site and ask for help. AumHa is just one of several excellent Forums providing this level of support without charge.
  14. Please read: Should You Use a Registry Cleaner in Windows?
    http://aumha.net/viewtopic.php?t=28099
    (I vote rather strongly No.)

You can find arguments about all the points above, but I wanted to give a personal answer to you about my own thoughts about the issue. I honestly, however, have no interest in debating any of them. It is just my honest view of reasonable security steps you should take; with a focus on how to do this inexpensively, with very low resource usage, few annoyances, and well.

Thanks for helping to keep your computer clean...

