Edited by bbirali, 06 June 2010 - 10:36 AM.

rootkit.tdss
#16
Posted 06 June 2010 - 10:13 AM
#18
Posted 06 June 2010 - 10:52 AM
Here is the log of the combofix
ComboFix 10-06-05.03 - Savitha Birali 06/06/2010 11:50:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1346 [GMT -4:00]
Running from: c:\documents and settings\Savitha Birali\Desktop\wfdhowod.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\Savitha Birali\Local Settings\Temporary Internet Files\FishTank.gg
c:\windows\jestertb.dll
c:\windows\setup.exe
c:\windows\system32\PRAGMAerrors.log
c:\windows\system32\Thumbs.db
c:\windows\system32\Vb40032.dll
J:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
.
2010-06-05 12:29 . 2010-06-05 12:29 73728 ----a-r- c:\documents and settings\Savitha Birali\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut6_6EA2867D4E8340A5A3471FF71A363544.exe
2010-06-05 12:29 . 2010-06-05 12:29 73728 ----a-r- c:\documents and settings\Savitha Birali\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut5_6EA2867D4E8340A5A3471FF71A363544.exe
2010-06-05 12:29 . 2010-06-05 12:29 73728 ----a-r- c:\documents and settings\Savitha Birali\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe
2010-06-05 12:29 . 2010-06-05 12:29 30894 ----a-r- c:\documents and settings\Savitha Birali\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\ARPPRODUCTICON.exe
2010-06-05 12:28 . 2010-06-05 12:28 -------- d-----w- c:\program files\Common Files\eSellerate
2010-06-05 12:28 . 2010-06-05 12:28 -------- d-----w- c:\program files\Memeo
2010-06-05 12:28 . 2010-06-05 12:28 -------- d-s---w- c:\documents and settings\Savitha Birali\Local Settings\Application Data\Memeo
2010-06-05 12:28 . 2010-06-05 12:28 -------- d-s---w- c:\documents and settings\All Users\Application Data\Memeo
2010-06-05 12:28 . 2010-06-05 12:28 -------- d-----w- c:\documents and settings\Savitha Birali\Local Settings\Application Data\{73DF8C24-FEEC-41AF-B020-3FABC7890954}
2010-06-05 12:19 . 2010-06-05 12:19 -------- d-----w- C:\Process Explorer
2010-06-05 01:10 . 2006-11-01 17:06 162616 ----a-w- c:\windows\RegDelNull.exe
2010-06-05 00:08 . 2010-06-05 11:44 -------- d-----w- C:\ComboFix
2010-06-02 02:36 . 2010-06-02 02:36 -------- d-----w- c:\documents and settings\Savitha Birali\Local Settings\Application Data\Threat Expert
2010-06-02 02:35 . 2010-06-02 02:35 -------- d-----w- c:\documents and settings\Savitha Birali\Application Data\PC Tools
2010-06-02 02:34 . 2010-06-06 15:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-31 23:33 . 2010-05-31 23:33 -------- d-----w- c:\documents and settings\Savitha Birali\Tracing
2010-05-31 23:31 . 2010-05-31 23:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-31 23:27 . 2010-05-31 23:33 -------- d-----w- c:\program files\Microsoft
2010-05-31 23:26 . 2010-05-31 23:26 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-05-31 23:26 . 2010-05-31 23:32 -------- d-----w- c:\program files\Windows Live
2010-05-31 23:22 . 2010-05-31 23:22 -------- d-----w- c:\program files\Common Files\Windows Live
2010-05-28 00:57 . 2010-05-28 00:57 -------- d-----w- c:\program files\SiteAdvisor
2010-05-28 00:56 . 2010-04-14 16:50 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-05-27 17:10 . 2010-05-27 17:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-05-24 20:54 . 2010-05-24 20:54 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple
2010-05-24 12:08 . 2010-05-24 12:08 862872 ----a-w- c:\documents and settings\Guest\Application Data\yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-05-22 11:34 . 2010-05-22 11:34 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2010-05-22 11:33 . 2010-05-22 11:33 503808 ----a-w- c:\documents and settings\Savitha Birali\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4c3e92e6-n\msvcp71.dll
2010-05-22 11:33 . 2010-05-22 11:33 499712 ----a-w- c:\documents and settings\Savitha Birali\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4c3e92e6-n\jmc.dll
2010-05-22 11:33 . 2010-05-22 11:33 348160 ----a-w- c:\documents and settings\Savitha Birali\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4c3e92e6-n\msvcr71.dll
2010-05-17 10:41 . 2010-04-14 16:50 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-05-17 10:41 . 2010-04-14 16:50 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-05-17 10:41 . 2010-04-14 16:50 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-05-17 10:41 . 2010-04-14 16:50 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-05-17 10:41 . 2010-04-14 16:50 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-05-17 10:41 . 2010-04-14 16:50 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-05-17 10:41 . 2010-04-14 16:50 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-05-13 00:05 . 2010-05-13 00:05 -------- d-----w- c:\documents and settings\Savitha Birali\Application Data\Uniblue
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 15:32 . 2010-06-02 02:35 -------- d-----w- c:\program files\Spyware Doctor
2010-06-06 14:43 . 2010-06-02 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-05 17:00 . 2008-11-15 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-05 12:29 . 2005-04-26 02:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 23:52 . 2008-04-06 20:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 23:34 . 2008-08-09 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-04 23:12 . 2004-08-03 22:59 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-06-02 02:36 . 2010-06-02 02:35 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-01 00:15 . 2010-03-31 22:55 -------- d-----w- c:\documents and settings\Savitha Birali\Application Data\vlc
2010-05-28 10:24 . 2005-09-11 20:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-28 00:56 . 2007-07-24 03:47 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-22 11:37 . 2009-11-06 17:25 -------- d--h--r- c:\documents and settings\Guest\Application Data\yahoo!
2010-05-21 18:14 . 2009-10-02 18:51 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-17 16:57 . 2005-09-08 22:57 -------- d-----w- c:\program files\Creative
2010-05-17 16:41 . 2007-07-24 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-17 16:41 . 2007-07-24 03:47 -------- d-----w- c:\program files\McAfee
2010-05-17 16:25 . 2008-07-07 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-05-09 14:33 . 2007-11-20 04:02 -------- d-----w- c:\documents and settings\Savitha Birali\Application Data\LimeWire
2010-05-09 02:32 . 2005-04-26 23:33 -------- d-----w- c:\program files\Google
2010-05-05 12:53 . 2010-05-05 12:52 -------- d-----w- c:\program files\iTunes
2010-05-05 12:52 . 2010-05-05 12:52 -------- d-----w- c:\program files\iPod
2010-05-05 12:52 . 2007-07-05 19:09 -------- d-----w- c:\program files\Common Files\Apple
2010-05-05 12:41 . 2010-05-05 12:41 -------- d-----w- c:\program files\Bonjour
2010-05-05 12:37 . 2010-05-05 12:37 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-05 12:27 . 2005-09-19 23:55 1848 ----a-w- c:\documents and settings\Savitha Birali\Application Data\wklnhst.dat
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\Savitha Birali\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-18 14:02 . 2010-04-18 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-18 13:54 . 2010-04-18 13:53 -------- d-----w- c:\program files\QuickTime
2010-04-17 04:04 . 2010-04-17 04:04 306032 ----a-w- c:\windows\WLXPGSS.SCR
2010-04-17 02:12 . 2010-04-17 02:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-14 16:50 . 2010-04-14 16:50 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-14 16:50 . 2010-04-14 16:50 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-10 23:51 . 2010-03-31 22:56 -------- d-----w- c:\documents and settings\Savitha Birali\Application Data\dvdcss
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-08 18:29 . 2010-06-02 02:35 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-29 14:06 . 2010-06-02 02:35 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-16 02:13 . 2010-03-16 02:13 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-12 19:56 . 2010-03-12 19:56 0 ----a-w- c:\windows\ativpsrm.bin
2010-03-10 06:15 . 2005-04-26 02:17 420352 ----a-w- c:\windows\system32\vbscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-03-09 139264]
"SoundMan"="SOUNDMAN.EXE" [2005-04-07 90112]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-07 2805248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-23 5406720]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"LXBLKsk"="c:\progra~1\Lexmark\PHOTOC~1\LXBLKsk.exe" [2003-03-26 294912]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 36864]
"VAIO Update 3"="c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-01-24 546936]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-21 1193336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\Savitha Birali\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Savitha Birali\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2010-6-5 73728]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-11-29 66864]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer for HDD Camcorder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer for HDD Camcorder.lnk
backup=c:\windows\pss\ImageMixer for HDD Camcorder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Savitha Birali^Start Menu^Programs^Startup^SIGMA Photo Pro AutoLaunch.lnk]
path=c:\documents and settings\Savitha Birali\Start Menu\Programs\Startup\SIGMA Photo Pro AutoLaunch.lnk
backup=c:\windows\pss\SIGMA Photo Pro AutoLaunch.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Savitha Birali^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Savitha Birali\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 04:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-01 14:59 133104 ----atw- c:\documents and settings\Savitha Birali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 17:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2010-05-11 15:51 1287120 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
2003-04-28 21:29 122880 ----a-w- c:\program files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-05-12 20:04 196608 ----a-w- c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-02-23 04:31 25388584 ----a-w- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-14 19:40 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-11-10 20:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Savitha Birali\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Savitha Birali\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\LimeWire_5.4.8\\LimeWire.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/1/2010 10:35 PM 218592]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/17/2010 6:41 AM 82952]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [6/1/2010 10:36 PM 112592]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/27/2010 8:56 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/27/2010 8:56 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/27/2010 8:56 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/27/2010 8:56 PM 141792]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 10:37 PM 27992]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/17/2010 6:41 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/17/2010 6:41 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/17/2010 6:41 AM 88480]
R4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/1/2010 10:35 PM 233136]
R4 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
R4 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
R4 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 7:47 AM 98304]
S2 gupdate1c8e3bc171de0d0;Google Update Service (gupdate1c8e3bc171de0d0);c:\program files\Google\Update\GoogleUpdate.exe [7/11/2008 9:10 PM 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/27/2010 8:56 PM 271480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/17/2010 6:41 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/17/2010 6:41 AM 83496]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/1/2010 10:35 PM 366840]
S3 SecBulk;SECBULK.sys, SEC SOC USBD Driver;c:\windows\system32\drivers\secbulk.sys [4/26/2008 2:36 PM 10430]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 0105461188904383mcinstcleanup;McAfee Application Installer Cleanup (0105461188904383);c:\windows\TEMP\010546~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\010546~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [6/1/2010 10:35 PM 63360]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PCTGNTDI
*NewlyCreated* - PCTPLSG
*NewlyCreated* - TFFSMON
*NewlyCreated* - TFNETMON
*NewlyCreated* - TFSYSMON
*Deregistered* - mfeavfk01
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder
2010-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
2010-06-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-30 16:22]
2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-12 22:42]
2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-12 22:42]
2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2848521378-568687814-882485259-1006Core.job
- c:\documents and settings\Savitha Birali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-01 14:59]
2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2848521378-568687814-882485259-1006UA.job
- c:\documents and settings\Savitha Birali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-01 14:59]
2010-06-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: WMP10ctrl - hxxp://www.cinemanow.com/WMP10ctrl.CAB
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://neovpn.wellington.com/llclient/netscreen2/winxp/,DanaInfo=confidence.wellmanage.com,CT=java+AXXPEE.dll
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
SafeBoot-klmdb.sys
SafeBoot-svcWRSSSDK
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0600 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0600\HXFSETUP.EXE -U -IHDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_104D0600
AddRemove-Modules - c:\docume~1\SAVITH~1\LOCALS~1\Temp\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 12:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2848521378-568687814-882485259-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-2848521378-568687814-882485259-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000003
"State"=dword:00000007
[HKEY_USERS\S-1-5-21-2848521378-568687814-882485259-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000002
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-2848521378-568687814-882485259-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1252)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll
c:\program files\Spyware Doctor\TFEngine\TFMon.dll
c:\program files\Spyware Doctor\TFEngine\TFRK.dll
.
Completion time: 2010-06-06 12:43:20
ComboFix-quarantined-files.txt 2010-06-06 16:42
Pre-Run: 90,151,661,568 bytes free
Post-Run: 94,891,384,832 bytes free
- - End Of File - - E07D70F38F15E2F1BE82E1C9EFB30940
#19
Posted 06 June 2010 - 11:06 AM
- Go to Start -> Run, copy and paste the following command in the Run box and click OK (Vista or Windows 7: click on the Vista or Windows 7 Orb, copy and paste the following command in the Search box and press Enter).
PragmaFix -auto
- It will produce PragmaFix.log in the C:\ folder.
- Please post the results here.
Proud Graduate of the WTT Classroom
#20
Posted 06 June 2010 - 11:22 AM
#21
Posted 06 June 2010 - 11:28 AM
PragmaFix
- Go to Start -> Run, copy and paste the following command in the Run box and click OK (Vista or Windows 7: click on the Vista or Windows 7 Orb, copy and paste the following command in the Search box and press Enter).
PragmaFix -cleanup
NEXT:
Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
NEXT:
ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan
Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
- Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan - Click the
button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on
to download the ESET Smart Installer. Save it to your desktop.
- Double click on the
icon on your desktop.
- Click on
- Check
- Click the
button.
- Accept any security warnings from your browser.
- Check
- Make sure that the option "Remove found threats" is Unchecked
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push
, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the
button.
- Push
NEXT:
OTL Custom Scan
We need to run an OTL Custom Scan
- Please reopen
on your desktop.
- Copy and Paste the following bolded text into the
textbox.
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180
- Push
- A report will open. Copy and Paste that report in your next reply.
NEXT:
Please make sure you include the following items in your next post:
1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that was produced after running the OTL fix.
3. The log that was produced after running the MalwareBytes' Anti-Malware scan.
4. The log that was produced after running the ESET Online Virus Scanner.
5. The log that was produced after running the OTL scan.
6. An update on how your computer is currently running.
Cheers,
SweetTech.
Proud Graduate of the WTT Classroom
#22
Posted 07 June 2010 - 09:09 AM


Edited by bbirali, 07 June 2010 - 09:19 AM.
#23
Posted 07 June 2010 - 09:15 AM

Proud Graduate of the WTT Classroom
#24
Posted 07 June 2010 - 09:21 AM
#25
Posted 07 June 2010 - 09:24 AM
Proud Graduate of the WTT Classroom
#26
Posted 07 June 2010 - 09:38 AM

#27
Posted 07 June 2010 - 08:58 PM
#28
Posted 07 June 2010 - 09:06 PM
#29
Posted 07 June 2010 - 09:12 PM
That should have been removed. Were you able to run ESET successfully? Can you please let me know what should I do.
Proud Graduate of the WTT Classroom
#30
Posted 07 June 2010 - 09:18 PM
Edited by bbirali, 07 June 2010 - 09:20 PM.