Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Unidentified malware on Admin user account

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Unidentified malware on Admin user account

Unread postby Dakeyras » August 7th, 2010, 3:15 pm

Hi. :)

Before we proceed any further I have two questions if I may.

1 - Does Norton AntiVirus still have a active subscription?

2 - When you re-ran the RSIT scan was a internet connection active?
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 3:01 pm

1.) NAV shows 707 more days of active subscription, with definition list updated yesterday.
2.) Apparently LAN connection was set to use an unspecified proxy server, so while my router saw the box, the box didn't see the internet. Internet connection was reestablished, RSIT logs are re-run and will be in the following two posts.
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 3:21 pm

Logfile of random's system information tool 1.08 (written by random/random)
Run by Mark Young at 2010-08-08 14:59:05
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 87 GB (57%) free of 153 GB
Total RAM: 1021 MB (31% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:03:35 PM, on 8/8/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\WerCon.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Users\Mark Young\Desktop\rsit.exe
C:\Program Files\trend micro\Mark Young.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
R3 - URLSearchHook: MapQuest Toolbar Search Class - {2731C719-B8C5-4282-993D-B5AD0E77531D} - C:\Program Files\MapQuest Toolbar\mqtb.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: MapQuest Toolbar Loader - {E34F0E11-AB79-487c-9773-36C594DFF5AA} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: MapQuest Toolbar - {57ABF0DD-577C-4ec6-855C-8DC29768C2B0} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [pjpjscti] C:\Users\Mark Young\AppData\Local\swbjxyfqp\fdqvffktssd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &MapQuest Toolbar Search - C:\ProgramData\MapQuest Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_57E73FA0B01DF7F6.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca6bd597e4aa80) (gupdate1ca6bd597e4aa80) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 8991 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}]
PC Tools Browser Guard BHO - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll [2010-07-19 649168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2010-03-11 329312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL [2010-01-20 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-28 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-18 278128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-05-18 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll [2008-12-04 83800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-28 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E34F0E11-AB79-487c-9773-36C594DFF5AA}]
MapQuest Toolbar Loader - C:\Program Files\MapQuest Toolbar\mqtb.dll [2008-03-18 1267040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{57ABF0DD-577C-4ec6-855C-8DC29768C2B0} - MapQuest Toolbar - C:\Program Files\MapQuest Toolbar\mqtb.dll [2008-03-18 1267040]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll [2008-12-04 83800]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-18 278128]
{472734EA-242A-422B-ADF8-83D1E48CC825} - PC Tools Browser Guard - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll [2010-07-19 649168]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-28 136600]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [2010-04-13 47392]
"DLCXCATS"=rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16 []
"FaxCenterServer"=C:\Program Files\Dell PC Fax\fm3032.exe [2006-11-03 312200]
"dlcxmon.exe"=C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe [2007-01-12 292336]
"MemoryCardManager"=C:\Program Files\Dell Photo AIO Printer 926\memcard.exe [2006-11-03 304008]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-04-14 13687328]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2009-04-14 92704]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2010-03-11 202256]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [2007-05-06 405504]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-04-28 142120]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-17 68856]
"pjpjscti"=C:\Users\Mark Young\AppData\Local\swbjxyfqp\fdqvffktssd.exe []

C:\Users\Mark Young\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"legalnoticecaption"=
"legalnoticetext"=
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 3 months======

2010-08-04 22:43:09 ----D---- C:\rsit
2010-08-03 12:15:47 ----A---- C:\Windows\system32\shell32.dll
2010-07-28 19:22:34 ----D---- C:\Program Files\Trend Micro
2010-07-28 19:03:04 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-07-28 19:03:01 ----D---- C:\ProgramData\Malwarebytes
2010-07-28 19:03:01 ----A---- C:\Windows\system32\drivers\mbam.sys
2010-07-28 19:03:00 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-28 18:54:23 ----ASH---- C:\hiberfil.sys
2010-07-28 18:46:27 ----A---- C:\Windows\ntbtlog.txt
2010-07-20 09:48:11 ----D---- C:\ProgramData\Sun
2010-07-17 17:19:38 ----AS---- C:\Windows\system32\drivers\TfSysMon.sys
2010-07-17 17:19:38 ----AS---- C:\Windows\system32\drivers\TfNetMon.sys
2010-07-17 17:19:38 ----AS---- C:\Windows\system32\drivers\TfFsMon.sys
2010-07-17 15:34:32 ----A---- C:\Windows\BDTSupport.dll.old
2010-07-17 15:34:32 ----A---- C:\Windows\BDTSupport.dll
2010-07-17 15:34:30 ----A---- C:\Windows\SGDetectionTool.dll
2010-07-17 15:34:30 ----A---- C:\Windows\PCTBDRes.dll
2010-07-17 15:34:30 ----A---- C:\Windows\PCTBDCore.dll.old
2010-07-17 15:34:30 ----A---- C:\Windows\PCTBDCore.dll
2010-07-17 15:31:06 ----A---- C:\Windows\system32\drivers\pctwfpfilter.sys
2010-07-17 15:31:06 ----A---- C:\Windows\system32\drivers\pctgntdi.sys
2010-07-17 15:30:17 ----A---- C:\Windows\system32\drivers\PCTCore.sys
2010-07-17 15:30:17 ----A---- C:\Windows\system32\drivers\PCTAppEvent.sys
2010-07-17 15:29:29 ----A---- C:\Windows\system32\drivers\pctplsg.sys
2010-07-17 15:29:08 ----D---- C:\ProgramData\PC Tools
2010-07-17 15:29:08 ----D---- C:\Program Files\Spyware Doctor
2010-07-17 15:29:08 ----D---- C:\Program Files\Common Files\PC Tools
2010-07-17 15:28:40 ----AD---- C:\ProgramData\TEMP
2010-07-15 10:54:34 ----D---- C:\ProgramData\Visan
2010-07-15 10:52:06 ----D---- C:\ProgramData\HP Photo Creations Meijer
2010-07-15 10:52:06 ----D---- C:\Program Files\HP Photo Creations Meijer
2010-07-14 17:48:03 ----RA---- C:\Windows\system32\drivers\SymIMV.sys
2010-07-14 17:47:53 ----D---- C:\Program Files\Symantec
2010-07-14 17:47:53 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-07-14 17:47:53 ----A---- C:\Windows\system32\drivers\SYMEVENT.SYS
2010-07-14 17:47:21 ----D---- C:\Windows\system32\drivers\NAV
2010-07-14 17:47:19 ----D---- C:\Program Files\Norton AntiVirus
2010-07-14 17:47:09 ----D---- C:\Program Files\NortonInstaller
2010-06-24 09:39:53 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2010-06-24 09:39:53 ----A---- C:\Windows\system32\PresentationHost.exe
2010-06-24 09:39:52 ----A---- C:\Windows\system32\netfxperf.dll
2010-06-24 09:39:52 ----A---- C:\Windows\system32\mscoree.dll
2010-06-24 09:39:52 ----A---- C:\Windows\system32\dfshim.dll
2010-06-23 21:41:44 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-06-23 21:41:44 ----A---- C:\Windows\system32\Apphlpdm.dll
2010-06-10 03:10:03 ----A---- C:\Windows\system32\asycfilt.dll
2010-06-10 03:10:02 ----A---- C:\Windows\system32\atmfd.dll
2010-06-10 03:10:01 ----A---- C:\Windows\system32\atmlib.dll
2010-06-10 03:09:50 ----A---- C:\Windows\system32\mshtml.dll
2010-06-10 03:09:49 ----A---- C:\Windows\system32\ieframe.dll
2010-06-10 03:09:48 ----A---- C:\Windows\system32\iertutil.dll
2010-06-10 03:09:47 ----A---- C:\Windows\system32\wininet.dll
2010-06-10 03:09:47 ----A---- C:\Windows\system32\urlmon.dll
2010-06-10 03:09:46 ----A---- C:\Windows\system32\occache.dll
2010-06-10 03:09:46 ----A---- C:\Windows\system32\mstime.dll
2010-06-10 03:09:46 ----A---- C:\Windows\system32\msfeeds.dll
2010-06-10 03:09:46 ----A---- C:\Windows\system32\iedkcs32.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\msfeedssync.exe
2010-06-10 03:09:45 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\jsproxy.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\ieUnatt.exe
2010-06-10 03:09:45 ----A---- C:\Windows\system32\ieui.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\iesysprep.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\iesetup.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\iernonce.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\iepeers.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\ie4uinit.exe
2010-06-10 03:09:40 ----A---- C:\Windows\system32\win32k.sys
2010-05-25 21:12:45 ----A---- C:\Windows\system32\tzres.dll
2010-05-21 22:04:25 ----D---- C:\Program Files\Microsoft Silverlight
2010-05-18 21:49:09 ----A---- C:\ProgramData\SPLE271.tmp
2010-05-12 03:03:26 ----D---- C:\22f02d5cdfbca0f853c381
2010-05-11 19:36:12 ----A---- C:\Windows\system32\inetcomm.dll

======List of files/folders modified in the last 3 months======

2010-08-08 15:01:32 ----D---- C:\Windows\Temp
2010-08-08 14:59:24 ----D---- C:\Windows\Prefetch
2010-08-08 14:54:57 ----SD---- C:\Windows\Tasks
2010-08-08 14:54:43 ----D---- C:\Windows\System32
2010-08-08 14:54:43 ----D---- C:\Windows\inf
2010-08-08 14:54:43 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-08-08 14:50:59 ----D---- C:\ProgramData\Google Updater
2010-08-08 14:48:08 ----D---- C:\Windows
2010-08-06 21:40:03 ----A---- C:\Windows\SchedLgU.Txt
2010-08-06 21:16:53 ----D---- C:\Windows\system32\LogFiles
2010-08-04 03:01:37 ----D---- C:\Windows\winsxs
2010-08-04 03:00:59 ----SHD---- C:\System Volume Information
2010-08-03 13:21:16 ----D---- C:\Windows\system32\Tasks
2010-08-03 11:52:33 ----D---- C:\Windows\system32\catroot
2010-08-01 21:09:40 ----HD---- C:\ProgramData
2010-07-30 19:55:13 ----D---- C:\Program Files\dl_Cats
2010-07-29 05:57:12 ----RD---- C:\Program Files
2010-07-28 19:22:35 ----SHD---- C:\Windows\Installer
2010-07-28 19:03:04 ----D---- C:\Windows\system32\drivers
2010-07-28 18:20:36 ----D---- C:\Users\Mark Young\AppData\Roaming\Apple Computer
2010-07-26 21:54:16 ----D---- C:\Windows\system32\catroot2
2010-07-20 19:04:01 ----D---- C:\Windows\system32\Msdtc
2010-07-20 19:03:52 ----D---- C:\Windows\system32\wbem
2010-07-20 19:03:09 ----D---- C:\Windows\system32\config
2010-07-20 19:02:06 ----D---- C:\Windows\system32\spool
2010-07-20 19:02:06 ----D---- C:\Windows\system32\restore
2010-07-20 19:02:06 ----D---- C:\Windows\system32\oobe
2010-07-20 19:02:06 ----D---- C:\Windows\system32\drivers\UMDF
2010-07-20 19:02:05 ----RSD---- C:\Windows\Media
2010-07-20 19:02:05 ----D---- C:\Windows\system32\drivers\etc
2010-07-20 19:02:05 ----D---- C:\Windows\system32\CodeIntegrity
2010-07-20 19:01:56 ----RSD---- C:\Windows\Fonts
2010-07-20 19:01:56 ----RSD---- C:\Windows\assembly
2010-07-20 19:01:45 ----RD---- C:\Users
2010-07-20 19:01:43 ----D---- C:\ProgramData\Microsoft Help
2010-07-20 19:01:38 ----D---- C:\Program Files\Microsoft Works
2010-07-20 19:01:32 ----D---- C:\Program Files\Abbyy FineReader 6.0 Sprint
2010-07-20 19:00:57 ----D---- C:\Windows\registration
2010-07-20 09:48:04 ----D---- C:\Program Files\Common Files\Java
2010-07-20 09:47:22 ----D---- C:\Program Files\Java
2010-07-17 15:29:08 ----D---- C:\Program Files\Common Files
2010-07-14 22:31:36 ----D---- C:\Program Files\Windows Mail
2010-07-14 17:49:34 ----D---- C:\ProgramData\Symantec
2010-07-14 17:48:24 ----D---- C:\ProgramData\Norton
2010-07-14 17:27:49 ----SD---- C:\Users\Mark Young\AppData\Roaming\Microsoft
2010-07-14 17:27:43 ----D---- C:\ProgramData\avg9
2010-07-13 17:03:56 ----D---- C:\Windows\Logs
2010-07-02 15:39:05 ----A---- C:\Windows\system32\mrt.exe
2010-06-26 15:30:32 ----D---- C:\Windows\Microsoft.NET
2010-06-26 03:12:58 ----D---- C:\Windows\ehome
2010-06-26 03:03:08 ----D---- C:\Windows\system32\en-US
2010-06-26 03:03:03 ----D---- C:\Program Files\Microsoft.NET
2010-06-24 10:00:03 ----D---- C:\Windows\AppPatch
2010-06-11 03:29:27 ----D---- C:\Windows\system32\migration
2010-06-11 03:29:27 ----D---- C:\Program Files\Internet Explorer
2010-06-09 09:41:18 ----D---- C:\Program Files\Safari
2010-05-26 19:12:32 ----D---- C:\Windows\rescache
2010-05-21 22:04:43 ----SD---- C:\ProgramData\Microsoft
2010-05-20 15:44:52 ----D---- C:\Program Files\Google

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 iaStor;Intel RAID Controller; C:\Windows\system32\drivers\iastor.sys [2006-05-11 247808]
R0 PCTCore;PCTools KDS; C:\Windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2005-05-12 20576]
R0 SymEFA;Symantec Extended File Attributes; C:\Windows\system32\drivers\NAV\1008000.029\SYMEFA.SYS [2010-01-20 310320]
R0 TfFsMon;TfFsMon; C:\Windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
R0 TfSysMon;TfSysMon; C:\Windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
R1 BHDrvx86;Symantec Heuristics Driver; C:\Windows\System32\Drivers\NAV\1008000.029\BHDrvx86.sys [2010-01-20 259632]
R1 ccHP;Symantec Hash Provider; C:\Windows\System32\Drivers\NAV\1008000.029\ccHPx86.sys [2010-07-15 482432]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2010-07-14 371248]
R1 IDSVix86;IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100805.004\IDSvix86.sys [2010-07-06 344112]
R1 pctgntdi;pctgntdi; \??\C:\Windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]
R1 SRTSP;Symantec Real Time Storage Protection; C:\Windows\System32\Drivers\NAV\1008000.029\SRTSP.SYS [2010-01-20 308272]
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\Windows\system32\drivers\NAV\1008000.029\SRTSPX.SYS [2010-01-20 43696]
R1 SymIM;Symantec Network Security Intermediate Filter Driver; C:\Windows\system32\DRIVERS\SymIMv.sys [2010-01-20 25648]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\Windows\System32\Drivers\NAV\1008000.029\SYMTDI.SYS [2010-01-20 217136]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-19 220672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-14 102448]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2009-05-18 26600]
R3 NAVENG;NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100808.003\NAVENG.SYS [2010-07-20 85424]
R3 NAVEX15;NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100808.003\NAVEX15.SYS [2010-07-20 1362608]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-04-14 7766464]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-05-06 326656]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2010-07-15 124976]
R3 SYMFW;Symantec Network Filter Driver; C:\Windows\System32\Drivers\NAV\1008000.029\SYMFW.SYS [2010-01-20 89904]
R3 SYMNDISV;Symantec Network Filter Driver; C:\Windows\System32\Drivers\NAV\1008000.029\SYMNDISV.SYS [2010-01-20 48688]
R3 VST_DPV;VST_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2; C:\Windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MHNDRV;MHN driver; C:\Windows\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 pctplsg;pctplsg; \??\C:\Windows\System32\drivers\pctplsg.sys [2010-04-08 63360]
S3 SYMDNS;SYMDNS; \??\C:\Windows\system32\drivers\NAV\1002000.007\SYMDNS.SYS []
S3 SYMREDRV;SYMREDRV; \??\C:\Windows\system32\drivers\NAV\1002000.007\SYMREDRV.SYS []
S3 TfNetMon;TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-04-16 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-04-08 345376]
R2 Browser Defender Update Service;Browser Defender Update Service; C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-07-19 198608]
R2 dlcx_device;dlcx_device; C:\Windows\system32\dlcxcoms.exe [2006-11-03 537480]
R2 Norton AntiVirus;Norton AntiVirus; C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2010-01-20 117640]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-04-14 207392]
R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2007-05-06 94208]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-04-28 545576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate1ca6bd597e4aa80;Google Update Service (gupdate1ca6bd597e4aa80); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-11-22 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-28 183280]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2009-03-05 16680]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-01-19 21504]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2010-03-15 1142224]
S3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2010-02-02 70928]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S4 TlntSvr;@%SystemRoot%\system32\tlntsvr.exe,-119; C:\Windows\System32\tlntsvr.exe [2009-04-11 71168]

-----------------EOF-----------------
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 3:21 pm

info.txt logfile of random's system information tool 1.08 2010-08-08 15:03:45

======Uninstall list======

360Share Pro(remove only)-->"C:\Program Files\360Share Pro\bt-uninst.exe"
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe Acrobat Reader 3.0-->C:\Windows\uninst.exe -fC:\Acrobat3\Reader\DeIsL1.isu
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
Apple Application Support-->MsiExec.exe /I{B2D328BE-45AD-4D92-96F9-2151490A203E}
Apple Mobile Device Support-->MsiExec.exe /I{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /X{8A253629-0511-4854-8B4E-46E57E66005C}
Browser Defender 3.0.0.11-->"C:\Program Files\Spyware Doctor\BDT\unins000.exe"
CDBurnerXP Pro 3-->MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell PC Fax-->C:\Program Files\Dell PC Fax\Install\x86\Uninst.exe /R:faxunst
Dell Photo AIO Printer 926-->C:\Program Files\Dell Photo AIO Printer 926\Install\x86\Uninst.exe
ESPNMotion-->C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
Fisher-Price® Ready for School Family Resource Center-->C:\Windows\uninst.exe -f"C:\Program Files\Fisher-Price\Family Resource Center\DeIsL1.isu"
Fisher-Price® Ready for School Kindergarten-->D:\setup.exe -funkinder.ins
GemMaster Mystic-->"C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Chrome-->"C:\Program Files\Google\Chrome\Application\5.0.375.125\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /X{F7B0939E-58DF-11DF-B3A6-005056806466}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_29ABD4AA06EBA92A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GoToAssist 8.0.0.514-->C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Photo Creations Meijer-->"C:\Program Files\HP Photo Creations Meijer\uninst.exe"
iPhone Configuration Utility-->MsiExec.exe /I{FA54AFB1-5745-4389-B8C1-9F7509672ED1}
iTunes-->MsiExec.exe /I{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kindergarten v1.0-->C:\Windows\IsUninst.exe -fC:\DLCS\KG\DeIsL1.isu
Lyra Jukebox Applications-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3374B4A6-5595-4667-882D-755ABE093806}\Setup.exe" -l0x9 -remove
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapQuest Toolbar for Internet Explorer-->"C:\Program Files\MapQuest Toolbar\uninstall.exe"
Microsoft .NET Framework 1.1 Security Update (KB979906)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MobileMe Control Panel-->MsiExec.exe /I{BA165460-FCF7-4D6C-A7A2-F2321700720F}
MSN Toolbar-->MsiExec.exe /I{94D16248-E39A-46A4-8CBD-0DAE9C7444B4}
My Fantasy Wedding-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3AC8DD1-A754-46D6-A777-6155D627D196}\setup.exe" -l0x9
Norton AntiVirus-->C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\562C4DD5\16.8.0.41\InstStub.exe /X
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Otto-->"C:\Program Files\EnglishOtto\uninstallotto.exe"
QuickTime-->MsiExec.exe /I{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
RealUpgrade 1.0-->MsiExec.exe /I{F4F4F84E-804F-4E9A-84D7-C34283F0088F}
Safari-->MsiExec.exe /I{AFAC914D-9E83-4A89-8ABE-427521C82CCF}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for 2007 Microsoft Office System (KB982312)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B0EC5722-241F-4CDA-83B4-AA5846B6F9F4}
Security Update for 2007 Microsoft Office System (KB982331)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {E8766951-2B6C-4022-86E8-80D2D1762B76}
Security Update for Microsoft Office Excel 2007 (KB982308)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C3F9A0DC-A5D1-4BB6-870E-2953E5A2487B}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office PowerPoint 2007 (KB982158)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB982135)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0112C750-A06F-4F92-9C40-E5C1EA9A70EB}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spyware Doctor 7.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: mark-cadb77fa37
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 299093
Source Name: Tcpip
Time Written: 20091129211117.773800-000
Event Type: Warning
User:

Computer Name: mark-cadb77fa37
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0019D106F861. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 299084
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091129205755.000000-000
Event Type: Warning
User:

Computer Name: mark-cadb77fa37
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0019D106F861. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 299069
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091129185902.000000-000
Event Type: Warning
User:

Computer Name: mark-cadb77fa37
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 299047
Source Name: Microsoft-Windows-Time-Service
Time Written: 20091129154114.000000-000
Event Type: Warning
User:

Computer Name: mark-cadb77fa37
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 299046
Source Name: Microsoft-Windows-Time-Service
Time Written: 20091129154112.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: mark-cadb77fa37
Event Code: 1030
Message: Product: Microsoft .NET Framework 1.1. The application tried to install a more recent version of the protected Windows file C:\Windows\Microsoft.NET\Framework\sbs_iehost.dll. You may need to update your operating system for this application to work correctly. (Package Version: 1.0.0.0, Operating System Protected Version: 1.0.0.0).
Record Number: 25
Source Name: MsiInstaller
Time Written: 20080501042225.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mark-cadb77fa37
Event Code: 1030
Message: Product: Microsoft .NET Framework 1.1. The application tried to install a more recent version of the protected Windows file C:\Windows\Microsoft.NET\Framework\sbs_diasymreader.dll. You may need to update your operating system for this application to work correctly. (Package Version: 1.0.0.0, Operating System Protected Version: 1.0.0.0).
Record Number: 24
Source Name: MsiInstaller
Time Written: 20080501042225.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mark-cadb77fa37
Event Code: 1534
Message: Profile notification of event Delete for component {D63AA156-D534-4BAC-9BF1-55359CF5EC30} failed, error code is -2147024893.


Record Number: 13
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080501042203.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mark-cadb77fa37
Event Code: 1534
Message: Profile notification of event Delete for component {DE3F3560-3032-41B4-B6CF-F703B1B95640} failed, error code is -2147023838.


Record Number: 12
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080501042203.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mark-cadb77fa37
Event Code: 2
Message: Unable to remove Windows Search Service indexed data for user 'MARK-CADB77FA37\Administrator' in response to user profile deletion. Error code 0x80070422.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.
Record Number: 11
Source Name: Microsoft-Windows-Search-ProfileNotify
Time Written: 20080501042203.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: mark-cadb77fa37
Event Code: 4616
Message: The system time was changed.

Subject:
Security ID: S-1-5-18
Account Name: MARK-CADB77FA37$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Process Information:
Process ID: 0x388
Name: C:\Windows\System32\oobe\msoobe.exe

Previous Time: 12:47:29 AM 5/1/2008
New Time: 9:47:29 PM 4/30/2008

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080501014729.323600-000
Event Type: Audit Success
User:

Computer Name: mark-cadb77fa37
Event Code: 1108
Message: The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
Record Number: 4
Source Name: Microsoft-Windows-Eventlog
Time Written: 20080501043138.430600-000
Event Type: Audit Success
User:

Computer Name: mark-cadb77fa37
Event Code: 1100
Message: The event logging service has shut down.
Record Number: 3
Source Name: Microsoft-Windows-Eventlog
Time Written: 20080501043138.087779-000
Event Type: Audit Success
User:

Computer Name: mark-cadb77fa37
Event Code: 1100
Message: The event logging service has shut down.
Record Number: 2
Source Name: Microsoft-Windows-Eventlog
Time Written: 20080501042656.119949-000
Event Type: Audit Success
User:

Computer Name: mark-cadb77fa37
Event Code: 4647
Message: User initiated logoff:

Subject:
Security ID: S-1-5-21-2152478756-3922319563-605102323-500
Account Name: Administrator
Account Domain: 26L2233B2-11
Logon ID: 0x8496a

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20061102130954.400000-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0407
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 3:25 pm

I did restart Windows after running RSIT and gathering the logfiles again, just to see if the connection settings reset to using a proxy server, and they did not. Internet connection remained active. Not sure if that info helps, but I figured I would check just to be sure.
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby Dakeyras » August 8th, 2010, 5:12 pm

Hi. :)

NAV shows 707 more days of active subscription, with definition list updated yesterday.
OK.

Apparently LAN connection was set to use an unspecified proxy server, so while my router saw the box, the box didn't see the internet. Internet connection was reestablished, RSIT logs are re-run and will be in the following two posts.
Fair play.

I did restart Windows after running RSIT and gathering the logfiles again, just to see if the connection settings reset to using a proxy server, and they did not. Internet connection remained active. Not sure if that info helps, but I figured I would check just to be sure.
Thanks for the update.

Next:

Out of date Adobe and Java installations pose a security risk. They can be used by malware as a means to infect a computer and or re-infect. We will update both in due course.

The PC Tools related software is not particular effective at all in my humble opinion and being active in system memory will actually lesson overall online protection and may cause a conflict.

Now please go to Start >> Control Panel >> Programs and Features and remove the following (if present):

Adobe Reader 9.2
Browser Defender 3.0.0.11
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Spyware Doctor 7.0


To do so click once on each of the above and click on Uninstall/Change and follow the prompts.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Next:

Please download OTM to your Desktop.

  • Right-click OTM and select Run as Administrator to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
Code: Select all
:Processes

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pjpjscti"=-

:Files
C:\ProgramData\SPLE271.tmp
C:\ProgramData\avg9
C:\ProgramData\PC Tools
C:\Program Files\Spyware Doctor
C:\Program Files\Common Files\PC Tools
C:\Users\Mark Young\AppData\Local\swbjxyfqp\fdqvffktssd.ex

:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform a Quick Scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Reset Host File:

  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad:
Code: Select all
@Echo off
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
del %0
  • Go to File >> Save As
  • Save File name as "Dakeyras.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look similiar to this: Image

Now right-click on the desktop Dakeyras.bat and select Run as Administrator to run the batch file. It will self-delete when completed.

When completed the above, please post back the following:

  • Inform myself how the computer is running. Any problems encountered and or further symptoms?
  • OTM Log.
  • Malwarebytes Anti-Malware Log.
  • A new RSIT Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 10:06 pm

The computer is still running much better than when I first encountered it, which is to say it was crawling at first, but processing at seemingly normal speeds as soon as I got it to my house, as I may have mentioned previously. There are no new or newly noticed symptoms. One thing to note, the link provided for ERUNT in your last post, downloads a file that is being reported (I am assuming most likely a false-positive) as TR/Dropper.Gen by Avira AntiVir Personal, which I have running on my own computer, the details for Avira follow if you wish to evaluate this situation:
Product version 10.0.0.567 4/19/2010
Search engine 8.02.04.34 8/6/2010
Virus definition file 7.10.10.105 8/8/2010
Control Center 10.00.12.28 2/22/2010
Config Center 10.00.13.15 4/20/2010
Luke Filewalker 10.00.03.00 4/20/2010
AntiVir Guard 10.00.01.44 4/20/2010
Filter 10.00.02.02 2/16/2010
Scheduler 10.00.00.17 2/24/2010
Updater 10.00.00.29 4/20/2010

I did go to aumha.org and used the file search function and downloaded erunt-setup.exe, from there, which had a file path of http:__aumha.org_downloads_erunt-setup.exe instead of the http:__www.aumha.org_downloads_erunt-setup.exe that was posted, and the file downloaded without complaint from Avira. Again, I am assuming false positive but I decided not to take a chance. Anyhow, requested logs to follow.
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 10:13 pm

One other note, I meant to leave with the previous post, OTM crashed on the first run, I am not sure what point of the process it had reached, but Windows was completely frozen and a hard restart was necessary from task manager. I will post the small log file generated by the unsuccessful OTM run first, and follow that up with the subsequent successful run log file.

##Failed run:
Files moved on Reboot...
File C:\Windows\temp\JETCA11.tmp not found!

Registry entries deleted on Reboot...


##Successful run:
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pjpjscti not found.
========== FILES ==========
File/Folder C:\ProgramData\SPLE271.tmp not found.
File/Folder C:\ProgramData\avg9 not found.
File/Folder C:\ProgramData\PC Tools not found.
File/Folder C:\Program Files\Spyware Doctor not found.
File/Folder C:\Program Files\Common Files\PC Tools not found.
File/Folder C:\Users\Mark Young\AppData\Local\swbjxyfqp\fdqvffktssd.ex not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jacob Young
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Julie Young
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Marissa Young
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mark Young
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 3708345863 bytes

Total Files Cleaned = 3,537.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 08082010_204929

Files moved on Reboot...
File C:\Windows\temp\JETCABD.tmp not found!

Registry entries deleted on Reboot...
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 10:15 pm

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4408

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

8/8/2010 9:34:43 PM
mbam-log-2010-08-08 (21-34-43).txt

Scan type: Quick scan
Objects scanned: 163969
Time elapsed: 9 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 10:16 pm

Logfile of random's system information tool 1.08 (written by random/random)
Run by Mark Young at 2010-08-08 21:40:51
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 91 GB (60%) free of 153 GB
Total RAM: 1021 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:41:03 PM, on 8/8/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mark Young\Desktop\rsit.exe
C:\Program Files\trend micro\Mark Young.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
R3 - URLSearchHook: MapQuest Toolbar Search Class - {2731C719-B8C5-4282-993D-B5AD0E77531D} - C:\Program Files\MapQuest Toolbar\mqtb.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: MapQuest Toolbar Loader - {E34F0E11-AB79-487c-9773-36C594DFF5AA} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: MapQuest Toolbar - {57ABF0DD-577C-4ec6-855C-8DC29768C2B0} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &MapQuest Toolbar Search - C:\ProgramData\MapQuest Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_57E73FA0B01DF7F6.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca6bd597e4aa80) (gupdate1ca6bd597e4aa80) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

--
End of file - 7351 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2010-03-11 329312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL [2010-01-20 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-18 278128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-05-18 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll [2008-12-04 83800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E34F0E11-AB79-487c-9773-36C594DFF5AA}]
MapQuest Toolbar Loader - C:\Program Files\MapQuest Toolbar\mqtb.dll [2008-03-18 1267040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{57ABF0DD-577C-4ec6-855C-8DC29768C2B0} - MapQuest Toolbar - C:\Program Files\MapQuest Toolbar\mqtb.dll [2008-03-18 1267040]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll [2008-12-04 83800]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-18 278128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [2010-04-13 47392]
"DLCXCATS"=rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16 []
"FaxCenterServer"=C:\Program Files\Dell PC Fax\fm3032.exe [2006-11-03 312200]
"dlcxmon.exe"=C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe [2007-01-12 292336]
"MemoryCardManager"=C:\Program Files\Dell Photo AIO Printer 926\memcard.exe [2006-11-03 304008]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-04-14 13687328]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2009-04-14 92704]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2010-03-11 202256]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [2007-05-06 405504]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-04-28 142120]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-17 68856]

C:\Users\Mark Young\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"legalnoticecaption"=
"legalnoticetext"=
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 3 months======

2010-08-08 20:58:05 ----D---- C:\Users\Mark Young\AppData\Roaming\Malwarebytes
2010-08-08 20:07:48 ----D---- C:\_OTM
2010-08-08 20:00:25 ----D---- C:\Windows\ERDNT
2010-08-08 19:58:24 ----D---- C:\Program Files\ERUNT
2010-08-08 18:17:19 ----SHD---- C:\Config.Msi
2010-08-04 22:43:09 ----D---- C:\rsit
2010-08-03 12:15:47 ----A---- C:\Windows\system32\shell32.dll
2010-07-28 19:22:34 ----D---- C:\Program Files\Trend Micro
2010-07-28 19:03:04 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-07-28 19:03:01 ----D---- C:\ProgramData\Malwarebytes
2010-07-28 19:03:01 ----A---- C:\Windows\system32\drivers\mbam.sys
2010-07-28 19:03:00 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-28 18:54:23 ----ASH---- C:\hiberfil.sys
2010-07-28 18:46:27 ----A---- C:\Windows\ntbtlog.txt
2010-07-20 09:48:11 ----D---- C:\ProgramData\Sun
2010-07-17 15:34:32 ----A---- C:\Windows\BDTSupport.dll.old
2010-07-17 15:34:30 ----A---- C:\Windows\PCTBDCore.dll.old
2010-07-17 15:28:40 ----AD---- C:\ProgramData\TEMP
2010-07-15 10:54:34 ----D---- C:\ProgramData\Visan
2010-07-15 10:52:06 ----D---- C:\ProgramData\HP Photo Creations Meijer
2010-07-15 10:52:06 ----D---- C:\Program Files\HP Photo Creations Meijer
2010-07-14 17:48:03 ----RA---- C:\Windows\system32\drivers\SymIMV.sys
2010-07-14 17:47:53 ----D---- C:\Program Files\Symantec
2010-07-14 17:47:53 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-07-14 17:47:53 ----A---- C:\Windows\system32\drivers\SYMEVENT.SYS
2010-07-14 17:47:21 ----D---- C:\Windows\system32\drivers\NAV
2010-07-14 17:47:19 ----D---- C:\Program Files\Norton AntiVirus
2010-07-14 17:47:09 ----D---- C:\Program Files\NortonInstaller
2010-06-24 09:39:53 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2010-06-24 09:39:53 ----A---- C:\Windows\system32\PresentationHost.exe
2010-06-24 09:39:52 ----A---- C:\Windows\system32\netfxperf.dll
2010-06-24 09:39:52 ----A---- C:\Windows\system32\mscoree.dll
2010-06-24 09:39:52 ----A---- C:\Windows\system32\dfshim.dll
2010-06-23 21:41:44 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-06-23 21:41:44 ----A---- C:\Windows\system32\Apphlpdm.dll
2010-06-10 03:10:03 ----A---- C:\Windows\system32\asycfilt.dll
2010-06-10 03:10:02 ----A---- C:\Windows\system32\atmfd.dll
2010-06-10 03:10:01 ----A---- C:\Windows\system32\atmlib.dll
2010-06-10 03:09:50 ----A---- C:\Windows\system32\mshtml.dll
2010-06-10 03:09:49 ----A---- C:\Windows\system32\ieframe.dll
2010-06-10 03:09:48 ----A---- C:\Windows\system32\iertutil.dll
2010-06-10 03:09:47 ----A---- C:\Windows\system32\wininet.dll
2010-06-10 03:09:47 ----A---- C:\Windows\system32\urlmon.dll
2010-06-10 03:09:46 ----A---- C:\Windows\system32\occache.dll
2010-06-10 03:09:46 ----A---- C:\Windows\system32\mstime.dll
2010-06-10 03:09:46 ----A---- C:\Windows\system32\msfeeds.dll
2010-06-10 03:09:46 ----A---- C:\Windows\system32\iedkcs32.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\msfeedssync.exe
2010-06-10 03:09:45 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\jsproxy.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\ieUnatt.exe
2010-06-10 03:09:45 ----A---- C:\Windows\system32\ieui.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\iesysprep.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\iesetup.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\iernonce.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\iepeers.dll
2010-06-10 03:09:45 ----A---- C:\Windows\system32\ie4uinit.exe
2010-06-10 03:09:40 ----A---- C:\Windows\system32\win32k.sys
2010-05-25 21:12:45 ----A---- C:\Windows\system32\tzres.dll
2010-05-21 22:04:25 ----D---- C:\Program Files\Microsoft Silverlight
2010-05-12 03:03:26 ----D---- C:\22f02d5cdfbca0f853c381
2010-05-11 19:36:12 ----A---- C:\Windows\system32\inetcomm.dll

======List of files/folders modified in the last 3 months======

2010-08-08 21:40:46 ----D---- C:\Windows\Temp
2010-08-08 20:56:51 ----SD---- C:\Windows\Tasks
2010-08-08 20:53:02 ----A---- C:\Windows\SchedLgU.Txt
2010-08-08 20:12:43 ----D---- C:\Windows
2010-08-08 20:07:52 ----RD---- C:\Program Files
2010-08-08 20:07:52 ----HD---- C:\ProgramData
2010-08-08 19:59:55 ----D---- C:\Windows\Prefetch
2010-08-08 18:31:53 ----D---- C:\Program Files\Common Files
2010-08-08 18:29:43 ----D---- C:\Windows\system32\drivers
2010-08-08 18:28:15 ----SHD---- C:\Windows\Installer
2010-08-08 18:28:08 ----D---- C:\Program Files\Java
2010-08-08 18:28:08 ----D---- C:\Program Files\Common Files\Java
2010-08-08 18:27:55 ----D---- C:\Windows\System32
2010-08-08 18:26:58 ----SHD---- C:\System Volume Information
2010-08-08 18:17:31 ----D---- C:\ProgramData\Adobe
2010-08-08 15:06:15 ----D---- C:\Windows\inf
2010-08-08 15:06:15 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-08-08 14:51:00 ----D---- C:\ProgramData\Google Updater
2010-08-06 21:16:53 ----D---- C:\Windows\system32\LogFiles
2010-08-04 03:01:37 ----D---- C:\Windows\winsxs
2010-08-03 13:21:16 ----D---- C:\Windows\system32\Tasks
2010-08-03 11:52:33 ----D---- C:\Windows\system32\catroot
2010-07-30 19:55:13 ----D---- C:\Program Files\dl_Cats
2010-07-28 18:20:36 ----D---- C:\Users\Mark Young\AppData\Roaming\Apple Computer
2010-07-26 21:54:16 ----D---- C:\Windows\system32\catroot2
2010-07-20 19:04:01 ----D---- C:\Windows\system32\Msdtc
2010-07-20 19:03:52 ----D---- C:\Windows\system32\wbem
2010-07-20 19:03:09 ----D---- C:\Windows\system32\config
2010-07-20 19:02:06 ----D---- C:\Windows\system32\spool
2010-07-20 19:02:06 ----D---- C:\Windows\system32\restore
2010-07-20 19:02:06 ----D---- C:\Windows\system32\oobe
2010-07-20 19:02:06 ----D---- C:\Windows\system32\drivers\UMDF
2010-07-20 19:02:05 ----RSD---- C:\Windows\Media
2010-07-20 19:02:05 ----D---- C:\Windows\system32\drivers\etc
2010-07-20 19:02:05 ----D---- C:\Windows\system32\CodeIntegrity
2010-07-20 19:01:56 ----RSD---- C:\Windows\Fonts
2010-07-20 19:01:56 ----RSD---- C:\Windows\assembly
2010-07-20 19:01:45 ----RD---- C:\Users
2010-07-20 19:01:43 ----D---- C:\ProgramData\Microsoft Help
2010-07-20 19:01:38 ----D---- C:\Program Files\Microsoft Works
2010-07-20 19:01:32 ----D---- C:\Program Files\Abbyy FineReader 6.0 Sprint
2010-07-20 19:00:57 ----D---- C:\Windows\registration
2010-07-14 22:31:36 ----D---- C:\Program Files\Windows Mail
2010-07-14 17:49:34 ----D---- C:\ProgramData\Symantec
2010-07-14 17:48:24 ----D---- C:\ProgramData\Norton
2010-07-14 17:27:49 ----SD---- C:\Users\Mark Young\AppData\Roaming\Microsoft
2010-07-13 17:03:56 ----D---- C:\Windows\Logs
2010-07-02 15:39:05 ----A---- C:\Windows\system32\mrt.exe
2010-06-26 15:30:32 ----D---- C:\Windows\Microsoft.NET
2010-06-26 03:12:58 ----D---- C:\Windows\ehome
2010-06-26 03:03:08 ----D---- C:\Windows\system32\en-US
2010-06-26 03:03:03 ----D---- C:\Program Files\Microsoft.NET
2010-06-24 10:00:03 ----D---- C:\Windows\AppPatch
2010-06-11 03:29:27 ----D---- C:\Windows\system32\migration
2010-06-11 03:29:27 ----D---- C:\Program Files\Internet Explorer
2010-06-09 09:41:18 ----D---- C:\Program Files\Safari
2010-05-26 19:12:32 ----D---- C:\Windows\rescache
2010-05-21 22:04:43 ----SD---- C:\ProgramData\Microsoft
2010-05-20 15:44:52 ----D---- C:\Program Files\Google

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 iaStor;Intel RAID Controller; C:\Windows\system32\drivers\iastor.sys [2006-05-11 247808]
R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2005-05-12 20576]
R0 SymEFA;Symantec Extended File Attributes; C:\Windows\system32\drivers\NAV\1008000.029\SYMEFA.SYS [2010-01-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver; C:\Windows\System32\Drivers\NAV\1008000.029\BHDrvx86.sys [2010-01-20 259632]
R1 ccHP;Symantec Hash Provider; C:\Windows\System32\Drivers\NAV\1008000.029\ccHPx86.sys [2010-07-15 482432]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2010-07-14 371248]
R1 IDSVix86;IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100805.004\IDSvix86.sys [2010-07-06 344112]
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\Windows\system32\drivers\NAV\1008000.029\SRTSPX.SYS [2010-01-20 43696]
R1 SymIM;Symantec Network Security Intermediate Filter Driver; C:\Windows\system32\DRIVERS\SymIMv.sys [2010-01-20 25648]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\Windows\System32\Drivers\NAV\1008000.029\SYMTDI.SYS [2010-01-20 217136]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-19 220672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-14 102448]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2009-05-18 26600]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-04-14 7766464]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-05-06 326656]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2010-07-15 124976]
R3 SYMFW;Symantec Network Filter Driver; C:\Windows\System32\Drivers\NAV\1008000.029\SYMFW.SYS [2010-01-20 89904]
R3 SYMNDISV;Symantec Network Filter Driver; C:\Windows\System32\Drivers\NAV\1008000.029\SYMNDISV.SYS [2010-01-20 48688]
R3 VST_DPV;VST_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2; C:\Windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S0 TfFsMon;TfFsMon; C:\Windows\system32\drivers\TfFsMon.sys []
S0 TfSysMon;TfSysMon; C:\Windows\system32\drivers\TfSysMon.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MHNDRV;MHN driver; C:\Windows\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NAVENG;NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100808.003\NAVENG.SYS [2010-07-20 85424]
S3 NAVEX15;NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100808.003\NAVEX15.SYS [2010-07-20 1362608]
S3 SRTSP;Symantec Real Time Storage Protection; C:\Windows\System32\Drivers\NAV\1008000.029\SRTSP.SYS [2010-01-20 308272]
S3 SYMDNS;SYMDNS; \??\C:\Windows\system32\drivers\NAV\1002000.007\SYMDNS.SYS []
S3 SYMREDRV;SYMREDRV; \??\C:\Windows\system32\drivers\NAV\1002000.007\SYMREDRV.SYS []
S3 TfNetMon;TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-04-16 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-04-08 345376]
R2 dlcx_device;dlcx_device; C:\Windows\system32\dlcxcoms.exe [2006-11-03 537480]
R2 Norton AntiVirus;Norton AntiVirus; C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2010-01-20 117640]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-04-14 207392]
R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2007-05-06 94208]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-04-28 545576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate1ca6bd597e4aa80;Google Update Service (gupdate1ca6bd597e4aa80); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-11-22 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-28 183280]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2009-03-05 16680]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-01-19 21504]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S4 TlntSvr;@%SystemRoot%\system32\tlntsvr.exe,-119; C:\Windows\System32\tlntsvr.exe [2009-04-11 71168]

-----------------EOF-----------------
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 8th, 2010, 10:18 pm

info.txt logfile of random's system information tool 1.08 2010-08-08 21:41:07

======Uninstall list======

360Share Pro(remove only)-->"C:\Program Files\360Share Pro\bt-uninst.exe"
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe Acrobat Reader 3.0-->C:\Windows\uninst.exe -fC:\Acrobat3\Reader\DeIsL1.isu
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
Apple Application Support-->MsiExec.exe /I{B2D328BE-45AD-4D92-96F9-2151490A203E}
Apple Mobile Device Support-->MsiExec.exe /I{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /X{8A253629-0511-4854-8B4E-46E57E66005C}
CDBurnerXP Pro 3-->MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell PC Fax-->C:\Program Files\Dell PC Fax\Install\x86\Uninst.exe /R:faxunst
Dell Photo AIO Printer 926-->C:\Program Files\Dell Photo AIO Printer 926\Install\x86\Uninst.exe
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ESPNMotion-->C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
Fisher-Price® Ready for School Family Resource Center-->C:\Windows\uninst.exe -f"C:\Program Files\Fisher-Price\Family Resource Center\DeIsL1.isu"
Fisher-Price® Ready for School Kindergarten-->D:\setup.exe -funkinder.ins
GemMaster Mystic-->"C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Chrome-->"C:\Program Files\Google\Chrome\Application\5.0.375.125\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /X{F7B0939E-58DF-11DF-B3A6-005056806466}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_29ABD4AA06EBA92A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GoToAssist 8.0.0.514-->C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Photo Creations Meijer-->"C:\Program Files\HP Photo Creations Meijer\uninst.exe"
iPhone Configuration Utility-->MsiExec.exe /I{FA54AFB1-5745-4389-B8C1-9F7509672ED1}
iTunes-->MsiExec.exe /I{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}
Kindergarten v1.0-->C:\Windows\IsUninst.exe -fC:\DLCS\KG\DeIsL1.isu
Lyra Jukebox Applications-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3374B4A6-5595-4667-882D-755ABE093806}\Setup.exe" -l0x9 -remove
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapQuest Toolbar for Internet Explorer-->"C:\Program Files\MapQuest Toolbar\uninstall.exe"
Microsoft .NET Framework 1.1 Security Update (KB979906)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MobileMe Control Panel-->MsiExec.exe /I{BA165460-FCF7-4D6C-A7A2-F2321700720F}
MSN Toolbar-->MsiExec.exe /I{94D16248-E39A-46A4-8CBD-0DAE9C7444B4}
My Fantasy Wedding-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3AC8DD1-A754-46D6-A777-6155D627D196}\setup.exe" -l0x9
Norton AntiVirus-->C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\562C4DD5\16.8.0.41\InstStub.exe /X
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Otto-->"C:\Program Files\EnglishOtto\uninstallotto.exe"
QuickTime-->MsiExec.exe /I{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
RealUpgrade 1.0-->MsiExec.exe /I{F4F4F84E-804F-4E9A-84D7-C34283F0088F}
Safari-->MsiExec.exe /I{AFAC914D-9E83-4A89-8ABE-427521C82CCF}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for 2007 Microsoft Office System (KB982312)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B0EC5722-241F-4CDA-83B4-AA5846B6F9F4}
Security Update for 2007 Microsoft Office System (KB982331)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {E8766951-2B6C-4022-86E8-80D2D1762B76}
Security Update for Microsoft Office Excel 2007 (KB982308)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C3F9A0DC-A5D1-4BB6-870E-2953E5A2487B}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office PowerPoint 2007 (KB982158)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB982135)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0112C750-A06F-4F92-9C40-E5C1EA9A70EB}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe

======Hosts File======

127.0.0.1 localhost

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: mark-cadb77fa37
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB974455(Security Update) into Install Requested(Install Requested) state
Record Number: 299825
Source Name: Microsoft-Windows-Servicing
Time Written: 20091206145529.000000-000
Event Type: Warning
User: MARK-CADB77FA37\Jacob Young

Computer Name: mark-cadb77fa37
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB973874(Update) into Install Requested(Install Requested) state
Record Number: 299710
Source Name: Microsoft-Windows-Servicing
Time Written: 20091206145407.000000-000
Event Type: Warning
User: MARK-CADB77FA37\Jacob Young

Computer Name: mark-cadb77fa37
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB973874(Update) into Install Requested(Install Requested) state
Record Number: 299708
Source Name: Microsoft-Windows-Servicing
Time Written: 20091206145407.000000-000
Event Type: Warning
User: MARK-CADB77FA37\Jacob Young

Computer Name: mark-cadb77fa37
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB973874(Update) into Install Requested(Install Requested) state
Record Number: 299706
Source Name: Microsoft-Windows-Servicing
Time Written: 20091206145407.000000-000
Event Type: Warning
User: MARK-CADB77FA37\Jacob Young

Computer Name: mark-cadb77fa37
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB973874(Update) into Install Requested(Install Requested) state
Record Number: 299704
Source Name: Microsoft-Windows-Servicing
Time Written: 20091206145407.000000-000
Event Type: Warning
User: MARK-CADB77FA37\Jacob Young

=====Application event log=====

Computer Name: mark-cadb77fa37
Event Code: 1030
Message: Product: Microsoft .NET Framework 1.1. The application tried to install a more recent version of the protected Windows file C:\Windows\Microsoft.NET\Framework\sbs_iehost.dll. You may need to update your operating system for this application to work correctly. (Package Version: 1.0.0.0, Operating System Protected Version: 1.0.0.0).
Record Number: 25
Source Name: MsiInstaller
Time Written: 20080501042225.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mark-cadb77fa37
Event Code: 1030
Message: Product: Microsoft .NET Framework 1.1. The application tried to install a more recent version of the protected Windows file C:\Windows\Microsoft.NET\Framework\sbs_diasymreader.dll. You may need to update your operating system for this application to work correctly. (Package Version: 1.0.0.0, Operating System Protected Version: 1.0.0.0).
Record Number: 24
Source Name: MsiInstaller
Time Written: 20080501042225.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mark-cadb77fa37
Event Code: 1534
Message: Profile notification of event Delete for component {D63AA156-D534-4BAC-9BF1-55359CF5EC30} failed, error code is -2147024893.


Record Number: 13
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080501042203.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mark-cadb77fa37
Event Code: 1534
Message: Profile notification of event Delete for component {DE3F3560-3032-41B4-B6CF-F703B1B95640} failed, error code is -2147023838.


Record Number: 12
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080501042203.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: mark-cadb77fa37
Event Code: 2
Message: Unable to remove Windows Search Service indexed data for user 'MARK-CADB77FA37\Administrator' in response to user profile deletion. Error code 0x80070422.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.
Record Number: 11
Source Name: Microsoft-Windows-Search-ProfileNotify
Time Written: 20080501042203.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: mark-cadb77fa37
Event Code: 4616
Message: The system time was changed.

Subject:
Security ID: S-1-5-18
Account Name: MARK-CADB77FA37$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Process Information:
Process ID: 0x388
Name: C:\Windows\System32\oobe\msoobe.exe

Previous Time: 12:47:29 AM 5/1/2008
New Time: 9:47:29 PM 4/30/2008

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080501014729.323600-000
Event Type: Audit Success
User:

Computer Name: mark-cadb77fa37
Event Code: 1108
Message: The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
Record Number: 4
Source Name: Microsoft-Windows-Eventlog
Time Written: 20080501043138.430600-000
Event Type: Audit Success
User:

Computer Name: mark-cadb77fa37
Event Code: 1100
Message: The event logging service has shut down.
Record Number: 3
Source Name: Microsoft-Windows-Eventlog
Time Written: 20080501043138.087779-000
Event Type: Audit Success
User:

Computer Name: mark-cadb77fa37
Event Code: 1100
Message: The event logging service has shut down.
Record Number: 2
Source Name: Microsoft-Windows-Eventlog
Time Written: 20080501042656.119949-000
Event Type: Audit Success
User:

Computer Name: mark-cadb77fa37
Event Code: 4647
Message: User initiated logoff:

Subject:
Security ID: S-1-5-21-2152478756-3922319563-605102323-500
Account Name: Administrator
Account Domain: 26L2233B2-11
Logon ID: 0x8496a

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20061102130954.400000-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0407
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby Dakeyras » August 9th, 2010, 7:22 am

Hi. :)

With regard to what you have mentioned about the Erunt set up file that does indeed appear to be a false positive. I use Avira AntiVir Personal on this my main workhorse machine and downloaded the setup file and scanned(just a portion of the report as it is quite large):-
Start of the scan: 09 August 2010 11:21

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Owner\Desktop\erunt-setup.exe'


End of the scan: 09 August 2010 11:21
Used time: 00:00 Minute(s)

The scan has been done completely.

0 Scanned directories
2 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
2 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes
Out of interest I scanned the executable online also, results can be viewed here.

One other note, I meant to leave with the previous post, OTM crashed on the first run, I am not sure what point of the process it had reached, but Windows was completely frozen and a hard restart was necessary from task manager. I will post the small log file generated by the unsuccessful OTM run first, and follow that up with the subsequent successful run log file.

##Failed run:
Files moved on Reboot...
File C:\Windows\temp\JETCA11.tmp not found!

Registry entries deleted on Reboot...
OK and thank you for bringing this to my attention.

F-Secure Blacklight:

Please download Blacklight from here

or

Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Save it to C:\ with a name of fsbl.exe

  • Open an Elevated Command Prompt
    • Open the Start Menu.
    • In the white line (Start Search) area, type cmd
    • Press CTRL+SHIFT+ENTER.
    • Click on Continue in the UAC prompt
    • Type the following line onto the command prompt
      C:\fsbl.exe /expert
  • Hit Enter
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log.
  • Post the contents of that log as a reply to this topic.

Custom Batch File:

  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad:
Code: Select all
@Echo off
reg delete "HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\{A3BC75A2-1F87-4686-AA43-5347D756017C}" /f
reg delete "HKCR\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}" /f
cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
del %0
  • Go to File >> Save As
  • Save File name as "Dakeyras.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look similar to this: Image

Now right-click on the desktop Dakeyras.bat and select Run as Administrator to run the batch file. It will self-delete when completed.

A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file in your next reply.

  • How is the computer performing now? Any problems encountered and or any further symptoms?
  • BlackLight Log.
  • checkhd.txt.
  • A new RSIT Log. <-- I only require one log this time.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 9th, 2010, 10:55 pm

Two notes: First, the Blacklight log is apparently too large, I am splitting it into two posts due to this message. "The submitted form was invalid. Try submitting again.
Your message contains 1676881 characters. The maximum number of allowed characters is 100000."

Second the batch file did not run properly. The log file will be in the last post. I did run the batch twice, the second time I fixed what appeared to be a minor typo before I ran it, the closing curly brace in the Registry Key listed for the Current User. Both ways worked exactly the same unfortunately. Also, browsing with Regedit, I determined the HKLM key existed but the HKCU did not. I left the HKLM key untouched.
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby helpintoledo » August 9th, 2010, 10:59 pm

OK, apparently I misread the error message. The log is 168 times too big. Obviously a problem. Please advise.
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Unidentified malware on Admin user account

Unread postby Dakeyras » August 10th, 2010, 4:57 am

Hi. :)

Two notes: First, the Blacklight log is apparently too large, I am splitting it into two posts due to this message. "The submitted form was invalid. Try submitting again.
Your message contains 1676881 characters. The maximum number of allowed characters is 100000."
OK no problem we will try a alternative scan shortly.

Second the batch file did not run properly. The log file will be in the last post. I did run the batch twice, the second time I fixed what appeared to be a minor typo before I ran it, the closing curly brace in the Registry Key listed for the Current User. Both ways worked exactly the same unfortunately. Also, browsing with Regedit, I determined the HKLM key existed but the HKCU did not. I left the HKLM key untouched.
My apologies for omitting part of the parenthesis I have since rectified that in-case we do need to run the batch file again, do not however do so again unless I advice so, thank you.

OK, apparently I misread the error message. The log is 168 times too big. Obviously a problem. Please advise.
OK that in itself informs myself quite a lot and we can come back to this due course.

Next:

Please download ATF Cleaner to your desktop.

  • Right-click ATF-Cleaner.exe and select Run as Administrator to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Scan with GMER:

Please download GMER Rootkit Scanner from here.
  • Right-click the (randomly named).exe file and select Run as Administrator If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image

    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 46 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware