
HijackThis log. Need Help


Re: HijackThis log. Need Help

Post by Wingman » June 11th, 2010, 9:38 am

Hello forza

We're almost done... there are some programs that need to be updated, as they pose a security risk when out-of-date. Then we'll need to get rid of the files referenced in the online scans and some entries in the HJT log. Please stay with me, until we're finished. :)

Please do not make any changes to your system: do not add or remove any software, run any scans or "fix" programs and/or remove any files unless instructed to do so by me. Please read these instructions carefully before executing and then perform the steps, in the order given. If you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
    VISTA - W7 users: right-click on ERUNT from the menu, select "Run As Administrator", to run the process.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
Update Adobe Reader
Your version (8.1.0) of Adobe Reader is out-of-date. There are serious security issues with older versions of Adobe Reader.
I'm not asking you to update the Adobe Acrobat installation... this can be quite costly. I am going to insist that you update your Adobe Reader software.
Then use the Reader for viewing PDF files... you can use the Acrobat software for your other needs.

Please download the current version of Adobe Reader...Copyright © Adobe Systems Inc.
Please UNCHECK the box for the: Free McAfee Security Scan.
  1. Click the yellow "Download now"... button. If you don't already have Adobe DLM... you may receive a prompt...
  2. If prompted to install "Adobe DLM" This software is not a requirement to obtain the latest Adobe Reader software...so the choice is yours.
    The Adobe (DLM) Download Manager... allows you to "pick up where you left off", if your download process is interrupted. A good idea if you are using dial-up.
    If you choose to install Adobe DLM, it will start the download automatically. Adobe DLM software removal instructions available here...if wanted.
  3. If not using Adobe DLM...click on the highlighted "click here to download" text, to begin the Reader download.
    Save the file to your desktop.
    Uninstall OLD Adobe Reader
  4. Click on Start...then... Click the Start Search box on the Start Menu.
  5. Copy and paste control appwiz.cpl into the open text entry box.
      Depending on your current view setting ...
    • Double click on Programs and Features.
    • Under Programs, click on Uninstall a program.
  6. Locate the following program(s):
    Adobe Reader 8.1.0
  7. Select the program and click on Uninstall to uninstall it.
  8. When finished... Close the Control Panel window.
    Install NEW Adobe Reader
  9. Click on the Adobe Acrobat Reader (AdbeRdrxx_en_US.exe) icon, on your desktop... to install the new (free) version.
    The Adobe Reader download file name will be different, depending on the language or OS chosen. xx in the name = version numbers.
  10. The Adobe installer will check your system and begin the installation process. Use the default installation parameters.
  11. When the installation is complete... Close and re-open your Internet browser.
As an alternative to Adobe Reader, you could try the free (for personal use) Foxit-Reader. It's a smaller download and, when installed, uses fewer resources than Adobe Reader. Note: Let me know if interested in Foxit-Reader and I will provide safe download and installation instructions.

Step 3.
Java Update Needed!
Your Java is out of date. Java(TM) 6 Update 18
Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older versions of Java components and update:

Attention: Print these instructions or copy them. You will be closing your browser!!

DOWNLOAD UPDATED VERSION
  1. Get the latest version of Java Runtime Environment (JRE)... © Sun Microsystems, Inc.
  2. Look for "JDK 6 Update 20 (JDK or JRE)"
  3. Click the "Download JRE" button to the right.
  4. Select your Platform: "Windows"... then check "I agree to the (current update version) License Agreement.".
  5. Click Continue and the page will refresh.
  6. Locate the entry for Windows Offline Installation and click on the file name, save the file to your desktop.
    Dial-up users: You may want to check the "Windows Offline Installation" box and opt to use...
    "Download Selected with Sun Download Manager". The download can be restarted, in case it's interrupted.
<STOP> Do not install the new version of Java yet. We need to do some cleanup first!

REMOVE OLD JAVA VERSIONS
  1. Click on Start...then... Click the Start Search box on the Start Menu.
  2. Copy and paste control appwiz.cpl into the open text entry box.
      Depending on your current view setting ...
    • Double click on Programs and Features.
    • Under Programs, click on Uninstall a program.
  3. Locate the following program(s):
    Java(TM) 6 Update 18
  4. Select the program and click on Uninstall to uninstall it.
  5. Repeat steps 3 - 4 for each program in the list. When finished... Close the Control Panel window.
    Delete old Java Folder
    • Right click on the Start...button.
    • Using the Start Search box on the Start Menu.
    • Navigate to and find the following folder: if found, delete it.
      It's possible it may have been removed by the uninstall steps
      C:\Program Files\Java\ <==== delete this entire folder
    • When finished, exit Search.

INSTALL UPDATED VERSION
  1. Close all open applications (standard), especially your browser.
  2. From desktop... Right-click on jre-6u20-windows-i586.exe select "Run As Administrator" to install the newest version.
  3. Follow the on-screen directions...when installation is completed successfully, reboot your computer normally.
  4. Once the computer has been restarted, you can delete the "downloaded" installation file from your desktop.
OPTIONAL:
To prevent some unnecessary JAVA components from running when you boot your computer each time...
  1. Go to Control Panel... click on the JAVA icon.
  2. Press the Update tab... UNCHECK "Check for Updates Automatically". (You can check for updates manually.)
      Reply "Never Check" to the warning prompt.
  3. Now press the Advanced tab. Press the [+] to expand the "Miscellaneous" options.
  4. UNCHECK "Java Quick Starter".
  5. Press Apply and OK... then close the Java Control Panel. Close and exit Control Panel.

Step 4.
Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.
  1. Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... ONLY the "C:\RSIT\log.txt" will be reproduced and will be maximized.
  3. Please post ONLY the "log.txt", file contents in your next reply.

Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Adobe and Java Updated OK?
  3. New RSIT log.txt file contents.
  4. How is the computer behaving?
Thanks,
Wingman

Re: HijackThis log. Need Help

Post by forza » June 11th, 2010, 4:44 pm

1. No problems executing the instructions.

2. Adobe and Java Updated are OK.

3. New RSIT log.txt file contents.

Logfile of random's system information tool 1.07 (written by random/random)
Run by @k3yM at 2010-06-11 16:38:07
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 8 GB (12%) free of 71 GB
Total RAM: 2813 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:38:42 PM, on 6/11/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Users\@k3yM\Downloads\RSIT.exe
C:\Program Files\trend micro\@k3yM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: DYXPPQO - Unknown owner - C:\Users\@k3yM\AppData\Local\Temp\DYXPPQO.exe (file missing)
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: GMYZBU - Unknown owner - C:\Users\@k3yM\AppData\Local\Temp\GMYZBU.exe (file missing)
O23 - Service: HRU - Unknown owner - C:\Users\@k3yM\AppData\Local\Temp\HRU.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8011 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2506131056-3247040052-1697288011-1000Core1cac652556b953c.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mcapbho.dll [2007-11-26 324936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll [2009-11-11 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]
ShowBarObj Class - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll [2008-03-05 312880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-11-23 204048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2008-03-05 142896]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-11-23 204048]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
C:\Program Files\Acer\Acer Assist\launcher.exe [2007-11-19 1261568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcadeDeluxeAgent]
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe [2008-05-12 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
C:\Program Files\Athan\Athan.exe [2009-08-22 1114112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe [2008-04-26 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe [2008-05-12 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [2008-03-05 526896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe [2008-05-09 397312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\@k3yM\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-06 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
C:\Windows\KHALMNPR.EXE [2009-06-17 55824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [2008-06-05 821768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe [2008-05-12 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Windows\RtHDVCpl.exe [2008-05-19 6139904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-02-14 1033512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTTray.exe [2008-04-23 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
C:\PROGRA~1\Logitech\SetPoint\SetPoint.exe [2009-07-20 813584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-06-11 16:30:25 ----D---- C:\Program Files\Common Files\Java
2010-06-11 16:29:53 ----A---- C:\Windows\system32\javaws.exe
2010-06-11 16:29:53 ----A---- C:\Windows\system32\javaw.exe
2010-06-11 16:29:53 ----A---- C:\Windows\system32\java.exe
2010-06-11 16:29:53 ----A---- C:\Windows\system32\deployJava1.dll
2010-06-11 16:29:23 ----D---- C:\Program Files\Java
2010-06-11 15:27:18 ----D---- C:\Program Files\Adobe
2010-06-11 15:24:39 ----SHD---- C:\Config.Msi
2010-06-11 01:36:06 ----N---- C:\Windows\system32\MpSigStub.exe
2010-06-11 00:20:30 ----D---- C:\rsit
2010-06-10 13:20:09 ----D---- C:\Program Files\ESET
2010-06-09 13:56:44 ----A---- C:\ComboFix.txt
2010-06-09 13:56:04 ----SHD---- C:\$RECYCLE.BIN
2010-06-09 13:46:20 ----A---- C:\Windows\zip.exe
2010-06-09 13:46:20 ----A---- C:\Windows\SWSC.exe
2010-06-09 13:46:20 ----A---- C:\Windows\SWREG.exe
2010-06-09 13:46:20 ----A---- C:\Windows\sed.exe
2010-06-09 13:46:20 ----A---- C:\Windows\PEV.exe
2010-06-09 13:46:20 ----A---- C:\Windows\NIRCMD.exe
2010-06-09 13:46:20 ----A---- C:\Windows\MBR.exe
2010-06-09 13:46:20 ----A---- C:\Windows\grep.exe
2010-06-09 13:45:23 ----D---- C:\Qoobox
2010-06-09 13:45:03 ----A---- C:\Windows\SWXCACLS.exe
2010-06-04 17:09:40 ----D---- C:\Windows\ERDNT
2010-06-04 17:07:47 ----D---- C:\Program Files\ERUNT
2010-05-31 14:29:42 ----D---- C:\Program Files\Sports Interactive
2010-05-31 14:20:56 ----D---- C:\Program Files\DAEMON Tools Lite
2010-05-25 22:49:51 ----A---- C:\Windows\system32\tzres.dll
2010-05-16 22:16:13 ----A---- C:\ProgramData\xml49B8.tmp
2010-05-16 22:16:13 ----A---- C:\ProgramData\xml47F3.tmp
2010-05-16 22:16:07 ----A---- C:\ProgramData\xml2F44.tmp
2010-05-15 15:39:44 ----A---- C:\ProgramData\xml205E.tmp
2010-05-15 15:39:44 ----A---- C:\ProgramData\xml205D.tmp
2010-05-15 15:39:44 ----A---- C:\ProgramData\xml204D.tmp
2010-05-15 15:39:41 ----A---- C:\ProgramData\xml16BB.tmp
2010-05-15 15:38:19 ----D---- C:\Windows\system32\directx
2010-05-15 15:37:47 ----D---- C:\Program Files\SiSoftware

======List of files/folders modified in the last 1 months======

2010-06-11 16:38:22 ----D---- C:\Windows\Temp
2010-06-11 16:38:15 ----D---- C:\Program Files\Trend Micro
2010-06-11 16:34:14 ----D---- C:\Windows\Prefetch
2010-06-11 16:32:36 ----D---- C:\Windows
2010-06-11 16:30:26 ----SHD---- C:\Windows\Installer
2010-06-11 16:30:25 ----D---- C:\Program Files\Common Files
2010-06-11 16:29:53 ----D---- C:\Windows\System32
2010-06-11 16:29:23 ----RD---- C:\Program Files
2010-06-11 16:29:13 ----SHD---- C:\System Volume Information
2010-06-11 15:28:24 ----D---- C:\ProgramData\Adobe
2010-06-11 15:27:53 ----D---- C:\Program Files\Common Files\Adobe
2010-06-11 15:25:02 ----D---- C:\Windows\winsxs
2010-06-11 13:53:18 ----D---- C:\Windows\system32\catroot2
2010-06-11 13:53:18 ----D---- C:\Windows\system32\catroot
2010-06-10 13:20:10 ----SD---- C:\Windows\Downloaded Program Files
2010-06-09 13:54:30 ----A---- C:\Windows\system.ini
2010-06-09 13:50:44 ----D---- C:\Windows\system32\drivers
2010-06-09 13:50:44 ----D---- C:\Windows\AppPatch
2010-06-07 21:16:40 ----SD---- C:\ProgramData\Microsoft
2010-06-05 04:38:18 ----D---- C:\Windows\Minidump
2010-06-02 13:19:14 ----SD---- C:\Users\@k3yM\AppData\Roaming\Microsoft
2010-06-02 12:55:30 ----AD---- C:\ProgramData\TEMP
2010-06-01 22:56:17 ----D---- C:\Windows\inf
2010-06-01 22:56:17 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-05-31 15:09:52 ----D---- C:\Users\@k3yM\AppData\Roaming\Sports Interactive
2010-05-31 14:37:17 ----RSD---- C:\Windows\assembly
2010-05-31 14:20:34 ----D---- C:\ProgramData\DAEMON Tools Lite
2010-05-30 04:21:16 ----D---- C:\Windows\system32\WDI
2010-05-27 09:18:10 ----D---- C:\Windows\rescache
2010-05-26 03:02:42 ----D---- C:\Windows\system32\en-US
2010-05-16 22:16:40 ----D---- C:\ProgramData
2010-05-13 00:18:04 ----D---- C:\ProgramData\Microsoft Help
2010-05-12 03:13:08 ----D---- C:\Program Files\Windows Mail

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-11-11 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-05-09 61424]
R2 int15;int15; \??\C:\Windows\system32\drivers\int15.sys [2008-03-21 15392]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2008-05-05 12672]
R2 NTIPPKernel;NTIPPKernel; \??\C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-16 122368]
R2 PSDNServ;PSDNServ; C:\Windows\system32\DRIVERS\PSDNServ.sys [2008-03-05 16944]
R2 psdvdisk;PSDVdisk; C:\Windows\system32\DRIVERS\PSDVdisk.sys [2008-03-05 60464]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2008-05-05 8704]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-05-18 761856]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-04-09 210432]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-02 21264]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2008-05-05 980992]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2008-05-05 207872]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-05-19 2136920]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2009-06-17 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2009-06-17 37392]
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\Windows\System32\Drivers\LUsbFilt.Sys [2009-06-17 28560]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-11-11 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-11-11 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-11-11 40552]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2008-01-30 14848]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-05-18 7446656]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2008-05-06 14848]
R3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS [2008-05-06 62976]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-02-14 196784]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2008-05-05 661504]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
S3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-11 22528]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-20 92160]
S3 BthPort;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-11 507904]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-11 29696]
S3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2008-05-05 80424]
S3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2008-05-05 80936]
S3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2008-05-05 16168]
S3 catchme;catchme; \??\C:\Users\@k3yM\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-11-11 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-11 148992]
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\WNt500x86\Sandra.sys [2009-08-07 23112]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2010-05-08 691696]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 CLHNService;CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-16 81504]
R2 eDataSecurity Service;eDataSecurity Service; C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [2008-03-05 500784]
R2 ETService;Empowering Technology Service; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2010-02-11 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-11-11 144704]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2007-12-06 110592]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2007-11-26 23880]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-05-18 196608]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\Cyberlink\Shared files\RichVideo.exe [2007-01-08 272024]
R2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2008-05-05 386560]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-11-11 606736]
S3 DYXPPQO;DYXPPQO; C:\Users\@k3yM\AppData\Local\Temp\DYXPPQO.exe []
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 GMYZBU;GMYZBU; C:\Users\@k3yM\AppData\Local\Temp\GMYZBU.exe []
S3 HRU;HRU; C:\Users\@k3yM\AppData\Local\Temp\HRU.exe []
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-07-20 121360]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2010-01-25 365072]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe [2009-08-24 93336]

-----------------EOF-----------------
4. Like I said before, my computer is performing well. 8)
forza
Regular Member
 
Posts: 103
Joined: June 2nd, 2010, 1:05 pm
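The services section of the RSIT log above is what a helper reads first: its header explains the R/S state and 0-4 start-type codes, and entries such as DYXPPQO, GMYZBU and HRU stand out because their binaries sit in a user's Temp folder and carry no [date size] field. The following is an added example, not part of this thread or of RSIT, that parses lines in that format and flags those traits for review; the sample lines and the flag names are constructed here.

```python
"""Triage the services section of an RSIT log (added example; not part of the
thread or of RSIT itself).

Each line of that section has the shape
    <state><start> <name>;<description>; <path> [<yyyy-mm-dd> <size>]
where state is R/S and start type 0-4, exactly as the log's own header says.
The flags below are review hints, not verdicts: a legitimate scanner driver
left in Temp (the thread's catchme.sys) trips them just as the unknown
Temp executables do.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the lines in the log above.
SAMPLE_LOG = """\
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 McShield;McAfee Real-time Scanner; C:\\PROGRA~1\\McAfee\\VIRUSS~1\\mcshield.exe [2009-11-11 144704]
S3 DYXPPQO;DYXPPQO; C:\\Users\\@k3yM\\AppData\\Local\\Temp\\DYXPPQO.exe []
S3 FontCache;@%systemroot%\\system32\\FntCache.dll,-100; C:\\Windows\\system32\\svchost.exe [2008-01-20 21504]
S3 HRU;HRU; C:\\Users\\@k3yM\\AppData\\Local\\Temp\\HRU.exe []
S3 catchme;catchme; \\??\\C:\\Users\\@k3yM\\AppData\\Local\\Temp\\catchme.sys []

-----------------EOF-----------------
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<desc>[^;]*); "
    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\]\s*$"
)
# Per-user and system-wide temp locations; service binaries rarely belong there.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}


@dataclass
class ServiceEntry:
    state: str            # "R" running or "S" stopped
    start: str            # start type code, see START_TYPES
    name: str
    desc: str
    path: str
    date: Optional[str]   # None when the log shows an empty "[]"
    size: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for anything else in the log."""
    m = LINE_RE.match(line)
    if not m:
        return None
    meta = m.group("meta").split()
    date = meta[0] if len(meta) == 2 else None
    size = int(meta[1]) if len(meta) == 2 and meta[1].isdigit() else None
    return ServiceEntry(m.group("state"), m.group("start"), m.group("name"),
                        m.group("desc"), m.group("path"), date, size)


def flag_entry(e: ServiceEntry) -> ServiceEntry:
    """Attach review hints for the traits a responder looks at first."""
    path = e.path[4:] if e.path.startswith("\\??\\") else e.path  # strip NT object prefix
    if TEMP_DIR_RE.search(path):
        e.flags.append("binary in Temp directory")
    if e.date is None or e.size is None:
        e.flags.append("no file date/size (file missing or unreadable)")
    if e.desc.strip() == e.name.strip():
        e.flags.append("description is just the service name")
    return e


def parse_services(text: str) -> List[ServiceEntry]:
    """Extract and flag every entry of the '======List of services' section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        if raw.startswith("======List of services"):
            in_section = True
            continue
        if in_section and raw.startswith("======"):   # next section header
            break
        if in_section:
            e = parse_line(raw)
            if e is not None:
                entries.append(flag_entry(e))
    return entries


def suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries with at least one flag, in log order."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_services(SAMPLE_LOG)):
        print(f"{e.state}{e.start} ({START_TYPES[e.start]}) {e.name}: {e.path}")
        for f in e.flags:
            print("    -", f)
```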

Re: HijackThis log. Need Help

Unread postby Wingman » June 12th, 2010, 7:19 am

Hello forza
Good job getting the programs updated. :thumbup:
Let's take care of the bad files found by the previous scans, clean up some HJT entries... then run some final scans.


Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
    VISTA - W7 users: right-click on ERUNT from the menu, select "Run As Administrator", to run the process.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
OTM
  1. Please download OTM.exe...by Old Timer. Save it to your desktop.
  2. Right click on OTM.exe and select Run As Administrator to run it. If Windows UAC prompts, please allow it.
  3. Please copy and paste the text in the Code box below, into OTM (1).
    Please refer to the OTM screen image below, for reference.
    Warning: Do not type it out... errors could damage your machine.
    Code:
    :Processes
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "SunJavaUpdateSched"=-
    :Files
    C:\Users\@k3yM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\175c55de-445e2d3e
    D:\Documents and Settings\installer\BugdoctorSetup.exe 
    D:\Documents and Settings\installer\msoff\! INSTALLER !\G. Chinese Software and Translator Tools\Babylon Pro 6 R32+Add-Ons\babylon.pro.6.xx-patch.exe
    D:\Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\FlashGet v1.72\KEYGEN.EXE 
    C:\ACER\Preload\Command\AlaunchX\LaunchAlaunchX.exe 
    C:\Users\@k3yM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\32931bd7-210d3b54
    D:\Documents and Settings\installer\msoff\! INSTALLER !\D. Burning Tools\Alcohol 120% v1.9.6.3923\alcohol120 1_9_5_3823.exe 
    D:\Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\MIRC 6.17\mirc617.exe
    D:\Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\RaidenFTPD 2.4.2065\raidenftpd2.exe 
    D:\Documents and Settings\installer\msoff\! INSTALLER !\J. Multimedia Converter Tools\Magic DVD Ripper 4.1+ key\Magic DVD Ripper 4.1.exe 
    D:\Documents and Settings\installer\msoff\! INSTALLER !\K. Gaming and Virtual Tools\DAEMON Tools v4.03 X64\daemon403-x64.exe
    D:\Documents and Settings\installer\msoff\! INSTALLER !\K. Gaming and Virtual Tools\DAEMON Tools v4.03 X86\daemon403-x86.exe
    :Commands
    [EmptyTemp]
    [Start Explorer]


    Please refer to this image to use OTM.

    Image
  4. Click on MoveIt! (2)
  5. The end results of the processing will be in 2 places:
    • The Results window on the right side of the OTM screen.
    • A log (text) file created in "C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log"
  6. Copy all the text from the Results window... Open Notepad, paste the OTM results into the Notepad file, save it on your desktop.
  7. Click Exit (3) when done.
  8. Please paste the entire content from the OTM (Results) window (Notepad file) or the OTM log file, in your next reply.
NOTE: If your computer did not automatically reboot... please reboot it (normally) now!
Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.


Step 3.
Malwarebytes' Anti-Malware
  1. Please start MBAM (Malwarebytes' Anti-Malware) again.
  2. Press the Update tab... then press the Check for Updates... button. <<---Important!
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab...
  4. Select FULL SCAN this time... then press the Scan...button. This scan will take a while, so please be patient.
    When the scan finishes...
  5. Check all items except any items (if present) in the C:\System Volume Information folder... then click on Remove Selected.
  6. Let MBAM remove what it can... if there are files to be deleted on reboot... please reboot the machine so MBAM can finish the removal.
    If you rebooted, then you'll need to start MBAM again.
  7. Press the LOG... tab. Locate the most current log file.
    Please copy and paste the most recent log (from this new run) in your next reply.

Step 4.
Panda ActiveScan
Vista - W7 users: Close your browser, right-click on the IE icon on the Start Menu or Quick Launch and select "Run as Administrator".
Please go to Panda ActiveScan © Panda Security... to perform a free online scan.
You must use Internet Explorer as the scan requires ActiveX.
  1. Click on the Scan your PC now button.
    A new window will open.
  2. Make sure the "Full scan" scan type is CHECKED.
  3. Press the "Scan Now" button.
  4. You will be prompted to install an ActiveX module. Please allow it.
    If your browser blocks pop-ups, you may see a bar at the top of the window asking you to click, to allow ... please allow it.
    Panda Active scan will update itself... this may also be a pop-up...please allow also.
  5. Once the program is updated, it will begin to scan your computer. This will take a long time, so be patient, let it run.
  6. Once done, click on Export to:... save it to your Desktop.
  7. A file named "ActiveScan.txt" will be created on your desktop.
  8. Please copy and paste the contents of the ActiveScan.txt file in your next reply.

Step 5.
Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.
  1. Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"... will be reproduced (it will be maximized).
  3. Please post ONLY the "log.txt", file contents in your next reply.

Step 6.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. OTM scan output.
  3. MBAM scan results.
  4. Panda Active scan results.
  5. New RSIT log.txt contents.
  6. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: HijackThis log. Need Help

Unread postby forza » June 13th, 2010, 12:46 am

1. No problems executing the instructions.


2. OTM scan output.
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe Reader Speed Launcher deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe ARM deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched deleted successfully.
========== FILES ==========
C:\Users\@k3yM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\175c55de-445e2d3e moved successfully.
D:\Documents and Settings\installer\BugdoctorSetup.exe moved successfully.
D:\Documents and Settings\installer\msoff\! INSTALLER !\G. Chinese Software and Translator Tools\Babylon Pro 6 R32+Add-Ons\babylon.pro.6.xx-patch.exe moved successfully.
D:\Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\FlashGet v1.72\KEYGEN.EXE moved successfully.
C:\ACER\Preload\Command\AlaunchX\LaunchAlaunchX.exe moved successfully.
C:\Users\@k3yM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\32931bd7-210d3b54 moved successfully.
D:\Documents and Settings\installer\msoff\! INSTALLER !\D. Burning Tools\Alcohol 120% v1.9.6.3923\alcohol120 1_9_5_3823.exe moved successfully.
D:\Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\MIRC 6.17\mirc617.exe moved successfully.
D:\Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\RaidenFTPD 2.4.2065\raidenftpd2.exe moved successfully.
D:\Documents and Settings\installer\msoff\! INSTALLER !\J. Multimedia Converter Tools\Magic DVD Ripper 4.1+ key\Magic DVD Ripper 4.1.exe moved successfully.
D:\Documents and Settings\installer\msoff\! INSTALLER !\K. Gaming and Virtual Tools\DAEMON Tools v4.03 X64\daemon403-x64.exe moved successfully.
D:\Documents and Settings\installer\msoff\! INSTALLER !\K. Gaming and Virtual Tools\DAEMON Tools v4.03 X86\daemon403-x86.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: @k3yM
->Temp folder emptied: 296994 bytes
->Temporary Internet Files folder emptied: 11190109 bytes
->Java cache emptied: 56476994 bytes
->FireFox cache emptied: 36383156 bytes
->Flash cache emptied: 251092 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12616 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 100.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06122010_164818

Files moved on Reboot...
File C:\Windows\temp\mcmsc_3n7eaRrEj5yJhxk not found!
File C:\Windows\temp\mcmsc_d2rFZjwb9neYUPJ not found!
C:\Windows\temp\sqlite_Bt5iZ77xyxMK5pi moved successfully.
C:\Windows\temp\sqlite_ML9DEqGjJMXX0xJ moved successfully.

Registry entries deleted on Reboot...
3. MBAM scan results (no infection found)
Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4192

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

6/12/2010 7:42:04 PM
mbam-log-2010-06-12 (19-42-04).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 290748
Time elapsed: 2 hour(s), 44 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

4. Panda Active scan results.
;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-06-12 23:57:34
PROTECTIONS: 1
MALWARE: 35
SUSPECTS: 5
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@trafficmp[2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@casalemedia[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@atdmt[3].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@tradedoubler[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@247realmedia[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@247realmedia[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@tribalfusion[3].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@mediaplex[1].txt
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@linksynergy[2].txt
00147796 Cookie/Entrepreneur TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@entrepreneur[2].txt
00167744 Cookie/GoStats TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@gostats[2].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@azjmp[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@statcounter[2].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@counter.hitslink[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@burstnet[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@serving-sys[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@bs.serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@www.burstbeacon[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@server.iad.liveperson[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@advertising[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@statse.webtrendslive[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[3].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[7].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[8].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[5].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[6].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[4].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[9].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@overture[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[9].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[8].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[7].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[6].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[5].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[4].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[3].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@questionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@zedo[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@go[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\low\@k3ym@target[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@target[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@ads.addynamix[1].txt
01196325 Cookie/Enhance TrackingCookie No 0 Yes No c:\users\@k3ym\appdata\roaming\microsoft\windows\cookies\@k3ym@enhance[1].txt
03587590 Adware/Yassist Adware No 0 No No d:\documents and settings\installer\divxbundle.exe[²çç\y_toolbar.exe][²èç]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\_otm\movedfiles\06122010_164818\d_documents and settings\installer\msoff\! installer !\g. chinese software and translator tools\babylon pro 6 r32+add-ons\babylon.pro.6.xx-patch.exe
No c:\_otm\movedfiles\06122010_164818\d_documents and settings\installer\msoff\! installer !\i. internet tools\flashget v1.72\keygen.exe
No c:\_otm\movedfiles\06122010_164818\d_documents and settings\installer\msoff\! installer !\k. gaming and virtual tools\daemon tools v4.03 x64\daemon403-x64.exe
No d:\documents and settings\installer\iphone\iphonevideoconverter.exe[install.dll]
No d:\documents and settings\installer\msoff\! installer !\k. gaming and virtual tools\winimage 6.1\keygen\keygen_winimage.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
5. New RSIT log.txt contents.
Logfile of random's system information tool 1.07 (written by random/random)
Run by @k3yM at 2010-06-13 00:41:34
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 6 GB (8%) free of 71 GB
Total RAM: 2813 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:42:21 AM, on 6/13/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Acer\Empowering Technology\NotificationCenter\Framework.NotificationCenter.exe
C:\Program Files\Electronic Arts\EADownloadManager\EACoreServer.exe
C:\Program Files\Electronic Arts\EADownloadManager\EADownloadManager\EADownloadManager.exe
C:\Users\@k3yM\Downloads\RSIT.exe
C:\Program Files\trend micro\@k3yM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: DYXPPQO - Unknown owner - C:\Users\@k3yM\AppData\Local\Temp\DYXPPQO.exe (file missing)
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: GMYZBU - Unknown owner - C:\Users\@k3yM\AppData\Local\Temp\GMYZBU.exe (file missing)
O23 - Service: HRU - Unknown owner - C:\Users\@k3yM\AppData\Local\Temp\HRU.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7910 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2506131056-3247040052-1697288011-1000Core1cac652556b953c.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mcapbho.dll [2007-11-26 324936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll [2009-11-11 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]
ShowBarObj Class - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll [2008-03-05 312880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-11-23 204048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2008-03-05 142896]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-11-23 204048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
C:\Program Files\Acer\Acer Assist\launcher.exe [2007-11-19 1261568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcadeDeluxeAgent]
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe [2008-05-12 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
C:\Program Files\Athan\Athan.exe [2009-08-22 1114112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe [2008-04-26 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe [2008-05-12 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [2008-03-05 526896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe [2008-05-09 397312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\@k3yM\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-06 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
C:\Windows\KHALMNPR.EXE [2009-06-17 55824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [2008-06-05 821768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe [2008-05-12 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Windows\RtHDVCpl.exe [2008-05-19 6139904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-02-14 1033512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTTray.exe [2008-04-23 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
C:\PROGRA~1\Logitech\SetPoint\SetPoint.exe [2009-07-20 813584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-06-12 19:47:29 ----D---- C:\Program Files\Panda Security
2010-06-12 16:48:18 ----D---- C:\_OTM
2010-06-11 16:30:25 ----D---- C:\Program Files\Common Files\Java
2010-06-11 16:29:53 ----A---- C:\Windows\system32\javaws.exe
2010-06-11 16:29:53 ----A---- C:\Windows\system32\javaw.exe
2010-06-11 16:29:53 ----A---- C:\Windows\system32\java.exe
2010-06-11 16:29:53 ----A---- C:\Windows\system32\deployJava1.dll
2010-06-11 16:29:23 ----D---- C:\Program Files\Java
2010-06-11 15:27:18 ----D---- C:\Program Files\Adobe
2010-06-11 15:24:39 ----SHD---- C:\Config.Msi
2010-06-11 13:56:12 ----A---- C:\Windows\system32\asycfilt.dll
2010-06-11 13:55:58 ----A---- C:\Windows\system32\atmfd.dll
2010-06-11 13:55:57 ----A---- C:\Windows\system32\atmlib.dll
2010-06-11 13:55:38 ----A---- C:\Windows\system32\wininet.dll
2010-06-11 13:55:38 ----A---- C:\Windows\system32\urlmon.dll
2010-06-11 13:55:38 ----A---- C:\Windows\system32\mshtml.dll
2010-06-11 13:55:36 ----A---- C:\Windows\system32\ieui.dll
2010-06-11 13:55:36 ----A---- C:\Windows\system32\ieframe.dll
2010-06-11 13:55:35 ----A---- C:\Windows\system32\mshtmled.dll
2010-06-11 13:55:35 ----A---- C:\Windows\system32\iepeers.dll
2010-06-11 13:55:35 ----A---- C:\Windows\system32\ieencode.dll
2010-06-11 13:55:35 ----A---- C:\Windows\system32\ieapfltr.dll
2010-06-11 01:36:06 ----N---- C:\Windows\system32\MpSigStub.exe
2010-06-11 00:20:30 ----D---- C:\rsit
2010-06-10 13:20:09 ----D---- C:\Program Files\ESET
2010-06-09 13:56:44 ----A---- C:\ComboFix.txt
2010-06-09 13:56:04 ----SHD---- C:\$RECYCLE.BIN
2010-06-09 13:46:20 ----A---- C:\Windows\zip.exe
2010-06-09 13:46:20 ----A---- C:\Windows\SWSC.exe
2010-06-09 13:46:20 ----A---- C:\Windows\SWREG.exe
2010-06-09 13:46:20 ----A---- C:\Windows\sed.exe
2010-06-09 13:46:20 ----A---- C:\Windows\PEV.exe
2010-06-09 13:46:20 ----A---- C:\Windows\NIRCMD.exe
2010-06-09 13:46:20 ----A---- C:\Windows\MBR.exe
2010-06-09 13:46:20 ----A---- C:\Windows\grep.exe
2010-06-09 13:45:23 ----D---- C:\Qoobox
2010-06-09 13:45:03 ----A---- C:\Windows\SWXCACLS.exe
2010-06-04 17:09:40 ----D---- C:\Windows\ERDNT
2010-06-04 17:07:47 ----D---- C:\Program Files\ERUNT
2010-05-31 14:29:42 ----D---- C:\Program Files\Sports Interactive
2010-05-31 14:20:56 ----D---- C:\Program Files\DAEMON Tools Lite
2010-05-25 22:49:51 ----A---- C:\Windows\system32\tzres.dll
2010-05-16 22:16:13 ----A---- C:\ProgramData\xml49B8.tmp
2010-05-16 22:16:13 ----A---- C:\ProgramData\xml47F3.tmp
2010-05-16 22:16:07 ----A---- C:\ProgramData\xml2F44.tmp
2010-05-15 15:39:44 ----A---- C:\ProgramData\xml205E.tmp
2010-05-15 15:39:44 ----A---- C:\ProgramData\xml205D.tmp
2010-05-15 15:39:44 ----A---- C:\ProgramData\xml204D.tmp
2010-05-15 15:39:41 ----A---- C:\ProgramData\xml16BB.tmp
2010-05-15 15:38:19 ----D---- C:\Windows\system32\directx
2010-05-15 15:37:47 ----D---- C:\Program Files\SiSoftware

======List of files/folders modified in the last 1 months======

2010-06-13 00:41:52 ----D---- C:\Windows\Temp
2010-06-13 00:41:45 ----D---- C:\Program Files\Trend Micro
2010-06-13 00:36:08 ----SHD---- C:\System Volume Information
2010-06-12 19:52:07 ----D---- C:\Windows\system32\drivers
2010-06-12 19:47:56 ----D---- C:\Windows\Prefetch
2010-06-12 19:47:29 ----RD---- C:\Program Files
2010-06-12 19:47:21 ----SD---- C:\Windows\Downloaded Program Files
2010-06-12 14:26:44 ----D---- C:\Windows\Microsoft.NET
2010-06-12 14:26:36 ----RSD---- C:\Windows\assembly
2010-06-12 14:25:13 ----D---- C:\Windows\winsxs
2010-06-12 14:15:08 ----D---- C:\Windows
2010-06-12 14:15:00 ----D---- C:\Windows\system32\catroot
2010-06-12 03:32:08 ----D---- C:\Windows\System32
2010-06-12 03:32:04 ----D---- C:\Program Files\Windows Mail
2010-06-12 03:09:47 ----SHD---- C:\Windows\Installer
2010-06-12 03:02:18 ----D---- C:\Windows\system32\wbem
2010-06-11 17:03:58 ----AD---- C:\ProgramData\TEMP
2010-06-11 16:30:25 ----D---- C:\Program Files\Common Files
2010-06-11 15:28:24 ----D---- C:\ProgramData\Adobe
2010-06-11 15:27:53 ----D---- C:\Program Files\Common Files\Adobe
2010-06-11 13:53:18 ----D---- C:\Windows\system32\catroot2
2010-06-09 13:54:30 ----A---- C:\Windows\system.ini
2010-06-09 13:50:44 ----D---- C:\Windows\AppPatch
2010-06-07 21:16:40 ----SD---- C:\ProgramData\Microsoft
2010-06-05 04:38:18 ----D---- C:\Windows\Minidump
2010-06-02 13:19:14 ----SD---- C:\Users\@k3yM\AppData\Roaming\Microsoft
2010-06-01 22:56:17 ----D---- C:\Windows\inf
2010-06-01 22:56:17 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-05-31 15:09:52 ----D---- C:\Users\@k3yM\AppData\Roaming\Sports Interactive
2010-05-31 14:20:34 ----D---- C:\ProgramData\DAEMON Tools Lite
2010-05-30 04:21:16 ----D---- C:\Windows\system32\WDI
2010-05-28 15:37:34 ----A---- C:\Windows\system32\mrt.exe
2010-05-27 09:18:10 ----D---- C:\Windows\rescache
2010-05-26 03:02:42 ----D---- C:\Windows\system32\en-US
2010-05-16 22:16:40 ----D---- C:\ProgramData

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-11-11 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-05-09 61424]
R2 int15;int15; \??\C:\Windows\system32\drivers\int15.sys [2008-03-21 15392]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2008-05-05 12672]
R2 NTIPPKernel;NTIPPKernel; \??\C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-16 122368]
R2 PSDNServ;PSDNServ; C:\Windows\system32\DRIVERS\PSDNServ.sys [2008-03-05 16944]
R2 psdvdisk;PSDVdisk; C:\Windows\system32\DRIVERS\PSDVdisk.sys [2008-03-05 60464]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2008-05-05 8704]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-05-18 761856]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-04-09 210432]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-02 21264]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2008-05-05 980992]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2008-05-05 207872]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-05-19 2136920]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2009-06-17 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2009-06-17 37392]
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\Windows\System32\Drivers\LUsbFilt.Sys [2009-06-17 28560]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-11-11 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-11-11 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-11-11 40552]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2008-01-30 14848]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-05-18 7446656]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2008-05-06 14848]
R3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS [2008-05-06 62976]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-02-14 196784]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2008-05-05 661504]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
S3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-11 22528]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-20 92160]
S3 BthPort;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-11 507904]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-11 29696]
S3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2008-05-05 80424]
S3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2008-05-05 80936]
S3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2008-05-05 16168]
S3 catchme;catchme; \??\C:\Users\@k3yM\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-11-11 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-11 148992]
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\WNt500x86\Sandra.sys [2009-08-07 23112]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2010-05-08 691696]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 CLHNService;CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-16 81504]
R2 eDataSecurity Service;eDataSecurity Service; C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [2008-03-05 500784]
R2 ETService;Empowering Technology Service; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2010-02-11 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-11-11 144704]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2007-12-06 110592]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2007-11-26 23880]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-05-18 196608]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\Cyberlink\Shared files\RichVideo.exe [2007-01-08 272024]
R2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2008-05-05 386560]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-11-11 606736]
S3 DYXPPQO;DYXPPQO; C:\Users\@k3yM\AppData\Local\Temp\DYXPPQO.exe []
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 GMYZBU;GMYZBU; C:\Users\@k3yM\AppData\Local\Temp\GMYZBU.exe []
S3 HRU;HRU; C:\Users\@k3yM\AppData\Local\Temp\HRU.exe []
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-07-20 121360]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2010-01-25 365072]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe [2009-08-24 93336]

-----------------EOF-----------------

6. My computer is performing well.
forza
Regular Member
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: HijackThis log. Need Help

Unread postby Wingman » June 13th, 2010, 10:18 am

Hello forza
Good job getting the programs updated. :thumbup:
Let's take care of the bad files found by the previous scans, clean up some HJT entries... then run some final scans.


Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
    VISTA - W7 users: right-click on ERUNT from the menu, select "Run As Administrator", to run the process.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the "Registry backup is complete!" pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
CKScanner
Please download CKScanner ... Save it to your desktop.
Make sure that CKScanner.exe is on your desktop before running the application!
  1. Double-click on the CKScanner.exe icon... then click the Search For Files button.
    If using Vista, you must right click the (CKScanner.exe) icon and choose "Run As Administrator", then click the "Search For Files" button.
  2. When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
    A text file will be created on your desktop named "ckfiles.txt"
  3. Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
  4. Please copy/paste the contents of ckfiles.txt in your next reply.

Step 3.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. ckfiles.txt file contents.
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: HijackThis log. Need Help

Unread postby forza » June 13th, 2010, 4:25 pm

1. No problem executing the instructions.

2. CKScanner - Additional Security Risks - These are not necessarily bad
c:\_otm\movedfiles\06122010_164818\d_documents and settings\installer\msoff\! installer !\i. internet tools\flashget v1.72\keygen.exe
scanner sequence 3.NA.11
----- EOF -----



One thing I noticed is that the free space on my C: has decreased by about 1GB. This always happened to my computer, even before I joined this forum. Is there any particular attention I should pay to this issue?
forza
Regular Member
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: HijackThis log. Need Help

Unread postby Wingman » June 14th, 2010, 8:27 am

Hello forza

As far as the decrease in free space... this can be caused by the creation of System Restore points, by accumulation of temporary Internet files, etc...
You can use the CCleaner application, below, that can take care of cleaning up leftover files from running applications and from your Internet sessions.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
    VISTA - W7 users: right-click on ERUNT from the menu, select "Run As Administrator", to run the process.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

IMPORTANT NOTE: Your scan log results indicate the presence of keygens/crack tools.

The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.
trendmicro.com/vinfo

...warez and crack web pages are being used by cyber criminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...
Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.
University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.
Bad Web Sites: Malware

When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

I strongly recommend that you remove all such programs to reduce the risk of infection and keep your system clean. Using these programs or the websites you visited to get them is very likely how your computer got infected!!


Step 2.
CCleaner
Please download CCleaner ... © Piriform Ltd. (slim version) and save it to your desktop. CCleaner documentation can be found here...if needed.
To Install CCleaner:
  1. Click the ccsetup???_slim.exe...icon on your desktop. (??? = version #'s)
  2. Press the "Run"...(Security prompt). Select a language...Press "OK" ...button.
  3. Click "Next"...(Welcome screen). Click "I Agree"...(License Agreement).
  4. Click "Next" for default install location.
    The default is set to C:\Program Files\CCleaner. Unless you want it installed elsewhere, just leave it.
  5. Check the "Install Options", you want.
  6. Click "Install". Click "Finish" when prompted.

To Run CCleaner:
  1. Click CCleaner desktop icon or Start Menu item...(depending on install options)
  2. Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
  3. A pop up box will appear advising this process will permanently delete files from your system.
  4. Select the items to clean up.
      In the Windows Tab:
    • Clean all entries in the "Internet Explorer".
      Note: "Cookies"...box. If checked will require re-entry of user names, passwords on "next" visit to sites that require users log in.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section...except "Start Menu Shortcuts" and "Desktop Shortcuts" uncheck these 2 items.
    • *Uncheck* the "Advanced" section.

      In the Applications Tab:
    • Clean all in the "Firefox/Mozilla" section. (if you use it)
      Firefox Caution: "Saved Form Information"...box. If checked will remove all your saved passwords, if you use that feature.
    • Clean all in the "Opera" section. (if you use it)
    • Clean all in the "Applications" section.
    • Clean all in the "Internet" Section.
    • Clean all in the "Multimedia" section. (if you use them)
    • Clean all in the "Utilities" section. (if you use them)
    • Clean all in the "Windows" section.
  5. Then click the "Run Cleaner" button and it will scan and clean your system.
  6. Close CCleaner when finished.
FYI...You may see some files "marked" for deletion when Windows restarts...this is because they are "in use" by the system and can't be removed until restart.
CAUTION: Please do NOT use the "Issues" button in the left pane.
This is a built-in registry cleaner. Removing certain entries can render your computer inoperable!

Step 3.
ESET NOD32 Online Scan
Please note change in instructions...
Vista - W7 users: You will need to right-click on the IE or FF icons on the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
Note: If using Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted... then double click on it to install.

Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Please go to ESET Online Scanner - © ESET All Rights Reserved... to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Press the "ESET Online Scanner" button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is CHECKED <-- change!
    • Leave the "default" settings under Advanced as they are; if not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  5. Click "Start"... ESET scanner will begin to download the virus signatures database.
    When the signatures have been downloaded, the scan will start automatically.
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.
Remember to enable your Anti-virus protection... before continuing!

Step 4.
Malwarebytes' Anti-Malware
  1. Please start MBAM (Malwarebytes' Anti-Malware) again.
  2. Press the Update tab.. then press the Check for Updates...button. <<---Important!
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab...
  4. Select FULL SCAN this time... then press the Scan...button. This scan will take a while, so please be patient.
    When the scan finishes...
  5. Check all items except any items (if present) in the C:\System Volume Information folder... then click on Remove Selected.
  6. Let MBAM remove what it can... if there are files to be deleted on reboot... please reboot the machine so MBAM can finish the removal.
    If you rebooted, then you'll need to start MBAM again.
  7. Press the LOG... tab. Locate the most current log file.
    Please copy and paste the most recent log (from this new run) in your next reply.

Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. ESET scan results.
  3. MBAM scan results.
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: HijackThis log. Need Help

Unread postby forza » June 14th, 2010, 11:31 pm

As for the cracking tools, keygens, warez or any pirated software, can you give me the list of software that needs to be uninstalled?




1. No problems executing the instructions.


2. ESET scan results.




ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=97fd995e3286ed4784a1a7cd0003f64e
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-10 06:51:00
# local_time=2010-06-10 02:51:00 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 410410 410410 0 0
# compatibility_mode=5121 16776893 100 96 6469881 28199372 0 0
# compatibility_mode=5892 16776574 100 95 19660593 112798220 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=174324
# found=4
# cleaned=0
# scan_time=5211
C:\Users\@k3yM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\175c55de-445e2d3e probably a variant of Java/TrojanDownloader.Agent.AB trojan 00000000000000000000000000000000 I
D:\Documents and Settings\installer\BugdoctorSetup.exe Win32/Adware.BugDoctor application 00000000000000000000000000000000 I
D:\Documents and Settings\installer\msoff\! INSTALLER !\G. Chinese Software and Translator Tools\Babylon Pro 6 R32+Add-Ons\babylon.pro.6.xx-patch.exe a variant of Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
D:\Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\FlashGet v1.72\KEYGEN.EXE probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=97fd995e3286ed4784a1a7cd0003f64e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-14 09:49:09
# local_time=2010-06-14 05:49:09 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776893 100 96 6825021 28554512 0 0
# compatibility_mode=5892 16776638 100 100 0 113153360 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=173210
# found=4
# cleaned=4
# scan_time=6361
C:\_OTM\MovedFiles\06122010_164818\C_Users\@k3yM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\175c55de-445e2d3e probably a variant of Java/TrojanDownloader.Agent.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles\06122010_164818\D_Documents and Settings\installer\BugdoctorSetup.exe Win32/Adware.BugDoctor application (deleted - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles\06122010_164818\D_Documents and Settings\installer\msoff\! INSTALLER !\G. Chinese Software and Translator Tools\Babylon Pro 6 R32+Add-Ons\babylon.pro.6.xx-patch.exe a variant of Win32/HackTool.Patcher.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles\06122010_164818\D_Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\FlashGet v1.72\KEYGEN.EXE probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C





3. MBAM scan results (no infection found)




Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4198

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

6/14/2010 11:28:23 PM
mbam-log-2010-06-14 (23-28-23).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 288624
Time elapsed: 2 hour(s), 18 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
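The ESET Online Scanner log posted above has a regular structure: "# key=value" header lines, a new block at each "# version=" line (one per scan run), then one line per detection ending in a 32-hex-digit hash and a status letter ("I" found and left in place, "C" cleaned). As an added example (not ESET's code), the parser below reads that format from a trimmed copy of the log (two detections per run, with the counters adjusted to match), splits it into runs, cross-checks the "# found=" and "# cleaned=" counters against the detection lines, and lists anything still unresolved after the latest run. The rule that the detection name begins at the first token containing "/" relies on "/" being invalid in Windows file names; it is this example's assumption, not a documented ESET format.

```python
"""Parse ESET Online Scanner log.txt output into structured records.

Added example, not ESET's code. Format as seen in the log above:
  # key=value                       header lines; "# version=" starts a run
  <path> <name> [(<action>)] <32 hex> <I|C>   one line per detection
Windows paths cannot contain "/", so the first token containing "/" is taken
as the start of the ESET detection name (e.g. Win32/Adware.BugDoctor).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "                        # drive path, may contain spaces
    r"(?P<name>(?:probably a variant of |a variant of )?"
    r"[A-Za-z0-9_]+/\S+ \w+)"                            # e.g. "Win32/Agent trojan"
    r"(?: \((?P<action>[^)]*)\))?"                       # e.g. "(deleted - quarantined)"
    r" (?P<hash>[0-9a-fA-F]{32}) (?P<flag>[A-Z])$"
)
HEADER = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")


@dataclass
class Detection:
    path: str
    name: str
    action: Optional[str]
    flag: str

    @property
    def cleaned(self) -> bool:
        return self.flag == "C"


@dataclass
class ScanRun:
    meta: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_eset_log(text: str) -> list:
    """Split the log into scan runs; installer preamble lines are ignored."""
    runs = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            if h["key"] == "version":            # each run starts with "# version="
                runs.append(ScanRun())
            if runs and h["key"] != "compatibility_mode":   # repeated, not needed here
                runs[-1].meta[h["key"]] = h["value"]
            continue
        d = DETECTION.match(line)
        if d and runs:
            runs[-1].detections.append(
                Detection(d["path"], d["name"], d["action"], d["flag"]))
    return runs


def check_counts(run: ScanRun) -> bool:
    """The '# found=' and '# cleaned=' counters must agree with the detection lines."""
    return (int(run.meta.get("found", -1)) == len(run.detections)
            and int(run.meta.get("cleaned", -1)) == sum(d.cleaned for d in run.detections))


def unresolved(runs: list) -> list:
    """Detections in the latest run that were found but not cleaned."""
    if not runs:
        return []
    return [d for d in runs[-1].detections if not d.cleaned]


# Trimmed copy of the log above (two detections per run, counters adjusted).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# utc_time=2010-06-10 06:51:00
# compatibility_mode=512 16777215 100 0 410410 410410 0 0
# scanned=174324
# found=2
# cleaned=0
D:\Documents and Settings\installer\BugdoctorSetup.exe Win32/Adware.BugDoctor application 00000000000000000000000000000000 I
D:\Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\FlashGet v1.72\KEYGEN.EXE probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
# version=7
# remove_checked=true
# utc_time=2010-06-14 09:49:09
# scanned=173210
# found=2
# cleaned=2
C:\_OTM\MovedFiles\06122010_164818\D_Documents and Settings\installer\BugdoctorSetup.exe Win32/Adware.BugDoctor application (deleted - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles\06122010_164818\D_Documents and Settings\installer\msoff\! INSTALLER !\I. Internet Tools\FlashGet v1.72\KEYGEN.EXE probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    runs = parse_eset_log(SAMPLE_LOG)
    for i, run in enumerate(runs, 1):
        print(f"run {i} {run.meta.get('utc_time')}: found={run.meta.get('found')} "
              f"cleaned={run.meta.get('cleaned')} counters_ok={check_counts(run)}")
        for d in run.detections:
            print(f"  [{d.flag}] {d.name} -> {d.path}")
    print("unresolved after latest run:", len(unresolved(runs)))
```

The first run in the sample has "remove_checked=false" and leaves both items flagged "I"; the second, with removal enabled, reports both as "C", so `unresolved` returns nothing. A counter mismatch from `check_counts` would indicate a truncated or hand-edited log.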

Re: HijackThis log. Need Help

Unread postby Wingman » June 15th, 2010, 10:24 am

Hello forza

The programs referenced may not be installed any longer, I don't see them in the Uninstall list:
Flashget v1.72
Winimage 6.1

Even if these programs are not installed... the point in my mentioning using keygens is the risk involved in using these kinds of files. They are notoriously full of infections, some of which could steal personal information, bank account info, credit card information etc.
The other users of this computer need to be made aware of the dangers... not to mention the fact that bypassing product or activation codes for any software product is illegal.

How is the computer behaving now? Any problems?

Wingman

Re: HijackThis log. Need Help

Unread postby forza » June 15th, 2010, 11:35 am

I'm glad to hear that.

As for my computer, it is good enough for me. I'm satisfied with the progress that we have made since the first post.

Re: HijackThis log. Need Help

Unread postby Wingman » June 15th, 2010, 12:14 pm

Hello forza,

Your scans are coming back clean now... your computer now appears to be malware free! :) Let's perform some cleanup and I'll give some recommendations for keeping the computer more secure in the future.

Step 1.
ComboFix - Cleanup
Make sure ComboFix.exe is on your desktop! <<--- Important!
  1. Press the Windows Key + R or Click Start...select Run from the menu.
  2. Copy and paste the following into the text entry box:
    Combofix /Uninstall
  3. Click the OK button. (See image below as reference.)

Step 2.
OTC
Let's perform some housekeeping and cleanup some of the tools we used.
Please download OTC.exe... by OldTimer. Save it to your desktop.
  1. Right click on OTC.exe and select Run As Administrator.
  2. Click on Allow, then click on CleanUp!.
  3. Click "Yes" to the Begin cleanup process? prompt.
  4. Click "Yes" ... when prompted to reboot the computer to remove files.
    Your computer should restart automatically. If it doesn't, please do so manually.

Step 3.
Defogger
Enable Drivers
You should still have this program on your desktop, just ignore the download instructions, provided for convenience.
Please download DeFogger... by jpshortstuff. Save it to your desktop.
To enable your Emulation drivers again, only when instructed to do so by your helper.
  1. Double click DeFogger.exe to run the tool. The application window will appear.
    Vista - W7 users: Right-click on Defogger.exe and choose "Run As Administrator". If UAC prompted, allow it.
  2. Click the Re-enable button to re-enable your CD Emulation drivers.
  3. Click Yes to continue. A 'Finished!' message will appear. Click OK
  4. Click OK when DeFogger asks to reboot the machine.
Your Emulation drivers are now enabled.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Any remaining programs we downloaded for scans can be removed, as well as any associated reports.

Your ERUNT... this is a nice utility to use for creating backups of your registry... can be set up to create a backup each day, when you log on.

Create a System Restore Point
  1. Right-click on Computer ... select Properties.
  2. In the left pane under Tasks ... click System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  3. Select System Protection ...then choose Create.
  4. In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  5. Click OK ...then close the System Restore dialog.
    Now you have a clean restore point to use if you need to restore your system.
Perform Disk Cleanup
Note: You have to have administrative rights to run Disk Cleanup for "All" users.
  1. Click the Vista Start... button. Type disk in the Start Search text entry box.
  2. Double click the Disk Cleanup entry, from the matching program list.
  3. In the Disk Cleanup options...select "Files from all users on this computer"
    If the Disk Cleanup: Drive Selection dialog box appears:
    • Select the drive where Windows Vista is installed. (Normally, this would be C:\ drive)
    • Press the "OK"...button.
    Disk Cleanup will begin space saving calculations.
  4. When the calculations are finished... Press the More Options tab.
  5. In the "System Restore and Shadow Copies" section... select "Clean up" button.
  6. Press the "Delete"... button, at the "Are you sure..." prompt.
    Disk Cleanup will begin cleaning up old files and restore points.
  7. Exit Disk Cleanup.
    This will remove all restore points except the one you just created.

Please follow these simple guidelines in order to help keep your computer more secure:

Update your Antivirus programs and other programs regularly.
Secunia Personal Software Inspector - Copyright © Secunia. F-secure Health Check - Copyright © F-Secure Corporation.

Visit Microsoft often.
Keep on top of critical updates , as well as other updates for your computer.
Using Windows Update in Windows Vista
What is Windows Update?
Microsoft Update Home

Install additional (free) programs, that can help improve security.
Many feel that having a "layered" protection scheme is beneficial, you'll have to decide what works best for your situation.
Here are a few you can look into, if you want. :)

Malwarebytes' Anti-Malware
You already have this installed... continue using this on a regular basis, remember to check for updates before running scans.
Download it from Malwarebytes © Malwarebytes Corporation.
Tutorials are available for installing and running, Malwarebytes' Anti-Malware.
Powerful, easy to use and free. For real-time protection you will have to purchase the product.

SpywareBlaster
If you decide to use Internet Explorer 8 and are using the SmartScreen Filter, do not install. It can inhibit browser performance.
Download it from © Javacool Software LLC.
A SpywareBlaster knowledgebase can be found Here.

WinPatrol
Do not install if you have installed Spybot Search & Destroy and enabled Teatimer protection. System conflicts can occur.
Download it from Copyright © BillP Studios
Information about how WinPatrol works, is available Here
(The free version of WinPatrol... provides limited real-time protection)


Read - stay informed.
Please check out these articles:
Tony Klein's "How did I get infected in the first place?"
How to prevent Malware:© miekiemoes - Microsoft MVP - Consumer Security .

Please let me know that you completed the cleanup steps, the create/purge System Restore point steps and reviewed the rest of the post. Once I receive your reply, unless there are other malware questions or concerns, I will have this topic closed as resolved.

Stay Safe! ;)
Wingman

Re: HijackThis log. Need Help

Unread postby forza » June 15th, 2010, 3:58 pm

1. There is no Combofix.exe on my desktop. I'm not sure if I have uninstalled it. Is this a big concern?


OTC was successfully run.


DeFogger was also not on my desktop, so I downloaded it. Emulation Drivers was successfully re-enabled.



System Restore Point was successfully created. But I have not yet removed the applications that we used throughout this cleaning process. I will remove them later and create a new System Restore Point.
If I just install a new software, do I need to create a new System Restore Point?



Disk Cleanup was successfully performed.

Re: HijackThis log. Need Help

Unread postby Wingman » June 16th, 2010, 9:19 am

Hello forza,

Running the uninstall for ComboFix is not critical... although, when receiving help at this or any other forum, you should not add or remove any software unless your helper instructs you.

You should remove the remaining programs from your desktop that were used during the cleaning... these programs are not for everyday use and some, if used incorrectly, could cause problems with your computer. I strongly suggest these be removed/uninstalled.

If I just install a new software, do I need to create a new System Restore Point?
During some software installations, a new restore point is created automatically.
I would suggest creating a new restore point when installing new software... that way if there are problems after the installation, you can uninstall and restore back to before the installation. Creating a new restore point doesn't take that long and can make recovery much easier, if needed.

I would suggest performing the Disk Cleanup function on a regular (bi-weekly to monthly) basis, depending on the amount of changes taking place.

If you have no other malware concerns or issues, let me know you've seen this post, at which time I'll ask for it to be closed, as resolved.

Wingman

Re: HijackThis log. Need Help

Unread postby forza » June 16th, 2010, 12:33 pm

Alright then, Wingman. Thank you very much for your help.

Re: HijackThis log. Need Help

Unread postby Wingman » June 17th, 2010, 7:45 am

Glad we could help. :)