19th June 2008
#1
Inactive
Profile:
Join Date: Jun 2008
Posts: 22
Computer Experience: intermediate
other computer
this is my other computer
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:58 PM, on 6/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logon.scr
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: BhoApp Class - {BBEEBE4F-3EDA-40F4-A0AB-87593EE49C56} - C:\WINDOWS\system32\winview2.dll
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{819B69D9-01A4-4A97-826D-65239AE8C972}: NameServer = 4.2.2.1,67.138.54.100
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 6289 bytes
19th June 2008
#2
SuperGeek
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
If you are not/have not run ComboFix on this machine, download Deckard's System Scanner (dss.exe) and save it to your desktop. Close all applications and windows.
Double click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open; main.txt, which will be maximized, and extra.txt, which will be minimized.
Post the contents of main.txt only for now.
Otherwise, post the ComboFix log.
20th June 2008
#3
Inactive
Profile:
Join Date: Jun 2008
Posts: 22
Computer Experience: intermediate
Deckard's System Scanner crashed three times
I will run combofix
20th June 2008
#4
SuperGeek
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
That's fine. Create and post a fresh HijackThis log after running CF too please.
20th June 2008
#5
Inactive
Profile:
Join Date: Jun 2008
Posts: 22
Computer Experience: intermediate
ComboFix 08-06-19.1 - Jon 2008-06-19 18:36:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.609 [GMT -5:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jon\Application Data\inst.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.
2008-06-19 18:07 . 2008-06-19 18:07 <DIR> d-------- C:\Deckard
2008-06-19 17:27 . 2008-06-19 17:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 22:16 . 2008-06-17 22:16 13,312 --a------ C:\WINDOWS\system32\winview2.dll
2008-06-15 11:54 . 2008-06-15 11:54 <DIR> d-------- C:\WINDOWS\system32\logs
2008-06-10 16:32 . 2008-04-14 07:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 16:32 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-08 20:20 . 2008-04-13 13:46 61,696 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-06-08 20:20 . 2008-04-13 13:46 61,696 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-06-08 20:20 . 2008-04-13 13:46 53,376 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-06-08 20:20 . 2008-04-13 13:46 53,376 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-06-08 20:20 . 2008-04-13 13:40 43,904 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2008-06-08 20:20 . 2008-04-13 13:40 43,904 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2008-06-08 20:20 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-06-08 20:20 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-06-08 18:25 . 2008-06-08 18:25 <DIR> d-------- C:\Documents and Settings\Jon\Program Files
2008-06-08 18:25 . 2008-06-19 17:26 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\uTorrent
2008-05-24 13:13 . 2008-06-08 18:25 <DIR> d-------- C:\Program Files\TagSmart
2008-05-24 00:09 . 2008-06-08 18:25 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\uTorrent(2)
2008-05-22 17:22 . 2008-05-22 17:22 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 17:22 . 2008-05-22 17:22 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-22 17:22 . 2008-05-22 17:22 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-22 17:20 . 2008-05-22 17:20 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-22 17:20 . 2008-05-22 17:20 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-22 17:19 . 2008-05-22 17:19 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-05-22 17:19 . 2008-05-22 17:19 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 17:19 . 2008-05-22 17:19 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2008-05-22 17:19 . 2008-05-22 17:19 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-05-22 17:19 . 2008-05-22 17:19 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-05-22 17:18 . 2008-05-22 17:18 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-19 14:42 . 2008-05-22 10:49 <DIR> d-------- C:\Program Files\PeerGuardian2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 22:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-19 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 23:07 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-17 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-11 19:40 --------- d-----w C:\Program Files\DivX
2008-06-10 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-28 06:55 --------- d-----w C:\Program Files\uTorrent
2008-05-22 01:36 --------- d-----w C:\Documents and Settings\Jon\Application Data\Vso
2008-05-17 17:58 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-17 17:58 47,360 ----a-w C:\Documents and Settings\Jon\Application Data\pcouffin.sys
2008-05-17 17:58 --------- d-----w C:\Program Files\VSO
2008-05-17 01:59 --------- d-----w C:\Documents and Settings\Jon\Application Data\vlc
2008-05-17 01:54 --------- d-----w C:\Program Files\VideoLAN
2008-05-14 19:23 --------- d-----w C:\Program Files\Microsoft Works
2008-05-14 19:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-13 03:13 --------- d-----w C:\Program Files\Memorex exPressit Label Design Studio
2008-05-13 03:11 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-05-12 23:19 --------- d-----w C:\Documents and Settings\Jon\Application Data\Sonic
2008-05-12 17:20 --------- d-----w C:\Program Files\Sonic
2008-05-12 03:08 --------- d-----w C:\Documents and Settings\Jon\Application Data\HP
2008-05-12 02:53 --------- d-----w C:\Program Files\HP
2008-05-12 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-12 02:47 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-12 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-12 02:46 --------- d-----w C:\Program Files\Common Files\HP
2008-05-12 02:40 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-12 02:38 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-11 16:31 --------- d-----w C:\Documents and Settings\Jon\Application Data\InterVideo
2008-05-11 14:37 --------- d-----w C:\Documents and Settings\Jon\Application Data\DivX
2008-05-11 07:31 --------- d-----w C:\Program Files\NeroInstall.bak
2008-05-11 01:04 --------- d-----w C:\Program Files\RegCleaner
2008-05-10 18:36 --------- d-----w C:\Documents and Settings\Jon\Application Data\Talkback
2008-05-10 16:59 --------- d-----w C:\Documents and Settings\God\Application Data\InterVideo
2008-05-10 16:36 --------- d-----w C:\Documents and Settings\God\Application Data\Talkback
2008-05-10 05:24 --------- d-----w C:\Documents and Settings\Jon\Application Data\Nero
2008-05-10 05:22 --------- d-----w C:\Documents and Settings\Jon\Application Data\Intel
2008-05-10 05:14 --------- d-----w C:\Documents and Settings\God\Application Data\Nero
2008-05-10 03:33 --------- d-----w C:\Documents and Settings\God\Application Data\uTorrent
2008-05-10 03:29 --------- d-----w C:\Documents and Settings\God\Application Data\Intel
2008-05-10 03:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-09 17:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-09 02:52 --------- d-----w C:\Program Files\McAfee
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-05 04:36 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-05 04:33 --------- d-----w C:\Program Files\McAfee.com
2008-05-04 18:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-05-03 11:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-03 11:27 --------- d-----w C:\Program Files\MSBuild
2008-05-03 11:23 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-03 11:21 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-03 11:20 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-03 03:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 03:29 --------- d-----w C:\Program Files\InterVideo
2008-05-03 03:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-03 03:27 17,119 ------w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-03 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-03 03:21 --------- d-----w C:\Program Files\Intel
2008-05-03 03:19 15,890 ------w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-05-03 03:19 --------- d-----w C:\Program Files\Atheros
2008-05-03 03:15 --------- d-----w C:\Program Files\TOSHIBA
2008-05-03 03:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-03 02:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"combofix"="C:\WINDOWS\system32\CF5127.exe" [2008-04-13 19:12 389120]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Documents and Settings\\Jon\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP "= 3389:TCP :@xpsp2res.dll,-22009
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-13 19:12]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 06:00:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 18:48:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-06-19 18:53:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-19 23:52:12
Pre-Run: 6,285,778,944 bytes free
Post-Run: 6,929,895,424 bytes free
208 --- E O F --- 2008-06-11 08:08:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:57 PM, on 6/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\rdpclip.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{819B69D9-01A4-4A97-826D-65239AE8C972}: NameServer = 4.2.2.1,67.138.54.100
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 5808 bytes
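The helper asked in #4 for a fresh HijackThis log after ComboFix so the two logs can be compared. As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python comparison that parses both logs and reports which code-loading entries vanished or appeared; the sample logs are constructed from entries quoted in this thread, trimmed to the lines of interest.

```python
import re
from typing import Dict, List, Set, Tuple

# A HijackThis item line: section code, " - ", entry text (e.g. "O2 - BHO: ... - C:\...\x.dll").
ITEM_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# First Windows path ending in a loadable file inside an entry.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]\"]+?\.(?:dll|exe|sys|scr)", re.IGNORECASE)
# Sections that load code at start-up, into Internet Explorer, or into the network stack;
# "PROC" is the pseudo-section this script uses for the "Running processes:" list.
LOADPOINT_SECTIONS = {"O2", "O3", "O4", "O10", "O20", "O21", "O23", "PROC"}

# Constructed sample: a subset of the 5:27 PM log (before ComboFix) quoted in this thread.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:58 PM, on 6/19/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BhoApp Class - {BBEEBE4F-3EDA-40F4-A0AB-87593EE49C56} - C:\WINDOWS\system32\winview2.dll
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
--
End of file - 6289 bytes
"""

# Constructed sample: a subset of the 7:05 PM log (after ComboFix) quoted in this thread.
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:57 PM, on 6/19/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
--
End of file - 5808 bytes
"""


def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Group a log into {section: entries}; running processes go under the 'PROC' pseudo-section."""
    sections: Dict[str, Set[str]] = {}
    in_procs = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_procs = False  # first R/F/O item ends the process list
            sections.setdefault(m.group(1), set()).add(m.group(2))
        elif in_procs and PATH_RE.match(line):
            # Paths are case-insensitive on NTFS; normalise so System32 == system32.
            sections.setdefault("PROC", set()).add(line.lower())
    return sections


def diff_hjt(before: str, after: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per section, (entries that vanished, entries that appeared) between two logs."""
    old, new = parse_hjt(before), parse_hjt(after)
    changes: Dict[str, Tuple[List[str], List[str]]] = {}
    for sec in sorted(set(old) | set(new)):
        gone = sorted(old.get(sec, set()) - new.get(sec, set()))
        came = sorted(new.get(sec, set()) - old.get(sec, set()))
        if gone or came:
            changes[sec] = (gone, came)
    return changes


def loaded_file(entry: str) -> str:
    """The file an entry loads, lower-cased, or '' when the entry names none (e.g. R0 URLs)."""
    m = PATH_RE.search(entry)
    return m.group(0).lower() if m else ""


def loadpoint_changes(before: str, after: str) -> List[Tuple[str, str, str]]:
    """Flatten the diff to (section, 'removed'|'added', file) for code-loading sections only."""
    flagged: List[Tuple[str, str, str]] = []
    for sec, (gone, came) in diff_hjt(before, after).items():
        if sec not in LOADPOINT_SECTIONS:
            continue
        flagged += [(sec, "removed", loaded_file(e)) for e in gone]
        flagged += [(sec, "added", loaded_file(e)) for e in came]
    return flagged


if __name__ == "__main__":
    # Every line printed here is a change a helper would want to account for:
    # the winview2.dll BHO vanishing is expected, but so does the Spybot BHO,
    # which is why the diff is reviewed rather than trusted blindly.
    for sec, change, path in loadpoint_changes(BEFORE_LOG, AFTER_LOG):
        print(f"{sec:<4} {change:<7} {path}")
```

A missing entry is not proof the file is gone from disk; the second ComboFix run in #13 is what actually deletes winview2.dll.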
20th June 2008
#6
SuperGeek
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
Please upload the following file to my submission channel for analysis. Leave a link back to this topic.
C:\WINDOWS\system32\winview2.dll
Thanks!
20th June 2008
#7
Inactive
Profile:
Join Date: Jun 2008
Posts: 22
Computer Experience: intermediate
it's been uploaded
20th June 2008
#8
SuperGeek
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
Quote:
Kaspersky Anti-Virus Results: winview2.dll Packed PE_Patch.UPX
winview2.dll Packed UPX
winview2.dll Trojan.Win32.BHO.edv
Antivir Results: winview2.dll TR/Dldr.Agent.dzy
Trend Micro Results: Nothing Detected
Avast Results: winview2.dll-15353 Win32:Vapsup-EB [Adw]
VBA32 Results: Nothing Detected
AVG Results: winview2.dll Trojan horse Generic10.AQKD
NOD32 Results: Nothing Detected
Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:
Filename: CFScript.txt
Save As Type: All Files (*.*)
Code:
http://www.windowsbbs.com/showthread.php?t=74450
Collect::
C:\Windows\System32\winview2.dll
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.
Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
Please note that I have instructed CFScript to collect the file. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned file. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the file for removal in future updates. Thanks!
20th June 2008
#9
Inactive
Profile:
Join Date: Jun 2008
Posts: 22
Computer Experience: intermediate
ComboFix crashed on the first run, then the computer didn't restart after the second run, and the third run didn't pop up a website to upload a file.
now what?
21st June 2008
#10
SuperGeek
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
That's odd. Please have a look at C:\ComboFix.txt
Look at the header and determine if the section I've bolded below differs from what is posted.
ComboFix 08-06-19.1 - Jon 2008-06-19 18:36:25.1
If it is different, please post its contents.
21st June 2008
#11
Inactive
Profile:
Join Date: Jun 2008
Posts: 22
Computer Experience: intermediate
the entire first line is:
ComboFix 08-06-19.1 - Jon 2008-06-20 13:45:57.3 - NTFSx86
21st June 2008
#12
SuperGeek
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
Post that log and the C:\Qoobox\ComboFix2.txt log.
21st June 2008
#13
Inactive
Profile:
Join Date: Jun 2008
Posts: 22
Computer Experience: intermediate
ComboFix 08-06-19.1 - Jon 2008-06-19 21:52:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.629 [GMT -5:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\System32\winview2.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.
2008-06-19 18:07 . 2008-06-19 18:07 <DIR> d-------- C:\Deckard
2008-06-19 17:27 . 2008-06-19 17:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 11:54 . 2008-06-15 11:54 <DIR> d-------- C:\WINDOWS\system32\logs
2008-06-10 16:32 . 2008-04-14 07:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 16:32 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-08 20:20 . 2008-04-13 13:46 61,696 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-06-08 20:20 . 2008-04-13 13:46 61,696 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-06-08 20:20 . 2008-04-13 13:46 53,376 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-06-08 20:20 . 2008-04-13 13:46 53,376 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-06-08 20:20 . 2008-04-13 13:40 43,904 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2008-06-08 20:20 . 2008-04-13 13:40 43,904 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2008-06-08 20:20 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-06-08 20:20 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-06-08 18:25 . 2008-06-08 18:25 <DIR> d-------- C:\Documents and Settings\Jon\Program Files
2008-06-08 18:25 . 2008-06-19 17:26 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\uTorrent
2008-05-24 13:13 . 2008-06-08 18:25 <DIR> d-------- C:\Program Files\TagSmart
2008-05-24 00:09 . 2008-06-08 18:25 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\uTorrent(2)
2008-05-22 17:22 . 2008-05-22 17:22 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 17:22 . 2008-05-22 17:22 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-22 17:22 . 2008-05-22 17:22 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-22 17:20 . 2008-05-22 17:20 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-22 17:20 . 2008-05-22 17:20 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-22 17:19 . 2008-05-22 17:19 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-05-22 17:19 . 2008-05-22 17:19 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 17:19 . 2008-05-22 17:19 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2008-05-22 17:19 . 2008-05-22 17:19 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-05-22 17:19 . 2008-05-22 17:19 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-05-22 17:18 . 2008-05-22 17:18 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 22:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-19 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 23:07 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-17 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-11 19:40 --------- d-----w C:\Program Files\DivX
2008-06-10 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-28 06:55 --------- d-----w C:\Program Files\uTorrent
2008-05-22 15:49 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-22 01:36 --------- d-----w C:\Documents and Settings\Jon\Application Data\Vso
2008-05-17 17:58 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-17 17:58 47,360 ----a-w C:\Documents and Settings\Jon\Application Data\pcouffin.sys
2008-05-17 17:58 --------- d-----w C:\Program Files\VSO
2008-05-17 01:59 --------- d-----w C:\Documents and Settings\Jon\Application Data\vlc
2008-05-17 01:54 --------- d-----w C:\Program Files\VideoLAN
2008-05-14 19:23 --------- d-----w C:\Program Files\Microsoft Works
2008-05-14 19:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-13 03:13 --------- d-----w C:\Program Files\Memorex exPressit Label Design Studio
2008-05-13 03:11 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-05-12 23:19 --------- d-----w C:\Documents and Settings\Jon\Application Data\Sonic
2008-05-12 17:20 --------- d-----w C:\Program Files\Sonic
2008-05-12 03:08 --------- d-----w C:\Documents and Settings\Jon\Application Data\HP
2008-05-12 02:53 --------- d-----w C:\Program Files\HP
2008-05-12 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-12 02:47 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-12 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-12 02:46 --------- d-----w C:\Program Files\Common Files\HP
2008-05-12 02:40 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-12 02:38 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-11 16:31 --------- d-----w C:\Documents and Settings\Jon\Application Data\InterVideo
2008-05-11 14:37 --------- d-----w C:\Documents and Settings\Jon\Application Data\DivX
2008-05-11 07:31 --------- d-----w C:\Program Files\NeroInstall.bak
2008-05-11 01:04 --------- d-----w C:\Program Files\RegCleaner
2008-05-10 18:36 --------- d-----w C:\Documents and Settings\Jon\Application Data\Talkback
2008-05-10 16:59 --------- d-----w C:\Documents and Settings\God\Application Data\InterVideo
2008-05-10 16:36 --------- d-----w C:\Documents and Settings\God\Application Data\Talkback
2008-05-10 05:24 --------- d-----w C:\Documents and Settings\Jon\Application Data\Nero
2008-05-10 05:22 --------- d-----w C:\Documents and Settings\Jon\Application Data\Intel
2008-05-10 05:14 --------- d-----w C:\Documents and Settings\God\Application Data\Nero
2008-05-10 03:33 --------- d-----w C:\Documents and Settings\God\Application Data\uTorrent
2008-05-10 03:29 --------- d-----w C:\Documents and Settings\God\Application Data\Intel
2008-05-10 03:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-09 17:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-09 02:52 --------- d-----w C:\Program Files\McAfee
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-05 04:36 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-05 04:33 --------- d-----w C:\Program Files\McAfee.com
2008-05-04 18:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-05-03 11:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-03 11:27 --------- d-----w C:\Program Files\MSBuild
2008-05-03 11:23 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-03 11:21 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-03 11:20 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-03 03:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 03:29 --------- d-----w C:\Program Files\InterVideo
2008-05-03 03:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-03 03:27 17,119 ------w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-03 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-03 03:21 --------- d-----w C:\Program Files\Intel
2008-05-03 03:19 15,890 ------w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-05-03 03:19 --------- d-----w C:\Program Files\Atheros
2008-05-03 03:15 --------- d-----w C:\Program Files\TOSHIBA
2008-05-03 03:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-03 02:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-19_18.51.37.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 23:44:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 03:00:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"combofix"="C:\WINDOWS\system32\CF8780.exe" [2008-04-13 19:12 389120]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Documents and Settings\\Jon\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP "= 3389:TCP :@xpsp2res.dll,-22009
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-13 19:12]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 06:00:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 22:20:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-06-19 22:25:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 03:24:46
ComboFix2.txt 2008-06-19 23:53:20
Pre-Run: 6,943,182,848 bytes free
Post-Run: 6,930,436,096 bytes free
215 --- E O F --- 2008-06-11 08:08:50
21st June 2008
#14
SuperGeek
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
And the log from C:\ComboFix.txt?
How's the system running now?
21st June 2008
#15
Inactive
Join Date: Jun 2008
Posts: 22
Computer Experience: intermediate
ComboFix 08-06-19.1 - Jon 2008-06-20 13:45:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.530 [GMT -5:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.
2008-06-19 18:07 . 2008-06-19 18:07 <DIR> d-------- C:\Deckard
2008-06-19 17:27 . 2008-06-19 17:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 11:54 . 2008-06-15 11:54 <DIR> d-------- C:\WINDOWS\system32\logs
2008-06-10 16:32 . 2008-04-14 07:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 16:32 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-08 20:20 . 2008-04-13 13:46 61,696 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-06-08 20:20 . 2008-04-13 13:46 61,696 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-06-08 20:20 . 2008-04-13 13:46 53,376 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-06-08 20:20 . 2008-04-13 13:46 53,376 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-06-08 20:20 . 2008-04-13 13:40 43,904 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2008-06-08 20:20 . 2008-04-13 13:40 43,904 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2008-06-08 20:20 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-06-08 20:20 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-06-08 18:25 . 2008-06-08 18:25 <DIR> d-------- C:\Documents and Settings\Jon\Program Files
2008-06-08 18:25 . 2008-06-19 17:26 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\uTorrent
2008-05-24 13:13 . 2008-06-08 18:25 <DIR> d-------- C:\Program Files\TagSmart
2008-05-24 00:09 . 2008-06-08 18:25 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\uTorrent(2)
2008-05-22 17:22 . 2008-05-22 17:22 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 17:22 . 2008-05-22 17:22 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-22 17:22 . 2008-05-22 17:22 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-22 17:20 . 2008-05-22 17:20 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-22 17:20 . 2008-05-22 17:20 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-22 17:19 . 2008-05-22 17:19 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-05-22 17:19 . 2008-05-22 17:19 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 17:19 . 2008-05-22 17:19 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2008-05-22 17:19 . 2008-05-22 17:19 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-05-22 17:19 . 2008-05-22 17:19 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-05-22 17:18 . 2008-05-22 17:18 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 22:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-19 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 23:07 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-17 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-11 19:40 --------- d-----w C:\Program Files\DivX
2008-06-10 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-28 06:55 --------- d-----w C:\Program Files\uTorrent
2008-05-22 15:49 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-22 01:36 --------- d-----w C:\Documents and Settings\Jon\Application Data\Vso
2008-05-17 17:58 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-17 17:58 47,360 ----a-w C:\Documents and Settings\Jon\Application Data\pcouffin.sys
2008-05-17 17:58 --------- d-----w C:\Program Files\VSO
2008-05-17 01:59 --------- d-----w C:\Documents and Settings\Jon\Application Data\vlc
2008-05-17 01:54 --------- d-----w C:\Program Files\VideoLAN
2008-05-14 19:23 --------- d-----w C:\Program Files\Microsoft Works
2008-05-14 19:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-13 03:13 --------- d-----w C:\Program Files\Memorex exPressit Label Design Studio
2008-05-13 03:11 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-05-12 23:19 --------- d-----w C:\Documents and Settings\Jon\Application Data\Sonic
2008-05-12 17:20 --------- d-----w C:\Program Files\Sonic
2008-05-12 03:08 --------- d-----w C:\Documents and Settings\Jon\Application Data\HP
2008-05-12 02:53 --------- d-----w C:\Program Files\HP
2008-05-12 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-12 02:47 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-12 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-12 02:46 --------- d-----w C:\Program Files\Common Files\HP
2008-05-12 02:40 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-12 02:38 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-11 16:31 --------- d-----w C:\Documents and Settings\Jon\Application Data\InterVideo
2008-05-11 14:37 --------- d-----w C:\Documents and Settings\Jon\Application Data\DivX
2008-05-11 07:31 --------- d-----w C:\Program Files\NeroInstall.bak
2008-05-11 01:04 --------- d-----w C:\Program Files\RegCleaner
2008-05-10 18:36 --------- d-----w C:\Documents and Settings\Jon\Application Data\Talkback
2008-05-10 16:59 --------- d-----w C:\Documents and Settings\God\Application Data\InterVideo
2008-05-10 16:36 --------- d-----w C:\Documents and Settings\God\Application Data\Talkback
2008-05-10 05:24 --------- d-----w C:\Documents and Settings\Jon\Application Data\Nero
2008-05-10 05:22 --------- d-----w C:\Documents and Settings\Jon\Application Data\Intel
2008-05-10 05:14 --------- d-----w C:\Documents and Settings\God\Application Data\Nero
2008-05-10 03:33 --------- d-----w C:\Documents and Settings\God\Application Data\uTorrent
2008-05-10 03:29 --------- d-----w C:\Documents and Settings\God\Application Data\Intel
2008-05-10 03:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-09 17:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-09 02:52 --------- d-----w C:\Program Files\McAfee
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-05 04:36 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-05 04:33 --------- d-----w C:\Program Files\McAfee.com
2008-05-04 18:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-05-03 11:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-03 11:27 --------- d-----w C:\Program Files\MSBuild
2008-05-03 11:23 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-03 11:21 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-03 11:20 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-03 03:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 03:29 --------- d-----w C:\Program Files\InterVideo
2008-05-03 03:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-03 03:27 17,119 ------w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-03 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-03 03:21 --------- d-----w C:\Program Files\Intel
2008-05-03 03:19 15,890 ------w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-05-03 03:19 --------- d-----w C:\Program Files\Atheros
2008-05-03 03:15 --------- d-----w C:\Program Files\TOSHIBA
2008-05-03 03:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-03 02:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-19_18.51.37.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 23:44:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 18:53:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"combofix"="C:\WINDOWS\system32\CF1227.exe" [2008-04-13 19:12 389120]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Documents and Settings\\Jon\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP "= 3389:TCP :@xpsp2res.dll,-22009
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-13 19:12]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 06:00:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 13:56:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-06-20 14:01:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 19:00:08
ComboFix2.txt 2008-06-20 03:25:53
ComboFix3.txt 2008-06-19 23:53:20
Pre-Run: 6,936,518,656 bytes free
Post-Run: 6,920,278,016 bytes free
211 --- E O F --- 2008-06-11 08:08:50