
Solved Google redirect/can't update virus signature

Discussion in 'Malware and Virus Removal Archive' started by jjabo7, 2009/04/14.

Post by jjabo7 (thread starter), 2009/04/16:
Juliet,
PC running much better. I can finally connect to mcafee.com and the redirect seems to be gone. However, I still cannot run the Kaspersky online scan. The same error, "Starting Java Applet has failed! Please go online to use this program", still pops up when the downloading of the latest updates is being started. I did include the ComboFix and HJT logs below.


    ComboFix

    ComboFix 09-04-17.01 - Jon 04/16/2009 21:18.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2021 [GMT -5:00]
    Running from: c:\documents and settings\Jon\Desktop\jon091969.exe
    Command switches used :: c:\documents and settings\Jon\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_W3KSRVMI
    -------\Legacy_WMBPLERVICR
    -------\Service_W3ksrvmi
    -------\Service_Wmbplervicr


    ((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
    .

    2009-04-16 20:47 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
    2009-04-16 20:46 . 2009-04-16 20:46 -------- d-----w c:\program files\Panda Security
    2009-04-16 18:28 . 2009-04-16 18:27 73728 ----a-w c:\windows\system32\javacpl.cpl
    2009-04-16 18:28 . 2009-04-16 18:27 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-04-16 18:22 . 2009-04-16 18:29 -------- d-----w c:\documents and settings\Jon\.SunDownloadManager
    2009-04-16 13:21 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-16 13:21 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-16 13:21 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-16 13:21 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-16 13:21 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-16 13:21 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-16 13:21 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-16 13:21 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-16 13:21 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-16 13:21 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-16 13:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-16 13:20 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
    2009-04-16 13:20 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-13 21:13 . 2009-04-13 21:13 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-04-13 18:28 . 2009-04-13 18:28 -------- d-----w c:\documents and settings\Jon\Application Data\True Sword
    2009-04-13 18:28 . 2009-04-13 19:11 -------- d-----w c:\program files\True Sword 5
    2009-04-13 15:50 . 2009-04-13 15:50 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-04-13 15:50 . 2009-04-13 15:50 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-04-13 15:50 . 2009-04-13 15:50 -------- d-----w c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com
    2009-04-13 14:12 . 2009-04-16 16:15 -------- d-----w c:\program files\Trend Micro
    2009-04-12 07:03 . 2009-04-12 07:03 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-04-11 23:51 . 2009-04-17 02:25 210208 --sha-w c:\windows\system32\drivers\fidbox2.dat
    2009-04-11 23:51 . 2009-04-17 02:25 7811360 --sha-w c:\windows\system32\drivers\fidbox.dat
    2009-04-11 23:51 . 2009-04-17 02:23 22796 --sha-w c:\windows\system32\drivers\fidbox2.idx
    2009-04-11 23:51 . 2009-04-17 02:23 110864 --sha-w c:\windows\system32\drivers\fidbox.idx
    2009-04-11 23:51 . 2009-04-13 20:31 3117 ----a-w C:\rollback.ini
    2009-04-11 23:42 . 2009-04-11 23:42 -------- d-----w c:\program files\Common Files\ParetoLogic
    2009-04-11 23:42 . 2009-04-11 23:42 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
    2009-04-11 23:42 . 2009-04-11 23:42 -------- d-----w c:\program files\ParetoLogic
    2009-04-11 23:42 . 2009-04-11 23:42 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
    2009-04-11 19:19 . 2009-04-11 19:19 -------- d-----w c:\documents and settings\Jon\Application Data\Malwarebytes
    2009-04-11 19:19 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-11 19:18 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-11 19:18 . 2009-04-11 19:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-11 19:18 . 2009-04-11 19:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-11 03:19 . 2009-04-12 06:04 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-02 04:24 . 2009-04-02 04:25 -------- d-----w c:\documents and settings\Jon\Application Data\Move Networks
    2009-03-24 03:40 . 2009-03-24 03:40 -------- d-----w C:\NIKONCORPORATION
    2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-17 01:37 . 2009-04-17 01:37 29825 ----a-w C:\ComboFix_2.txt
    2009-04-16 18:27 . 2003-10-28 13:24 -------- d-----w c:\program files\Java
    2009-04-16 18:12 . 2009-04-16 18:12 10384 ----a-w C:\JavaRa.log
    2009-04-16 17:51 . 2004-10-30 14:40 -------- d-----w c:\program files\McAfee
    2009-04-15 17:00 . 2006-01-11 06:25 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-04-13 19:43 . 2006-01-02 18:29 -------- d-----w c:\program files\Advanced System Optimizer
    2009-04-13 18:42 . 2009-04-13 18:29 0 ----a-w C:\log2.txt
    2009-04-13 18:42 . 2009-04-13 18:29 0 ----a-w C:\log1.txt
    2009-04-13 17:33 . 2004-04-07 15:08 -------- d-----w c:\program files\Lavasoft
    2009-04-13 17:25 . 2005-03-13 00:38 -------- d-----w c:\documents and settings\Jon\Application Data\Shareaza
    2009-04-13 17:22 . 2003-12-11 05:47 -------- d-----w c:\program files\PokerRoom.com
    2009-04-13 15:49 . 2006-01-03 16:31 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-04-13 14:18 . 2006-03-22 17:10 -------- d-----w c:\program files\Dexster
    2009-04-13 14:18 . 2007-12-11 00:23 -------- d-----w c:\program files\Avanquest update
    2009-04-12 14:16 . 2004-02-12 21:09 -------- d-----w c:\program files\PIXELA
    2009-04-12 14:15 . 2003-10-28 13:33 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-12 14:14 . 2004-02-12 21:07 -------- d-----w c:\program files\FinePixViewer
    2009-04-12 06:39 . 2006-01-01 15:53 111544 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-11 14:37 . 2007-02-24 14:36 -------- d-----w c:\documents and settings\Jon\Application Data\SiteAdvisor
    2009-04-07 21:23 . 2007-07-07 01:04 -------- d-----w c:\documents and settings\Jon\Application Data\Vso
    2009-04-07 21:23 . 2008-05-28 12:05 -------- d-----w c:\program files\DVDFab 5
    2009-03-25 16:06 . 2007-02-24 14:33 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
    2009-03-25 16:06 . 2007-02-24 14:33 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
    2009-03-25 16:06 . 2007-02-24 14:33 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
    2009-03-25 16:06 . 2007-02-24 14:33 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
    2009-03-25 16:05 . 2007-02-24 14:33 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
    2009-03-07 21:31 . 2009-02-09 04:30 -------- d-----w c:\documents and settings\Jon\Application Data\Imagenomic
    2009-03-07 21:29 . 2009-02-09 02:38 -------- d-----w c:\program files\Imagenomic
    2009-03-07 20:44 . 2009-03-07 20:44 -------- d-----w c:\documents and settings\Jon\Application Data\Thinstall
    2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
    2009-02-26 02:55 . 2009-02-26 02:55 -------- d-----w c:\documents and settings\Jon\Application Data\Alien Skin
    2009-02-26 02:53 . 2009-02-26 02:53 -------- d-----w c:\program files\Alien Skin
    2009-02-18 19:43 . 2009-02-18 19:43 243024 ----a-w c:\windows\SYSTEM32\LSPInstall.dll
    2009-02-18 19:43 . 2009-02-18 19:43 111960 ----a-w c:\windows\SYSTEM32\INetHTTPFilter.dll
    2009-02-16 16:20 . 2009-02-16 16:20 -------- d-----w c:\program files\Vertus Fluid Mask 3
    2009-02-16 16:20 . 2009-02-16 16:20 -------- d-----w c:\documents and settings\All Users\Application Data\VertusTech
    2009-02-09 12:10 . 2002-08-29 11:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
    2009-02-09 12:10 . 2004-04-13 20:14 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
    2009-02-09 12:10 . 2002-08-29 11:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
    2009-02-09 12:10 . 2002-08-29 11:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
    2009-02-09 11:13 . 2008-10-15 19:41 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
    2009-02-09 11:13 . 2002-08-29 11:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
    2009-02-08 00:02 . 2008-10-15 19:41 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
    2009-02-06 11:11 . 2002-08-29 11:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
    2009-02-06 11:08 . 2008-10-15 19:41 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
    2009-02-06 11:06 . 2008-10-15 19:41 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
    2009-02-06 11:06 . 1980-01-01 06:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
    2009-02-06 10:39 . 2002-08-29 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
    2009-02-06 10:32 . 2008-10-15 19:41 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
    2009-02-06 10:32 . 1980-01-01 06:00 2023936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
    2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
    2009-02-03 19:59 . 2002-08-29 11:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
    2009-01-24 01:47 . 2006-03-03 05:17 92 ----a-w C:\ResumeOmgApDeliveryMgrCntrl_SonicStage_EmdDownloadObj.dmf
    2008-12-24 18:02 . 2003-11-09 19:37 111544 ----a-w c:\documents and settings\Jana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2008-12-21 23:06 . 2003-11-09 18:11 111544 ----a-w c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-30 04:07 . 2007-07-07 01:04 47360 ----a-w c:\documents and settings\Jon\Application Data\pcouffin.sys
    2008-04-29 03:55 . 2008-04-29 03:34 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
    2007-12-11 02:26 . 2007-01-23 22:08 9232 ----a-w c:\documents and settings\Jon\mqdmmdfl.sys
    2007-12-11 02:26 . 2007-01-23 22:08 92064 ----a-w c:\documents and settings\Jon\mqdmmdm.sys
    2007-12-11 02:26 . 2007-01-23 22:08 79328 ----a-w c:\documents and settings\Jon\mqdmserd.sys
    2007-12-11 02:26 . 2007-01-23 22:08 66656 ----a-w c:\documents and settings\Jon\mqdmbus.sys
    2007-12-11 02:26 . 2007-01-23 22:08 6208 ----a-w c:\documents and settings\Jon\mqdmcmnt.sys
    2007-12-11 02:26 . 2007-01-23 22:08 5936 ----a-w c:\documents and settings\Jon\mqdmwhnt.sys
    2007-12-11 02:26 . 2007-01-23 22:08 4048 ----a-w c:\documents and settings\Jon\mqdmcr.sys
    2007-12-11 02:26 . 2006-02-12 20:13 25600 ----a-w c:\documents and settings\Jon\usbsermptxp.sys
    2007-12-11 02:26 . 2006-02-12 20:13 22768 ----a-w c:\documents and settings\Jon\usbsermpt.sys
    2007-11-30 16:55 . 2007-11-30 16:55 0 ----a-w c:\documents and settings\Jon\hayhayall.zip
    2007-11-18 01:25 . 2006-08-14 02:20 284 ----a-w c:\documents and settings\Jana\Application Data\ViewerApp.dat
    2004-10-01 15:32 . 2004-10-01 15:32 13824 ----a-w c:\documents and settings\Jon\atwbxdet.dll
    2004-05-17 16:42 . 2006-10-14 03:29 3889374 ----a-w c:\documents and settings\Jon\ShowBiz.exe
    2003-11-29 23:57 . 2003-11-27 04:02 103871345 ------w c:\documents and settings\GameSpot DLX Secure Delivery\tiger2004demo.exe
    2003-11-29 23:18 . 2003-11-27 14:00 139727532 ------w c:\documents and settings\GameSpot DLX Secure Delivery\bf1942spdemo.zip
    2003-11-29 23:11 . 2003-11-27 14:00 136512494 ------w c:\documents and settings\GameSpot DLX Secure Delivery\bf1942_mp_demo.exe
    2003-11-09 19:41 . 2003-11-09 19:41 127 ----a-w c:\documents and settings\Jana\Local Settings\Application Data\fusioncache.dat
    2003-11-09 19:34 . 2003-11-09 19:34 126 ----a-w c:\documents and settings\Jon\Local Settings\Application Data\fusioncache.dat
    2003-10-28 13:33 . 2004-04-25 22:31 12328 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2003-02-21 10:42 . 2003-02-21 10:42 348160 ----a-w c:\program files\msvcr71.dll
    2007-02-16 14:2006-10-07 15:07 37:59 . c:\program files\mozilla firefox\components\jar50.dll
    2007-02-16 14:2006-10-07 15:07 37:59 . c:\program files\mozilla firefox\components\jsd3250.dll
    2007-02-16 14:2006-10-07 15:07 37:59 . c:\program files\mozilla firefox\components\xpinstal.dll
    2008-04-30 21:07 . 2008-04-30 20:48 72 --sh--w c:\windows\SC6E38F9E.tmp
    2008-03-17 21:41 . 2007-07-25 16:43 1056 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
    2008-09-19 01:55 . 2008-09-19 01:55 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008091820080919\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-17_01.33.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-04-17 02:24 . 2009-04-17 02:24 16384 c:\windows\Temp\Perflib_Perfdata_5f0.dat
    - 2009-04-17 01:06 . 2009-04-17 01:06 16384 c:\windows\Temp\Perflib_Perfdata_5f0.dat
    + 2009-04-17 02:24 . 2009-04-17 02:24 16384 c:\windows\Temp\Perflib_Perfdata_504.dat
    + 2009-04-17 02:24 . 2009-04-17 02:24 16384 c:\windows\Temp\Perflib_Perfdata_254.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
    "PinnacleDriverCheck "= "c:\windows\system32\\PSDrvCheck.exe" [2004-03-10 406016]
    "SiteAdvisor "= "c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-09 36904]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
    "StxTrayMenu "= "c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 185896]
    "Adobe Photo Downloader "= "c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-04-16 148888]
    "WD Button Manager "= "WDBtnMgr.exe" - c:\windows\SYSTEM32\WDBtnMgr.exe [2006-08-14 339968]
    "Logitech Utility "= "Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

    c:\documents and settings\Jana\Start Menu\Programs\Startup\
    Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2007-6-22 577536]

    c:\documents and settings\Jon\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-14 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-9-5 169472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ctmp3 "= c:\windows\System32\ctmp3.acm
    "vidc.3iv2 "= 3ivxVfWCodec.dll
    "VIDC.HFYU "= huffyuv.dll
    "VIDC.VP31 "= vp31vfw.dll
    "msacm.dvacm "= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
    "msacm.MPEGacm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
    "msacm.ulmp3acm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
    "VIDC.MJPX "= PICVideo MJPEG Codec

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
    backup=c:\windows\pss\BTTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Picaboo.lnk]
    path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Picaboo.lnk
    backup=c:\windows\pss\Picaboo.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-09-13 09:51 1450096 ------w c:\program files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-02-19 18:10 267048 ----a-w c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE "=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe "=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe "=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe "=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Motorola\\Software Update\\msu.exe "=
    "c:\\Program Files\\LeechFTP\\Leechftp.exe "=
    "c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Abacast\\Abaclient.exe "=
    "c:\\WINDOWS\\SYSTEM32\\ftp.exe "=
    "c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    R0 ntcdrdrv;ntcdrdrv; [x]
    R2 0279701239904340mcinstcleanup;McAfee Application Installer Cleanup (0279701239904340); [x]
    R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-06-20 17920]
    R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-24 7680]
    R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-05-04 42112]
    R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-20 23680]
    R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2007-12-14 3768]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
    S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
    S2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [2009-02-18 587216]

    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

    2009-03-15 c:\windows\Tasks\McDefragTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-02-24 15:53]

    2009-04-01 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-02-24 15:53]

    2009-04-13 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
    - c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

    2009-04-16 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
    - c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

    2009-04-16 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

    2009-04-13 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=cache.midco.net:3128
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Send To &Bluetooth - c:\program files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
    LSP: c:\windows\system32\INetHTTPFilter.dll
    FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\cyvl7iz7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.cookie.p3plevel ", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.enablePad ", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.default ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.custom ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "signon.prefillForms ", true);
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-16 21:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.** "*%\OpenWithList]
    @Class= "Shell "

    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4*Y%€%]
    @Class= "Shell "
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4*Y%€%\OpenWithList]
    @Class= "Shell "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    "Version "=hex:d5,13,3c,50,5e,a6,de,51,56,e1,d4,4c,4f,47,d4,f3,20,8e,51,9b,67,
    09,45,31,55,28,76,18,d2,bf,5a,76,a2,ae,d8,07,06,bd,7f,a3,2f,42,b4,d2,11,9c,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT]
    @DACL=(02 0000)
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "* "=dword:00000001
    "infopath.exe "=dword:00000000
    "msn6.exe "=dword:00000000
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL]
    @DACL=(02 0000)
    @=" "
    "SAPLOGON.exe "=dword:00000000
    "SAPfewgsrv.exe "=dword:00000000
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "* "=dword:00000001
    "WMPlayer.exe "=dword:00000001
    "SAPGUI.exe "=dword:00000000
    "SAPGuiIT.exe "=dword:00000000
    "SAPLgPad.exe "=dword:00000000
    "Scale_for_R3.exe "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP]
    @DACL=(02 0000)
    "ieuser.exe "=dword:00000001
    "iexplore.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
    @DACL=(02 0000)
    "YahooMusicEngine.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT]
    @DACL=(02 0000)
    "devenv.exe "=dword:00000001
    "dexplore.exe "=dword:00000001
    "helppane.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
    @DACL=(02 0000)
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_XML_PROLOG]
    @DACL=(02 0000)
    "msiexec.exe "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS]
    @DACL=(02 0000)
    "iexplore.exe "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS]
    @DACL=(02 0000)
    "helppane.exe "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "wmplayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000000
    "explorer.exe "=dword:00000000
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL]
    @DACL=(02 0000)
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
    @DACL=(02 0000)
    "WMPlayer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "winmail.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
    @DACL=(02 0000)
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
    @DACL=(02 0000)
    "msimn.exe "=dword:00000001
    "outlook.exe "=dword:00000001
    "winmail.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK]
    @DACL=(02 0000)
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL]
    @DACL=(02 0000)
    "excel.exe "=dword:00000001
    "infopath.exe "=dword:00000001
    "powerpnt.exe "=dword:00000001
    "winword.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL]
    @DACL=(02 0000)
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
    @DACL=(02 0000)
    "msn.exe "=dword:00000001
    "msn6.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "WMPlayer.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION]
    @DACL=(02 0000)
    @=" "
    "iexplore.exe "=dword:00000001
    "explorer.exe "=dword:00000001
    "msimn.exe "=dword:00000001
    "WMPlayer.exe "=dword:00000001
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(892)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(952)
    c:\windows\system32\INetHTTPFilter.dll

    - - - - - - - > 'explorer.exe'(1628)
    c:\program files\Logitech\MouseWare\System\LgWndHk.dll
    c:\program files\SiteAdvisor\6253\saHook.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Ahead\InCD\InCDsrv.exe
    c:\windows\SYSTEM32\LEXBCES.EXE
    c:\windows\SYSTEM32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    c:\windows\SYSTEM32\CTsvcCDA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Common Files\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    c:\windows\SYSTEM32\nvsvc32.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\SYSTEM32\MsPMSPSv.exe
    c:\progra~1\McAfee.com\Agent\mcagent.exe
    c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-04-17 21:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-17 02:37

    Pre-Run: 19,687,075,840 bytes free
    Post-Run: 19,555,209,216 bytes free

    500 --- E O F --- 2009-04-16 13:35


    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:55:16 PM, on 4/16/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wscntfy.exe
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache.midco.net:3128
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://remote.nisc.coop/XTSAC.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.nisc.coop/msrdp.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.cardbox.net/download/msxml4.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nisc.webex.com/client/T25L/support/ieatgpc.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: McAfee Application Installer Cleanup (0279701239904340) (0279701239904340mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027970~1.EXE (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Mqdfm2vc - McAfee, Inc. - (no file)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

    --
    End of file - 13941 bytes
     
  2. 2009/04/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Logs certainly look better.

    I'd love to smack Kaspersky around; it's becoming unreliable lately.

    We'll use this one instead.

    Perform an online scan with Panda ActiveScan
    * Click on Scan Your PC Now
    * A "pop up" window will appear, or a new tab will open.
    * Click on Register
    * Choose the option you like most, but we recommend the Free Registration.

    Click on Register
    # Enter your e-mail address, and create a password.
    # Select "I do not want to receive any type of information" (unless you want to receive such information).
    # Click on Send
    # Confirm registration, and continue by entering your user name and password, then click on Enter
    # Select Full Scan, then Click on Scan Now
    # Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.

    # Please ignore the offer to buy the program. Click on Export To

    * Export the log and save it to your desktop.
    * Please post the contents of that log in your next reply.
    * Turn off the real time scanner of any existing antivirus program while performing the online scan


    In your next reply post:
    Panda log
    new HJT log
     

  4. 2009/04/17
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,

    Here are the latest logs:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-04-16 18:39:59
    PROTECTIONS: 1
    MALWARE: 24
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00005468 dialer.bb Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0191ABF4-9421-435E-9FFD-CD827A2A82D8}
    00018331 adware/gator Adware No 0 Yes No c:\documents and settings\all users\start menu\programs\gain
    00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}
    00029459 spyware/betterinet Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}
    00034463 adware/wupd Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
    00034463 adware/wupd Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
    00040415 adware/wintools Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
    00046490 adware/azesearch Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}
    00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E955-11D0-A707-000000521958}
    00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}
    00048485 spyware/bundleware Spyware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
    00048498 adware/topconvert Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C}
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@doubleclick[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@atdmt[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@tribalfusion[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@tribalfusion[2].txt
    00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.centrport.net/]
    00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\cyvl7iz7.default\cookies.txt[.7search.com/]
    00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\cyvl7iz7.default\cookies.txt[.7search.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.com.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.com.com/]
    00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.landing.domainsponsor.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@ad.yieldmanager[2].txt
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.go.com/]
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.target.com/]
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.target.com/]
    01692698 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Jana\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
    01692698 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Jon\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
    02990320 Application/BoontyGames HackTools Yes 0 Yes No C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\WebEx\ieatgpc.dll
    03919041 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\SlySoft\Slysoft.exe
    03919041 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\SlySoft\AnyDVD\Slysoft.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location Ux
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description Ux
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:19:54 AM, on 4/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache.midco.net:3128
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://remote.nisc.coop/XTSAC.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.nisc.coop/msrdp.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.cardbox.net/download/msxml4.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nisc.webex.com/client/T25L/support/ieatgpc.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: McAfee Application Installer Cleanup (0279701239904340) (0279701239904340mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027970~1.EXE (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Mqdfm2vc - McAfee, Inc. - (no file)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

    --
    End of file - 13949 bytes
     
  5. 2009/04/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal


    • Click the Browse button and search for the following file: C:\Program Files\SlySoft\Slysoft.exe
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned -- click "reanalyze now"


    Also please have the next files scanned.
    C:\Program Files\SlySoft\AnyDVD\Slysoft.exe
    C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NEXT**
    Please download OTMoveIt3 by OldTimer and save it to your desktop
    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. ( Make sure you include :processes )
    Code:
    :Processes
    explorer.exe
    :Files
    c:\documents and settings\all users\start menu\programs\gain
    C:\Program Files\WebEx\ieatgpc.dll
    C:\Windows\System32\pushow11.dll
    C:\Documents and Settings\Jana\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance
    C:\Documents and Settings\Jon\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E955-11D0-A707-000000521958}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Close ALL open windows (especially Internet Explorer!)
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.


    In your next reply post:
    OTMoveIt log
    Requested file info



    How's your computer now?
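Juliet's steps end with posting the VirusTotal verdicts, which in 2009 came back as plain text in two layouts (space-separated rows with the column header glued onto the "File ... received on" line, and semicolon-separated CSV rows). The parser below is an added example, not code from this thread or from VirusTotal; its sample rows are a constructed excerpt that reuses engine lines and digests from the report posted later in the thread, trimmed to a handful of engines.

```python
"""Parse VirusTotal's 2009-era plain-text report, as pasted into this thread.

Added example, not code from the thread or from VirusTotal. It understands
both layouts the site's "copy to clipboard" button produced at the time and
keeps the file digests so two submissions can be recognised as one file.
"""
import re
from dataclasses import dataclass, field

# "MD5...: <hex>", "SHA1..: <hex>", "SHA256: <hex>" rows of the report.
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)")
# "<engine> <version> <yyyy.mm.dd> <result, may contain spaces>"
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")
HEADER_RE = re.compile(r"^File (\S+) received on")


@dataclass
class Report:
    filename: str = ""
    hashes: dict = field(default_factory=dict)    # algorithm -> hex digest
    verdicts: dict = field(default_factory=dict)  # engine -> result or None

    @property
    def detections(self) -> dict:
        """Engines that returned a name rather than '-'."""
        return {eng: res for eng, res in self.verdicts.items() if res}

    def ratio(self) -> tuple:
        """(detecting engines, engines that scanned), as VirusTotal shows it."""
        return (len(self.detections), len(self.verdicts))


def parse_report(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Antivirus;") or line == "Additional information":
            continue  # blank line, CSV header, or section title
        m = HEADER_RE.match(line)
        if m:
            rep.filename = m.group(1)
            continue
        m = HASH_RE.match(line)
        if m:
            rep.hashes[m.group(1)] = m.group(2).lower()
            continue
        if line.count(";") == 3:                       # CSV layout
            engine, _ver, _date, result = line.split(";")
        else:                                          # space layout
            m = ROW_RE.match(line)
            if not m:
                continue  # ssdeep, PEiD, TrID and other "Additional information" rows
            engine, _ver, _date, result = m.groups()
        result = result.strip()
        rep.verdicts[engine] = None if result == "-" else result
    return rep


def same_file(a: Report, b: Report) -> bool:
    """True when every digest algorithm both reports carry agrees."""
    shared = set(a.hashes) & set(b.hashes)
    return bool(shared) and all(a.hashes[h] == b.hashes[h] for h in shared)


# Constructed excerpts in the two layouts; the engine rows and digests are
# copied from the report posted in this thread, cut down to eight engines.
SAMPLE_SPACE = """\
File Slysoft.exe received on 04.17.2009 19:42:45 (CET)Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.17 Riskware.Hacktool.Patch.anydvd!IK
AhnLab-V3 5.0.0.2 2009.04.17 -
eSafe 7.0.17.0 2009.04.13 Suspicious File
Kaspersky 7.0.0.125 2009.04.17 -
McAfee 5587 2009.04.17 -
Prevx1 V2 2009.04.17 High Risk Worm
TrendMicro 8.700.0.1004 2009.04.17 PAK_Generic.001
VirusBuster 4.6.5.0 2009.04.17 -

Additional information
File size: 126976 bytes
MD5...: a9ea0204d9895d709c865a4b55f090b2
SHA1..: 7d8c0a9af3a456bf4bc9ad72baa92b86cd5043ed
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
"""

SAMPLE_CSV = """\
Antivirus;Version;Last Update;Result
a-squared;4.0.0.101;2009.04.17;Riskware.Hacktool.Patch.anydvd!IK
AhnLab-V3;5.0.0.2;2009.04.17;-
eSafe;7.0.17.0;2009.04.13;Suspicious File
Kaspersky;7.0.0.125;2009.04.17;-
McAfee;5587;2009.04.17;-
Prevx1;V2;2009.04.17;High Risk Worm
TrendMicro;8.700.0.1004;2009.04.17;PAK_Generic.001
VirusBuster;4.6.5.0;2009.04.17;-

Additional information
MD5...: a9ea0204d9895d709c865a4b55f090b2
"""

if __name__ == "__main__":
    first, second = parse_report(SAMPLE_SPACE), parse_report(SAMPLE_CSV)
    hits, total = first.ratio()
    print(f"{first.filename}: {hits}/{total} engines flagged it")
    for engine, name in sorted(first.detections.items()):
        print(f"  {engine:<12} {name}")
    print("second submission is the same file:", same_file(first, second))
```

Comparing the digests is what shows that two separately submitted copies of Slysoft.exe are one and the same file, so only one set of verdicts needs reading.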
     
  6. 2009/04/17
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,

    PC is performing better. I may have included more than one file info for the second slysoft.exe scan you requested; if so, I apologize for any confusion it may cause.

    OTMoveit log

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== FILES ==========
    c:\documents and settings\all users\start menu\programs\GAIN moved successfully.
    C:\Program Files\WebEx\ieatgpc.dll unregistered successfully.
    C:\Program Files\WebEx\ieatgpc.dll moved successfully.
    File/Folder C:\Windows\System32\pushow11.dll not found.
    C:\Documents and Settings\Jana\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181 moved successfully.
    C:\Documents and Settings\Jana\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance moved successfully.
    C:\Documents and Settings\Jon\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181 moved successfully.
    C:\Documents and Settings\Jon\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance moved successfully.
    ========== REGISTRY ==========
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878 B424-1F95-4e26-B5AB-F0D349D89650}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A5 9337-6EEF-40AE-94B1-ED443A0C4740}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD 4789-CDB4-47E1-A9DA-992EE8E6BAD6}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD 6789-CDB4-47E1-A9DA-992EE8E6BAD6}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8706 7F04-DE4C-4688-BC3C-4FCF39D609E7}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf 3304-138b-4dd5-86ee-491bb6a2286c}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886D DE35-E955-11D0-A707-000000521958}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFF A75A-E81D-4454-89FC-B9FD0631E726}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7984 9612-A98F-45B8-95E9-4D13C7B6B35C}\\ not found.
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\ "AppInit_DLLs "|" " /E : value set successfully!
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    Network Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\mcafee_bJYSOV3Sh6xj8uz scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcafee_MNRCvfCjgO14Rhd scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_bbd1fHGw38v2wO8 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_Fw6ei8SAPFjBXfD scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_qKQu7Nggqed7ez0 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_254.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_504.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5f0.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_123448

    First Slysoft.exe:

    File Slysoft.exe received on 04.17.2009 19:42:45 (CET)
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.04.17 Riskware.Hacktool.Patch.anydvd!IK
    AhnLab-V3 5.0.0.2 2009.04.17 -
    AntiVir 7.9.0.143 2009.04.17 -
    Antiy-AVL 2.0.3.1 2009.04.17 -
    Authentium 5.1.2.4 2009.04.17 -
    Avast 4.8.1335.0 2009.04.17 -
    AVG 8.5.0.287 2009.04.17 -
    BitDefender 7.2 2009.04.17 -
    CAT-QuickHeal 10.00 2009.04.17 -
    ClamAV 0.94.1 2009.04.17 -
    Comodo 1117 2009.04.17 -
    DrWeb 4.44.0.09170 2009.04.17 -
    eSafe 7.0.17.0 2009.04.13 Suspicious File
    eTrust-Vet 31.6.6455 2009.04.14 -
    F-Prot 4.4.4.56 2009.04.17 -
    F-Secure 8.0.14470.0 2009.04.17 -
    Fortinet 3.117.0.0 2009.04.17 Spy/Soft
    GData 19 2009.04.17 -
    Ikarus T3.1.1.49.0 2009.04.17 not-a-Virus.Hacktool.Patch.anydvd
    K7AntiVirus 7.10.707 2009.04.17 -
    Kaspersky 7.0.0.125 2009.04.17 -
    McAfee 5587 2009.04.17 -
    McAfee+Artemis 5587 2009.04.17 -
    McAfee-GW-Edition 6.7.6 2009.04.17 -
    Microsoft 1.4502 2009.04.17 -
    NOD32 4017 2009.04.17 -
    Norman 6.00.06 2009.04.17 -
    nProtect 2009.1.8.0 2009.04.17 -
    Panda 10.0.0.14 2009.04.17 Generic Malware
    PCTools 4.4.2.0 2009.04.17 -
    Prevx1 V2 2009.04.17 High Risk Worm
    Rising 21.25.44.00 2009.04.17 -
    Sophos 4.40.0 2009.04.17 -
    Sunbelt 3.2.1858.2 2009.04.17 -
    Symantec 1.4.4.12 2009.04.17 -
    TheHacker 6.3.4.0.309 2009.04.16 -
    TrendMicro 8.700.0.1004 2009.04.17 PAK_Generic.001
    VBA32 3.12.10.2 2009.04.12 -
    ViRobot 2009.4.17.1698 2009.04.17 -
    VirusBuster 4.6.5.0 2009.04.17 -

    Additional information
    File size: 126976 bytes
    MD5...: a9ea0204d9895d709c865a4b55f090b2
    SHA1..: 7d8c0a9af3a456bf4bc9ad72baa92b86cd5043ed
    SHA256: 76f02e8722049d849b492cf5111b2a8d47bd50a6e351761b1a32be91270c0737
    SHA512: 961524e549a4ec7e9e377ce142bc2af8bbad76938ecdbfaf36d1de1a28d841e141898b67355b5548a371fe4c2a509a0a1d4df8682574454dbd282961d6968916
    ssdeep: 1536:cvHIzqDEw1jfb3/CHYNF5SQsYRJrR5KOf+eVh/NGj6G/MmCANZl67DYlEYozgKlk:a+qDVTjVaQsQJ/KOJ7OCD/zzLoh8s5
    PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
    TrID..: File type identification
    UPX compressed Win32 Executable (39.5%)
    Win32 EXE Yoda's Crypter (34.3%)
    Win32 Executable Generic (11.0%)
    Win32 Dynamic Link Library (generic) (9.8%)
    Generic Win/DOS Executable (2.5%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x35f50
    timedatestamp.....: 0x42b47c05 (Sat Jun 18 19:54:45 2005)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x17000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x18000 0x1f000 0x1e200 7.91 4119a069aa5dc0d9f5128521870c16d8
    .rsrc 0x37000 0x1000 0xa00 4.46 4f8c0f0a166e7b449fc7602452dae759

    ( 5 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
    > advapi32.dll: RegOpenKeyA
    > comctl32.dll: InitCommonControls
    > user32.dll: LoadIconA
    > winmm.dll: waveOutOpen

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=7BB9D85C000ABD98F065012EE015FE00EBBABE73
    packers (Kaspersky): UPX
    CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=a9ea0204d9895d709c865a4b55f090b2
    packers (F-Prot): UPX

    Second Slysoft.exe:

    File Slysoft.exe received on 04.17.2009 19:48:20 (CET)
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.04.17 Riskware.Hacktool.Patch.anydvd!IK
    AhnLab-V3 5.0.0.2 2009.04.17 -
    AntiVir 7.9.0.143 2009.04.17 -
    Antiy-AVL 2.0.3.1 2009.04.17 -
    Authentium 5.1.2.4 2009.04.17 -
    Avast 4.8.1335.0 2009.04.17 -
    AVG 8.5.0.287 2009.04.17 -
    BitDefender 7.2 2009.04.17 -
    CAT-QuickHeal 10.00 2009.04.17 -
    ClamAV 0.94.1 2009.04.17 -
    Comodo 1117 2009.04.17 -
    DrWeb 4.44.0.09170 2009.04.17 -
    eSafe 7.0.17.0 2009.04.13 Suspicious File
    eTrust-Vet 31.6.6455 2009.04.14 -
    F-Prot 4.4.4.56 2009.04.17 -
    F-Secure 8.0.14470.0 2009.04.17 -
    Fortinet 3.117.0.0 2009.04.17 Spy/Soft
    GData 19 2009.04.17 -
    Ikarus T3.1.1.49.0 2009.04.17 not-a-Virus.Hacktool.Patch.anydvd
    K7AntiVirus 7.10.707 2009.04.17 -
    Kaspersky 7.0.0.125 2009.04.17 -
    McAfee 5587 2009.04.17 -
    McAfee+Artemis 5587 2009.04.17 -
    McAfee-GW-Edition 6.7.6 2009.04.17 -
    Microsoft 1.4502 2009.04.17 -
    NOD32 4017 2009.04.17 -
    Norman 6.00.06 2009.04.17 -
    nProtect 2009.1.8.0 2009.04.17 -
    Panda 10.0.0.14 2009.04.17 Generic Malware
    PCTools 4.4.2.0 2009.04.17 -
    Prevx1 V2 2009.04.17 High Risk Worm
    Rising 21.25.44.00 2009.04.17 -
    Sophos 4.40.0 2009.04.17 -
    Sunbelt 3.2.1858.2 2009.04.17 -
    Symantec 1.4.4.12 2009.04.17 -
    TheHacker 6.3.4.0.309 2009.04.16 -
    TrendMicro 8.700.0.1004 2009.04.17 PAK_Generic.001
    VBA32 3.12.10.2 2009.04.12 -
    ViRobot 2009.4.17.1698 2009.04.17 -
    VirusBuster 4.6.5.0 2009.04.17 -

    Additional information
    File size: 126976 bytes
    MD5...: a9ea0204d9895d709c865a4b55f090b2
    SHA1..: 7d8c0a9af3a456bf4bc9ad72baa92b86cd5043ed
    SHA256: 76f02e8722049d849b492cf5111b2a8d47bd50a6e351761b1a32be91270c0737
    SHA512: 961524e549a4ec7e9e377ce142bc2af8bbad76938ecdbfaf36d1de1a28d841e141898b67355b5548a371fe4c2a509a0a1d4df8682574454dbd282961d6968916
    ssdeep: 1536:cvHIzqDEw1jfb3/CHYNF5SQsYRJrR5KOf+eVh/NGj6G/MmCANZl67DYlEYozgKlk:a+qDVTjVaQsQJ/KOJ7OCD/zzLoh8s5
    PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
    TrID..: File type identification
    UPX compressed Win32 Executable (39.5%)
    Win32 EXE Yoda's Crypter (34.3%)
    Win32 Executable Generic (11.0%)
    Win32 Dynamic Link Library (generic) (9.8%)
    Generic Win/DOS Executable (2.5%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x35f50
    timedatestamp.....: 0x42b47c05 (Sat Jun 18 19:54:45 2005)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x17000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x18000 0x1f000 0x1e200 7.91 4119a069aa5dc0d9f5128521870c16d8
    .rsrc 0x37000 0x1000 0xa00 4.46 4f8c0f0a166e7b449fc7602452dae759

    ( 5 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
    > advapi32.dll: RegOpenKeyA
    > comctl32.dll: InitCommonControls
    > user32.dll: LoadIconA
    > winmm.dll: waveOutOpen

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    packers (Kaspersky): UPX
    packers (F-Prot): UPX
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=7BB9D85C000ABD98F065012EE015FE00EBBABE73
    CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=a9ea0204d9895d709c865a4b55f090b2

    Antivirus;Version;Last Update;Result
    a-squared;4.0.0.101;2009.04.17;Riskware.Hacktool.Patch.anydvd!IK
    AhnLab-V3;5.0.0.2;2009.04.17;-
    AntiVir;7.9.0.143;2009.04.17;-
    Antiy-AVL;2.0.3.1;2009.04.17;-
    Authentium;5.1.2.4;2009.04.17;-
    Avast;4.8.1335.0;2009.04.17;-
    AVG;8.5.0.287;2009.04.17;-
    BitDefender;7.2;2009.04.17;-
    CAT-QuickHeal;10.00;2009.04.17;-
    ClamAV;0.94.1;2009.04.17;-
    Comodo;1117;2009.04.17;-
    DrWeb;4.44.0.09170;2009.04.17;-
    eSafe;7.0.17.0;2009.04.13;Suspicious File
    eTrust-Vet;31.6.6455;2009.04.14;-
    F-Prot;4.4.4.56;2009.04.17;-
    F-Secure;8.0.14470.0;2009.04.17;-
    Fortinet;3.117.0.0;2009.04.17;Spy/Soft
    GData;19;2009.04.17;-
    Ikarus;T3.1.1.49.0;2009.04.17;not-a-Virus.Hacktool.Patch.anydvd
    K7AntiVirus;7.10.707;2009.04.17;-
    Kaspersky;7.0.0.125;2009.04.17;-
    McAfee;5587;2009.04.17;-
    McAfee+Artemis;5587;2009.04.17;-
    McAfee-GW-Edition;6.7.6;2009.04.17;-
    Microsoft;1.4502;2009.04.17;-
    NOD32;4017;2009.04.17;-
    Norman;6.00.06;2009.04.17;-
    nProtect;2009.1.8.0;2009.04.17;-
    Panda;10.0.0.14;2009.04.17;Generic Malware
    PCTools;4.4.2.0;2009.04.17;-
    Prevx1;V2;2009.04.17;High Risk Worm
    Rising;21.25.44.00;2009.04.17;-
    Sophos;4.40.0;2009.04.17;-
    Sunbelt;3.2.1858.2;2009.04.17;-
    Symantec;1.4.4.12;2009.04.17;-
    TheHacker;6.3.4.0.309;2009.04.16;-
    TrendMicro;8.700.0.1004;2009.04.17;PAK_Generic.001
    VBA32;3.12.10.2;2009.04.12;-
    ViRobot;2009.4.17.1698;2009.04.17;-
    VirusBuster;4.6.5.0;2009.04.17;-

    Additional information
    File size: 126976 bytes
    MD5...: a9ea0204d9895d709c865a4b55f090b2
    SHA1..: 7d8c0a9af3a456bf4bc9ad72baa92b86cd5043ed
    SHA256: 76f02e8722049d849b492cf5111b2a8d47bd50a6e351761b1a32be91270c0737
    SHA512: 961524e549a4ec7e9e377ce142bc2af8bbad76938ecdbfaf36d1de1a28d841e1<BR>41898b67355b5548a371fe4c2a509a0a1d4df8682574454dbd282961d6968916
    ssdeep: 1536:cvHIzqDEw1jfb3/CHYNF5SQsYRJrR5KOf+eVh/NGj6G/MmCANZl67DYlEYo<BR>zgKlk:a+qDVTjVaQsQJ/KOJ7OCD/zzLoh8s5<BR>
    PEiD..: UPX 2.90 [LZMA] -&gt; Markus Oberhumer, Laszlo Molnar &amp; John Reiser
    TrID..: File type identification<BR>UPX compressed Win32 Executable (39.5%)<BR>Win32 EXE Yoda's Crypter (34.3%)<BR>Win32 Executable Generic (11.0%)<BR>Win32 Dynamic Link Library (generic) (9.8%)<BR>Generic Win/DOS Executable (2.5%)
    PEInfo: PE Structure information<BR><BR>( base data )<BR>entrypointaddress.: 0x35f50<BR>timedatestamp.....: 0x42b47c05 (Sat Jun 18 19:54:45 2005)<BR>machinetype.......: 0x14c (I386)<BR><BR>( 3 sections )<BR>name viradd virsiz rawdsiz ntrpy md5<BR>UPX0 0x1000 0x17000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<BR>UPX1 0x18000 0x1f000 0x1e200 7.91 4119a069aa5dc0d9f5128521870c16d8<BR>.rsrc 0x37000 0x1000 0xa00 4.46 4f8c0f0a166e7b449fc7602452dae759<BR><BR>( 5 imports ) <BR>&gt; KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess<BR>&gt; advapi32.dll: RegOpenKeyA<BR>&gt; comctl32.dll: InitCommonControls<BR>&gt; user32.dll: LoadIconA<BR>&gt; winmm.dll: waveOutOpen<BR><BR>( 0 exports ) <BR>
    RDS...: NSRL Reference Data Set<BR>-
    packers (Kaspersky): UPX
    packers (F-Prot): UPX
    Prevx info: &lt;a href='http://info.prevx.com/aboutprogramtext.asp?PX5=7BB9D85C000ABD98F065012EE015FE00EBBABE73' target='_blank'&gt;http://info.prevx.com/aboutprogramtext.asp?PX5=7BB9D85C000ABD98F065012EE015FE00EBBABE73&lt;/a&gt;
    CWSandbox info: &lt;a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=a9ea0204d9895d709c865a4b55f090b2' target='_blank'&gt;http://research.sunbelt-software.co...d5=a9ea0204d9895d709c865a4b55f090b2&lt;/a&gt;

    File Slysoft.exe received on 04.17.2009 19:48:20 (CET)Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.04.17 Riskware.Hacktool.Patch.anydvd!IK
    AhnLab-V3 5.0.0.2 2009.04.17 -
    AntiVir 7.9.0.143 2009.04.17 -
    Antiy-AVL 2.0.3.1 2009.04.17 -
    Authentium 5.1.2.4 2009.04.17 -
    Avast 4.8.1335.0 2009.04.17 -
    AVG 8.5.0.287 2009.04.17 -
    BitDefender 7.2 2009.04.17 -
    CAT-QuickHeal 10.00 2009.04.17 -
    ClamAV 0.94.1 2009.04.17 -
    Comodo 1117 2009.04.17 -
    DrWeb 4.44.0.09170 2009.04.17 -
    eSafe 7.0.17.0 2009.04.13 Suspicious File
    eTrust-Vet 31.6.6455 2009.04.14 -
    F-Prot 4.4.4.56 2009.04.17 -
    F-Secure 8.0.14470.0 2009.04.17 -
    Fortinet 3.117.0.0 2009.04.17 Spy/Soft
    GData 19 2009.04.17 -
    Ikarus T3.1.1.49.0 2009.04.17 not-a-Virus.Hacktool.Patch.anydvd
    K7AntiVirus 7.10.707 2009.04.17 -
    Kaspersky 7.0.0.125 2009.04.17 -
    McAfee 5587 2009.04.17 -
    McAfee+Artemis 5587 2009.04.17 -
    McAfee-GW-Edition 6.7.6 2009.04.17 -
    Microsoft 1.4502 2009.04.17 -
    NOD32 4017 2009.04.17 -
    Norman 6.00.06 2009.04.17 -
    nProtect 2009.1.8.0 2009.04.17 -
    Panda 10.0.0.14 2009.04.17 Generic Malware
    PCTools 4.4.2.0 2009.04.17 -
    Prevx1 V2 2009.04.17 High Risk Worm
    Rising 21.25.44.00 2009.04.17 -
    Sophos 4.40.0 2009.04.17 -
    Sunbelt 3.2.1858.2 2009.04.17 -
    Symantec 1.4.4.12 2009.04.17 -
    TheHacker 6.3.4.0.309 2009.04.16 -
    TrendMicro 8.700.0.1004 2009.04.17 PAK_Generic.001
    VBA32 3.12.10.2 2009.04.12 -
    ViRobot 2009.4.17.1698 2009.04.17 -
    VirusBuster 4.6.5.0 2009.04.17 -

    Additional information
    File size: 126976 bytes
    MD5...: a9ea0204d9895d709c865a4b55f090b2
    SHA1..: 7d8c0a9af3a456bf4bc9ad72baa92b86cd5043ed
    SHA256: 76f02e8722049d849b492cf5111b2a8d47bd50a6e351761b1a32be91270c0737
    SHA512: 961524e549a4ec7e9e377ce142bc2af8bbad76938ecdbfaf36d1de1a28d841e141898b67355b5548a371fe4c2a509a0a1d4df8682574454dbd282961d6968916
    ssdeep: 1536:cvHIzqDEw1jfb3/CHYNF5SQsYRJrR5KOf+eVh/NGj6G/MmCANZl67DYlEYozgKlk:a+qDVTjVaQsQJ/KOJ7OCD/zzLoh8s5
    PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
    TrID..: File type identification
    UPX compressed Win32 Executable (39.5%)
    Win32 EXE Yoda's Crypter (34.3%)
    Win32 Executable Generic (11.0%)
    Win32 Dynamic Link Library (generic) (9.8%)
    Generic Win/DOS Executable (2.5%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x35f50
    timedatestamp.....: 0x42b47c05 (Sat Jun 18 19:54:45 2005)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x17000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x18000 0x1f000 0x1e200 7.91 4119a069aa5dc0d9f5128521870c16d8
    .rsrc 0x37000 0x1000 0xa00 4.46 4f8c0f0a166e7b449fc7602452dae759

    ( 5 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
    > advapi32.dll: RegOpenKeyA
    > comctl32.dll: InitCommonControls
    > user32.dll: LoadIconA
    > winmm.dll: waveOutOpen

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    packers (Kaspersky): UPX
    packers (F-Prot): UPX
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=7BB9D85C000ABD98F065012EE015FE00EBBABE73
    CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=a9ea0204d9895d709c865a4b55f090b2


    FILE LICENCE_MANAGER_ESD.exe:

    File Licence_Manager_ESD.exe received on 04.17.2009 20:01:46 (CET)
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.04.17 -
    AhnLab-V3 5.0.0.2 2009.04.17 -
    AntiVir 7.9.0.143 2009.04.17 -
    Antiy-AVL 2.0.3.1 2009.04.17 Backdoor/Win32.Agent
    Authentium 5.1.2.4 2009.04.17 -
    Avast 4.8.1335.0 2009.04.17 -
    AVG 8.5.0.287 2009.04.17 -
    BitDefender 7.2 2009.04.17 -
    CAT-QuickHeal 10.00 2009.04.17 -
    ClamAV 0.94.1 2009.04.17 -
    Comodo 1117 2009.04.17 Unclassified Malware
    DrWeb 4.44.0.09170 2009.04.17 -
    eSafe 7.0.17.0 2009.04.13 -
    eTrust-Vet 31.6.6455 2009.04.14 -
    F-Prot 4.4.4.56 2009.04.17 -
    F-Secure 8.0.14470.0 2009.04.17 -
    Fortinet 3.117.0.0 2009.04.17 -
    GData 19 2009.04.17 -
    Ikarus T3.1.1.49.0 2009.04.17 -
    K7AntiVirus 7.10.707 2009.04.17 Trojan.Win32.Malware.1
    Kaspersky 7.0.0.125 2009.04.17 -
    McAfee 5587 2009.04.17 -
    McAfee+Artemis 5587 2009.04.17 -
    McAfee-GW-Edition 6.7.6 2009.04.17 -
    Microsoft 1.4502 2009.04.17 -
    NOD32 4017 2009.04.17 -
    Norman 6.00.06 2009.04.17 -
    nProtect 2009.1.8.0 2009.04.17 -
    Panda 10.0.0.14 2009.04.17 -
    PCTools 4.4.2.0 2009.04.17 -
    Prevx1 V2 2009.04.17 -
    Rising 21.25.44.00 2009.04.17 -
    Sophos 4.40.0 2009.04.17 -
    Sunbelt 3.2.1858.2 2009.04.17 -
    Symantec 1.4.4.12 2009.04.17 -
    TheHacker 6.3.4.0.309 2009.04.16 -
    TrendMicro 8.700.0.1004 2009.04.17 -
    VBA32 3.12.10.2 2009.04.12 -
    ViRobot 2009.4.17.1698 2009.04.17 -
    VirusBuster 4.6.5.0 2009.04.17 -

    Additional information
    File size: 69120 bytes
    MD5...: 4c1a177f07cff8dee3bdbedb9f8713e5
    SHA1..: a3a2c661eb0cec8b1f5f0c056f5689ef1f5e8e66
    SHA256: 06b7521dae3aab997b3a5e9b71c1abc86c616f585091cc901f20a5b94705c603
    SHA512: 97367a2f5adb33a9683cbf4094f2812181c11e4ee6bc2400b06ba0df7629c82c9b393164a6271ef778e8aae88b30a3dacda1c9fc65ac41f1457fa9d809b857f9
    ssdeep: 1536:JpRD0f8eRPm2wdoIw/SSLTLwv6E4xLbFRT4eSocXsiLm:JAfZR+2wdTw6Ypz5FRT4eSocXsem
    PEiD..: Armadillo v1.71
    TrID..: File type identification
    Win64 Executable Generic (59.6%)
    Win32 Executable MS Visual C++ (generic) (26.2%)
    Win32 Executable Generic (5.9%)
    Win32 Dynamic Link Library (generic) (5.2%)
    Generic Win/DOS Executable (1.3%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x5300
    timedatestamp.....: 0x406164ee (Wed Mar 24 10:37:34 2004)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0xbc5a 0xbe00 6.60 f0e8256080c2f07e025d5e685773b03b
    .rdata 0xd000 0x13a0 0x1400 5.35 8834cb9bef0f0ec2a506acea8d1e2833
    .data 0xf000 0x524c 0x3400 1.51 3628767aeb025aa36b73ce03a88dfcfe
    .rsrc 0x15000 0x1000 0x400 3.64 bb5472a41f62bc79ec6149678ddbd0f2

    ( 3 imports )
    > KERNEL32.dll: GetOverlappedResult, WaitForMultipleObjectsEx, ConnectNamedPipe, GetTickCount, ReleaseMutex, FindClose, FindNextFileA, FindFirstFileA, CreateDirectoryA, ResumeThread, DisconnectNamedPipe, EnterCriticalSection, WaitForSingleObject, OpenProcess, GetModuleFileNameA, QueryDosDeviceA, SetWaitableTimer, CreateWaitableTimerA, SuspendThread, SetEvent, InitializeCriticalSection, LoadLibraryA, CreateEventA, CreateMutexA, CreateNamedPipeA, CreateThread, FreeLibrary, WaitForSingleObjectEx, WriteFile, GetVersionExA, GetLastError, GetSystemDirectoryA, SetFilePointer, ReadFile, lstrlenA, CreateFileA, LeaveCriticalSection, GetProcAddress, HeapFree, CloseHandle, DeviceIoControl, HeapAlloc, RtlUnwind, InterlockedDecrement, InterlockedIncrement, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetCommandLineA, GetVersion, ExitProcess, GetModuleHandleA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, HeapSize, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, CompareStringW, SetEnvironmentVariableA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetCPInfo, GetACP, GetOEMCP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetStringTypeA, GetStringTypeW, SetStdHandle, FlushFileBuffers, CompareStringA
    > USER32.dll: wsprintfA
    > ADVAPI32.dll: QueryServiceConfigA, RegDeleteValueA, RegSetValueExA, RegCreateKeyExA, RegOpenKeyExA, RegEnumKeyExA, RegCloseKey, RegDeleteKeyA, RegisterEventSourceA, ReportEventA, DeregisterEventSource, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenSCManagerA, OpenServiceA, CloseServiceHandle, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, StartServiceCtrlDispatcherA, GetLengthSid, RegQueryValueExA

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=4c1a177f07cff8dee3bdbedb9f8713e5

     
  7. 2009/04/17
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,

    OTMoveIt looked frozen, so I copied the log file from the directory on the C: drive. Then I noticed the box that prompted a reboot. Here is the log that came up after reboot.

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== FILES ==========
    c:\documents and settings\all users\start menu\programs\GAIN moved successfully.
    C:\Program Files\WebEx\ieatgpc.dll unregistered successfully.
    C:\Program Files\WebEx\ieatgpc.dll moved successfully.
    File/Folder C:\Windows\System32\pushow11.dll not found.
    C:\Documents and Settings\Jana\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181 moved successfully.
    C:\Documents and Settings\Jana\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance moved successfully.
    C:\Documents and Settings\Jon\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181 moved successfully.
    C:\Documents and Settings\Jon\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance moved successfully.
    ========== REGISTRY ==========
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E955-11D0-A707-000000521958}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}\\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C}\\ not found.
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    Network Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\mcafee_bJYSOV3Sh6xj8uz scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcafee_MNRCvfCjgO14Rhd scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_bbd1fHGw38v2wO8 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_Fw6ei8SAPFjBXfD scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_qKQu7Nggqed7ez0 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_254.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_504.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5f0.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_123448

    Files moved on Reboot...
    File C:\WINDOWS\temp\mcafee_bJYSOV3Sh6xj8uz not found!
    File C:\WINDOWS\temp\mcafee_MNRCvfCjgO14Rhd not found!
    File C:\WINDOWS\temp\mcmsc_bbd1fHGw38v2wO8 not found!
    File C:\WINDOWS\temp\mcmsc_Fw6ei8SAPFjBXfD not found!
    File C:\WINDOWS\temp\mcmsc_qKQu7Nggqed7ez0 not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_254.dat not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_504.dat not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_5f0.dat not found!
     
  8. 2009/04/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal.


    We need to remove the files that came back as infected.

    Double click on OTMoveIt3 by OldTimer to open the program.

    • Copy the lines in the codebox below. ( Make sure you include :processes )
    Code:
    :Processes
    explorer.exe
    :Files
    C:\Program Files\SlySoft\Slysoft.exe
    C:\Program Files\SlySoft\AnyDVD\Slysoft.exe
    C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Close ALL open windows (especially Internet Explorer!)
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.



    Post:
    OTMoveIt log
    new HJT log
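The "files that came back as infected" are the ones whose VirusTotal listings above show engine verdicts other than "-". As an added example (not code from this thread, VirusTotal or OTMoveIt), here is a small Python triage script for the two listing layouts pasted in this thread: it counts the engines that flagged a file, lists their labels, and marks engines whose signature databases were several days older than the scan, since a "-" from a stale engine says less about the file. The sample rows are constructed from the Slysoft.exe and Licence_Manager_ESD.exe listings posted above; the two-day staleness threshold is an assumption.

```python
"""Triage a pasted VirusTotal result listing in the 2009-era layouts seen in
this thread: the space-separated table ("Engine Version Date Result") and the
semicolon-separated export ("Engine;Version;Date;Result").  Added example, not
code from the thread, VirusTotal or OTMoveIt; samples are constructed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SIG_DATE_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})$")            # signature date, YYYY.MM.DD
RECEIVED_RE = re.compile(r"received on (\d{2})\.(\d{2})\.(\d{4})")  # scan date in header, MM.DD.YYYY

@dataclass
class Verdict:
    engine: str
    version: str
    updated: date          # date of the signature database the engine used
    result: Optional[str]  # None when the engine returned "-" (no detection)

def _sig_date(token: str) -> Optional[date]:
    m = SIG_DATE_RE.match(token)
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def parse_line(line: str) -> Optional[Verdict]:
    """Parse one engine row in either layout; header and free-text lines give None."""
    line = line.strip()
    if ";" in line:
        parts = [p.strip() for p in line.split(";", 3)]
        if len(parts) != 4:
            return None
        engine, version, updated, result = parts
    else:
        parts = line.split()
        # Engine, version and date are single tokens; the verdict may contain spaces.
        if len(parts) < 4:
            return None
        engine, version, updated = parts[:3]
        result = " ".join(parts[3:])
    when = _sig_date(updated)
    if when is None:  # rejects "Antivirus;Version;Last Update;Result" and the "File ... received" line
        return None
    return Verdict(engine, version, when, None if result == "-" else result)

def scan_date(text: str) -> Optional[date]:
    """Scan date from the 'File X received on MM.DD.YYYY ...' header, if present."""
    m = RECEIVED_RE.search(text)
    return date(int(m.group(3)), int(m.group(1)), int(m.group(2))) if m else None

def parse_listing(text: str) -> List[Verdict]:
    return [v for v in map(parse_line, text.splitlines()) if v is not None]

def summarize(text: str, max_sig_age_days: int = 2) -> Dict[str, object]:
    """Detection ratio, the engines that flagged the file with their labels, and
    engines whose signatures were more than max_sig_age_days old at scan time
    (a "-" from such an engine is weaker evidence that the file is clean)."""
    verdicts = parse_listing(text)
    # Without a "received on" header, fall back to the newest signature date seen.
    scanned = scan_date(text) or max((v.updated for v in verdicts), default=None)
    flagged = {v.engine: v.result for v in verdicts if v.result is not None}
    stale: List[str] = []
    if scanned is not None:
        cutoff = scanned - timedelta(days=max_sig_age_days)
        stale = [v.engine for v in verdicts if v.updated < cutoff]
    return {"engines": len(verdicts), "detections": len(flagged),
            "flagged_by": flagged, "stale_engines": stale}

# Constructed sample: a subset of the Slysoft.exe table posted in the thread.
SLYSOFT_TABLE = """\
File Slysoft.exe received on 04.17.2009 19:48:20 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.17 Riskware.Hacktool.Patch.anydvd!IK
eSafe 7.0.17.0 2009.04.13 Suspicious File
Fortinet 3.117.0.0 2009.04.17 Spy/Soft
Ikarus T3.1.1.49.0 2009.04.17 not-a-Virus.Hacktool.Patch.anydvd
Kaspersky 7.0.0.125 2009.04.17 -
Panda 10.0.0.14 2009.04.17 Generic Malware
Prevx1 V2 2009.04.17 High Risk Worm
TrendMicro 8.700.0.1004 2009.04.17 PAK_Generic.001
VBA32 3.12.10.2 2009.04.12 -
"""

# Constructed sample: a subset of the Licence_Manager_ESD.exe semicolon export.
LICENCE_CSV = """\
Antivirus;Version;Last Update;Result
a-squared;4.0.0.101;2009.04.17;-
Antiy-AVL;2.0.3.1;2009.04.17;Backdoor/Win32.Agent
Comodo;1117;2009.04.17;Unclassified Malware
eTrust-Vet;31.6.6455;2009.04.14;-
K7AntiVirus;7.10.707;2009.04.17;Trojan.Win32.Malware.1
Kaspersky;7.0.0.125;2009.04.17;-
"""

if __name__ == "__main__":
    for name, listing in (("Slysoft.exe", SLYSOFT_TABLE), ("Licence_Manager_ESD.exe", LICENCE_CSV)):
        s = summarize(listing)
        print(f"{name}: {s['detections']}/{s['engines']} flagged; {s['flagged_by']}; stale: {s['stale_engines']}")
```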
     
  9. 2009/04/17
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,
    Thank you for all of your help.

    Latest logs below:

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== FILES ==========
    C:\Program Files\SlySoft\Slysoft.exe moved successfully.
    C:\Program Files\SlySoft\AnyDVD\Slysoft.exe moved successfully.
    C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe moved successfully.
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    Network Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\mcafee_2g4X3aLQyCS9ST8 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcafee_kTcJleMyxiIiQ1S scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_KJOomcO6aOfvYi0 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_KJOomcO6aOfvYi0-journal scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_QDBiqRqxGeSYqYJ scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_YQrmOTEBcPeWvri scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_258.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4e8.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_624.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_174732

    Files moved on Reboot...
    File C:\WINDOWS\temp\mcafee_2g4X3aLQyCS9ST8 not found!
    File C:\WINDOWS\temp\mcafee_kTcJleMyxiIiQ1S not found!
    File C:\WINDOWS\temp\mcmsc_KJOomcO6aOfvYi0 not found!
    File C:\WINDOWS\temp\mcmsc_KJOomcO6aOfvYi0-journal not found!
    File C:\WINDOWS\temp\mcmsc_QDBiqRqxGeSYqYJ not found!
    File C:\WINDOWS\temp\mcmsc_YQrmOTEBcPeWvri not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_258.dat not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_4e8.dat not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_624.dat not found!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:55:45 PM, on 4/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache.midco.net:3128
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://remote.nisc.coop/XTSAC.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.nisc.coop/msrdp.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.cardbox.net/download/msxml4.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://nisc.webex.com/client/T25L/support/ieatgpc.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: McAfee Application Installer Cleanup (0279701239904340) (0279701239904340mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027970~1.EXE (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe (file missing)
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Mqdfm2vc - McAfee, Inc. - (no file)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

    --
    End of file - 14123 bytes
     
  10. 2009/04/18
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Logs look good now, how's the computer?


    Let's close an exploit on your computer.

    Your version of Adobe is out of date.

    You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
    For more information and links to Adobe updates and downloads click here.



    NEXT**
    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)


    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    (Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 9.0\Reader\reader_sl.exe
    (Description: Adobe reader startup - unnecessarily uses system resources.)

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    (Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)


    You need to reboot the computer to set the registry.

    Post back and let me know if we're ready for final clean up.
     
  11. 2009/04/18
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,

    I have updated with the latest version of Acrobat and Flash Player. HJT has been run to fix the specified processes and the PC has been rebooted. I think I'm ready for the final cleanup.
     
  12. 2009/04/18
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal.


    You can delete the below
    RegQuery
    RegQuery log



    Don't miss or skip this next step; this will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u; it needs to be there.
    Example below




    NEXT**
    Next open OTMoveIt, then click on "CleanUp!".
    If you receive a warning from your Firewall please allow...
    In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.
    Do not edit anything in that Window!
    Don't worry if it displays some tools you didn't download/use.
    Click Yes when it asks to Begin cleanup process.

    Then reboot your computer.




    You're good to go, good job!



    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  13. 2009/04/18
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,

    Thank you for your time and patience. You have saved me months of work by getting things back on track. I work for a software company that focuses on the telecom industry and our Technical Support people told me to reformat!! You provide a priceless service and I commend you and the others that give your own time to help others expecting nothing in return. You all have my respect and gratitude. If there is any way to donate to windowsbbs please let me know....again thank you.

    jjabo7
     
  14. 2009/04/18
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Well now!
    You tell those Nincompoops they didn't know what they were talking about!

    It pleases me to know I was able to help.


    http://www.windowsbbs.com/subscribe.php
    The above link will allow you to donate money to help us pay for computer hardware, the internet connection, server software, and other fees that apply directly to running the site.


    jjabo7, safe surfing.
     