
Don't know what else is wrong


  • This topic is locked
36 replies to this topic

#1 user111

  • Members
  • 22 posts

Posted 12 February 2009 - 02:04 PM

I've used SuperAntiSpyware to remove what it could find, but I'm still getting popups and still getting redirected, and if I try to run SuperAntiSpyware outside of safe mode, after about 15 minutes I get a blue screen about a serious error and the computer shuts down.
Please help!


DDS (Ver_09-02-01.01) - NTFSx86
Run by Alex at 13:59:55.15 on Thu 02/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.504 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Alex\Application Data\cogad\cogad.exe
C:\Documents and Settings\Alex\Application Data\Twain\Twain.exe
C:\Documents and Settings\Alex\Application Data\SpeedRunner\SpeedRunner.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {26e00195-f57d-412c-a85d-9f5973bae303} - c:\windows\system32\gubebusi.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: {8615ed77-71f7-3388-8564-ea6cbe577925}: {529775eb-c6ae-4658-8833-7f1777de5168} - c:\windows\system32\qhfewa.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.2.0.7\IPSBHO.DLL
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkLDWQh.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: worldadmarketplace: {dcbbb21b-8cc8-dd70-51c4-571b7f9aa9ba} - c:\windows\system32\nsqD.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fa06e0cd-9007-4de3-a50d-ab62886860dc} - c:\windows\system32\vtUmkiiI.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cogad] "c:\documents and settings\alex\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [Twain] c:\documents and settings\alex\application data\twain\Twain.exe
uRun: [VnrPack23] "c:\program files\vnrpack\VnrPack23.exe"
uRun: [SpeedRunner] c:\documents and settings\alex\application data\speedrunner\SpeedRunner.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [c4d5fdce] rundll32.exe "c:\windows\system32\suhwcdcf.dll",b
mRun: [garifawusu] Rundll32.exe "c:\windows\system32\bubopoyu.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - hxxp://zone.msn.com/bingame/rock/default/popcaploader1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4933/mcfscan.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: jkkLDWQh - jkkLDWQh.dll
AppInit_DLLs: qhfewa.dll,c:\windows\system32\yoguyutu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkLDWQh.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\yoguyutu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\1owjswi1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www13.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www13.yoog.com/search.php?q=
FF - component: c:\program files\mozilla firefox\components\24fa051d-bc40-ca68-ac30-3e58e8c4c3cd.dll
FF - component: c:\program files\mozilla firefox\components\srff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www13.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www13.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: google.toolbar.linkdoctor.enabled - false

============= SERVICES / DRIVERS ===============

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 10368]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2005-7-15 6097]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1002000.007\SymEFA.sys [2009-2-12 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1002000.007\BHDrvx86.sys [2009-2-12 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1002000.007\cchpx86.sys [2009-2-12 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20080826.006\IDSxpx86.sys [2009-2-12 274808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-16 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-16 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-2-16 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-1 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-12 99376]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-16 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-16 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-16 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-16 40488]
S0 gqojmjal;gqojmjal;c:\windows\system32\drivers\jgxlomei.sys [2009-2-7 25088]
S0 ljbiugbl;ljbiugbl;c:\windows\system32\drivers\atycikgl.sys []
S0 uomrutkg;uomrutkg;c:\windows\system32\drivers\uduyiqiv.sys --> c:\windows\system32\drivers\uduyiqiv.sys [?]
S1 $sys$crater;$sys$crater;\??\c:\windows\system32\$sys$filesystem\crater.sys --> c:\windows\system32\$sys$filesystem\crater.sys [?]
S2 CD_Proxy;XCP CD Proxy;c:\windows\CDProxyServ.exe [2004-6-22 167936]
S3 20910;20910;\??\c:\docume~1\michael\locals~1\temp\20910.sys --> c:\docume~1\michael\locals~1\temp\20910.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\luba\locals~1\temp\krdpdre.sys --> c:\docume~1\luba\locals~1\temp\krdpdre.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-16 33832]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090211.048\NAVENG.SYS [2009-2-12 89104]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090211.048\NAVEX15.SYS [2009-2-12 876112]
S3 Pptportfill;Pptportfill;c:\windows\system32\drivers\isapnp.sys [2001-8-17 37248]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2005-7-15 299923]
S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\xdva224.sys --> c:\windows\system32\XDva224.sys [?]
S4 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.2.0.7\ccSvcHst.exe [2009-2-12 115560]

=============== Created Last 30 ================

2009-02-12 13:48 <DIR> --d----- c:\docume~1\alex\applic~1\SUPERAntiSpyware.com
2009-02-12 13:19 71,168 a------- c:\windows\system32\~.exe
2009-02-12 12:18 <DIR> --d----- C:\backups
2009-02-12 11:27 <DIR> --d----- c:\program files\Norton Support
2009-02-12 09:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-12 09:52 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-02-12 09:51 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-12 09:51 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-12 09:51 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-12 09:51 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-12 09:51 <DIR> --d----- c:\program files\Symantec
2009-02-12 09:51 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-02-12 09:51 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-02-12 09:51 <DIR> --d----- c:\program files\Norton AntiVirus
2009-02-12 09:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-02-12 09:50 <DIR> --d----- c:\program files\NortonInstaller
2009-02-12 09:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-02-11 23:52 125,440 a------- c:\windows\system32\qhfewa.dll
2009-02-11 23:52 125,440 a------- c:\windows\system32\niidwuxp.dll
2009-02-11 23:52 <DIR> --d----- c:\windows\zoui
2009-02-11 23:52 <DIR> --d----- c:\program files\common files\zoui
2009-02-11 23:51 1,537,181 ---sh--- c:\windows\system32\fcdcwhus.ini
2009-02-11 23:51 83,456 a------- c:\windows\system32\suhwcdcf.dll
2009-02-11 00:28 552 a------- c:\windows\system32\d3d8caps.dat
2009-02-10 23:54 24,064 a------- c:\windows\system32\998.exe
2009-02-10 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-10 23:50 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-10 23:00 1 a------- c:\windows\system32\uniq.tll
2009-02-10 22:59 24,064 a------- c:\windows\system32\frmwrk32.exe
2009-02-10 22:59 48,128 a------- c:\windows\system32\efcCVLET.dll
2009-02-10 22:39 126,464 a------- c:\windows\system32\zecdae.dll
2009-02-10 22:39 126,464 a------- c:\windows\system32\hrobrmbt.dll
2009-02-10 22:39 1,530,380 ---sh--- c:\windows\system32\coovkbts.ini
2009-02-10 22:39 86,016 a------- c:\windows\system32\stbkvooc.dll
2009-02-10 19:13 42,320 a------- c:\windows\system32\xfcodec.dll
2009-02-09 21:27 85,637 a------- c:\windows\system32\2162dd62-c61d-2ae2-dd89-e79775f1d47b.exe
2009-02-09 21:27 48,266 a------- c:\windows\system32\bqxrqtolfouccdgu.exe
2009-02-08 19:12 <DIR> --d----- c:\docume~1\alex\applic~1\SpeedRunner
2009-02-08 18:42 1,989 a------- c:\windows\uninstall_nmon.vbs
2009-02-08 18:42 <DIR> --dsh--- c:\windows\TmF0YWxpeWEgQm9nb3BvbHNrYXlh
2009-02-08 18:32 <DIR> --d----- c:\docume~1\alex\applic~1\Twain
2009-02-08 18:27 <DIR> --d----- c:\program files\WebShow
2009-02-08 18:22 <DIR> --d----- c:\program files\Mjcore
2009-02-07 22:04 383 a--sh--- c:\windows\system32\lTEgPqru.ini2
2009-02-07 22:04 383 a--sh--- c:\windows\system32\lTEgPqru.ini
2009-02-07 22:04 25,088 a------- c:\windows\system32\drivers\jgxlomei.sys
2009-02-07 18:16 <DIR> --d----- c:\docume~1\alex\applic~1\cogad
2009-02-07 18:09 48,640 a------- c:\windows\system32\byXQKdAT.dll
2009-02-07 18:07 89,510 a--sh--- c:\windows\system32\IiikmUtv.ini2
2009-02-07 18:07 89,510 a--sh--- c:\windows\system32\IiikmUtv.ini
2009-02-07 18:07 3,024 a------- c:\windows\ljbiugbl
2009-02-07 18:01 51,200 a------- c:\windows\system32\jkkLDWQh.dll
2009-02-05 16:05 673,280 a------- c:\windows\system32\nsqD.dll
2009-01-31 13:00 <DIR> --d----- C:\BS1pr20085
2009-01-31 12:40 <DIR> --d----- c:\docume~1\alex\applic~1\ICAClient
2009-01-31 12:40 <DIR> --d----- c:\docume~1\alex\applic~1\Runaware
2009-01-31 11:13 <DIR> --d----- c:\program files\Yahoo!
2009-01-21 07:45 <DIR> --d----- c:\program files\iTunes
2009-01-21 07:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-21 07:43 <DIR> --d----- c:\program files\Bonjour
2009-01-21 00:24 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-01-21 00:21 <DIR> --d----- c:\program files\Skype
2009-01-19 08:30 <DIR> --d----- c:\windows\system32\IOSUBSYS

==================== Find3M ====================

2009-01-22 12:57 81,888 ac------ c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-01-11 14:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-10-13 12:00 486,128 a------- c:\documents and settings\all users\ChromeSetup.exe
2005-12-16 20:37 3,656,557 a------- c:\documents and settings\all users\LimeWireWin.zip
2005-12-09 07:23 347,690 ---sh--- c:\windows\system32\acbeg.bak1
2006-01-11 19:40 326,406 ---sh--- c:\windows\system32\acbeg.bak2
2006-01-11 21:00 384,946 ---sh--- c:\windows\system32\acbeg.ini2
0000-00-00 00:00 71,168 a--sh--- c:\windows\system32\bubopoyu.dll
2005-12-09 07:23 557,108 a--sh--- c:\windows\system32\gebca.dll
0000-00-00 00:00 71,168 a--sh--- c:\windows\system32\gubebusi.dll
2007-02-05 14:48 10,856 ac-sh--- c:\windows\system32\KGyGaAvL.sys
0000-00-00 00:00 71,168 a--sh--- c:\windows\system32\yoguyutu.dll
2008-05-10 16:59 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051020080511\index.dat
2005-08-02 16:46 187,904 a--shr-- c:\windows\tmf0ywxpewegqm9nb3bvbhnryxlh\asappsrv.dll
2005-08-02 16:58 293,888 a--shr-- c:\windows\tmf0ywxpewegqm9nb3bvbhnryxlh\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\tmf0ywxpewegqm9nb3bvbhnryxlh\nAIXsqUDyqH0kA6Bva1SvJhOsr51.vbs

============= FINISH: 14:02:02.40 ===============


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 February 2009 - 12:18 AM

Hello user111,

Please download Malwarebytes' Anti-Malware from Here or Here

  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.


#3 user111

  • Topic Starter
  • Members
  • 22 posts

Posted 16 February 2009 - 05:03 PM

Hi, thank you for the reply.
This is the log.

P.S. I could only run it in safe mode, because none of the antivirus programs work in normal mode.
Also, now I keep getting new popups every few seconds about the Generic Dropper trojan; the popups are from McAfee saying the trojan was removed.

Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.1.2600 Service Pack 3

2/16/2009 4:29:33 PM
mbam-log-2009-02-16 (16-29-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 378845
Time elapsed: 1 hour(s), 39 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 30
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 5
Files Infected: 87

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\yoguyutu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\hs78344kjkfd.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26e00195-f57d-412c-a85d-9f5973bae303} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{26e00195-f57d-412c-a85d-9f5973bae303} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atldistrib.atldistrib (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atldistrib.atldistrib.1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gqojmjal (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gqojmjal (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gqojmjal (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\DLP.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\garifawusu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4d5fdce (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnugu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Backdoor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yoguyutu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yoguyutu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\yoguyutu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\TmF0YWxpeWEgQm9nb3BvbHNrYXlh (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\gebca.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\acbeg.bak1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\acbeg.bak2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\acbeg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\acbeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\stbkvooc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\coovkbts.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bubopoyu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gubebusi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hs78344kjkfd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yoguyutu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Kwohodowurafoxos.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temp\winlognn.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\cwxwwgtl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\dykhyp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\jttgds.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\backups\backup-20090212-121904-606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\backups\backup-20090212-121904-939.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\backups\backup-20090212-122109-475.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\backups\backup-20090212-122109-652.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\axercnowms.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\banner_220.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\carmxoesnw.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\cmdinst.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\__15.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\__5E.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\__5F.tmp (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\Temporary Internet Files\Content.IE5\U3XVDDYP\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\Temporary Internet Files\Content.IE5\U3XVDDYP\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\2Q8IQH7M\xgRhMeSX[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\5O1MOFOA\103[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\AYQFDTAD\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\CCU2NIK8\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temp\350084154.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temp\bj9qky6.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temp\qffrkj5rajc9.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temp\ukj5imc2b.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temp\urpn86qfhrb.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temp\ydeiplv.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temporary Internet Files\Content.IE5\2AOEJHMU\bbsuper2[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temporary Internet Files\Content.IE5\2AOEJHMU\surboccgqn[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temporary Internet Files\Content.IE5\ADAF89AB\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temporary Internet Files\Content.IE5\AQ2PD5CY\bluivja[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temporary Internet Files\Content.IE5\KT2Z01MB\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temporary Internet Files\Content.IE5\UJSYN19K\khreff[1].htm (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temporary Internet Files\Content.IE5\WISWZNCD\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Entertainment\Local Settings\Temporary Internet Files\Content.IE5\YLFSXOF6\pifccddur[1].txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\A0NWHB21\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nataliya\Local Settings\Temporary Internet Files\Content.IE5\KTAFG1IN\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\zoui\zouid\zouic.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\WebShow\WebShow.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\instsp1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\aoubkg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\byXQKdAT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clickfile.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\efcCVLET.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\efcYQHWm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fwyfcffs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jkkLDWQh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msktll.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\niidwuxp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qhfewa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wphhvmsm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xhfqloil.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\~.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\jgxlomei.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\TmF0YWxpeWEgQm9nb3BvbHNrYXlh\asappsrv.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\WINDOWS\TmF0YWxpeWEgQm9nb3BvbHNrYXlh\command.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\WINDOWS\TmF0YWxpeWEgQm9nb3BvbHNrYXlh\nAIXsqUDyqH0kA6Bva1SvJhOsr51.vbs (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rs32net.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\cxfagn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\xyephkl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
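The log above records one detection per line in the form `path (detection name) -> action`. As an added example, not from the original post or from Malwarebytes, the script below shows how a responder can triage such a log before deciding on the next step: it parses constructed sample lines in that format (the file names are made up for illustration), tallies detections by family, and separates out the two groups that deserve attention after the scan: entries marked "Delete on reboot", which are not gone until the machine restarts, and kernel drivers or rootkit-labelled items, which a user-mode scanner cannot reliably remove while they are loaded. The function names are my own.

```python
import re
from collections import Counter

# One Malwarebytes-style result line: <path> (<detection name>) -> <action>
# The path group is greedy so a path containing spaces still parses; the name
# group excludes parentheses so the split happens at the final "(...) ->".
LINE_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# Constructed sample log (file names invented; format matches the real log).
SAMPLE_LOG = r"""
Files Infected:
C:\WINDOWS\SYSTEM32\abcd1234.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\efgh5678.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\sample.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\sample.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\sample\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
"""


def parse_log(text):
    """Return a list of dicts (path, name, family, action) for every result line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines and summary counts are skipped
        name = m["name"]
        entries.append({
            "path": m["path"],
            "name": name,
            # "Trojan.Vundo.H" and "Trojan.Vundo" belong to the same family
            "family": ".".join(name.split(".")[:2]),
            "action": m["action"].rstrip("."),
        })
    return entries


def family_counts(entries):
    """How many hits per malware family, e.g. Counter({'Trojan.Vundo': 2, ...})."""
    return Counter(e["family"] for e in entries)


def pending_reboot(entries):
    """Paths the scanner could not remove yet; they persist until a restart."""
    return [e["path"] for e in entries
            if e["action"].lower().startswith("delete on reboot")]


def kernel_mode_items(entries):
    """Drivers (.sys) and rootkit-labelled items: verify these after reboot,
    because a loaded kernel driver can survive a user-mode clean-up."""
    return [e["path"] for e in entries
            if e["path"].lower().endswith(".sys") or e["name"].startswith("Rootkit")]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("detections:", len(found))
    for family, n in family_counts(found).most_common():
        print(f"  {family}: {n}")
    print("pending reboot:", pending_reboot(found))
    print("kernel-mode items to re-check:", kernel_mode_items(found))
```

Run it against a saved mbam-log-*.txt by replacing `SAMPLE_LOG` with the file contents; a non-empty "pending reboot" list means the machine must be restarted before any follow-up scan is meaningful, and anything in the kernel-mode list is a reason to re-scan after that restart rather than trust the first run.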

#4 SifuMike (malware expert, Staff Emeritus)

Posted 16 February 2009 - 06:10 PM

Hi

This computer is really infected so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee Antivirus before running ComboFix, as it will prevent it from running.

To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

#5 user111 (Topic Starter)

Posted 16 February 2009 - 07:27 PM

ComboFix 09-02-15.01 - Administrator 2009-02-16 18:50:28.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.812 [GMT -5:00]
Running from: c:\documents and settings\Entertainment\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.
ADS - svchost.exe: deleted 32256 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alex\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Alex\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Alex\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Michael\Local Settings\Temporary Internet Files\CPV.stt
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\program files\Mozilla Firefox\components\24fa051d-bc40-ca68-ac30-3e58e8c4c3cd.dll
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\areabomb.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\beetlezap.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bonusrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bonustimer.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bucketfilled.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\clearpyramid.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\colorchain.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\dialogbox.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\drumbeat.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\fillrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\gateopen.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\helptip.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\powerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\rotateboardleft.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\timerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\warning.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\warning2.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\artifacts-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\bar.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\chamber0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\chamber1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\circledoor.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\full_screen_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\global-hs-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\global-hs-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\help-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\help-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\hexfield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\hidden-artifact_icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\large_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\local-hs-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\small_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\textfield.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\trifield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetletatoo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\dirt.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\scarabpost.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\scarabpostovr.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\tritop.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\checkdown.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\checkup.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderknob.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderknobover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderrail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\anwar\look\pl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\bast\look\bl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\kristine\look\kl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\crackedstopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\cursor.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\doorlights.txt
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\fonts\jackarmstrong.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\fonts\lithos.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\greybomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\helptips\arrowkeys.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\helptips\helptip.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\levels\levels.dat
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\disk.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\equilateraltriangle.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\flattri.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\pyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\quad.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\rotatingpyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\scarabpanel.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\p1icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\page1-0.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\page1-1.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\panel1-0-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\panel1-1-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scorecloud.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\setup.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\areashockwave.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_starter.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_tail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\flash.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\rubble.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue0\snake_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\arm01_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\mask01_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\statue01_dirty.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\stopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\timer.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\timerglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\timericon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\tm.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\areabomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\areabombrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\boardfill.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\bricktip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared5.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared6.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\wild.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\wildrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image2.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image3.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\bluebucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\buckettriangle.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\chainlink.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\chaintip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\genericbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\greenbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\redbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallblue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallgreen.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallred.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallyellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\urnglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\urnplatform.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\yellowbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\warning.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\error.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\game.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\gameover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscore.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscoreinfo.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscoresubmit.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\instructions.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\leveldesign.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\levelover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainarcade.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\maincontinue.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\maingames.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainpuzzle.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\maphelptip.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\options.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\pause.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\quitconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\start.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\storyplayer.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\style.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\upsell.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\strings.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\TriJinx.exe
c:\windows\IE4 Error Log.txt
c:\windows\SYSTEM32\998.exe
c:\windows\system32\agmvvufj.dll
c:\windows\system32\bszip.dll
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_1_0_449200.htm
c:\windows\system32\cache329\B_329_1_0_449600.htm
c:\windows\system32\cache329\B_329_1_0_454300.htm
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_1_0_449200.htm
c:\windows\system32\cache329\t_B_329_1_0_449600.htm
c:\windows\system32\cache329\t_B_329_1_0_454300.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\dalaexr.dll
c:\windows\system32\drivers\ati3aixx.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekapxdpxwpu.sys
c:\windows\system32\fcdcwhus.ini
c:\windows\system32\fombwnku.ini
c:\windows\system32\gobgsrla.dll
c:\windows\system32\hrobrmbt.dll
c:\windows\system32\hzwdgj.dll
c:\windows\SYSTEM32\IiikmUtv.ini
c:\windows\system32\IiikmUtv.ini2
c:\windows\system32\lTEgPqru.ini
c:\windows\system32\lTEgPqru.ini2
c:\windows\system32\ntos.exe
c:\windows\system32\osm3of8s3njd.dll
c:\windows\system32\senekacqwqhwbr.dll
c:\windows\system32\senekanvmykmoy.dll
c:\windows\system32\senekatofyxiqh.dat
c:\windows\system32\senekavhowxlvm.dll
c:\windows\system32\senekaxjknujpu.dat
c:\windows\system32\sqpvxtsl.ini
c:\windows\system32\tlumtafp.ini
c:\windows\system32\uniq.tll
c:\windows\system32\wqshlu.dll
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\audio.dll.cla
c:\windows\system32\wsnpoem\video.dll
c:\windows\system32\zecdae.dll
c:\windows\Tasks\cnvzkztv.job
c:\windows\Tasks\vopkfhbt.job
c:\windows\Temp\4071018030.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_$SYS$ARIES
-------\Legacy_$SYS$DRMSERVER
-------\Legacy_ATI3AIXX
-------\Legacy_CD_PROXY
-------\Legacy_FCI
-------\Legacy_TCPSR
-------\Service_ati3aixx
-------\Service_CD_Proxy
-------\Service_fci
-------\Service_tcpsr


((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-16 14:47 . 2009-02-16 14:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-16 14:41 . 2009-02-16 14:41 <DIR> d-------- c:\documents and settings\Entertainment\Application Data\Malwarebytes
2009-02-16 14:40 . 2009-02-16 14:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 14:40 . 2009-02-16 14:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-16 14:40 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-16 14:40 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-16 14:39 . 2009-02-16 14:39 <DIR> d-------- c:\windows\LastGood.Tmp
2009-02-16 14:39 . 2009-02-16 19:11 89,388 --a------ c:\windows\SYSTEM32\DRIVERS\ac9c00.sys
2009-02-16 14:37 . 2009-02-16 14:37 66,560 ---hs---- C:\pfkik.exe
2009-02-16 14:37 . 2009-02-16 14:37 42,496 --a------ c:\windows\SYSTEM32\jreg32.dll
2009-02-16 14:37 . 2009-02-16 14:38 2 --a------ C:\-992608927
2009-02-12 13:48 . 2009-02-12 13:48 <DIR> d-------- c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com
2009-02-12 12:18 . 2009-02-16 16:29 <DIR> d-------- C:\backups
2009-02-12 11:27 . 2009-02-12 11:27 <DIR> d-------- c:\program files\Norton Support
2009-02-12 10:53 . 2009-02-12 10:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-12 09:55 . 2009-02-12 09:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-02-12 09:52 . 2009-02-12 09:51 36,272 -ra------ c:\windows\SYSTEM32\DRIVERS\SymIM.sys
2009-02-12 09:51 . 2009-02-12 09:51 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\NAV
2009-02-12 09:51 . 2009-02-12 09:51 <DIR> d-------- c:\program files\Windows Sidebar
2009-02-12 09:51 . 2009-02-12 09:51 <DIR> d-------- c:\program files\Symantec
2009-02-12 09:51 . 2009-02-12 09:51 <DIR> d-------- c:\program files\Norton AntiVirus
2009-02-12 09:51 . 2009-02-12 09:56 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-12 09:51 . 2009-02-12 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-02-12 09:51 . 2009-02-12 09:51 124,464 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-02-12 09:51 . 2009-02-12 09:51 60,808 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-02-12 09:51 . 2009-02-12 09:51 10,635 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.CAT
2009-02-12 09:51 . 2009-02-12 09:51 806 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.INF
2009-02-12 09:50 . 2009-02-12 09:50 <DIR> d-------- c:\program files\NortonInstaller
2009-02-12 09:50 . 2009-02-12 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-11 23:52 . 2009-02-11 23:52 <DIR> d-------- c:\windows\zoui
2009-02-11 23:52 . 2009-02-12 10:03 <DIR> d-------- c:\program files\Common Files\zoui
2009-02-11 08:20 . 2009-02-11 08:20 <DIR> d-------- c:\documents and settings\Entertainment\Application Data\SUPERAntiSpyware.com
2009-02-11 00:28 . 2009-02-11 00:28 552 --a------ c:\windows\SYSTEM32\d3d8caps.dat
2009-02-10 23:54 . 2009-02-10 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-10 23:50 . 2009-02-10 23:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-10 19:13 . 2009-02-10 19:13 42,320 --a------ c:\windows\SYSTEM32\xfcodec.dll
2009-02-09 21:27 . 2009-02-09 21:27 85,637 --a------ c:\windows\SYSTEM32\2162dd62-c61d-2ae2-dd89-e79775f1d47b.exe
2009-02-09 21:27 . 2009-02-09 21:27 48,266 --a------ c:\windows\SYSTEM32\bqxrqtolfouccdgu.exe
2009-02-08 18:32 . 2009-02-13 07:13 <DIR> d-------- c:\documents and settings\Alex\Application Data\Twain
2009-02-08 18:27 . 2009-02-16 16:29 <DIR> d-------- c:\program files\WebShow
2009-02-07 18:07 . 2009-02-16 19:11 3,024 --a------ c:\windows\ljbiugbl
2009-02-05 16:05 . 2009-02-05 16:05 673,280 --a------ c:\windows\SYSTEM32\nsqD.dll
2009-02-01 11:06 . 2009-02-01 11:07 <DIR> d-------- c:\documents and settings\Alex\Application Data\Apple Computer
2009-01-31 13:00 . 2009-02-07 19:47 <DIR> d-------- C:\BS1pr20085
2009-01-31 12:40 . 2009-01-31 12:40 <DIR> d-------- c:\documents and settings\Alex\Application Data\Runaware
2009-01-31 12:40 . 2009-01-31 12:40 <DIR> d-------- c:\documents and settings\Alex\Application Data\ICAClient
2009-01-31 11:14 . 2009-01-31 11:14 <DIR> d-------- c:\documents and settings\Alex\Application Data\Yahoo!
2009-01-31 11:13 . 2009-02-07 19:50 <DIR> d-------- c:\program files\Yahoo!
2009-01-31 11:13 . 2009-02-07 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-22 17:30 . 2009-01-29 14:43 <DIR> d-------- c:\documents and settings\Entertainment\Application Data\Apple Computer
2009-01-22 14:22 . 2009-01-22 14:23 <DIR> d-------- c:\documents and settings\Entertainment\Application Data\Money Manager Ex
2009-01-21 07:45 . 2009-01-21 07:45 <DIR> d-------- c:\program files\iTunes
2009-01-21 07:45 . 2009-01-21 07:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-21 07:43 . 2009-01-21 07:43 <DIR> d-------- c:\program files\Bonjour
2009-01-21 07:40 . 2009-01-21 07:40 <DIR> d-------- c:\program files\Apple Software Update
2009-01-21 00:24 . 2009-01-21 00:24 56 --ah----- c:\windows\SYSTEM32\ezsidmv.dat
2009-01-21 00:21 . 2009-01-21 00:21 <DIR> d-------- c:\program files\Skype
2009-01-21 00:21 . 2009-01-21 00:21 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-21 00:21 . 2009-01-21 00:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-01-19 08:30 . 2009-01-19 08:30 <DIR> d-------- c:\windows\SYSTEM32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 12:15 --------- d-----w c:\program files\McAfee
2009-02-11 04:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-11 03:57 --------- d-----w c:\documents and settings\Michael\Application Data\Xfire
2009-02-08 00:48 --------- d-----w c:\program files\LimeWire
2009-02-08 00:44 --------- d-----w c:\program files\Common Files\Apple
2009-01-21 12:45 --------- d-----w c:\program files\iPod
2009-01-21 12:43 --------- d-----w c:\program files\QuickTime
2009-01-19 13:30 --------- d-----w c:\program files\Google
2009-01-12 20:14 --------- d-----w c:\program files\Common Files\Adobe
2009-01-12 19:41 --------- d-----w c:\program files\uTorrent
2009-01-11 19:43 --------- d-----w c:\program files\Java
2008-10-13 17:00 486,128 ----a-w c:\documents and settings\All Users\ChromeSetup.exe
2008-06-14 01:34 61,224 ----a-w c:\documents and settings\Michael\GoToAssistDownloadHelper.exe
2007-02-17 04:36 439,296 ----a-w c:\documents and settings\Michael\GoToAssist_phone__317_en.exe
2005-12-17 01:37 3,656,557 ----a-w c:\documents and settings\All Users\LimeWireWin.zip
2005-10-21 21:59 863 ----a-w c:\documents and settings\Incomplete\downloads.dat
2007-02-05 19:48 10,856 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2008-05-10 21:59 32,768 -csha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="c:\program files\Common Files\Ahead\Lib\NeroScoutOptions.exe" [2005-09-04 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-01-12 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hzwdgj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Luba^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Luba\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Luba^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=c:\documents and settings\Luba\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=c:\windows\pss\AOL OpenRide.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^V CAST Music Monitor.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\V CAST Music Monitor.lnk
backup=c:\windows\pss\V CAST Music Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]
NOT_IN_USE_DUMMY_PATH [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 21:42 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-08-25 12:52 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-03 15:18 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a--c--- 2005-12-10 09:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 10:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-11-16 01:05 127035 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-11-15 12:12 473928 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 19:52 50736 c:\program files\Common Files\AOL\1140756379\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2004-05-12 14:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2004-02-12 12:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2004-06-29 10:23 135168 c:\program files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2006-07-12 17:40 36864 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2007-08-04 01:33 582992 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-12-06 13:10 419152 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 07:58 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-07-29 18:34 5354792 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 11:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 11:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2006-08-30 11:46 183367 c:\program files\Plaxo\2.11.1.5\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2004-10-14 15:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-09-27 06:59 81920 c:\docume~1\Michael\MYDOCU~1\MYPROG~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a--c--- 2008-01-21 11:17 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a--c--- 2005-07-22 23:25 28160 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPTISRV"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\Steam.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\berserk_fury89\\counter-strike source\\hl2.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\berserk_fury89\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\berserk_fury89\\half-life 2\\hl2.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 7 Home\\cuteftp.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\Program Files\\Army Operations\\System\\ArmyOps.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\FileZilla\\FileZilla.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\FileZilla\\FzSFtp.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\berserk_fury89\\dedicated server\\hlds.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140756379\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140756379\\ee\\aim6.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140756379\\ee\\AOLOpenRide.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\genemech\\condition zero\\hl.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15491:TCP"= 15491:TCP:BitComet 15491 TCP
"15491:UDP"= 15491:UDP:BitComet 15491 UDP

R0 $sys$cor;$sys$cor;c:\windows\SYSTEM32\DRIVERS\$sys$cor.sys [2004-10-06 10368]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\DRIVERS\sonyhcb.sys [2005-07-15 6097]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NAV\1002000.007\SymEFA.sys [2009-02-12 309296]
S0 ljbiugbl;ljbiugbl;c:\windows\SYSTEM32\DRIVERS\atycikgl.sys []
S0 uomrutkg;uomrutkg;c:\windows\system32\drivers\uduyiqiv.sys --> c:\windows\system32\drivers\uduyiqiv.sys [?]
S1 $sys$crater;$sys$crater;\??\c:\windows\system32\$sys$filesystem\crater.sys --> c:\windows\system32\$sys$filesystem\crater.sys [?]
S1 ac9c00;ac9c00;c:\windows\SYSTEM32\DRIVERS\ac9c00.sys [2009-02-16 89388]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NAV\1002000.007\BHDrvx86.sys [2009-02-12 255536]
S1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NAV\1002000.007\cchpx86.sys [2009-02-12 362544]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2009-02-12 274808]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-04-01 24652]
S3 20910;20910;\??\c:\docume~1\Michael\LOCALS~1\Temp\20910.sys --> c:\docume~1\Michael\LOCALS~1\Temp\20910.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-12 99376]
S3 krdpdre;krdpdre;\??\c:\docume~1\Luba\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Luba\LOCALS~1\Temp\krdpdre.sys [?]
S3 Pptportfill;Pptportfill;c:\windows\SYSTEM32\DRIVERS\isapnp.sys [2001-08-17 37248]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\DRIVERS\sonyhcs.sys [2005-07-15 299923]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S4 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe [2009-02-12 115560]
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2293484338-3401942740-572667067-1006.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-13 11:51]

2009-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2293484338-3401942740-572667067-1008.job
- c:\documents and settings\Nataliya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-13 12:01]

2009-02-06 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DIMENSION8400-Nataliya).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2007-02-17 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5AF42A3-94F3-42BD-F634-3604832C897D} - c:\windows\system32\osm3of8s3njd.dll
HKU-Default-Run-h9hzk5dgqlqabcfs2xgytn23c61hnwke6xk348zrl4qr7 - c:\windows\TEMP\d2qvu25.exe
HKU-Default-Run-tx8p78vm4lnmwamtzzqyzre4s2djjv0x3 - c:\windows\TEMP\bnh3in7ckzf4w.exe
HKU-Default-Run-ngzpiblben - c:\windows\TEMP\x783kvf.exe
HKU-Default-Run-xzffiiqnlguuh1 - c:\windows\TEMP\k58fnh.exe
SharedTaskScheduler-{C5AF42A3-94F3-42BD-F634-3604832C897D} - c:\windows\system32\osm3of8s3njd.dll
MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
MSConfigStartUp-IPHSend - c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
MSConfigStartUp-Magaya Communication Server - c:\program files\Magaya Corp\Magaya Cargo System\CS.exe
MSConfigStartUp-Magaya Database Server - c:\program files\Magaya Corp\Magaya Cargo System\MagayaDb.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MPSExe - c:\progra~1\mcafee.com\mps\mscifapp.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-Verizon Custom Uninstall Tracking - c:\docume~1\Michael\LOCALS~1\Temp\InstallHelper.exe
MSConfigStartUp-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/virusInfo/default.asp?affid=105-37&dtag=cnqz671
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 19:15:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\atycikgl.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\WebShow\\WebShow.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\ProgID]
@DACL=(02 0000)
@="BHO_CPV.WorkHorse.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\TypeLib]
@DACL=(02 0000)
@="{208CA45C-EB93-49AA-A353-CFE1FE3A6BD5}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\VersionIndependentProgID]
@DACL=(02 0000)
@="BHO_CPV.WorkHorse"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\TypeLib]
@DACL=(02 0000)
@="{63334394-3DA3-4B29-A041-03535909D361}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0]
@DACL=(02 0000)
@="BHO_CPV 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(312)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\alf2cd.acm
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-16 19:19:39 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-02-17 00:19:36

Pre-Run: 36,952,809,472 bytes free
Post-Run: 39,234,007,040 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
738 --- E O F --- 2009-01-17 20:27:15

#6 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 February 2009 - 12:02 AM

Hi user111,

How did you get this infected? :thumbup2:
Is this your computer?
I think you deserve the prize for the most infected computer of the month. :)

You have some suspicious files we need to check.

You will need to see hidden files, so follow these directions:
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\pfkik.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

c:\windows\SYSTEM32\DRIVERS\ac9c00.sys
c:\windows\SYSTEM32\jreg32.dll
C:\-992608927
c:\windows\SYSTEM32\2162dd62-c61d-2ae2-dd89-e79775f1d47b.exe
c:\windows\ljbiugbl
c:\windows\SYSTEM32\nsqD.dll



Once scanned, copy and paste the results in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 user111

user111
  • Topic Starter

  • Members
  • 22 posts

Posted 17 February 2009 - 08:08 AM

That is so great .. NOT!! :) Is it really that bad? Is it fixable?
I have no idea how it was infected! There are 4 people using this computer. About 2 weeks ago, a virusscanner 2008 file appeared on the desktop that I don't remember downloading, and from then on there were nonstop ads and Google was being redirected.
Thank you so much for helping!

This is what the online scanner showed.
Some files for some reason gave an error message, and then when the result was shown, it said that the file was already scanned and the result log had a different name for the file, but I posted the log anyway.
I don't know if that's a problem.
Also, on every restart I'm getting a buffer overflow notice from c:\windows\system32\services.exe.
There are no folder options under the Tools menu, so I used safe mode with networking. Hope that won't mess up the computer even more, if that's even possible?? :thumbup2:


File pfkik.exe received on 02.17.2009 13:48:00 (CET)
Result: 11/39 (28.21%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.17 -
AhnLab-V3 2009.2.16.2 2009.02.17 -
AntiVir 7.9.0.79 2009.02.17 -
Authentium 5.1.0.4 2009.02.17 -
Avast 4.8.1335.0 2009.02.16 -
AVG 8.0.0.237 2009.02.17 -
BitDefender 7.2 2009.02.17 Trojan.Crypt.FE
CAT-QuickHeal 10.00 2009.02.17 -
ClamAV 0.94.1 2009.02.17 -
Comodo 982 2009.02.17 -
DrWeb 4.44.0.09170 2009.02.17 -
eSafe 7.0.17.0 2009.02.17 Suspicious File
eTrust-Vet 31.6.6361 2009.02.17 -
F-Prot 4.4.4.56 2009.02.17 -
F-Secure 8.0.14470.0 2009.02.17 Argechi.A
Fortinet 3.117.0.0 2009.02.17 -
GData 19 2009.02.17 Trojan.Crypt.FE
Ikarus T3.1.1.45.0 2009.02.17 -
K7AntiVirus 7.10.582 2009.01.09 -
Kaspersky 7.0.0.125 2009.02.17 -
McAfee 5528 2009.02.16 -
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.17 Backdoor:Win32/Argech.A
NOD32 3861 2009.02.17 -
Norman 6.00.06 2009.02.16 Argechi.A
nProtect 2009.1.8.0 2009.02.17 Trojan.Crypt.FE
Panda 9.4.3.20 2009.02.17 -
PCTools 4.4.2.0 2009.02.17 -
Prevx1 V2 2009.02.17 Cloaked Malware
Rising 21.17.12.00 2009.02.17 -
SecureWeb-Gateway 6.7.6 2009.02.17 -
Sophos 4.38.0 2009.02.17 Mal/Behav-104
Sunbelt 3.2.1855.2 2009.02.17 BehavesLike.Win32.Malware (v)
Symantec 10 2009.02.17 -
TheHacker 6.3.2.2.259 2009.02.17 -
TrendMicro 8.700.0.1004 2009.02.17 PAK_Generic.001
VBA32 3.12.8.13 2009.02.17 -
ViRobot 2009.2.17.1611 2009.02.17 -
VirusBuster 4.5.11.0 2009.02.16 -
Additional information
File size: 66560 bytes
MD5...: f0384d25e5a68f19ea44ab45b5a65248
SHA1..: ec3ffcfc9356f3c25982d49f0c0ea3ef52c2fc8a
SHA256: 72f6cf235d707364543101dea0bd5278bef3f117e72e688f99a211fdf5a0c81f
SHA512: f557f9b494534f223e67770b117f98c23ce40b9c3efe99703d465e8eb663d3734d82fc2affb7d6c8906ff3aa2706e11d2941eac20e6780de1dd6092cac1b09d7
ssdeep: 1536:G7U4BdIQfaqW/3390XyDz2+Nxb/1Wh5h:sfdfaqW/3t082kY5
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x418b10
timedatestamp.....: 0x49896ff6 (Wed Feb 04 10:37:42 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x8000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x9000 0x10000 0xfe00 7.83 d16005f56ce5265903577456d862cbde
.rsrc 0x19000 0x1000 0x200 3.91 b847348389c4758b7ca324676a140312

( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
> ADVAPI32.dll: RegCloseKey
> SHLWAPI.dll: StrStrIA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=B9288E04003EE62C04BE015DB46B7B006A22131F
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX
packers (F-Prot): UPX

==============================

File 137ae3f3.sys received on 02.16.2009 21:29:05 (CET)
Result: 2/39 (5.13%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.16 -
AhnLab-V3 2009.2.16.2 2009.02.16 -
AntiVir 7.9.0.79 2009.02.16 -
Authentium 5.1.0.4 2009.02.16 -
Avast 4.8.1335.0 2009.02.16 -
AVG 8.0.0.237 2009.02.16 -
BitDefender 7.2 2009.02.16 -
CAT-QuickHeal 10.00 2009.02.16 -
ClamAV 0.94.1 2009.02.16 -
Comodo 978 2009.02.16 -
DrWeb 4.44.0.09170 2009.02.16 -
eSafe 7.0.17.0 2009.02.15 -
eTrust-Vet 31.6.6360 2009.02.16 -
F-Prot 4.4.4.56 2009.02.16 -
F-Secure 8.0.14470.0 2009.02.16 -
Fortinet 3.117.0.0 2009.02.16 -
GData 19 2009.02.16 -
Ikarus T3.1.1.45.0 2009.02.16 -
K7AntiVirus 7.10.582 2009.01.09 -
Kaspersky 7.0.0.125 2009.02.16 -
McAfee 5528 2009.02.16 -
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.16 Backdoor:WinNT/Rustock.E
NOD32 3857 2009.02.16 -
Norman 6.00.06 2009.02.16 -
nProtect 2009.1.8.0 2009.02.16 -
Panda 9.4.3.20 2009.02.16 -
PCTools 4.4.2.0 2009.02.16 -
Prevx1 V2 2009.02.16 -
Rising 21.17.02.00 2009.02.16 -
SecureWeb-Gateway 6.7.6 2009.02.16 -
Sophos 4.38.0 2009.02.16 -
Sunbelt 3.2.1851.2 2009.02.12 -
Symantec 10 2009.02.16 -
TheHacker 6.3.2.2.258 2009.02.16 -
TrendMicro 8.700.0.1004 2009.02.16 -
VBA32 3.12.8.12 2009.02.16 suspected of Malware-Cryptor.Win32.General.3
ViRobot 2009.2.16.1609 2009.02.16 -
VirusBuster 4.5.11.0 2009.02.16 -
Additional information
File size: 89388 bytes
MD5...: e49bb4bd2f353f96fd7c17359375a19c
SHA1..: c11c12bc18b32d6166eeabd6bdf60e4ce4a3eedd
SHA256: 7d38e7391649cdb3fc8c64bf34c03441081a42134292773304297d2ca3c6e289
SHA512: b2bc8736d2110b7aca91f59776bab541a85d5f99298cbcc784fb44fa530a4d156049c5aff87c91053a9d2f512209199554d96754f7c695bba218a7a6d86fed9a
ssdeep: 1536:tsK0B/46QXTxCiTiBv+XWRXoLnOZRul4OaiB7VQJgEl491RMz+xOgvKfCn:W46o4v+XWRYLIRuAIOJXK99xKfCn
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1168c
timedatestamp.....: 0x49993ea0 (Mon Feb 16 10:23:28 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x1427 0x1480 7.94 c4e193e887f8efab300c29b41bf204e2
.rdata 0x1780 0x30d8 0x3100 7.98 c52c52152e48798c512e827d100f6a0e
.data 0x4880 0x5e4d 0x5e80 0.00 0c29493b8913d9a494c83b72d6b65e9f
INIT 0xa700 0xde 0x100 3.73 0d8d662aac5d1ec816f9147d1a332ea0
.reloc 0xa800 0x94 0x100 0.86 0e93d5809d53a9b87d741c56e3a07496

( 2 imports )
> ntoskrnl.exe: IoFreeMdl, IoGetRelatedDeviceObject, DbgPrint, IoAllocateMdl, IoFreeWorkItem
> HAL.dll: ExAcquireFastMutex

( 0 exports )
packers (Kaspersky): PE_Patch

======================================

File 81702730 received on 02.16.2009 04:16:33 (CET)
Result: 0/39 (0.00%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.16 -
AhnLab-V3 5.0.0.2 2009.02.15 -
AntiVir 7.9.0.79 2009.02.15 -
Authentium 5.1.0.4 2009.02.15 -
Avast 4.8.1335.0 2009.02.15 -
AVG 8.0.0.237 2009.02.15 -
BitDefender 7.2 2009.02.16 -
CAT-QuickHeal 10.00 2009.02.16 -
ClamAV 0.94.1 2009.02.16 -
Comodo 978 2009.02.15 -
DrWeb 4.44.0.09170 2009.02.16 -
eSafe 7.0.17.0 2009.02.15 -
eTrust-Vet 31.6.6358 2009.02.14 -
F-Prot 4.4.4.56 2009.02.15 -
F-Secure 8.0.14470.0 2009.02.16 -
Fortinet 3.117.0.0 2009.02.15 -
GData 19 2009.02.16 -
Ikarus T3.1.1.45.0 2009.02.16 -
K7AntiVirus 7.10.630 2009.02.14 -
Kaspersky 7.0.0.125 2009.02.16 -
McAfee 5527 2009.02.15 -
McAfee+Artemis 5527 2009.02.15 -
Microsoft 1.4306 2009.02.15 -
NOD32 3855 2009.02.16 -
Norman 6.00.02 2009.02.13 -
nProtect 2009.1.8.0 2009.02.15 -
Panda 10.0.0.10 2009.02.15 -
PCTools 4.4.2.0 2009.02.15 -
Prevx1 V2 2009.02.16 -
Rising 21.16.62.00 2009.02.15 -
SecureWeb-Gateway 6.7.6 2009.02.15 -
Sophos 4.38.0 2009.02.16 -
Sunbelt 3.2.1851.2 2009.02.12 -
Symantec 10 2009.02.16 -
TheHacker 6.3.2.1.258 2009.02.16 -
TrendMicro 8.700.0.1004 2009.02.16 -
VBA32 3.12.8.12 2009.02.16 -
ViRobot 2009.2.14.1607 2009.02.15 -
VirusBuster 4.5.11.0 2009.02.15 -
Additional information
File size: 2 bytes
MD5...: 444bcb3a3fcf8389296c49467f27e1d6
SHA1..: 7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb
SHA256: 2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df
SHA512: 9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570
ssdeep: 3:V:V
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
CWSandbox info: http://research.sunbelt-software.com/partn...96c49467f27e1d6

========================

File jreg32.dll received on 02.17.2009 13:52:08 (CET)
Result: 8/39 (20.52%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.17 -
AhnLab-V3 2009.2.16.2 2009.02.17 -
AntiVir 7.9.0.79 2009.02.17 TR/Downloader.Gen
Authentium 5.1.0.4 2009.02.17 -
Avast 4.8.1335.0 2009.02.16 -
AVG 8.0.0.237 2009.02.17 -
BitDefender 7.2 2009.02.17 Trojan.Crypt.FE
CAT-QuickHeal 10.00 2009.02.17 -
ClamAV 0.94.1 2009.02.17 -
Comodo 978 2009.02.17 -
DrWeb 4.44.0.09170 2009.02.17 -
eSafe 7.0.17.0 2009.02.17 Suspicious File
eTrust-Vet 31.6.6361 2009.02.17 -
F-Prot 4.4.4.56 2009.02.17 -
F-Secure 8.0.14470.0 2009.02.17 -
Fortinet 3.117.0.0 2009.02.17 -
GData 19 2009.02.17 Trojan.Crypt.FE
Ikarus T3.1.1.45.0 2009.02.17 -
K7AntiVirus 7.10.582 2009.01.09 -
Kaspersky 7.0.0.125 2009.02.17 -
McAfee 5528 2009.02.16 -
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.17 Backdoor:Win32/Argech.A
NOD32 3861 2009.02.17 -
Norman 6.00.06 2009.02.16 -
nProtect 2009.1.8.0 2009.02.17 Trojan.Crypt.FE
Panda 9.4.3.20 2009.02.17 -
PCTools 4.4.2.0 2009.02.17 -
Prevx1 V2 2009.02.17 -
Rising 21.17.12.00 2009.02.17 -
SecureWeb-Gateway 6.7.6 2009.02.17 Trojan.Downloader.Gen
Sophos 4.38.0 2009.02.17 Mal/Behav-104
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.17 -
TheHacker 6.3.2.2.259 2009.02.17 -
TrendMicro 8.700.0.1004 2009.02.17 -
VBA32 3.12.8.13 2009.02.17 -
ViRobot 2009.2.17.1611 2009.02.17 -
VirusBuster 4.5.11.0 2009.02.16 -
Additional information
File size: 42496 bytes
MD5...: ad3d13047b8b61cfc2cb3b4780eb53c1
SHA1..: d6d8da0fc9a99dc0a226ff4938e4e384ecb650ef
SHA256: 00e55173a080d3f8cd78068ab0e4d0a03551e03ac0415bbc1b9178eefc40fe3f
SHA512: fe0e95adacb63798ba77724df8c2e4a68731e4da2e86ee90e95f4a05c8468145e87c7ffd433eaeb660cb76afff4334ead332d0d1c4583cebae6f3c26325c53b4
ssdeep: 768:ya9nOh9cfKeLJBqWfKTcNg+gsTCYAeztVsq9xW07c8zyIN9D6:y1v3eLfqWf/NlPTPxW0wqyg9D6
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10058660
timedatestamp.....: 0x49896c37 (Wed Feb 04 10:21:43 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x4e000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x4f000 0xa000 0x9a00 7.88 74664e7603f69ab55b9b43f7408ce74d
.rsrc 0x59000 0x1000 0x800 3.36 285a8bba8b62b7184a1b328bf0b15a2e

( 7 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect
> ADVAPI32.dll: RegCloseKey
> iphlpapi.dll: GetIfEntry
> RASAPI32.dll: RasEnumConnectionsA
> SHLWAPI.dll: StrStrIA
> USER32.dll: wsprintfA
> WS2_32.dll: -

( 0 exports )
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX

=====================================

File 40885269-16d9-1ed6-e11a-48af0fafe received on 02.12.2009 08:52:31 (CET)
Result: 1/39 (2.56%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.12 -
AhnLab-V3 5.0.0.2 2009.02.11 -
AntiVir 7.9.0.76 2009.02.11 -
Authentium 5.1.0.4 2009.02.12 -
Avast 4.8.1335.0 2009.02.11 -
AVG 8.0.0.229 2009.02.11 -
BitDefender 7.2 2009.02.12 -
CAT-QuickHeal 10.00 2009.02.11 -
ClamAV 0.94.1 2009.02.12 -
Comodo 974 2009.02.11 -
DrWeb 4.44.0.09170 2009.02.12 -
eSafe 7.0.17.0 2009.02.11 -
eTrust-Vet 31.6.6352 2009.02.12 -
F-Prot 4.4.4.56 2009.02.11 -
F-Secure 8.0.14470.0 2009.02.12 -
Fortinet 3.117.0.0 2009.02.12 -
GData 19 2009.02.12 -
Ikarus T3.1.1.45.0 2009.02.12 -
K7AntiVirus 7.10.627 2009.02.11 -
Kaspersky 7.0.0.125 2009.02.12 -
McAfee 5523 2009.02.11 -
McAfee+Artemis 5523 2009.02.11 -
Microsoft 1.4306 2009.02.12 -
NOD32 3846 2009.02.11 -
Norman 6.00.02 2009.02.11 -
nProtect 2009.1.8.0 2009.02.12 -
Panda 10.0.0.10 2009.02.11 -
PCTools 4.4.2.0 2009.02.11 -
Prevx1 V2 2009.02.12 Cloaked Malware
Rising 21.16.31.00 2009.02.12 -
SecureWeb-Gateway 6.7.6 2009.02.11 -
Sophos 4.38.0 2009.02.12 -
Sunbelt 3.2.1851.2 2009.02.11 -
Symantec 10 2009.02.12 -
TheHacker 6.3.1.9.254 2009.02.12 -
TrendMicro 8.700.0.1004 2009.02.12 -
VBA32 3.12.8.12 2009.02.11 -
ViRobot 2009.2.12.1602 2009.02.12 -
VirusBuster 4.5.11.0 2009.02.11 -
Additional information
File size: 85637 bytes
MD5...: cc58c9aed42f3bb323ac85fd2f6d437b
SHA1..: f10872bf7885890716d89ca776116b89895a65e6
SHA256: c0b21801b77e2e1d271e3d741e796631225f432c4cfa8eba0a786c7438a69cfb
SHA512: 0f7b8f5675a78e6aa3d67e356a475917471315aad27ef066e0320365ac0462ba15698a25797ab7135540521c0f5e6a4973335b98d09f8f58dfb2713ef887858b
ssdeep: 1536:5u4EQalMK/ewGnh0mJNZ+vH3fz0eZqF1ZQCgHkorv8qFDGayOdf4N6:5Nyah0mJqgeZ23xrob8Ea1OWN6
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3225
timedatestamp.....: 0x48efcdc9 (Fri Oct 10 21:48:57 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5976 0x5a00 6.47 335c19bb25cd1d02eec2b0a4eacb979c
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x1af98 0x400 4.69 59710519e577598f785044e4d95261f4
.ndata 0x24000 0xb000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2f000 0x7d8 0x800 4.29 68b3d02c23844000b5aa5e3fda2096ff

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp...A529500C2438BAF

==============================

File ljbiugbl received on 02.17.2009 13:55:53 (CET)
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.17 -
AhnLab-V3 2009.2.16.2 2009.02.17 -
AntiVir 7.9.0.79 2009.02.17 -
Authentium 5.1.0.4 2009.02.17 -
Avast 4.8.1335.0 2009.02.16 -
AVG 8.0.0.237 2009.02.17 -
BitDefender 7.2 2009.02.17 -
CAT-QuickHeal 10.00 2009.02.17 -
ClamAV 0.94.1 2009.02.17 -
Comodo 982 2009.02.17 -
DrWeb 4.44.0.09170 2009.02.17 -
eSafe 7.0.17.0 2009.02.17 -
eTrust-Vet 31.6.6361 2009.02.17 -
F-Prot 4.4.4.56 2009.02.17 -
F-Secure 8.0.14470.0 2009.02.17 -
Fortinet 3.117.0.0 2009.02.17 -
GData 19 2009.02.17 -
Ikarus T3.1.1.45.0 2009.02.17 -
K7AntiVirus 7.10.582 2009.01.09 -
Kaspersky 7.0.0.125 2009.02.17 -
McAfee 5528 2009.02.16 -
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.17 -
NOD32 3861 2009.02.17 -
Norman 6.00.06 2009.02.16 -
nProtect 2009.1.8.0 2009.02.17 -
Panda 9.4.3.20 2009.02.17 -
PCTools 4.4.2.0 2009.02.17 -
Prevx1 V2 2009.02.17 -
Rising 21.17.12.00 2009.02.17 -
SecureWeb-Gateway 6.7.6 2009.02.17 -
Sophos 4.38.0 2009.02.17 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.17 -
TheHacker 6.3.2.2.259 2009.02.17 -
TrendMicro 8.700.0.1004 2009.02.17 -
VBA32 3.12.8.13 2009.02.17 -
ViRobot 2009.2.17.1611 2009.02.17 -
VirusBuster 4.5.11.0 2009.02.16 -
Additional information
File size: 3024 bytes
MD5...: 8020496c7f3cfaa5d3e8c05e8f346460
SHA1..: 23098445639e02fd7a7fcc191d26129d710dc316
SHA256: 531230aa03bb8fcb94ac73d41106f665b94d1fc207db97577edce073f9d7d0f9
SHA512: e0fea3d9c72618547903721cda2c70cb46b6da6b444dd097f93310749c87ca77b0ca4172b8eba83346db70b9273250c4f952d0e11b7bb04a6ce11d9ff65a4cc6
ssdeep: 48:/PlWz8NAlWzdeZpYtJNAlWzt0mblWa88/PlWz8NAlWzdeZpYtJNAlWzt0mblWa8w:1Wz8NAWzspMNAWzt0mBWsWz8NAWzspMz
PEiD..: -
TrID..: File type identification
Lumena CEL bitmap (58.3%)
Corel Photo Paint (37.9%)
MS Flight Simulator Aircraft Performance Info (3.7%)
PEInfo: -

==============================

File nsqD.dll received on 02.17.2009 13:56:49 (CET)
Result: 7/39 (17.95%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.17 -
AhnLab-V3 2009.2.16.2 2009.02.17 -
AntiVir 7.9.0.79 2009.02.17 TR/BHO.tko
Authentium 5.1.0.4 2009.02.17 -
Avast 4.8.1335.0 2009.02.16 Win32:BHO-VX
AVG 8.0.0.237 2009.02.17 Generic3.AJJF
BitDefender 7.2 2009.02.17 -
CAT-QuickHeal 10.00 2009.02.17 -
ClamAV 0.94.1 2009.02.17 -
Comodo 978 2009.02.17 -
DrWeb 4.44.0.09170 2009.02.17 -
eSafe 7.0.17.0 2009.02.17 -
eTrust-Vet 31.6.6361 2009.02.17 -
F-Prot 4.4.4.56 2009.02.17 -
F-Secure 8.0.14470.0 2009.02.17 -
Fortinet 3.117.0.0 2009.02.17 -
GData 19 2009.02.17 Win32:BHO-VX
Ikarus T3.1.1.45.0 2009.02.17 -
K7AntiVirus 7.10.582 2009.01.09 -
Kaspersky 7.0.0.125 2009.02.17 -
McAfee 5528 2009.02.16 -
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.17 -
NOD32 3861 2009.02.17 Win32/Adware.GooochiBiz
Norman 6.00.06 2009.02.16 -
nProtect 2009.1.8.0 2009.02.17 -
Panda 9.4.3.20 2009.02.17 -
PCTools 4.4.2.0 2009.02.17 -
Prevx1 V2 2009.02.17 Malicious Software
Rising 21.17.12.00 2009.02.17 -
SecureWeb-Gateway 6.7.6 2009.02.17 Trojan.BHO.tko
Sophos 4.38.0 2009.02.17 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.17 -
TheHacker 6.3.2.2.259 2009.02.17 -
TrendMicro 8.700.0.1004 2009.02.17 -
VBA32 3.12.8.13 2009.02.17 -
ViRobot 2009.2.17.1611 2009.02.17 -
VirusBuster 4.5.11.0 2009.02.16 -
Additional information
File size: 673280 bytes
MD5...: 6c80071759e5c14d10a12b3c048896c4
SHA1..: ac5bff4de849f8cdbe0c2217ac99127a6157b48b
SHA256: d92a3df146799d0a5624ba0f4e935b32be7a4c9c5c3374c73e3a10b58a6f6c06
SHA512: 37426c852b9df0abe2a6945c65398cc075588115526e4c581f4e4851e03f585fa1634aa7a9cd7b12b92b1d1f395a3d5c02d514f4fb1c410bd25968d3412c3e80
ssdeep: 12288:e/U0DUdP59W2lGbzwKMKP3kY9RE5e//SOMXVseS+XNF+O87TQTNYHvuLzkzX:x4Ih9qbqKP3kYk5eXSOsQ7cTNx2X
PEiD..: -
TrID..: File type identification
DirectShow filter (77.7%)
Win32 Executable MS Visual C++ (generic) (14.5%)
Win32 Executable Generic (3.2%)
Win32 Dynamic Link Library (generic) (2.9%)
Generic Win/DOS Executable (0.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10054c32
timedatestamp.....: 0x498b5493 (Thu Feb 05 21:05:23 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x801ce 0x80200 6.80 84ae73f19b49e84793059c9581d632ef
.rdata 0x82000 0x123ea 0x12400 5.24 9cf0465218595fa45b160eed829dcc61
.data 0x95000 0x62dc 0x2600 4.10 91fb2b3b5c036b58e461d6740b1b5122
.rsrc 0x9c000 0x4a0 0x600 4.53 7c0b4e5907fdcc71549f9f0c90523aec
.reloc 0x9d000 0xee88 0xf000 5.02 06a5cd1db3f85602e8aa74aa83e712a8

( 7 imports )
> SHLWAPI.dll: UrlEscapeW, PathMatchSpecW, UrlGetPartW, UrlUnescapeW, PathFileExistsW, StrCmpIW, PathIsDirectoryW, StrStrIW
> KERNEL32.dll: ExitThread, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, GetProcAddress, LoadLibraryA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, SetLastError, MultiByteToWideChar, GetDriveTypeA, GetProcessHeap, SetEndOfFile, CreateFileA, GetTimeZoneInformation, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, CreateFileW, SetStdHandle, GetLocaleInfoW, InitializeCriticalSectionAndSpinCount, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, GetStringTypeA, GetLocaleInfoA, GetCurrentDirectoryA, GetDateFormatA, GetTimeFormatA, IsValidCodePage, GetOEMCP, GetACP, SetFilePointer, ReadFile, FlushFileBuffers, GetConsoleMode, Sleep, FreeLibrary, GetFullPathNameW, WideCharToMultiByte, GetSystemInfo, GetSystemTime, InterlockedExchange, GetConsoleCP, GetModuleHandleA, CloseHandle, WriteFile, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, InterlockedCompareExchange, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, HeapFree, GetCurrentThreadId, GetCommandLineA, SetEnvironmentVariableA, CreateThread, GetSystemTimeAsFileTime, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, GetDriveTypeW, FindFirstFileW, LCMapStringA, LCMapStringW, GetCPInfo, GetStringTypeW, HeapAlloc, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, HeapSize, ExitProcess, HeapCreate, HeapDestroy, VirtualFree, VirtualAlloc, HeapReAlloc, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA
> USER32.dll: EnumChildWindows, wsprintfW, SetWindowPos, GetWindowRect, SystemParametersInfoW, SetWindowTextW, GetWindowLongW, MoveWindow, SetWindowLongW, SendMessageW, CallWindowProcW, GetWindowTextW, RealGetWindowClassW
> ole32.dll: CoCreateInstance, CoTaskMemFree, CreateStreamOnHGlobal, CoCreateGuid, CoInitialize, CoUninitialize
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -
> WS2_32.dll: -
> SHELL32.dll: SHCreateDirectoryExW

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=47E5FF3700CD70BE46590AB1495B1A002863E4AC
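The reports pasted in the post above are VirusTotal's plain-text output, and the interesting facts are buried in it: the detection ratio, which engines named the file and as what, the hashes, and the PE section table that shows why so few engines fired (pfkik.exe and jreg32.dll are UPX-packed: a UPX0 section with no raw data, a UPX1 section at entropy 7.8, and an import table reduced to LoadLibraryA/GetProcAddress). As an added example for this thread, not code from the forum, from SifuMike or from VirusTotal, here is a small Python parser for that report format that pulls those facts out and lists the packing indicators. The embedded sample is a constructed excerpt of the pfkik.exe report above, cut to a few engine rows; the entropy cut-off and the "stub import table" size are my own thresholds, not VirusTotal's.

```python
"""Triage helper for VirusTotal plain-text reports (added example, not
VirusTotal's code). Parses engine rows, hashes, PE section table and
import table from the report format pasted in this thread, then derives
the detection ratio, flagged engines, and packing indicators."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the pfkik.exe report above, reduced
# to a few engine rows so the example stays short.
SAMPLE_REPORT = """\
File pfkik.exe received on 02.17.2009 13:48:00 (CET)
Result: 11/39 (28.21%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.17 -
BitDefender 7.2 2009.02.17 Trojan.Crypt.FE
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.17 Backdoor:Win32/Argech.A
Prevx1 V2 2009.02.17 Cloaked Malware
Sunbelt 3.2.1855.2 2009.02.17 BehavesLike.Win32.Malware (v)
Additional information
File size: 66560 bytes
MD5...: f0384d25e5a68f19ea44ab45b5a65248
SHA1..: ec3ffcfc9356f3c25982d49f0c0ea3ef52c2fc8a
SHA256: 72f6cf235d707364543101dea0bd5278bef3f117e72e688f99a211fdf5a0c81f
PEInfo: PE Structure information
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x8000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x9000 0x10000 0xfe00 7.83 d16005f56ce5265903577456d862cbde
.rsrc 0x19000 0x1000 0x200 3.91 b847348389c4758b7ca324676a140312
( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
"""

FILE_RE = re.compile(r"^File (\S+) received on ")
RESULT_RE = re.compile(r"^Result: (\d+)/(\d+)")
ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")   # name version date verdict
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*: ([0-9a-f]+)$")
SECTION_RE = re.compile(
    r"^(\S+) (0x[0-9a-f]+) (0x[0-9a-f]+) (0x[0-9a-f]+) (\d+\.\d+) ([0-9a-f]{32})$")
IMPORT_RE = re.compile(r"^> ([^:]+): (.*)$")

HIGH_ENTROPY = 7.0      # assumed cut-off; 8.0 is the maximum for a byte stream
STUB_IMPORT_LIMIT = 8   # assumed: a packer stub imports only a handful of functions


@dataclass
class Engine:
    name: str
    version: str
    updated: str
    verdict: Optional[str]   # None when the engine reported "-"


@dataclass
class Section:
    name: str
    virt_addr: int
    virt_size: int
    raw_size: int
    entropy: float
    md5: str


@dataclass
class Report:
    filename: str = ""
    detected: int = 0
    total: int = 0
    engines: List[Engine] = field(default_factory=list)
    hashes: Dict[str, str] = field(default_factory=dict)
    sections: List[Section] = field(default_factory=list)
    imports: Dict[str, List[str]] = field(default_factory=dict)

    def flagged(self) -> List[Engine]:
        """Engines that returned a detection name rather than '-'."""
        return [e for e in self.engines if e.verdict]

    def packing_indicators(self) -> List[str]:
        """Heuristics for a packed/crypted PE, judged from the section and import tables."""
        hints = []
        for s in self.sections:
            if s.name.upper().startswith("UPX"):
                hints.append(f"{s.name}: UPX section name")
            if s.raw_size == 0 and s.virt_size > 0:
                hints.append(f"{s.name}: no raw data but 0x{s.virt_size:x} bytes reserved "
                             "in memory (unpacking target)")
            if s.entropy >= HIGH_ENTROPY:
                hints.append(f"{s.name}: entropy {s.entropy:.2f} (compressed or encrypted)")
        imported = {f for funcs in self.imports.values() for f in funcs}
        if {"LoadLibraryA", "GetProcAddress"} <= imported and len(imported) <= STUB_IMPORT_LIMIT:
            hints.append("import table is a loader stub (LoadLibraryA/GetProcAddress plus "
                         "a few others); the real imports are resolved at run time")
        return hints


def parse_report(text: str) -> Report:
    """Parse one VirusTotal plain-text report into a Report."""
    r = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            r.filename = m.group(1)
        elif m := RESULT_RE.match(line):
            r.detected, r.total = int(m.group(1)), int(m.group(2))
        elif m := HASH_RE.match(line):
            r.hashes[m.group(1)] = m.group(2)
        elif m := SECTION_RE.match(line):
            name, va, vs, rs, ent, md5 = m.groups()
            r.sections.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16), float(ent), md5))
        elif m := IMPORT_RE.match(line):
            funcs = [f.strip() for f in m.group(2).split(",")]
            r.imports[m.group(1)] = [f for f in funcs if f and f != "-"]
        elif m := ENGINE_RE.match(line):
            name, ver, upd, verdict = m.groups()
            r.engines.append(Engine(name, ver, upd, None if verdict == "-" else verdict))
    return r


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{rep.filename}: {rep.detected}/{rep.total} engines, SHA256 {rep.hashes.get('SHA256')}")
    for e in rep.flagged():
        print(f"  {e.name:<16} {e.verdict}")
    for hint in rep.packing_indicators():
        print("  packing:", hint)
```

Run against the full pfkik.exe or jreg32.dll report, the parser reports the same two UPX indicators and the stub import table for both, which is why a low detection ratio on a freshly packed file says little: the engines that did fire (BitDefender, Microsoft, Sophos, Prevx) did so on the crypter or on behaviour, not on the payload. The SHA256 is the value to search elsewhere, since the filename is random and the MD5 changes with every repack.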

#8 SifuMike

Posted 17 February 2009 - 01:20 PM

Hi user111,

I don't see this file (137ae3f3.sys) in my list of files to scan, and it is not in your log. :thumbup2:
Where did you find it on your computer?

Please scan these files with Virus Total and post the outputs:
c:\windows\SYSTEM32\DRIVERS\ac9c00.sys
c:\windows\system32\drivers\atycikgl.sys
c:\windows\system32\drivers\uduyiqiv.sys

#9 user111

  • Topic Starter
  • Members

Posted 17 February 2009 - 01:58 PM

It's what it gave me when I tried to scan ac9c00.sys.
Also, is there any way for me to scan without having to use safe mode with networking?
Or any way to get back my folder options in normal mode? It won't let me access it and change view options.

#10 SifuMike

    malware expert

  • Staff Emeritus

Posted 17 February 2009 - 02:26 PM

Hi user111,

also, is there any way for me to scan without having to use safe mode with networking?


I never told you to use safe mode with networking. :thumbup2: You should be doing all scans in normal mode (if you can).

Can you still not reach Normal Mode?

Edited by SifuMike, 17 February 2009 - 03:22 PM.
typo


#11 user111

  • Topic Starter
  • Members

Posted 17 February 2009 - 03:28 PM

I can load the computer in Normal mode, but virus scans don't work, task manager won't open, regedit won't open either, and there's no "folder options" tab under tools menu.
All of these work in the safe mode though...
I know you haven't told me to use safe mode, but it was the only way I knew how to do it when normal mode didn't work.

#12 SifuMike

    malware expert

  • Staff Emeritus

Posted 17 February 2009 - 05:01 PM

Do the Virus Total scans in my previous post with Safe Mode with Networking and post the results back here.

#13 user111

  • Topic Starter
  • Members

Posted 17 February 2009 - 10:52 PM

I checked for these:
c:\windows\system32\drivers\atycikgl.sys
c:\windows\system32\drivers\uduyiqiv.sys
They don't exist!

File ac9c00.sys received on 02.18.2009 04:45:37 (CET)
Result: 6/39 (15.39%)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.18 Backdoor.Winnt!IK
AhnLab-V3 5.0.0.2 2009.02.18 -
AntiVir 7.9.0.83 2009.02.17 -
Authentium 5.1.0.4 2009.02.18 -
Avast 4.8.1335.0 2009.02.17 -
AVG 8.0.0.237 2009.02.17 -
BitDefender 7.2 2009.02.18 -
CAT-QuickHeal 10.00 2009.02.18 -
ClamAV 0.94.1 2009.02.18 -
Comodo 982 2009.02.17 -
DrWeb 4.44.0.09170 2009.02.17 -
eSafe 7.0.17.0 2009.02.17 -
eTrust-Vet 31.6.6362 2009.02.17 -
F-Prot 4.4.4.56 2009.02.17 -
F-Secure 8.0.14470.0 2009.02.18 -
Fortinet 3.117.0.0 2009.02.17 -
GData 19 2009.02.18 -
Ikarus T3.1.1.45.0 2009.02.18 Backdoor.Winnt
K7AntiVirus 7.10.630 2009.02.14 -
Kaspersky 7.0.0.125 2009.02.18 -
McAfee 5529 2009.02.17 -
McAfee+Artemis 5529 2009.02.17 -
Microsoft 1.4306 2009.02.18 Backdoor:WinNT/Rustock.E
NOD32 3863 2009.02.18 Win32/Rustock
Norman 6.00.06 2009.02.17 -
nProtect 2009.1.8.0 2009.02.18 -
Panda 10.0.0.10 2009.02.17 Suspicious file
PCTools 4.4.2.0 2009.02.17 -
Prevx1 V2 2009.02.18 -
Rising 21.17.12.00 2009.02.17 -
SecureWeb-Gateway 6.7.6 2009.02.17 -
Sophos 4.38.0 2009.02.18 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.18 -
TheHacker 6.3.2.2.259 2009.02.18 -
TrendMicro 8.700.0.1004 2009.02.17 -
VBA32 3.12.8.13 2009.02.17 suspected of Malware-Cryptor.Win32.General.3
ViRobot 2009.2.17.1611 2009.02.17 -
VirusBuster 4.5.11.0 2009.02.17 -
Additional information
File size: 89388 bytes
MD5...: e49bb4bd2f353f96fd7c17359375a19c
SHA1..: c11c12bc18b32d6166eeabd6bdf60e4ce4a3eedd
SHA256: 7d38e7391649cdb3fc8c64bf34c03441081a42134292773304297d2ca3c6e289
SHA512: b2bc8736d2110b7aca91f59776bab541a85d5f99298cbcc784fb44fa530a4d156049c5aff87c91053a9d2f512209199554d96754f7c695bba218a7a6d86fed9a
ssdeep: 1536:tsK0B/46QXTxCiTiBv+XWRXoLnOZRul4OaiB7VQJgEl491RMz+xOgvKfCn:W46o4v+XWRYLIRuAIOJXK99xKfCn
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x168c
timedatestamp.....: 0x49993ea0 (Mon Feb 16 10:23:28 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x1427 0x1480 7.94 c4e193e887f8efab300c29b41bf204e2
.rdata 0x1780 0x30d8 0x3100 7.98 c52c52152e48798c512e827d100f6a0e
.data 0x4880 0x5e4d 0x5e80 0.00 0c29493b8913d9a494c83b72d6b65e9f
INIT 0xa700 0xde 0x100 3.73 0d8d662aac5d1ec816f9147d1a332ea0
.reloc 0xa800 0x94 0x100 0.86 0e93d5809d53a9b87d741c56e3a07496

( 2 imports )
> ntoskrnl.exe: IoFreeMdl, IoGetRelatedDeviceObject, DbgPrint, IoAllocateMdl, IoFreeWorkItem
> HAL.dll: ExAcquireFastMutex

( 0 exports )
packers (Kaspersky): PE_Patch

#14 SifuMike

    malware expert

  • Staff Emeritus

Posted 17 February 2009 - 11:29 PM

Hi user111,

You need to disable your McAfee Antivirus before running ComboFix, as it will prevent it from running.

To disable McAfee VirusScan:
Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 
File::
c:\windows\SYSTEM32\bqxrqtolfouccdgu.exe
C:\pfkik.exe
c:\windows\SYSTEM32\jreg32.dll
c:\windows\ljbiugbl
c:\windows\SYSTEM32\nsqD.dll

Rootkit::
c:\windows\SYSTEM32\DRIVERS\ac9c00.sys
c:\windows\system32\drivers\uduyiqiv.sys
c:\windows\SYSTEM32\DRIVERS\atycikgl.sys
c:\docume~1\Michael\LOCALS~1\Temp\20910.sys
c:\docume~1\Luba\LOCALS~1\Temp\krdpdre.sys

Driver::
ljbiugbl
uomrutkg
20910
krdpdre

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together
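The CFScript above resets the Security Center notification values and AppInit_DLLs, and the ComboFix log that follows prints the registry loading points and driver entries it found. As an added example (not ComboFix's code nor anything posted in this thread), here is a small Python triage script that parses lines in those two formats and flags what a helper looks for: Security Center monitoring switched off for a product, the Windows Firewall policy disabled, a populated AppInit_DLLs value, and registered drivers whose image file is missing (the "--> path [?]" form). The sample log is constructed from the line shapes in this thread; the AppInit_DLLs path in it is a made-up placeholder.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix's code)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Union

# Constructed excerpt in the shape of the ComboFix log and CFScript in this thread.
# The AppInit_DLLs path is a made-up placeholder: the log above shows the value
# only after the CFScript had already cleared it.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="c:\windows\system32\CONSTRUCTED_EXAMPLE.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\DRIVERS\sonyhcb.sys [2005-07-15 6097]
S1 $sys$crater;$sys$crater;\??\c:\windows\system32\$sys$filesystem\crater.sys --> c:\windows\system32\$sys$filesystem\crater.sys [?]
S1 ac9c00;ac9c00;c:\windows\system32\drivers\ac9c00.sys --> c:\windows\system32\drivers\ac9c00.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*?)\s*$')
# "<start type> <service name>;<display name>;<path> [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class Finding:
    kind: str      # short category
    subject: str   # the product, key, DLL or driver concerned
    detail: str    # what a helper would say about it


def parse_value(raw: str) -> Union[int, str]:
    """Turn a REGEDIT4/ComboFix value token into an int or a bare string."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)  # ComboFix's "0 (0x0)" form
    if m:
        return int(m.group(1))
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def check_registry(key: str, name: str, value: Union[int, str]) -> Iterator[Finding]:
    lkey, lname = key.lower(), name.lower()
    if "\\security center\\monitoring\\" in lkey and lname == "disablemonitoring" and value == 1:
        product = key.rsplit("\\", 1)[-1]
        yield Finding("security-center", product,
                      "Security Center no longer monitors this product (DisableMonitoring=1)")
    elif lkey.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and value == 0:
        # Can be legitimate when a third-party firewall (McAfee in this thread) owns the job,
        # so the finding asks for confirmation rather than declaring tampering.
        yield Finding("firewall", key,
                      "Windows Firewall is off for the standard profile; confirm another firewall is active")
    elif lkey.endswith("currentversion\\windows") and lname == "appinit_dlls" and value:
        yield Finding("appinit", str(value),
                      "AppInit_DLLs is populated: this DLL is loaded into every process that loads user32")


def check_driver(name: str, path: str, info: str) -> Iterator[Finding]:
    if info.strip() == "?":
        # ComboFix prints "--> <path> [?]" when the registered image file is not on disk.
        yield Finding("driver-missing", name,
                      "driver registered but its image file was not found: " + path.split(" --> ")[-1])
    if name.startswith("$sys$"):
        # Names with this prefix are the ones cloaked by the Sony BMG XCP DRM driver.
        yield Finding("driver-cloaked", name, "$sys$ prefix: hidden by the XCP rootkit driver")


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: List[Finding] = []
    key = None
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif (m := VALUE_RE.match(line)) and key is not None:
            findings.extend(check_registry(key, m.group("name"), parse_value(m.group("raw"))))
        elif m := SERVICE_RE.match(line):
            findings.extend(check_driver(m.group("name"), m.group("path"), m.group("info")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```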

#15 user111

  • Topic Starter
  • Members

Posted 18 February 2009 - 08:49 AM

ComboFix 09-02-15.01 - Administrator 2009-02-18 8:08:41.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.776 [GMT -5:00]
Running from: c:\documents and settings\Entertainment\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

FILE ::
C:\pfkik.exe
c:\windows\ljbiugbl
c:\windows\SYSTEM32\bqxrqtolfouccdgu.exe
c:\windows\SYSTEM32\jreg32.dll
c:\windows\SYSTEM32\nsqD.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pfkik.exe
c:\windows\ljbiugbl
c:\windows\SYSTEM32\bqxrqtolfouccdgu.exe
c:\windows\SYSTEM32\DRIVERS\ac9c00.sys
c:\windows\SYSTEM32\DRIVERS\atycikgl.sys
c:\windows\SYSTEM32\nsqD.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KRDPDRE
-------\Legacy_LJBIUGBL
-------\Service_20910
-------\Service_krdpdre
-------\Service_ljbiugbl
-------\Service_uomrutkg


((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-16 14:47 . 2009-02-16 14:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-16 14:41 . 2009-02-16 14:41 <DIR> d-------- c:\documents and settings\Entertainment\Application Data\Malwarebytes
2009-02-16 14:40 . 2009-02-16 14:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 14:40 . 2009-02-16 14:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-16 14:40 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-16 14:40 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-16 14:37 . 2009-02-16 14:38 2 --a------ C:\-992608927
2009-02-12 13:48 . 2009-02-12 13:48 <DIR> d-------- c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com
2009-02-12 12:18 . 2009-02-16 16:29 <DIR> d-------- C:\backups
2009-02-12 11:27 . 2009-02-12 11:27 <DIR> d-------- c:\program files\Norton Support
2009-02-12 10:53 . 2009-02-12 10:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-12 09:55 . 2009-02-12 09:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-02-12 09:52 . 2009-02-12 09:51 36,272 -ra------ c:\windows\SYSTEM32\DRIVERS\SymIM.sys
2009-02-12 09:51 . 2009-02-12 09:51 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\NAV
2009-02-12 09:51 . 2009-02-12 09:51 <DIR> d-------- c:\program files\Windows Sidebar
2009-02-12 09:51 . 2009-02-12 09:51 <DIR> d-------- c:\program files\Symantec
2009-02-12 09:51 . 2009-02-12 09:51 <DIR> d-------- c:\program files\Norton AntiVirus
2009-02-12 09:51 . 2009-02-12 09:56 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-12 09:51 . 2009-02-12 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-02-12 09:51 . 2009-02-12 09:51 124,464 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-02-12 09:51 . 2009-02-12 09:51 60,808 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-02-12 09:51 . 2009-02-12 09:51 10,635 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.CAT
2009-02-12 09:51 . 2009-02-12 09:51 806 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.INF
2009-02-12 09:50 . 2009-02-12 09:50 <DIR> d-------- c:\program files\NortonInstaller
2009-02-12 09:50 . 2009-02-12 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-11 23:52 . 2009-02-11 23:52 <DIR> d-------- c:\windows\zoui
2009-02-11 23:52 . 2009-02-12 10:03 <DIR> d-------- c:\program files\Common Files\zoui
2009-02-11 08:20 . 2009-02-11 08:20 <DIR> d-------- c:\documents and settings\Entertainment\Application Data\SUPERAntiSpyware.com
2009-02-11 00:28 . 2009-02-11 00:28 552 --a------ c:\windows\SYSTEM32\d3d8caps.dat
2009-02-10 23:54 . 2009-02-10 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-10 23:50 . 2009-02-10 23:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-10 19:13 . 2009-02-10 19:13 42,320 --a------ c:\windows\SYSTEM32\xfcodec.dll
2009-02-09 21:27 . 2009-02-09 21:27 85,637 --a------ c:\windows\SYSTEM32\2162dd62-c61d-2ae2-dd89-e79775f1d47b.exe
2009-02-08 18:32 . 2009-02-13 07:13 <DIR> d-------- c:\documents and settings\Alex\Application Data\Twain
2009-02-08 18:27 . 2009-02-16 16:29 <DIR> d-------- c:\program files\WebShow
2009-02-07 22:04 . 2009-02-07 22:04 302,080 --a------ c:\windows\SYSTEM32\urqPgETl.dll
2009-02-07 18:07 . 2009-02-07 18:07 302,080 --a------ c:\windows\SYSTEM32\vtUmkiiI.dll.vir
2009-02-01 11:06 . 2009-02-01 11:07 <DIR> d-------- c:\documents and settings\Alex\Application Data\Apple Computer
2009-01-31 13:00 . 2009-02-07 19:47 <DIR> d-------- C:\BS1pr20085
2009-01-31 12:40 . 2009-01-31 12:40 <DIR> d-------- c:\documents and settings\Alex\Application Data\Runaware
2009-01-31 12:40 . 2009-01-31 12:40 <DIR> d-------- c:\documents and settings\Alex\Application Data\ICAClient
2009-01-31 11:14 . 2009-01-31 11:14 <DIR> d-------- c:\documents and settings\Alex\Application Data\Yahoo!
2009-01-31 11:13 . 2009-02-07 19:50 <DIR> d-------- c:\program files\Yahoo!
2009-01-31 11:13 . 2009-02-07 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-22 17:30 . 2009-01-29 14:43 <DIR> d-------- c:\documents and settings\Entertainment\Application Data\Apple Computer
2009-01-22 14:22 . 2009-01-22 14:23 <DIR> d-------- c:\documents and settings\Entertainment\Application Data\Money Manager Ex
2009-01-21 07:45 . 2009-01-21 07:45 <DIR> d-------- c:\program files\iTunes
2009-01-21 07:45 . 2009-01-21 07:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-21 07:43 . 2009-01-21 07:43 <DIR> d-------- c:\program files\Bonjour
2009-01-21 07:40 . 2009-01-21 07:40 <DIR> d-------- c:\program files\Apple Software Update
2009-01-21 00:24 . 2009-01-21 00:24 56 --ah----- c:\windows\SYSTEM32\ezsidmv.dat
2009-01-21 00:21 . 2009-01-21 00:21 <DIR> d-------- c:\program files\Skype
2009-01-21 00:21 . 2009-01-21 00:21 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-21 00:21 . 2009-01-21 00:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-01-19 08:30 . 2009-01-19 08:30 <DIR> d-------- c:\windows\SYSTEM32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 12:15 --------- d-----w c:\program files\McAfee
2009-02-11 04:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-11 03:57 --------- d-----w c:\documents and settings\Michael\Application Data\Xfire
2009-02-08 00:48 --------- d-----w c:\program files\LimeWire
2009-02-08 00:44 --------- d-----w c:\program files\Common Files\Apple
2009-01-21 12:45 --------- d-----w c:\program files\iPod
2009-01-21 12:43 --------- d-----w c:\program files\QuickTime
2009-01-19 13:30 --------- d-----w c:\program files\Google
2009-01-12 20:14 --------- d-----w c:\program files\Common Files\Adobe
2009-01-12 19:41 --------- d-----w c:\program files\uTorrent
2009-01-11 19:43 --------- d-----w c:\program files\Java
2008-10-13 17:00 486,128 ----a-w c:\documents and settings\All Users\ChromeSetup.exe
2008-06-14 01:34 61,224 ----a-w c:\documents and settings\Michael\GoToAssistDownloadHelper.exe
2007-02-17 04:36 439,296 ----a-w c:\documents and settings\Michael\GoToAssist_phone__317_en.exe
2005-12-17 01:37 3,656,557 ----a-w c:\documents and settings\All Users\LimeWireWin.zip
2005-10-21 21:59 863 ----a-w c:\documents and settings\Incomplete\downloads.dat
2007-02-05 19:48 10,856 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2008-05-10 21:59 32,768 -csha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-16_19.18.30.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-16 23:50:06 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-02-18 13:02:43 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2009-02-16 23:50:06 65,536 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-18 13:02:43 65,536 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="c:\program files\Common Files\Ahead\Lib\NeroScoutOptions.exe" [2005-09-04 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-01-12 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Luba^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Luba\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Luba^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=c:\documents and settings\Luba\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=c:\windows\pss\AOL OpenRide.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^V CAST Music Monitor.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\V CAST Music Monitor.lnk
backup=c:\windows\pss\V CAST Music Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]
NOT_IN_USE_DUMMY_PATH [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 21:42 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-08-25 12:52 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-03 15:18 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a--c--- 2005-12-10 09:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 10:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-11-16 01:05 127035 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-11-15 12:12 473928 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 19:52 50736 c:\program files\Common Files\AOL\1140756379\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2004-05-12 14:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2004-02-12 12:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2004-06-29 10:23 135168 c:\program files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2006-07-12 17:40 36864 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2007-08-04 01:33 582992 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-12-06 13:10 419152 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 07:58 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-07-29 18:34 5354792 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 11:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 11:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2006-08-30 11:46 183367 c:\program files\Plaxo\2.11.1.5\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2004-10-14 15:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-09-27 06:59 81920 c:\docume~1\Michael\MYDOCU~1\MYPROG~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a--c--- 2008-01-21 11:17 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a--c--- 2005-07-22 23:25 28160 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPTISRV"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\Steam.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\berserk_fury89\\counter-strike source\\hl2.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\berserk_fury89\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\berserk_fury89\\half-life 2\\hl2.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 7 Home\\cuteftp.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\Program Files\\Army Operations\\System\\ArmyOps.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\FileZilla\\FileZilla.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\FileZilla\\FzSFtp.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\berserk_fury89\\dedicated server\\hlds.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140756379\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140756379\\ee\\aim6.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140756379\\ee\\AOLOpenRide.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Michael\\My Documents\\My Programs\\SteamApps\\genemech\\condition zero\\hl.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15491:TCP"= 15491:TCP:BitComet 15491 TCP
"15491:UDP"= 15491:UDP:BitComet 15491 UDP

R0 $sys$cor;$sys$cor;c:\windows\SYSTEM32\DRIVERS\$sys$cor.sys [2004-10-06 10368]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\DRIVERS\sonyhcb.sys [2005-07-15 6097]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NAV\1002000.007\SymEFA.sys [2009-02-12 309296]
S1 $sys$crater;$sys$crater;\??\c:\windows\system32\$sys$filesystem\crater.sys --> c:\windows\system32\$sys$filesystem\crater.sys [?]
S1 ac9c00;ac9c00;c:\windows\system32\drivers\ac9c00.sys --> c:\windows\system32\drivers\ac9c00.sys [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NAV\1002000.007\BHDrvx86.sys [2009-02-12 255536]
S1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NAV\1002000.007\cchpx86.sys [2009-02-12 362544]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2009-02-12 274808]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-04-01 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-12 99376]
S3 Pptportfill;Pptportfill;c:\windows\SYSTEM32\DRIVERS\isapnp.sys [2001-08-17 37248]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\DRIVERS\sonyhcs.sys [2005-07-15 299923]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S4 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe [2009-02-12 115560]
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2293484338-3401942740-572667067-1006.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-13 11:51]

2009-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2293484338-3401942740-572667067-1008.job
- c:\documents and settings\Nataliya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-13 12:01]

2009-02-06 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DIMENSION8400-Nataliya).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2007-02-17 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/virusInfo/default.asp?affid=105-37&dtag=cnqz671
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w4gt7pka.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 08:36:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\WebShow\\WebShow.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\ProgID]
@DACL=(02 0000)
@="BHO_CPV.WorkHorse.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\TypeLib]
@DACL=(02 0000)
@="{208CA45C-EB93-49AA-A353-CFE1FE3A6BD5}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\VersionIndependentProgID]
@DACL=(02 0000)
@="BHO_CPV.WorkHorse"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\TypeLib]
@DACL=(02 0000)
@="{63334394-3DA3-4B29-A041-03535909D361}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0]
@DACL=(02 0000)
@="BHO_CPV 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(308)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\alf2cd.acm
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-18 8:41:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-18 13:40:58
ComboFix2.txt 2009-02-17 00:19:40

Pre-Run: 39,613,423,616 bytes free
Post-Run: 39,589,314,560 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
422 --- E O F --- 2009-01-17 20:27:15



