
spyware/virus named 'Troj/Rustok-N' blocking updates


This topic is locked. 42 replies to this topic.

#1 soylentgreen1701
  • Members
  • 35 posts
  • Gender:Male
  • Local time:08:11 PM

Posted 18 February 2009 - 01:38 AM

A week and a half to two weeks ago the computer started acting weird. Specifically, it was getting slower, and the left button on the mouse stopped working on a few websites when it was used to open a link. We've had to start right-clicking on things and selecting from the pop-up scroll. Over this time, fewer and fewer websites are enabling us to use the mouse left button. I also saw that updates from McAfee and Defender stopped getting through, as well as the updates from Microsoft. The computer would state that it was installing updates, go through the procedures, and then state "updates were not configured correctly. reverting changes." It has done that for Windows updates every day. I went to the McAfee site to manually download updates, and when I got to the last link, I got the Google message "oops! this link appears broken - page not found - connection failure". When I went to the Microsoft site to download updates, I got "404 not found. requested url was not found on this server." For the last 3 days McAfee has been popping up saying that I need to re-install the entire program. Windows Defender cannot check for updates either, nor can it be manually downloaded. I get "error code 0x80244019 - cannot connect to site to manually install updates." Also, often when we navigate, web pages that we had no intention of going to end up as our destination. Most of the time they are pornographic, but not always. That's when I got this message from one of the sites:

Your computer (IP: 173.55.76.164) generates an attacking DOS requests at our servers.
This attack was provoked by the spyware/virus named 'Troj/Rustok-N'
We cannot provide you with an access to our content for browsing purposes
as it will lead to the inevitable crush of our website.
We strongly recommend you to run your antivirus edition and, if necessary,
check it for the latest updates available.
You may also download recommended software, which has been approved
by a number of our surfers who encountered the same problem and used
this software to overcome it.
Make sure your computer is protected before continue browsing.
Without this antivirus software your computer becomes a pushover for hackers.

Leaving computer unprotected may lead to:
- Computer performance slowdown and operating system crash
- Serious drop of traffic caused by hidden advertising
- Leak of personal and credit card information
- The inappropriate use of your personal photos by web sites
- Using you machine as a source for spam spreading
- Infection spreading to other removable devices such as
memory cards, writable CD and DVD disks
- Getting your cell phone infected through USB. The first sign
of infection in your cell phone device will appear as sms-messages sent to paid numbers
- etc

Make sure you use effective antivirus software. We recommend you to check your computer
right now and the software that have already helped thousands of our visitors.

Find more comments on the software at: aumhaphpbb.com

The site then directed me to install "WINIAMP" as my virus/spyware. I did not do that.

Here is what I got from the DDS scan. Only 1 Notepad window appeared.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Dickey at 21:53:10.15 on Tue 02/17/2009
Internet Explorer: 7.0.6000.16757
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.2037.976 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcxcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k nfrsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fast Browser SearchP\FastBrowserSearchProtection.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Dickey\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://search.bearshare.com/sidebar.html?src=ssb
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://search.bearshare.com/sidebar.html?src=ssb
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7070
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: TBSB07183 Class: {6c621f09-dff3-415a-b7d1-142678efeb34} - c:\program files\fast browser search\ie\FBStoolbar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Fast Browser Search: {c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FBSearch] c:\program files\fast browser searchp\FastBrowserSearchProtection.exe
mRun: [NSWatchDog] c:\windows\NSWATC~1.EXE &PT=MP&MI=60273502724&OS=Microsoft_Windows_Vista_version_6.0
mRun: [c:\windows\system32\baloon.exe] c:\windows\system32\baloon.exe
mRun: [promo.exe] c:\windows\system32\promo.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.18\amvconverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: torrentportal.com\www
Trusted Zone: utorrent.com\www
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {33FA6CA2-C705-45E5-9DE2-3E35819F507E} = 85.255.112.39,85.255.112.40
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 nfr.sys;nfr.sys;c:\windows\system32\drivers\nfr.sys [2009-2-17 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iWinGamesInstaller.exe [2008-5-12 78104]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-15 206096]
R2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2006-11-2 22016]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-12 356920]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-20 24652]
S2 gupdate1c98d30b66d6f36;Google Update Service (gupdate1c98d30b66d6f36);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-6-25 29744]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-02-17 14:39 0 a------- c:\windows\system32\drivers\nfr.dll.gpref
2009-02-17 14:20 9,600 a------- c:\windows\system32\drivers\nfr.sys
2009-02-17 14:19 0 a------- c:\windows\system32\drivers\nfr.dll.assembly
2009-02-17 14:19 12,804 a------- c:\windows\system32\drivers\nfr.dll
2009-02-17 06:46 445 ---shr-- C:\autorun.inf
2009-02-16 05:54 14,272 a------- c:\windows\system32\b869ackzo5r2522.cpl
2009-02-16 04:35 16,585 a------- c:\windows\system32\29434h5zktool67e.ocx
2009-02-16 01:51 17,995 a------- c:\windows\system32\1c2zthief9593.cpl
2009-02-16 00:43 5,136 a------- c:\windows\system32\99140z5rm527.dll
2009-02-15 20:21 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-02-15 17:08 <DIR> --d----- c:\programdata\SiteAdvisor
2009-02-15 15:12 876,544 a------- c:\windows\system32\TEACico2.dll
2009-02-13 14:42 5,129 a------- c:\windows\system32\5b5fsp95zre2761.ocx
2009-02-12 09:46 <DIR> --d----- c:\programdata\Adobe
2009-02-12 08:43 <DIR> --d----- c:\users\dickey\appdata\roaming\PC Tools
2009-02-12 08:43 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-12 08:39 <DIR> --d----- c:\programdata\Google Updater
2009-02-12 00:46 <DIR> --d----- c:\users\dickey\appdata\roaming\AntiSpywareDAT
2009-02-12 00:46 <DIR> --d----- c:\program files\Security Scanner Full
2009-02-11 20:59 <DIR> --d----- c:\program files\DivX
2009-02-09 18:33 7,540 a------- c:\windows\system32\65c1ad9waze2605.ocx
2009-02-09 10:58 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\users\dickey\appdata\roaming\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-09 10:57 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-09 09:38 43 a------- c:\windows\av_affiliate.ini
2009-02-09 09:38 120 a------- c:\windows\as_affiliate.ini
2009-02-09 09:12 8,704 a------- c:\windows\system32\rasha.exe
2009-02-09 03:48 4,599 a------- c:\windows\8460tr9j45z.cpl
2009-02-08 22:56 <DIR> --d----- c:\program files\Any Video Converter
2009-02-08 18:17 4,340 a------- c:\windows\system32\2fb1backdooz1095.ocx
2009-02-07 20:40 7,373 a------- c:\windows\11303spam95t5ze.ocx
2009-02-06 22:03 8,193 a------- c:\windows\system32\817threat589z.bin
2009-02-06 20:47 13,267 a------- c:\windows\system32\4955vzr2540.cpl
2009-02-06 15:04 <DIR> --d----- c:\program files\VS Revo Group
2009-02-06 09:53 283,966,797 a------- c:\windows\MEMORY.DMP
2009-02-04 23:19 3,015 a------- c:\windows\5214t9reat298z8.exe
2009-02-04 16:25 <DIR> --d----- c:\program files\coolplay
2009-02-04 13:33 8,848 a------- c:\windows\system32\6447szywa9e1752.cpl
2009-02-04 11:51 196,608 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-04 11:51 65,536 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-04 11:51 34,799,616 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-02-03 15:26 <DIR> --d----- c:\program files\uTorrent
2009-02-03 12:50 <DIR> --d----- c:\program files\VideoLAN
2009-01-29 08:39 <DIR> --d----- c:\program files\Selectsoft
2009-01-29 08:39 <DIR> --d----- c:\program files\OXXOGames
2009-01-28 19:07 <DIR> --d----- c:\programdata\PlayFirst
2009-01-28 15:06 2,965 a------- c:\windows\15759trojz8b.ocx
2009-01-27 17:05 2,601 a------- c:\windows\95z5spy598.bin
2009-01-26 21:44 6,391 a------- c:\windows\48359zar5e453.exe
2009-01-23 12:32 <DIR> --d----- c:\program files\Bonjour
2009-01-22 13:06 13,205 a------- c:\windows\d35z9yware2779.bin
2009-01-21 21:31 14,998 a------- c:\windows\z75fspyware7279.cpl
2009-01-21 19:25 11,104 a------- c:\windows\29866h9c5tool5cz.bin
2009-01-21 12:29 15,448 a------- c:\windows\9600vzrus7e95.exe
2009-01-21 01:38 17,915 a------- c:\windows\756ado9nloader30z0.cpl
2009-01-20 18:31 <DIR> --d----- c:\program files\Fast Browser SearchP
2009-01-20 18:30 <DIR> --d----- c:\program files\Fast Browser Search

==================== Find3M ====================

2009-02-17 07:13 5,378 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-16 19:40 20 ----h--- c:\programdata\PKP_DLec.DAT
2009-02-16 19:40 20 ----h--- c:\programdata\PKP_DLds.DAT
2009-02-16 19:40 20 ----h--- c:\progra~2\PKP_DLec.DAT
2009-02-16 19:40 20 ----h--- c:\progra~2\PKP_DLds.DAT
2009-02-16 17:44 174 a--sh--- c:\program files\desktop.ini
2009-02-15 15:15 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-15 15:15 51,200 a------- c:\windows\inf\infpub.dat
2009-02-15 15:15 86,016 a------- c:\windows\inf\infstor.dat
2009-02-09 09:13 17,249 a------- c:\windows\system32\6935thief2z48.dll
2009-02-05 13:22 17,709 a------- c:\windows\system32\718page.dat
2009-01-26 11:25 155,648 a------- c:\windows\system32\Phanfare Screensaver.scr
2009-01-15 21:16 18,367 a------- c:\windows\5571trz595e.dll
2009-01-12 22:18 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-12 11:31 3,874 a------- c:\windows\system32\5a0cback9zor1594.bin
2009-01-10 14:45 11,536 a------- c:\windows\609zddware5997.dll
2009-01-08 21:25 12,634 a------- c:\windows\system32\46vir15z9.bin
2009-01-07 04:20 5,735 a------- c:\windows\system32\659ztroj38c.exe
2009-01-06 09:16 15,999 a------- c:\windows\29f7virz553.exe
2009-01-05 14:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-26 09:40 14,327 a------- c:\windows\system32\9805spz57.bin
2008-12-25 04:50 12,114 a------- c:\windows\6c01bac95ozr905.exe
2008-12-23 11:46 5,011 a------- c:\windows\9635troz3b.dll
2008-12-22 16:14 5,990 a------- c:\windows\system32\6476no5-a9viruz59b.exe
2008-12-19 16:09 2,588 a------- c:\windows\system32\593spy330z.bin
2008-12-17 07:45 7,500 a------- c:\windows\system32\9839zir2951.dll
2008-12-13 10:48 15,021 a------- c:\windows\9z475roj992.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-12 08:45 10,028 a------- c:\windows\system32\93765not-a-vi5us69dz.exe
2008-12-11 16:50 3,056 a------- c:\windows\4a5ethief3191z.bin
2008-12-10 16:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 16:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 18:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 18:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 18:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 18:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-07 21:02 11,739 a------- c:\windows\z1c35ir9212.exe
2008-12-07 07:18 11,333 a------- c:\windows\system32\z20e5ddware901.exe
2008-12-06 22:50 16,634 a------- c:\windows\system32\56z5v9r784.exe
2008-12-03 01:59 3,542 a------- c:\windows\2954backzoor2750.bin
2008-11-28 13:40 6,001 a------- c:\windows\58czv592651.exe
2008-11-21 06:25 14,871 a------- c:\windows\system32\7599steal1z4.dll
2008-11-20 16:46 12,741 a------- c:\windows\system32\29758zp9185.exe
2008-11-20 00:39 17,157 a------- c:\windows\2000zhackt9ol265.exe
2008-05-22 13:12 6,820,032 a------- c:\users\dickey\phanfare_setup.exe
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-08-01 06:45 88 a--shr-- c:\windows\system32\2538829589.sys
2008-03-03 09:36 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-03-03 09:36 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-03-03 09:36 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:54:09.89 ===============

I know you're going to need more details, and I'll be as detailed as possible.

Thanks
soylentgreen1701
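The DDS log above already contains the settings a practitioner would pull out first: both NameServer entries point at 85.255.112.39 and 85.255.112.40 rather than the router or ISP resolver, Internet Explorer is configured to send HTTP through a proxy on localhost:7070, two torrent sites sit in the Trusted Zone, nfr.sys was registered as a driver on the day of the scan, a hidden/system/read-only autorun.inf sits in the root of C:, and dozens of .cpl/.ocx/.bin/.dll/.exe files with random letter-and-digit names were dropped under C:\Windows and System32 over the preceding three months. A rogue resolver and a local HTTP proxy between them would account for the redirected pages and the failed McAfee, Defender and Windows Update downloads. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it runs that triage over lines copied from the log; the seven-day driver window, the random-name heuristic and the treatment of any static public resolver as suspect are this example's assumptions.

```python
"""Triage of DDS/HijackThis-style log lines for the hijack indicators seen in
this thread.  Added example, not part of the thread; SAMPLE_LOG copies lines
from the DDS log above, and the thresholds and allowlists are assumptions."""
import ipaddress
import re
from datetime import date, timedelta

SCAN_DATE = date(2009, 2, 17)       # date in the DDS header on this page
DRIVER_AGE_DAYS = 7                 # assumption: drivers this new get a look
DECOY_EXTS = {".cpl", ".ocx", ".bin", ".dll", ".exe"}

# Constructed sample: lines copied from the DDS log earlier in the thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7070
Trusted Zone: torrentportal.com\www
Trusted Zone: utorrent.com\www
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {33FA6CA2-C705-45E5-9DE2-3E35819F507E} = 85.255.112.39,85.255.112.40
R1 nfr.sys;nfr.sys;c:\windows\system32\drivers\nfr.sys [2009-2-17 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
2009-02-17 06:46 445 ---shr-- C:\autorun.inf
2009-02-16 01:51 17,995 a------- c:\windows\system32\1c2zthief9593.cpl
2009-02-08 18:17 4,340 a------- c:\windows\system32\2fb1backdooz1095.ocx
2009-02-15 15:12 876,544 a------- c:\windows\system32\TEACico2.dll
2009-02-05 13:22 17,709 a------- c:\windows\system32\718page.dat
2008-12-10 16:33 200,704 a------- c:\windows\system32\dtu100.dll
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DRIVER_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]+;(?P<path>.+?\.sys)\s+"
                       r"\[(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2}) \d+\]", re.I)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>[a-z]:\\.+)$", re.I)
# Decoy stems interleave letters and digits (1c2zthief9593, 2fb1backdooz1095)
# and carry three or more digits; names like TEACico2 or dtu100 do not qualify.
INTERLEAVED_RE = re.compile(r"\d+[a-z]+\d+|[a-z]+\d+[a-z]+", re.I)


def public_ips(text):
    """IPv4 literals that are neither private nor loopback.  Assumption: a home
    PC gets resolvers from DHCP, so a static public resolver is worth flagging."""
    found = []
    for ip in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not (addr.is_private or addr.is_loopback):
            found.append(ip)
    return found


def looks_like_decoy(path):
    """True for .cpl/.ocx/.bin/.dll/.exe files directly under the Windows or
    System32 directory whose stem matches the random-name pattern."""
    low = path.lower()
    in_windows = low.startswith("c:\\windows\\") and low.count("\\") == 2
    in_system32 = low.startswith("c:\\windows\\system32\\") and low.count("\\") == 3
    if not (in_windows or in_system32):
        return False
    stem, dot, ext = low.rsplit("\\", 1)[1].rpartition(".")
    if dot != "." or "." + ext not in DECOY_EXTS:
        return False
    return sum(c.isdigit() for c in stem) >= 3 and bool(INTERLEAVED_RE.search(stem))


def triage(log_text):
    """Return the indicators found in log_text, grouped by category."""
    hits = {"dns": set(), "proxy": [], "trusted_zone": [], "new_drivers": [],
            "autorun": [], "decoy_files": []}
    for line in (l.strip() for l in log_text.splitlines()):
        if re.search(r"NameServer\s*=|^TCP: \{", line):
            hits["dns"].update(public_ips(line.split("=", 1)[1]))
        elif "ProxyServer" in line:
            # A proxy on localhost means a process on this box sits between
            # the browser (and Windows Update / AV updaters) and the network.
            hits["proxy"].append(line.split("=", 1)[1].strip())
        elif line.startswith("Trusted Zone:"):
            hits["trusted_zone"].append(line.split(":", 1)[1].strip())
        elif (m := DRIVER_RE.match(line)):
            seen = date(int(m["y"]), int(m["m"]), int(m["d"]))
            if SCAN_DATE - seen <= timedelta(days=DRIVER_AGE_DAYS):
                hits["new_drivers"].append(m["path"])
        elif (m := FILE_RE.match(line)):
            path = m["path"]
            if path.lower().endswith(":\\autorun.inf"):
                hits["autorun"].append(path)
            elif looks_like_decoy(path):
                hits["decoy_files"].append(path)
    hits["dns"] = sorted(hits["dns"])
    return hits


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

The DNS and proxy hits are the two to act on first. Until the NameServer values are cleared and the proxy setting removed (and the result re-checked with `ipconfig /all` and `nslookup`), any download of a removal tool or signature update performed from that machine can be redirected, so tools are best fetched on a clean machine and carried over.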

#2 fenzodahl512
  • Members
  • 6,738 posts
  • Local time:12:11 PM

Posted 18 February 2009 - 06:26 AM

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while its running. That may cause it to stall




Please post these logs in your next reply... Post each log in separate post

1. SDFix
2. Malwarebytes'
3. ComboFix
4. A fresh HijackThis log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 soylentgreen1701
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Male
  • Local time:08:11 PM

Posted 19 February 2009 - 05:14 AM

Okay, this is what I did...

[Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)]

[Please reboot into Safe Mode
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
A new folder will be extracted to your %systemdrive%, typically C:\SDFix
Open the extracted folder and double click RunThis.bat to start the script.]

I got as far as that, and when I click on the RunThis.bat, a 6x4 blue screen flashes on the screen for about 1 second and then vanishes.
It almost looks like it gets downsized as it traces to the bottom of the screen, but nothing is actually down there to be restored to the screen.
I noticed the Add_DBFix_RunOnce_key, but did not install that, as I have no idea what it does.
"Look pal, the only thing you're in charge of is Jack and $h!t....and Jack left town."
-Ash, Army of Darkness

#4 fenzodahl512
  • Members
  • 6,738 posts
  • Local time:12:11 PM

Posted 19 February 2009 - 05:48 AM

Proceed with the next step please.



#5 soylentgreen1701
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Male
  • Local time:08:11 PM

Posted 19 February 2009 - 02:22 PM

Okay, here is the MBAM Report:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 6.0.6000

2/19/2009 9:45:59 AM
mbam-log-2009-02-19 (09-45-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 354416
Time elapsed: 1 hour(s), 51 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 4
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33fa6ca2-c705-45e5-9de2-3e35819f507e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{33fa6ca2-c705-45e5-9de2-3e35819f507e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Dickey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Dickey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\coolplay\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\coolplay\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\RECYCLER\S-0-4-35-100012443-100030565-100026715-7895.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-9-0-36-100010603-100009696-100004373-2774.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\nfr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Dickey\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Windows\System32\gaopdxeomphpcf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\gaopdxealbkgnp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\gaopdxncbtxmbg.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"Look pal, the only thing you're in charge of is Jack and $h!t....and Jack left town."
-Ash, Army of Darkness

#6 soylentgreen1701

  • Topic Starter

  • Members
  • 35 posts
  • Gender:Male

Posted 19 February 2009 - 02:24 PM

ComboFix Report:

ComboFix 09-02-18.01 - Dickey 2009-02-19 10:19:20.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.2037.1164 [GMT -8:00]
Running from: c:\users\Dickey\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Dickey\AppData\Roaming\AntiSpywareDAT
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\BlockedCookies.dat
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\date.dat
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\DirectoryDefinition.dat
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\ENoSignature.dat
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\ExeDefinition.dat
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\FileDefinition.dat
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\RegistryDefinition.dat
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\Safety.dat
c:\users\Dickey\AppData\Roaming\AntiSpywareDAT\Scan_Log.txt
c:\windows\101a5zdw9re2275.exe
c:\windows\system32\gaopdxcounter
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\system32\TEACico2.dll
c:\windows\system32\x64
D:\Autorun.inf
d:\recycler\S-0-4-35-100012443-100030565-100026715-7895.com
d:\recycler\S-9-0-36-100010603-100009696-100004373-2774.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NFR.SYS
-------\Service_iWinGamesInstaller


((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-12-27 20:45 . 2009-12-27 20:45 9,519 --a------ c:\windows\System32\301nzt-a-vi9us552.exe
2009-12-25 23:28 . 2009-12-25 23:28 11,164 --a------ c:\windows\System32\2975znot-a-virus69b.ocx
2009-12-25 15:09 . 2009-12-25 15:09 14,746 --a------ c:\windows\System32\9336spz6c5.dll
2009-12-21 21:11 . 2009-12-21 21:11 5,943 --a------ c:\windows\System32\5332zddwa9e1444.bin
2009-12-21 16:59 . 2009-12-21 16:59 16,557 --a------ c:\windows\System32\201zsp9wa5e913.cpl
2009-12-20 06:56 . 2009-12-20 06:56 3,430 --a------ c:\windows\System32\59zfs59al110.bin
2009-12-19 15:26 . 2009-12-19 15:26 2,857 --a------ c:\windows\System32\3976ztro555b.cpl
2009-12-17 18:46 . 2009-12-17 18:46 4,084 --a------ c:\windows\System32\96448wzrm325.ocx
2009-12-14 18:04 . 2009-12-14 18:04 9,647 --a------ c:\windows\System32\z5895tr9576a.cpl
2009-12-13 16:09 . 2009-12-13 16:09 10,303 --a------ c:\windows\System32\z46199orm35d5.dll
2009-12-01 18:38 . 2009-12-01 18:38 8,366 --a------ c:\windows\System32\5df4doznload9r2551.exe
2009-12-01 13:26 . 2009-12-01 13:26 8,288 --a------ c:\windows\System32\58ezspy5are24549.exe
2009-12-01 10:09 . 2009-12-01 10:09 9,186 --a------ c:\windows\System32\z839ba9kd5or2400.cpl
2009-11-28 08:02 . 2009-11-28 08:02 4,894 --a------ c:\windows\System32\9e58thiz53177.bin
2009-11-27 03:04 . 2009-11-27 03:04 12,154 --a------ c:\windows\System32\1c8z9parse5680.ocx
2009-11-26 08:20 . 2009-11-26 08:20 5,619 --a------ c:\windows\System32\988zspa5se351.ocx
2009-11-23 06:46 . 2009-11-23 06:46 12,925 --a------ c:\windows\System32\199cbaczdoor2475.cpl
2009-11-20 00:16 . 2009-11-20 00:16 6,377 --a------ c:\windows\System32\ab3sp5rsz219.exe
2009-11-16 04:30 . 2009-11-16 04:30 3,525 --a------ c:\windows\System32\743ezownloade91215.dll
2009-11-11 23:04 . 2009-11-11 23:04 15,338 --a------ c:\windows\System32\27352not-a-9zrus647.dll
2009-11-04 02:45 . 2009-11-04 02:45 4,156 --a------ c:\windows\System32\1797znot-a9vir5s8e.exe
2009-11-03 15:59 . 2009-11-03 15:59 3,369 --a------ c:\windows\System32\z9f7thie52925.ocx
2009-11-02 14:07 . 2009-11-02 14:07 10,000 --a------ c:\windows\System32\7359spazse59.ocx
2009-10-27 11:11 . 2009-10-27 11:11 13,858 --a------ c:\windows\System32\2z259hief305.exe
2009-10-24 04:16 . 2009-10-24 04:16 12,517 --a------ c:\windows\System32\13550trz92ad.dll
2009-10-23 04:20 . 2009-10-23 04:20 15,984 --a------ c:\windows\System32\52z66s9ambot521.dll
2009-10-22 10:38 . 2009-10-22 10:38 10,340 --a------ c:\windows\System32\15608spy959z.exe
2009-10-21 03:18 . 2009-10-21 03:18 10,381 --a------ c:\windows\System32\6d9bsteal255z.dll
2009-10-20 16:09 . 2009-10-20 16:09 2,896 --a------ c:\windows\System32\9zcspywa5e9031.dll
2009-10-20 02:31 . 2009-10-20 02:31 3,735 --a------ c:\windows\System32\47faa5dzare2289.ocx
2009-10-18 08:45 . 2009-10-18 08:45 18,018 --a------ c:\windows\System32\29364not-azv5rus55.cpl
2009-10-17 10:17 . 2009-10-17 10:17 7,923 --a------ c:\windows\System32\1605h9ckt5zl763.cpl
2009-10-12 23:43 . 2009-10-12 23:43 16,280 --a------ c:\windows\System32\2392zspambo548b9.bin
2009-10-11 16:29 . 2009-10-11 16:29 8,111 --a------ c:\windows\System32\50952t9oj71ez.exe
2009-10-09 13:23 . 2009-10-09 13:23 14,518 --a------ c:\windows\System32\126355ot-a-viz9s84.ocx
2009-10-08 21:07 . 2009-10-08 21:07 6,949 --a------ c:\windows\System32\55670not-azvi9us48f.ocx
2009-10-07 22:20 . 2009-10-07 22:20 6,496 --a------ c:\windows\System32\9c9eviz2540.ocx
2009-10-06 17:09 . 2009-10-06 17:09 15,601 --a------ c:\windows\System32\54dd9ownloade5z18.bin
2009-10-04 07:13 . 2009-10-04 07:13 2,693 --a------ c:\windows\System32\4908zd9w5re1571.bin
2009-10-02 10:45 . 2009-10-02 10:45 11,095 --a------ c:\windows\System32\z3566s9ambot5b75.ocx
2009-09-28 06:43 . 2009-09-28 06:43 16,628 --a------ c:\windows\System32\18508not-5-vir9s32z.exe
2009-09-26 13:15 . 2009-09-26 13:15 16,769 --a------ c:\windows\System32\48a9t5zea91106.bin
2009-09-24 13:17 . 2009-09-24 13:17 18,046 --a------ c:\windows\System32\1819ztroj705.exe
2009-09-22 06:17 . 2009-09-22 06:17 18,323 --a------ c:\windows\System32\7970dz5nloader2249.ocx
2009-09-18 06:50 . 2009-09-18 06:50 13,872 --a------ c:\windows\System32\9051v5rz260.ocx
2009-09-13 08:44 . 2009-09-13 08:44 5,779 --a------ c:\windows\System32\5d75zteal2659.ocx
2009-09-09 16:23 . 2009-09-09 16:23 4,177 --a------ c:\windows\System32\509189orz3a2.cpl
2009-09-05 13:20 . 2009-09-05 13:20 5,361 --a------ c:\windows\System32\27d0z5r919.cpl
2009-09-04 23:07 . 2009-09-04 23:07 9,113 --a------ c:\windows\System32\5746spamboz979.exe
2009-09-04 00:51 . 2009-09-04 00:51 6,219 --a------ c:\windows\System32\z9502w9rm144.dll
2009-09-03 23:56 . 2009-09-03 23:56 6,942 --a------ c:\windows\System32\19554not-a-v59uz55b.dll
2009-09-03 16:46 . 2009-09-03 16:46 2,698 --a------ c:\windows\System32\355zpambot2f9.ocx
2009-09-02 16:19 . 2009-09-02 16:19 14,401 --a------ c:\windows\System32\z3s9arse953.exe
2009-08-26 08:57 . 2009-08-26 08:57 5,502 --a------ c:\windows\System32\5d53thie5z095.bin
2009-08-23 11:41 . 2009-08-23 11:41 13,449 --a------ c:\windows\System32\5355zparse2699.exe
2009-08-21 15:53 . 2009-08-21 15:53 7,140 --a------ c:\windows\System32\z9290spambot546.dll
2009-08-21 06:52 . 2009-08-21 06:52 18,259 --a------ c:\windows\System32\40235pa9se913z.ocx
2009-08-20 23:46 . 2009-08-20 23:46 4,641 --a------ c:\windows\System32\22945wozm913.dll
2009-08-20 14:18 . 2009-08-20 14:18 9,912 --a------ c:\windows\System32\2650sp95zot56d.ocx
2009-08-19 22:43 . 2009-08-19 22:43 12,632 --a------ c:\windows\System32\7c5fbackdooz1590.exe
2009-08-14 17:39 . 2009-08-14 17:39 2,941 --a------ c:\windows\System32\11649wor9544z.bin
2009-08-13 22:52 . 2009-08-13 22:52 13,840 --a------ c:\windows\System32\422zvi914045.bin
2009-08-13 14:28 . 2009-08-13 14:28 6,724 --a------ c:\windows\System32\30929zr30965.dll
2009-08-13 12:48 . 2009-08-13 12:48 16,765 --a------ c:\windows\System32\428zaddw9r51800.exe
2009-08-05 19:49 . 2009-08-05 19:49 2,940 --a------ c:\windows\System32\5456zteal957.cpl
2009-08-04 01:32 . 2009-08-04 01:32 16,366 --a------ c:\windows\System32\20920zi5us40a.bin
2009-08-03 20:53 . 2009-08-03 20:53 3,626 --a------ c:\windows\System32\32053tro5ze59.cpl
2009-08-02 21:39 . 2009-08-02 21:39 3,136 --a------ c:\windows\System32\10243h9cktoo5z9f.ocx
2009-08-02 07:58 . 2009-08-02 07:58 11,873 --a------ c:\windows\System32\1e39p5waze2400.dll
2009-07-31 23:53 . 2009-07-31 23:53 18,365 --a------ c:\windows\System32\254dad9ware51z7.bin
2009-07-25 21:41 . 2009-07-25 21:41 10,551 --a------ c:\windows\System32\3ez25t9al1081.ocx
2009-07-25 12:40 . 2009-07-25 12:40 17,828 --a------ c:\windows\System32\4595st9az1592.dll
2009-07-24 07:42 . 2009-07-24 07:42 2,774 --a------ c:\windows\System32\6b27thie9524z.cpl
2009-07-23 03:25 . 2009-07-23 03:25 14,422 --a------ c:\windows\System32\3z7baddwa5e1149.ocx
2009-07-21 13:38 . 2009-07-21 13:38 7,622 --a------ c:\windows\System32\5539zroj456.bin
2009-07-21 13:36 . 2009-07-21 13:36 5,278 --a------ c:\windows\System32\393ztroj755.exe
2009-07-21 04:48 . 2009-07-21 04:48 13,109 --a------ c:\windows\System32\6829spars5400z.exe
2009-07-20 16:21 . 2009-07-20 16:21 2,967 --a------ c:\windows\System32\51566not-a-virus925z.exe
2009-07-17 02:37 . 2009-07-17 02:37 2,966 --a------ c:\windows\System32\91059wozm65c.bin
2009-07-13 10:49 . 2009-07-13 10:49 3,280 --a------ c:\windows\System32\27650ha9k5ool5zc.exe
2009-07-13 04:37 . 2009-07-13 04:37 2,592 --a------ c:\windows\System32\3cb1th5eat295z09.ocx
2009-07-12 00:29 . 2009-07-12 00:29 9,079 --a------ c:\windows\System32\130sz5al9790.cpl
2009-07-06 23:54 . 2009-07-06 23:54 14,870 --a------ c:\windows\System32\4903s9ambot1z85.exe
2009-07-02 02:27 . 2009-07-02 02:27 10,472 --a------ c:\windows\System32\7192z5rm234.cpl
2009-06-28 06:56 . 2009-06-28 06:56 13,868 --a------ c:\windows\System32\97z38spy5d8.cpl
2009-06-26 20:03 . 2009-06-26 20:03 16,691 --a------ c:\windows\System32\2zd3download5r9276.dll
2009-06-26 15:56 . 2009-06-26 15:56 2,863 --a------ c:\windows\System32\289z3hackt5ol4f1.bin
2009-06-26 11:51 . 2009-06-26 11:51 12,484 --a------ c:\windows\System32\39758spambot4z6.dll
2009-06-25 06:33 . 2009-06-25 06:33 4,344 --a------ c:\windows\System32\6z5bste9l217.exe
2009-06-22 20:38 . 2009-06-22 20:38 11,397 --a------ c:\windows\System32\2acead9zare1053.bin
2009-06-19 17:05 . 2009-06-19 17:05 3,528 --a------ c:\windows\System32\42zfba5kd9or2130.ocx
2009-06-19 08:33 . 2009-06-19 08:33 4,033 --a------ c:\windows\System32\73bbspyza5e30369.dll
2009-06-14 22:01 . 2009-06-14 22:01 17,047 --a------ c:\windows\System32\225559otza-virus7b1.bin
2009-06-12 14:19 . 2009-06-12 14:19 16,825 --a------ c:\windows\System32\2244zn9t-a-virus7265.bin
2009-06-12 02:45 . 2009-06-12 02:45 17,833 --a------ c:\windows\System32\35z9teal5178.cpl
2009-06-09 12:21 . 2009-06-09 12:21 2,990 --a------ c:\windows\System32\16475hie92z67.bin
2009-06-08 16:25 . 2009-06-08 16:25 14,273 --a------ c:\windows\System32\z798vir7685.dll
2009-06-08 00:23 . 2009-06-08 00:23 11,943 --a------ c:\windows\System32\650aspar5e1z399.bin
2009-06-07 09:29 . 2009-06-07 09:29 12,431 --a------ c:\windows\System32\1f96threatz9506.dll
2009-06-05 01:25 . 2009-06-05 01:25 8,027 --a------ c:\windows\System32\25494s5amboz6a2.bin
2009-06-02 07:03 . 2009-06-02 07:03 12,897 --a------ c:\windows\System32\2zebv5r23469.bin
2009-06-01 02:22 . 2009-06-01 02:22 4,191 --a------ c:\windows\System32\2519z9acktool52c.ocx
2009-05-28 07:47 . 2009-05-28 07:47 10,824 --a------ c:\windows\System32\1e6ezd9war51356.cpl
2009-05-27 17:22 . 2009-05-27 17:22 3,977 --a------ c:\windows\System32\ze47downloa9er2095.bin
2009-05-24 13:45 . 2009-05-24 13:45 12,022 --a------ c:\windows\System32\319z7not-a-viruscf5.exe
2009-05-23 23:00 . 2009-05-23 23:00 15,516 --a------ c:\windows\System32\zf95backdoor1504.exe
2009-05-22 00:37 . 2009-05-22 00:37 3,581 --a------ c:\windows\System32\a52addw9ze2720.exe
2009-05-21 02:18 . 2009-05-21 02:18 10,257 --a------ c:\windows\System32\14692no5-azvirus678.bin
2009-05-20 12:18 . 2009-05-20 12:18 2,722 --a------ c:\windows\System32\z591spyware2689.cpl
2009-05-19 00:35 . 2009-05-19 00:35 9,365 --a------ c:\windows\System32\7559spazbo55f6.cpl
2009-05-18 22:48 . 2009-05-18 22:48 10,926 --a------ c:\windows\System32\3155zsp96d9.bin
2009-05-15 06:11 . 2009-05-15 06:11 6,116 --a------ c:\windows\System32\2195sparsz1069.cpl
2009-05-12 01:50 . 2009-05-12 01:50 6,986 --a------ c:\windows\System32\2570ha9ktoolz85.exe
2009-05-10 09:16 . 2009-05-10 09:16 7,611 --a------ c:\windows\System32\3159ztroj2b0.exe
2009-05-08 23:06 . 2009-05-08 23:06 6,918 --a------ c:\windows\System32\94429worz256.cpl
2009-05-08 04:14 . 2009-05-08 04:14 11,086 --a------ c:\windows\System32\88185py9za.dll
2009-05-04 12:53 . 2009-05-04 12:53 6,140 --a------ c:\windows\System32\5941s9yware243z.bin
2009-04-25 03:18 . 2009-04-25 03:18 15,898 --a------ c:\windows\System32\39aebaczdoo51694.ocx
2009-04-22 17:49 . 2009-04-22 17:49 8,787 --a------ c:\windows\System32\5e59backdozr3955.dll
2009-04-20 22:02 . 2009-04-20 22:02 18,041 --a------ c:\windows\System32\25b8add9are2562z.dll
2009-04-16 19:03 . 2009-04-16 19:03 11,682 --a------ c:\windows\System32\246329ot-a-virus65z.exe
2009-04-13 21:17 . 2009-04-13 21:17 7,040 --a------ c:\windows\System32\25369viruz1d2.dll
2009-04-12 18:24 . 2009-04-12 18:24 6,805 --a------ c:\windows\System32\6523w9rmz655.cpl
2009-04-11 18:41 . 2009-04-11 18:41 11,343 --a------ c:\windows\System32\5c19spywz592168.bin
2009-04-01 20:12 . 2009-04-01 20:12 11,671 --a------ c:\windows\System32\5f8bac5dzo92457.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 18:12 --------- d-----w c:\program files\Dl_cats
2009-02-19 15:22 --------- d-----w c:\users\Dickey\AppData\Roaming\uTorrent
2009-02-19 10:59 --------- d---a-w c:\programdata\TEMP
2009-02-18 11:54 174 --sha-w c:\program files\desktop.ini
2009-02-18 11:34 --------- d-----w c:\program files\Windows Mail
2009-02-17 15:13 --------- d-----w c:\users\Dickey\AppData\Roaming\Corel
2009-02-17 03:40 20 ---h--w c:\programdata\PKP_DLec.DAT
2009-02-17 03:40 20 ---h--w c:\programdata\PKP_DLds.DAT
2009-02-16 04:21 --------- d-----w c:\program files\Google
2009-02-16 01:08 --------- d-----w c:\programdata\McAfee
2009-02-16 01:08 --------- d-----w c:\program files\McAfee
2009-02-15 23:12 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-12 04:59 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-02-10 18:06 --------- d-----w c:\program files\WildGames
2009-02-10 16:55 --------- d-----w c:\users\Dickey\AppData\Roaming\TaxCut
2009-02-10 16:55 --------- d-----w c:\program files\TaxCut07
2009-02-09 20:48 --------- d-----w c:\program files\iWin Games
2009-02-06 00:01 --------- d-----w c:\program files\Common Files\Nikon
2009-01-29 16:36 --------- d-----w c:\programdata\WildTangent
2009-01-17 17:44 --------- d-----w c:\program files\Dell Games
2009-01-17 05:49 --------- d-----w c:\program files\iTunes
2009-01-16 05:16 18,367 ----a-w c:\windows\5571trz595e.dll
2009-01-13 06:18 --------- d-----w c:\program files\Windows Defender
2009-01-13 00:21 --------- d-----w c:\programdata\21A7
2009-01-12 20:49 336,256 ----a-w c:\users\Public\FastBrowserURLDownload.exe
2009-01-12 00:33 --------- d-----w c:\program files\bfgclient
2009-01-10 22:45 11,536 ----a-w c:\windows\609zddware5997.dll
2009-01-08 02:00 --------- d-----w c:\programdata\61D1
2009-01-07 03:22 --------- d-----w c:\programdata\16225
2009-01-07 01:54 --------- d-----w c:\programdata\22388
2009-01-06 17:16 15,999 ----a-w c:\windows\29f7virz553.exe
2009-01-06 07:40 --------- d-----w c:\programdata\25389
2009-01-04 21:30 --------- d-----w c:\programdata\22177
2009-01-04 21:23 --------- d-----w c:\programdata\1F341
2009-01-04 21:16 --------- d-----w c:\programdata\34362
2009-01-03 04:36 --------- d-----w c:\programdata\392B1
2009-01-02 16:27 --------- d-----w c:\programdata\1F27E
2009-01-02 01:40 --------- d-----w c:\programdata\D1C3
2009-01-02 01:35 --------- d-----w c:\programdata\2F2A
2009-01-01 21:26 --------- d-----w c:\users\Dickey\AppData\Roaming\MusicNet
2009-01-01 21:26 --------- d-----w c:\programdata\2E37B
2009-01-01 19:05 --------- d-----w c:\programdata\277382832
2009-01-01 18:21 --------- d-----w c:\users\Dickey\AppData\Roaming\iWin
2009-01-01 18:12 --------- d-----w c:\users\Dickey\AppData\Roaming\WildTangent
2008-12-28 01:31 --------- d-----w c:\programdata\2A2D4
2008-12-27 22:58 --------- d-----w c:\program files\PDF995
2008-12-27 18:00 --------- d-----w c:\program files\MP3 Player Utilities 4.18
2008-12-25 12:50 12,114 ----a-w c:\windows\6c01bac95ozr905.exe
2008-12-24 16:09 --------- d-----w c:\programdata\Microsoft Help
2008-12-23 19:46 5,011 ----a-w c:\windows\9635troz3b.dll
2008-12-13 18:48 15,021 ----a-w c:\windows\9z475roj992.dll
2008-12-12 00:50 3,056 ----a-w c:\windows\4a5ethief3191z.bin
2008-12-08 05:02 11,739 ----a-w c:\windows\z1c35ir9212.exe
2008-12-03 09:59 3,542 ----a-w c:\windows\2954backzoor2750.bin
2008-11-28 21:40 6,001 ----a-w c:\windows\58czv592651.exe
2008-11-20 08:39 17,157 ----a-w c:\windows\2000zhackt9ol265.exe
2008-05-22 21:12 6,820,032 ----a-w c:\users\Dickey\phanfare_setup.exe
2008-08-01 14:45 88 --sha-r c:\windows\System32\2538829589.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C621F09-DFF3-415A-B7D1-142678EFEB34}]
2008-11-05 17:07 2435584 --a------ c:\program files\Fast Browser Search\IE\FBStoolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}"= "c:\program files\Fast Browser Search\IE\FBStoolbar.dll" [2008-11-05 2435584]

[HKEY_CLASSES_ROOT\clsid\{c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb}]
[HKEY_CLASSES_ROOT\TBSB07183.TBSB07183.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB07183.TBSB07183]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}"= "c:\program files\Fast Browser Search\IE\FBStoolbar.dll" [2008-11-05 2435584]

[HKEY_CLASSES_ROOT\clsid\{c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb}]
[HKEY_CLASSES_ROOT\TBSB07183.TBSB07183.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB07183.TBSB07183]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-09 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-09 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"DLCXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-15 106496]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"FBSearch"="c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe" [2008-11-26 325504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-07 c:\windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DoNotAllowExceptions"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D739DF33-DF1A-4EDF-B160-6653256CDBD4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{945E9439-A120-4C29-BD96-6C90E6CE5976}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{68711050-F471-45B7-86F8-4E08EC36299B}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{C3DCD8F1-4702-41F2-929C-31E7148C34C9}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{58175F46-11D4-467A-9FCF-31830E945013}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E5A1FB82-E182-4884-8817-ADC7061EE02C}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{6A871F27-E5EA-4414-99A9-AA5F22D8BAA0}"= UDP:c:\windows\System32\dlcxcoms.exe:Dell 926 Server
"{179A6AF1-4DE8-41C4-8260-F1C63C4C47B0}"= TCP:c:\windows\System32\dlcxcoms.exe:Dell 926 Server
"{2DA3EE08-EF28-477F-96B2-D3ABBA4D7814}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8B95E322-87E1-4F6B-A4C3-13F925C43E39}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{63AD004E-5522-457E-AEBC-2CB64C72707F}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{303C1814-DF46-4283-866D-403A86D4AD99}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{71854770-82F2-4E3D-A612-7D4F671D95F4}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2B308204-4D62-4159-88BC-7FCBED79A891}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{57AD6AB4-0CA3-4875-A782-293C211F0E3B}"= Disabled:UDP:c:\windows\System32\P2P Networking\P2P Networking.exe:P2P Networking
"{64CDA4F2-6727-4BA4-8684-D27EDE7F86D3}"= Disabled:TCP:c:\windows\System32\P2P Networking\P2P Networking.exe:P2P Networking
"{82DC1496-CFF1-4CB0-AC31-1D8D7F6DB676}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CEBB6C2E-C3EF-497C-A736-CDACF9C75CCB}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{68638BEA-093F-41D7-8023-3DAA38742461}"= UDP:c:\program files\iWin Games\iWinGames.exe:iWin Games application.
"{39FD28CA-97E7-4A8A-AEAF-9E673F0D446B}"= TCP:c:\program files\iWin Games\iWinGames.exe:iWin Games application.
"{5C645DBA-40D7-4F95-A1AC-B0B806C30E0C}"= UDP:c:\program files\iWin Games\WebUpdater.exe:iWin Games updater.
"{79274724-20BC-4DC6-9479-A4FF75E0993D}"= TCP:c:\program files\iWin Games\WebUpdater.exe:iWin Games updater.
"{4157B6D3-0301-42AB-B002-128CAD0ABFD3}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{CAC0D325-2735-4D5F-BD33-E0799A237B98}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{7AEDD761-01BE-4BB4-8387-776ED29D1519}"= c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{10D18E7E-481C-4302-B04E-E9E2491EF0CC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7C3DE93B-E93E-451E-888C-3A524D4EA213}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{C8356992-80E8-488C-8C1F-9AE0CA4D6FAE}"= UDP:c:\program files\Google\Google Desktop Search\GoogleDesktop.exe:Google Desktop
"{AA7B71C6-D1EC-4F32-9072-5C2D088C5CFE}"= TCP:c:\program files\Google\Google Desktop Search\GoogleDesktop.exe:Google Desktop
"{062BADEA-2D19-40C9-8949-74E761900899}"= UDP:c:\program files\iMesh Applications\iMesh\iMesh.exe:iMesh
"{E422DF2C-1E7D-4C3F-A44A-61D68A8010AB}"= TCP:c:\program files\iMesh Applications\iMesh\iMesh.exe:iMesh
"{3D6F31F9-3C2C-4688-B9F1-1EDD164571D7}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0D8795F1-81AD-4CE4-B270-B1FF51E5D638}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9A29C237-ADD2-4273-B9EE-DEC07B5D614B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{BD547A06-30BD-4B87-AB04-EFDAD5C66E22}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{9B4874A5-F587-4DA3-B2DA-FE3E4A415785}"= UDP:c:\program files\Phanfare 2.0\Phanfare.exe:Phanfare 2.0
"{6D127A3B-7887-404F-9108-DA59AC30ACC5}"= TCP:c:\program files\Phanfare 2.0\Phanfare.exe:Phanfare 2.0
"{AD6533D6-C4E2-460A-9B43-DBDE238384B4}"= UDP:c:\program files\McAfee\MSC\mcshell.exe:McAfee SecurityCenter
"{3E7BAA36-70B8-435A-A169-8AEF0FC16816}"= TCP:c:\program files\McAfee\MSC\mcshell.exe:McAfee SecurityCenter
"{1691F22C-5655-4587-9B30-ABEDADBEAAE4}"= UDP:c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Free Edition
"{DF0842D0-37C4-40B3-A08F-E17FFAA73338}"= TCP:c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Free Edition
"{458F4ED7-5039-4EAE-984B-4F26268B2AC3}"= UDP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{CD93251A-A1EF-4B5B-8646-B4504ED64725}"= TCP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{A5AB2DDB-74C2-4B50-BF8F-FE3714A57FFD}"= UDP:c:\program files\SUPERAntiSpyware\RUNSAS.EXE:SUPERAntiSpyware Alternate Start
"{DEB42641-33FA-4BF4-A77F-8A188B179462}"= TCP:c:\program files\SUPERAntiSpyware\RUNSAS.EXE:SUPERAntiSpyware Alternate Start
"{6D9845B9-D610-4995-A514-EF69FC720EE3}"= UDP:c:\program files\TaxCut07\Program\TaxCut.exe:TaxCut
"{33A3DC5F-96E7-4660-A5BA-E6B3264B4E5F}"= TCP:c:\program files\TaxCut07\Program\TaxCut.exe:TaxCut
"{943C2906-FA73-4B15-A51D-E067DC731587}"= UDP:c:\program files\TaxCut07\Program\TaxCutSWmgr.exe:TaxCutSWmgr
"{C320C17C-C054-429D-BD1F-8B3C4D9BFCC6}"= TCP:c:\program files\TaxCut07\Program\TaxCutSWmgr.exe:TaxCutSWmgr
"{E33E08ED-1C94-42A1-B0D2-783A45D8B108}"= UDP:c:\program files\TaxCut07\Program\ConnectionTool.exe:ConnectionTool
"{0CF5C4B7-8887-4176-A2B9-1CBB72459DBC}"= TCP:c:\program files\TaxCut07\Program\ConnectionTool.exe:ConnectionTool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-15 206096]
R2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2006-11-02 22016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-20 24652]
S2 gupdate1c98d30b66d6f36;Google Update Service (gupdate1c98d30b66d6f36);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-06-25 29744]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-12 356920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
nfrsvc REG_MULTI_SZ NFRAgent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41109f7a-2d7a-11dc-b470-0019d1e70f3f}]
\shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\Cleaning.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-13 c:\windows\Tasks\EasyShare Registration Task.job
- c:\progra~2\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []

2009-02-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-12 08:39]

2009-02-19 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 08:40]

2009-02-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-19 c:\windows\Tasks\User_Feed_Synchronization-{52617E42-C70A-4CC0-8BC5-BF46FA34FABF}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 01:45]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{811FB681-61C2-4442-9C96-9F164F619ED7} - (no file)
HKLM-Run-NSWatchDog - c:\windows\NSWATC~1.EXE
HKLM-Run-c:\windows\system32\baloon.exe - c:\windows\system32\baloon.exe
HKLM-Run-promo.exe - c:\windows\system32\promo.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7070
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.18\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: torrentportal.com\www
Trusted Zone: utorrent.com\www
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 10:28:12
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
FBSearch = c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe??CLASSPATH=.;c:\program files\

scanning hidden files ...


c:\users\Dickey\AppData\Roaming\Microsoft\Windows\Cookies\dickey@atwola[2].txt
c:\users\Dickey\AppData\Roaming\Microsoft\Windows\Cookies\Low\dickey@my.screenname.aol[2].txt 110 bytes
c:\users\Dickey\AppData\Roaming\Microsoft\Windows\Cookies\Low\dickey@aol[2].txt 143 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2920)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\dlcxcoms.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\windows\System32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\System32\PSIService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Internet Explorer\ieuser.exe
.
**************************************************************************
.
Completion time: 2009-02-19 10:36:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-19 18:35:58

Pre-Run: 149,354,655,744 bytes free
Post-Run: 149,608,275,968 bytes free

491 --- E O F --- 2009-02-18 11:08:38
"Look pal, the only thing you're in charge of is Jack and $h!t....and Jack left town."
-Ash, Army of Darkness

#7 soylentgreen1701 (Topic Starter; Members, 35 posts)

Posted 19 February 2009 - 02:28 PM

And the last report...

DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by Dickey at 10:56:24.89 on Thu 02/19/2009
Internet Explorer: 7.0.6000.16757
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.2037.1599 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Users\Dickey\Desktop\Maintenance\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7070
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: TBSB07183 Class: {6c621f09-dff3-415a-b7d1-142678efeb34} - c:\program files\fast browser search\ie\FBStoolbar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Fast Browser Search: {c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FBSearch] c:\program files\fast browser searchp\FastBrowserSearchProtection.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.18\amvconverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: torrentportal.com\www
Trusted Zone: utorrent.com\www
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Quest%203/Images/stg_drm.ocx
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Quest%203/Images/armhelper.ocx
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
S2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S2 gupdate1c98d30b66d6f36;Google Update Service (gupdate1c98d30b66d6f36);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-15 206096]
S2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2006-11-2 22016]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-20 24652]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-6-25 29744]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-12 356920]

=============== Created Last 30 ================

2009-02-19 10:17 161,792 a------- c:\windows\SWREG.exe
2009-02-19 10:17 98,816 a------- c:\windows\sed.exe
2009-02-19 07:27 <DIR> --d----- c:\users\dickey\appdata\roaming\Malwarebytes
2009-02-19 07:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-19 07:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-19 07:27 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-19 07:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 07:27 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-19 02:45 <DIR> --d----- c:\program files\Mahjong Quest 3
2009-02-19 01:00 <DIR> --d----- C:\SDFix
2009-02-17 14:39 0 a------- c:\windows\system32\drivers\nfr.dll.gpref
2009-02-17 14:19 0 a------- c:\windows\system32\drivers\nfr.dll.assembly
2009-02-17 14:19 12,804 a------- c:\windows\system32\drivers\nfr.dll
2009-02-16 05:54 14,272 a------- c:\windows\system32\b869ackzo5r2522.cpl
2009-02-16 04:35 16,585 a------- c:\windows\system32\29434h5zktool67e.ocx
2009-02-16 01:51 17,995 a------- c:\windows\system32\1c2zthief9593.cpl
2009-02-16 00:43 5,136 a------- c:\windows\system32\99140z5rm527.dll
2009-02-15 20:21 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-02-15 17:08 <DIR> --d----- c:\programdata\SiteAdvisor
2009-02-13 14:42 5,129 a------- c:\windows\system32\5b5fsp95zre2761.ocx
2009-02-12 09:46 <DIR> --d----- c:\programdata\Adobe
2009-02-12 08:43 <DIR> --d----- c:\users\dickey\appdata\roaming\PC Tools
2009-02-12 08:43 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-12 08:39 <DIR> --d----- c:\programdata\Google Updater
2009-02-12 00:46 <DIR> --d----- c:\program files\Security Scanner Full
2009-02-11 20:59 <DIR> --d----- c:\program files\DivX
2009-02-09 18:33 7,540 a------- c:\windows\system32\65c1ad9waze2605.ocx
2009-02-09 10:58 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\users\dickey\appdata\roaming\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-09 10:57 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-09 09:38 43 a------- c:\windows\av_affiliate.ini
2009-02-09 09:38 120 a------- c:\windows\as_affiliate.ini
2009-02-09 09:12 8,704 a------- c:\windows\system32\rasha.exe
2009-02-09 03:48 4,599 a------- c:\windows\8460tr9j45z.cpl
2009-02-08 22:56 <DIR> --d----- c:\program files\Any Video Converter
2009-02-08 18:17 4,340 a------- c:\windows\system32\2fb1backdooz1095.ocx
2009-02-07 20:40 7,373 a------- c:\windows\11303spam95t5ze.ocx
2009-02-06 22:03 8,193 a------- c:\windows\system32\817threat589z.bin
2009-02-06 20:47 13,267 a------- c:\windows\system32\4955vzr2540.cpl
2009-02-06 15:04 <DIR> --d----- c:\program files\VS Revo Group
2009-02-06 09:53 202,997,069 a------- c:\windows\MEMORY.DMP
2009-02-04 23:19 3,015 a------- c:\windows\5214t9reat298z8.exe
2009-02-04 13:33 8,848 a------- c:\windows\system32\6447szywa9e1752.cpl
2009-02-04 11:51 196,608 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-04 11:51 65,536 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-04 11:51 34,799,616 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-02-03 15:26 <DIR> --d----- c:\program files\uTorrent
2009-02-03 12:50 <DIR> --d----- c:\program files\VideoLAN
2009-01-29 08:39 <DIR> --d----- c:\program files\Selectsoft
2009-01-29 08:39 <DIR> --d----- c:\program files\OXXOGames
2009-01-28 19:07 <DIR> --d----- c:\programdata\PlayFirst
2009-01-28 15:06 2,965 a------- c:\windows\15759trojz8b.ocx
2009-01-27 17:05 2,601 a------- c:\windows\95z5spy598.bin
2009-01-26 21:44 6,391 a------- c:\windows\48359zar5e453.exe
2009-01-23 12:32 <DIR> --d----- c:\program files\Bonjour
2009-01-22 13:06 13,205 a------- c:\windows\d35z9yware2779.bin
2009-01-21 21:31 14,998 a------- c:\windows\z75fspyware7279.cpl
2009-01-21 19:25 11,104 a------- c:\windows\29866h9c5tool5cz.bin
2009-01-21 12:29 15,448 a------- c:\windows\9600vzrus7e95.exe
2009-01-21 01:38 17,915 a------- c:\windows\756ado9nloader30z0.cpl
2009-01-20 18:31 <DIR> --d----- c:\program files\Fast Browser SearchP
2009-01-20 18:30 <DIR> --d----- c:\program files\Fast Browser Search

==================== Find3M ====================

2009-02-18 03:54 174 a--sh--- c:\program files\desktop.ini
2009-02-17 07:13 5,378 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-16 19:40 20 ----h--- c:\programdata\PKP_DLec.DAT
2009-02-16 19:40 20 ----h--- c:\programdata\PKP_DLds.DAT
2009-02-16 19:40 20 ----h--- c:\progra~2\PKP_DLec.DAT
2009-02-16 19:40 20 ----h--- c:\progra~2\PKP_DLds.DAT
2009-02-15 15:15 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-15 15:15 51,200 a------- c:\windows\inf\infpub.dat
2009-02-15 15:15 86,016 a------- c:\windows\inf\infstor.dat
2009-02-09 09:13 17,249 a------- c:\windows\system32\6935thief2z48.dll
2009-02-05 13:22 17,709 a------- c:\windows\system32\718page.dat
2009-01-26 11:25 155,648 a------- c:\windows\system32\Phanfare Screensaver.scr
2009-01-15 21:16 18,367 a------- c:\windows\5571trz595e.dll
2009-01-12 22:18 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-12 11:31 3,874 a------- c:\windows\system32\5a0cback9zor1594.bin
2009-01-10 14:45 11,536 a------- c:\windows\609zddware5997.dll
2009-01-08 21:25 12,634 a------- c:\windows\system32\46vir15z9.bin
2009-01-07 04:20 5,735 a------- c:\windows\system32\659ztroj38c.exe
2009-01-06 09:16 15,999 a------- c:\windows\29f7virz553.exe
2009-01-05 14:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-26 09:40 14,327 a------- c:\windows\system32\9805spz57.bin
2008-12-25 04:50 12,114 a------- c:\windows\6c01bac95ozr905.exe
2008-12-23 11:46 5,011 a------- c:\windows\9635troz3b.dll
2008-12-22 16:14 5,990 a------- c:\windows\system32\6476no5-a9viruz59b.exe
2008-12-19 16:09 2,588 a------- c:\windows\system32\593spy330z.bin
2008-12-17 07:45 7,500 a------- c:\windows\system32\9839zir2951.dll
2008-12-13 10:48 15,021 a------- c:\windows\9z475roj992.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-12 08:45 10,028 a------- c:\windows\system32\93765not-a-vi5us69dz.exe
2008-12-11 16:50 3,056 a------- c:\windows\4a5ethief3191z.bin
2008-12-10 16:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 16:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 18:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 18:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 18:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 18:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-07 21:02 11,739 a------- c:\windows\z1c35ir9212.exe
2008-12-07 07:18 11,333 a------- c:\windows\system32\z20e5ddware901.exe
2008-12-06 22:50 16,634 a------- c:\windows\system32\56z5v9r784.exe
2008-12-03 01:59 3,542 a------- c:\windows\2954backzoor2750.bin
2008-11-28 13:40 6,001 a------- c:\windows\58czv592651.exe
2008-05-22 13:12 6,820,032 a------- c:\users\dickey\phanfare_setup.exe
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-08-01 06:45 88 a--shr-- c:\windows\system32\2538829589.sys

============= FINISH: 10:57:58.32 ===============

#8 fenzodahl512 (Members, 6,738 posts)

Posted 19 February 2009 - 02:45 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\System32\301nzt-a-vi9us552.exe
c:\windows\System32\2975znot-a-virus69b.ocx
c:\windows\System32\9336spz6c5.dll
c:\windows\System32\5332zddwa9e1444.bin
c:\windows\System32\201zsp9wa5e913.cpl
c:\windows\System32\59zfs59al110.bin
c:\windows\System32\3976ztro555b.cpl
c:\windows\System32\96448wzrm325.ocx
c:\windows\System32\z5895tr9576a.cpl
c:\windows\System32\z46199orm35d5.dll
c:\windows\System32\5df4doznload9r2551.exe
c:\windows\System32\58ezspy5are24549.exe
c:\windows\System32\z839ba9kd5or2400.cpl
c:\windows\System32\9e58thiz53177.bin
c:\windows\System32\1c8z9parse5680.ocx
c:\windows\System32\988zspa5se351.ocx
c:\windows\System32\199cbaczdoor2475.cpl
c:\windows\System32\ab3sp5rsz219.exe
c:\windows\System32\743ezownloade91215.dll
c:\windows\System32\27352not-a-9zrus647.dll
c:\windows\System32\1797znot-a9vir5s8e.exe
c:\windows\System32\z9f7thie52925.ocx
c:\windows\System32\7359spazse59.ocx
c:\windows\System32\2z259hief305.exe
c:\windows\System32\13550trz92ad.dll
c:\windows\System32\52z66s9ambot521.dll
c:\windows\System32\15608spy959z.exe
c:\windows\System32\6d9bsteal255z.dll
c:\windows\System32\9zcspywa5e9031.dll
c:\windows\System32\47faa5dzare2289.ocx
c:\windows\System32\29364not-azv5rus55.cpl
c:\windows\System32\1605h9ckt5zl763.cpl
c:\windows\System32\2392zspambo548b9.bin
c:\windows\System32\50952t9oj71ez.exe
c:\windows\System32\126355ot-a-viz9s84.ocx
c:\windows\System32\55670not-azvi9us48f.ocx
c:\windows\System32\9c9eviz2540.ocx
c:\windows\System32\54dd9ownloade5z18.bin
c:\windows\System32\4908zd9w5re1571.bin
c:\windows\System32\z3566s9ambot5b75.ocx
c:\windows\System32\18508not-5-vir9s32z.exe
c:\windows\System32\48a9t5zea91106.bin
c:\windows\System32\1819ztroj705.exe
c:\windows\System32\7970dz5nloader2249.ocx
c:\windows\System32\9051v5rz260.ocx
c:\windows\System32\5d75zteal2659.ocx
c:\windows\System32\509189orz3a2.cpl
c:\windows\System32\27d0z5r919.cpl
c:\windows\System32\5746spamboz979.exe
c:\windows\System32\z9502w9rm144.dll
c:\windows\System32\19554not-a-v59uz55b.dll
c:\windows\System32\355zpambot2f9.ocx
c:\windows\System32\z3s9arse953.exe
c:\windows\System32\5d53thie5z095.bin
c:\windows\System32\5355zparse2699.exe
c:\windows\System32\z9290spambot546.dll
c:\windows\System32\40235pa9se913z.ocx
c:\windows\System32\22945wozm913.dll
c:\windows\System32\2650sp95zot56d.ocx
c:\windows\System32\7c5fbackdooz1590.exe
c:\windows\System32\11649wor9544z.bin
c:\windows\System32\422zvi914045.bin
c:\windows\System32\30929zr30965.dll
c:\windows\System32\428zaddw9r51800.exe
c:\windows\System32\5456zteal957.cpl
c:\windows\System32\20920zi5us40a.bin
c:\windows\System32\32053tro5ze59.cpl
c:\windows\System32\10243h9cktoo5z9f.ocx
c:\windows\System32\1e39p5waze2400.dll
c:\windows\System32\254dad9ware51z7.bin
c:\windows\System32\3ez25t9al1081.ocx
c:\windows\System32\4595st9az1592.dll
c:\windows\System32\6b27thie9524z.cpl
c:\windows\System32\3z7baddwa5e1149.ocx
c:\windows\System32\5539zroj456.bin
c:\windows\System32\393ztroj755.exe
c:\windows\System32\6829spars5400z.exe
c:\windows\System32\51566not-a-virus925z.exe
c:\windows\System32\91059wozm65c.bin
c:\windows\System32\27650ha9k5ool5zc.exe
c:\windows\System32\3cb1th5eat295z09.ocx
c:\windows\System32\130sz5al9790.cpl
c:\windows\System32\4903s9ambot1z85.exe
c:\windows\System32\7192z5rm234.cpl
c:\windows\System32\97z38spy5d8.cpl
c:\windows\System32\2zd3download5r9276.dll
c:\windows\System32\289z3hackt5ol4f1.bin
c:\windows\System32\39758spambot4z6.dll
c:\windows\System32\6z5bste9l217.exe
c:\windows\System32\2acead9zare1053.bin
c:\windows\System32\42zfba5kd9or2130.ocx
c:\windows\System32\73bbspyza5e30369.dll
c:\windows\System32\225559otza-virus7b1.bin
c:\windows\System32\2244zn9t-a-virus7265.bin
c:\windows\System32\35z9teal5178.cpl
c:\windows\System32\16475hie92z67.bin
c:\windows\System32\z798vir7685.dll
c:\windows\System32\650aspar5e1z399.bin
c:\windows\System32\1f96threatz9506.dll
c:\windows\System32\25494s5amboz6a2.bin
c:\windows\System32\2zebv5r23469.bin
c:\windows\System32\2519z9acktool52c.ocx
c:\windows\System32\1e6ezd9war51356.cpl
c:\windows\System32\ze47downloa9er2095.bin
c:\windows\System32\319z7not-a-viruscf5.exe
c:\windows\System32\zf95backdoor1504.exe
c:\windows\System32\a52addw9ze2720.exe
c:\windows\System32\14692no5-azvirus678.bin
c:\windows\System32\z591spyware2689.cpl
c:\windows\System32\7559spazbo55f6.cpl
c:\windows\System32\3155zsp96d9.bin
c:\windows\System32\2195sparsz1069.cpl
c:\windows\System32\2570ha9ktoolz85.exe
c:\windows\System32\3159ztroj2b0.exe
c:\windows\System32\94429worz256.cpl
c:\windows\System32\88185py9za.dll
c:\windows\System32\5941s9yware243z.bin
c:\windows\System32\39aebaczdoo51694.ocx
c:\windows\System32\5e59backdozr3955.dll
c:\windows\System32\25b8add9are2562z.dll
c:\windows\System32\246329ot-a-virus65z.exe
c:\windows\System32\25369viruz1d2.dll
c:\windows\System32\6523w9rmz655.cpl
c:\windows\System32\5c19spywz592168.bin
c:\windows\System32\5f8bac5dzo92457.dll
c:\windows\5571trz595e.dll
c:\windows\609zddware5997.dll
c:\windows\29f7virz553.exe
c:\windows\6c01bac95ozr905.exe
c:\windows\9635troz3b.dll
c:\windows\9z475roj992.dll
c:\windows\4a5ethief3191z.bin
c:\windows\z1c35ir9212.exe
c:\windows\2954backzoor2750.bin
c:\windows\58czv592651.exe
c:\windows\2000zhackt9ol265.exe
c:\windows\System32\2538829589.sys

Folder::
c:\programdata\21A7
c:\programdata\61D1
c:\programdata\16225
c:\programdata\22388
c:\programdata\25389
c:\programdata\22177
c:\programdata\1F341
c:\programdata\34362
c:\programdata\392B1
c:\programdata\1F27E
c:\programdata\D1C3
c:\programdata\2F2A
c:\programdata\2E37B
c:\programdata\277382832
c:\programdata\2A2D4

RegLock::
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
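
The DDS "Created Last 30" / "Find3M" listing in post #7 and the File:: / Folder:: CFScript the helper builds from it in post #8 are a manual triage: pick out the small, oddly named files dropped directly into c:\windows and c:\windows\system32, note the loopback IE proxy (http=localhost:7070) and the torrent-site Trusted Zone entries, and hand ComboFix a list of paths. The Python below is an added example that automates that triage over a few constructed lines in the DDS layout; it is not part of the thread and not a DDS, ComboFix or CFScript tool. The naming heuristic (a threat word with letters swapped for digits or "z", e.g. 1c2zthief9593, 5214t9reat298z8), the 20 KB size cut-off, the fragment list and the sample lines are my own assumptions drawn from the names visible in the posted logs; treat its output as a candidate list for a human to review, not as a verdict.

```python
import re

# Constructed sample in the DDS layout posted in the thread (a few
# representative lines, not the full log). Backslashes are doubled for Python.
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7070
Trusted Zone: torrentportal.com\\www
Trusted Zone: utorrent.com\\www
2009-02-19 10:17 161,792 a------- c:\\windows\\SWREG.exe
2009-02-19 07:27 <DIR> --d----- c:\\programdata\\Malwarebytes
2009-02-16 05:54 14,272 a------- c:\\windows\\system32\\b869ackzo5r2522.cpl
2009-02-16 01:51 17,995 a------- c:\\windows\\system32\\1c2zthief9593.cpl
2009-02-09 09:12 8,704 a------- c:\\windows\\system32\\rasha.exe
2009-02-04 23:19 3,015 a------- c:\\windows\\5214t9reat298z8.exe
2008-12-12 08:45 10,028 a------- c:\\windows\\system32\\93765not-a-vi5us69dz.exe
2008-12-12 11:18 87,336 a------- c:\\windows\\system32\\dns-sd.exe
2008-12-10 16:33 200,704 a------- c:\\windows\\system32\\dtu100.dll
2008-08-01 06:45 88 a--shr-- c:\\windows\\system32\\2538829589.sys
"""

# "YYYY-MM-DD HH:MM size attrs path" as DDS prints file entries (directories
# show "<DIR>" instead of a size and are deliberately not matched).
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>[\d,]+) "
    r"(?P<attr>[a-z-]{8}) (?P<path>[a-z]:\\.+)$", re.IGNORECASE)
PROXY_LINE = re.compile(r"ProxyServer\s*=\s*(?P<spec>.+)$", re.IGNORECASE)
TRUSTED_LINE = re.compile(r"^Trusted Zone:\s*(?P<host>\S+)", re.IGNORECASE)

# Assumptions: the dropper writes straight into these two directories, uses
# these extensions, keeps files under 20 KB, and mangles a threat word by
# sprinkling digits and the letter "z" into it.
DROP_DIRS = (r"c:\windows", r"c:\windows\system32")
DROP_EXTS = (".exe", ".dll", ".ocx", ".cpl", ".bin")
SIZE_LIMIT = 20_000
FRAGMENTS = ("troj", "spy", "vir", "back", "door", "worm", "wor", "thie", "reat",
             "hack", "tool", "load", "ware", "not-a", "spam", "bot", "steal",
             "teal", "pars", "arse")


def _split(path):
    """Lower-case a Windows path into (directory, stem, extension)."""
    directory, _, name = path.lower().rpartition("\\")
    stem, _, ext = name.rpartition(".")
    return directory, stem, "." + ext


def classify_file(size, attr, path):
    """Return a reason string if the entry looks like a dropped file, else None."""
    directory, stem, ext = _split(path)
    if directory not in DROP_DIRS:
        return None
    # Rule 1: small executable-ish file whose name mixes digits and "z" around
    # a mangled threat word (every rogue name in the posted log has both).
    if (ext in DROP_EXTS and size < SIZE_LIMIT and "z" in stem
            and sum(c.isdigit() for c in stem) >= 2):
        bare = re.sub(r"[0-9z]", "", stem)  # strip the filler characters
        hits = [f for f in FRAGMENTS if f in bare]
        if hits:
            return "mangled threat-word name (%s)" % ", ".join(hits)
        return "random digit/z name in system directory"
    # Rule 2: tiny hidden+system file with an all-digit name (2538829589.sys).
    if stem.isdigit() and "h" in attr and "s" in attr and size < 1024:
        return "hidden/system all-digit file"
    return None


def classify_setting(line):
    """Flag IE settings worth a second look: (kind, value, note) or None."""
    m = PROXY_LINE.search(line)
    if m:
        spec = m.group("spec").strip()
        host = spec.split("=")[-1].split(":")[0]  # "http=localhost:7070" -> "localhost"
        if host in ("localhost", "127.0.0.1"):
            return ("IE proxy", spec,
                    "loopback proxy: browser traffic passes through a local process; "
                    "find the owner of the port before trusting any page it serves")
        return ("IE proxy", spec, "explicit proxy; verify it is expected")
    m = TRUSTED_LINE.match(line)
    if m:
        return ("Trusted Zone", m.group("host"),
                "site runs with relaxed IE security; confirm the user added it")
    return None


def triage(log_text):
    """Walk a DDS/ComboFix-style log and collect suspicious files and settings."""
    files, settings = [], []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = int(m.group("size").replace(",", ""))
            reason = classify_file(size, m.group("attr"), m.group("path"))
            if reason:
                files.append((m.group("path"), reason))
            continue
        s = classify_setting(line)
        if s:
            settings.append(s)
    return {"files": files, "settings": settings}


def build_cfscript(paths):
    """Render a KillAll:: / File:: section in the CFScript layout used in the thread."""
    return "KillAll::\n\nFile::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, value, note in result["settings"]:
        print("%-12s %-28s %s" % (kind, value, note))
    for path, reason in result["files"]:
        print("%-55s %s" % (path, reason))
    print(build_cfscript([p for p, _ in result["files"]]))
```

Run it as a script and it prints the flagged settings, the candidate files with the rule that caught them, and a File:: section ready to paste into CFScript.txt. Two practitioner caveats: a loopback proxy is only evidence, so on the affected machine run netstat -ano and match the PID listening on 7070 to a process before treating the 404 and "broken link" pages the original poster saw as caused by it; and a name heuristic like this will miss files the dropper names differently, so it complements, rather than replaces, the helper's reading of the full log.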


#9 soylentgreen1701 (Topic Starter; Members, 35 posts)

Posted 19 February 2009 - 08:08 PM

okey dokey, here's ComboFix:

ComboFix 09-02-18.01 - Dickey 2009-02-19 16:27:16.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.2037.1059 [GMT -8:00]
Running from: c:\users\Dickey\Desktop\ComboFix.exe
Command switches used :: c:\users\Dickey\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2009-02-19_10.34.39.51 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C621F09-DFF3-415A-B7D1-142678EFEB34}]
2008-11-05 17:07 2435584 --a------ c:\program files\Fast Browser Search\IE\FBStoolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}"= "c:\program files\Fast Browser Search\IE\FBStoolbar.dll" [2008-11-05 2435584]

[HKEY_CLASSES_ROOT\clsid\{c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb}]
[HKEY_CLASSES_ROOT\TBSB07183.TBSB07183.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB07183.TBSB07183]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}"= "c:\program files\Fast Browser Search\IE\FBStoolbar.dll" [2008-11-05 2435584]

[HKEY_CLASSES_ROOT\clsid\{c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb}]
[HKEY_CLASSES_ROOT\TBSB07183.TBSB07183.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB07183.TBSB07183]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-09 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-09 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"DLCXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-15 106496]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"FBSearch"="c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe" [2008-11-26 325504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-07 c:\windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DoNotAllowExceptions"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0D8795F1-81AD-4CE4-B270-B1FF51E5D638}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9A29C237-ADD2-4273-B9EE-DEC07B5D614B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{BD547A06-30BD-4B87-AB04-EFDAD5C66E22}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{9B4874A5-F587-4DA3-B2DA-FE3E4A415785}"= UDP:c:\program files\Phanfare 2.0\Phanfare.exe:Phanfare 2.0
"{6D127A3B-7887-404F-9108-DA59AC30ACC5}"= TCP:c:\program files\Phanfare 2.0\Phanfare.exe:Phanfare 2.0
"{AD6533D6-C4E2-460A-9B43-DBDE238384B4}"= UDP:c:\program files\McAfee\MSC\mcshell.exe:McAfee SecurityCenter
"{3E7BAA36-70B8-435A-A169-8AEF0FC16816}"= TCP:c:\program files\McAfee\MSC\mcshell.exe:McAfee SecurityCenter
"{1691F22C-5655-4587-9B30-ABEDADBEAAE4}"= UDP:c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Free Edition
"{DF0842D0-37C4-40B3-A08F-E17FFAA73338}"= TCP:c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Free Edition
"{458F4ED7-5039-4EAE-984B-4F26268B2AC3}"= UDP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{CD93251A-A1EF-4B5B-8646-B4504ED64725}"= TCP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{A5AB2DDB-74C2-4B50-BF8F-FE3714A57FFD}"= UDP:c:\program files\SUPERAntiSpyware\RUNSAS.EXE:SUPERAntiSpyware Alternate Start
"{DEB42641-33FA-4BF4-A77F-8A188B179462}"= TCP:c:\program files\SUPERAntiSpyware\RUNSAS.EXE:SUPERAntiSpyware Alternate Start
"{E33E08ED-1C94-42A1-B0D2-783A45D8B108}"= UDP:c:\program files\TaxCut07\Program\ConnectionTool.exe:ConnectionTool
"{0CF5C4B7-8887-4176-A2B9-1CBB72459DBC}"= TCP:c:\program files\TaxCut07\Program\ConnectionTool.exe:ConnectionTool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-15 206096]
R2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2006-11-02 22016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-20 24652]
S2 0051161235070814mcinstcleanup;McAfee Application Installer Cleanup (0051161235070814);c:\windows\TEMP\005116~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\005116~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c98d30b66d6f36;Google Update Service (gupdate1c98d30b66d6f36);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-06-25 29744]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-12 356920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
nfrsvc REG_MULTI_SZ NFRAgent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41109f7a-2d7a-11dc-b470-0019d1e70f3f}]
\shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\Cleaning.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-13 c:\windows\Tasks\EasyShare Registration Task.job
- c:\progra~2\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []

2009-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-12 08:39]

2009-02-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 08:40]

2009-02-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-19 c:\windows\Tasks\User_Feed_Synchronization-{52617E42-C70A-4CC0-8BC5-BF46FA34FABF}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 01:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7070
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.18\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: torrentportal.com\www
Trusted Zone: utorrent.com\www
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 16:34:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
FBSearch = c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe??CLASSPATH=.;c:\program files\

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4196)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\dlcxcoms.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\windows\System32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\System32\PSIService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MSC\mcuimgr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Internet Explorer\ieuser.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-19 16:42:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-20 00:42:31
ComboFix2.txt 2009-02-19 18:36:09

Pre-Run: 155,308,605,440 bytes free
Post-Run: 155,513,671,680 bytes free

745 --- E O F --- 2009-02-18 11:08:38
"Look pal, the only thing you're in charge of is Jack and $h!t....and Jack left town."
-Ash, Army of Darkness

#10 soylentgreen1701 (Topic Starter, Members, 35 posts)

Posted 19 February 2009 - 08:30 PM

...and here's the other scan WITH an ATTACH.TXT that it told me to ZIP & attach to the thread, but not post it.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Dickey at 16:47:44.14 on Thu 02/19/2009
Internet Explorer: 7.0.6000.16757
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.2037.1213 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcxcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k nfrsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fast Browser SearchP\FastBrowserSearchProtection.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Dickey\Desktop\dds.scr
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7070
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: TBSB07183 Class: {6c621f09-dff3-415a-b7d1-142678efeb34} - c:\program files\fast browser search\ie\FBStoolbar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Fast Browser Search: {c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FBSearch] c:\program files\fast browser searchp\FastBrowserSearchProtection.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.18\amvconverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: torrentportal.com\www
Trusted Zone: utorrent.com\www
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Quest%203/Images/stg_drm.ocx
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxps://register.facebook.com/controls/contactx.dll
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Quest%203/Images/armhelper.ocx
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-15 206096]
R2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2006-11-2 22016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-20 24652]
S2 0051161235070814mcinstcleanup;McAfee Application Installer Cleanup (0051161235070814);c:\windows\temp\005116~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\005116~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c98d30b66d6f36;Google Update Service (gupdate1c98d30b66d6f36);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-6-25 29744]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-12 356920]

=============== Created Last 30 ================

2009-02-19 11:56 17,379 a------- c:\windows\system32\8335zot-a-virus7ec9.dll
2009-02-19 10:17 161,792 a------- c:\windows\SWREG.exe
2009-02-19 10:17 98,816 a------- c:\windows\sed.exe
2009-02-19 07:27 <DIR> --d----- c:\users\dickey\appdata\roaming\Malwarebytes
2009-02-19 07:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-19 07:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-19 07:27 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-19 07:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 07:27 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-19 02:45 <DIR> --d----- c:\program files\Mahjong Quest 3
2009-02-19 01:00 <DIR> --d----- C:\SDFix
2009-02-17 14:39 0 a------- c:\windows\system32\drivers\nfr.dll.gpref
2009-02-17 14:19 0 a------- c:\windows\system32\drivers\nfr.dll.assembly
2009-02-17 14:19 12,804 a------- c:\windows\system32\drivers\nfr.dll
2009-02-16 05:54 14,272 a------- c:\windows\system32\b869ackzo5r2522.cpl
2009-02-16 04:35 16,585 a------- c:\windows\system32\29434h5zktool67e.ocx
2009-02-16 01:51 17,995 a------- c:\windows\system32\1c2zthief9593.cpl
2009-02-16 00:43 5,136 a------- c:\windows\system32\99140z5rm527.dll
2009-02-15 20:21 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-02-15 17:08 <DIR> --d----- c:\programdata\SiteAdvisor
2009-02-13 14:42 5,129 a------- c:\windows\system32\5b5fsp95zre2761.ocx
2009-02-12 09:46 <DIR> --d----- c:\programdata\Adobe
2009-02-12 08:43 <DIR> --d----- c:\users\dickey\appdata\roaming\PC Tools
2009-02-12 08:43 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-12 08:39 <DIR> --d----- c:\programdata\Google Updater
2009-02-12 00:46 <DIR> --d----- c:\program files\Security Scanner Full
2009-02-11 20:59 <DIR> --d----- c:\program files\DivX
2009-02-09 18:33 7,540 a------- c:\windows\system32\65c1ad9waze2605.ocx
2009-02-09 10:58 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\users\dickey\appdata\roaming\SUPERAntiSpyware.com
2009-02-09 10:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-09 10:57 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-09 09:38 43 a------- c:\windows\av_affiliate.ini
2009-02-09 09:38 120 a------- c:\windows\as_affiliate.ini
2009-02-09 09:12 8,704 a------- c:\windows\system32\rasha.exe
2009-02-09 03:48 4,599 a------- c:\windows\8460tr9j45z.cpl
2009-02-08 22:56 <DIR> --d----- c:\program files\Any Video Converter
2009-02-08 18:17 4,340 a------- c:\windows\system32\2fb1backdooz1095.ocx
2009-02-07 20:40 7,373 a------- c:\windows\11303spam95t5ze.ocx
2009-02-06 22:03 8,193 a------- c:\windows\system32\817threat589z.bin
2009-02-06 20:47 13,267 a------- c:\windows\system32\4955vzr2540.cpl
2009-02-06 15:04 <DIR> --d----- c:\program files\VS Revo Group
2009-02-06 09:53 202,997,069 a------- c:\windows\MEMORY.DMP
2009-02-04 23:19 3,015 a------- c:\windows\5214t9reat298z8.exe
2009-02-04 13:33 8,848 a------- c:\windows\system32\6447szywa9e1752.cpl
2009-02-04 11:51 196,608 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-04 11:51 65,536 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-04 11:51 34,799,616 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-02-03 15:26 <DIR> --d----- c:\program files\uTorrent
2009-02-03 12:50 <DIR> --d----- c:\program files\VideoLAN
2009-01-29 08:39 <DIR> --d----- c:\program files\Selectsoft
2009-01-29 08:39 <DIR> --d----- c:\program files\OXXOGames
2009-01-28 19:07 <DIR> --d----- c:\programdata\PlayFirst
2009-01-28 15:06 2,965 a------- c:\windows\15759trojz8b.ocx
2009-01-27 17:05 2,601 a------- c:\windows\95z5spy598.bin
2009-01-26 21:44 6,391 a------- c:\windows\48359zar5e453.exe
2009-01-23 12:32 <DIR> --d----- c:\program files\Bonjour
2009-01-22 13:06 13,205 a------- c:\windows\d35z9yware2779.bin
2009-01-21 21:31 14,998 a------- c:\windows\z75fspyware7279.cpl
2009-01-21 19:25 11,104 a------- c:\windows\29866h9c5tool5cz.bin
2009-01-21 12:29 15,448 a------- c:\windows\9600vzrus7e95.exe
2009-01-21 01:38 17,915 a------- c:\windows\756ado9nloader30z0.cpl
2009-01-20 18:31 <DIR> --d----- c:\program files\Fast Browser SearchP
2009-01-20 18:30 <DIR> --d----- c:\program files\Fast Browser Search

==================== Find3M ====================

2009-02-18 03:54 174 a--sh--- c:\program files\desktop.ini
2009-02-17 07:13 5,378 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-16 19:40 20 ----h--- c:\programdata\PKP_DLec.DAT
2009-02-16 19:40 20 ----h--- c:\programdata\PKP_DLds.DAT
2009-02-16 19:40 20 ----h--- c:\progra~2\PKP_DLec.DAT
2009-02-16 19:40 20 ----h--- c:\progra~2\PKP_DLds.DAT
2009-02-15 15:15 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-15 15:15 51,200 a------- c:\windows\inf\infpub.dat
2009-02-15 15:15 86,016 a------- c:\windows\inf\infstor.dat
2009-02-09 09:13 17,249 a------- c:\windows\system32\6935thief2z48.dll
2009-02-05 13:22 17,709 a------- c:\windows\system32\718page.dat
2009-01-26 11:25 155,648 a------- c:\windows\system32\Phanfare Screensaver.scr
2009-01-12 22:18 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-12 11:31 3,874 a------- c:\windows\system32\5a0cback9zor1594.bin
2009-01-08 21:25 12,634 a------- c:\windows\system32\46vir15z9.bin
2009-01-07 04:20 5,735 a------- c:\windows\system32\659ztroj38c.exe
2009-01-05 14:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-26 09:40 14,327 a------- c:\windows\system32\9805spz57.bin
2008-12-22 16:14 5,990 a------- c:\windows\system32\6476no5-a9viruz59b.exe
2008-12-19 16:09 2,588 a------- c:\windows\system32\593spy330z.bin
2008-12-17 07:45 7,500 a------- c:\windows\system32\9839zir2951.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-12 08:45 10,028 a------- c:\windows\system32\93765not-a-vi5us69dz.exe
2008-12-10 16:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 16:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 18:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 18:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 18:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 18:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-07 07:18 11,333 a------- c:\windows\system32\z20e5ddware901.exe
2008-12-06 22:50 16,634 a------- c:\windows\system32\56z5v9r784.exe
2008-05-22 13:12 6,820,032 a------- c:\users\dickey\phanfare_setup.exe
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:48:17.99 ===============

Attached Files



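The two logs above carry the indicators a responder would pull out by hand: Security Center monitoring for McAfee switched off, the Windows Firewall standard profile disabled, Internet Explorer's proxy pointed at localhost:7070, Trusted Zone additions, and a run of small, digit-salted files dropped into c:\windows and c:\windows\system32. The script below is an added example that does that triage mechanically over ComboFix/DDS-style text; it is not part of this thread and not code from ComboFix, DDS or any other tool named here. The watched directories, the 20 KB size cap and the "three letter/digit alternations" threshold are assumptions tuned to the names visible in the DDS listing, and the sample log is constructed from lines in the shape of the ones above. Hits are items to review, not verdicts.

```python
"""Triage a ComboFix/DDS-style log for the indicators seen in this thread.

Added example, not code from the thread or from any tool it names. WATCHED_DIRS,
SMALL_FILE and the alternation threshold are assumptions tuned to the names in
the 'Created Last 30' listing above; treat hits as things to review, not verdicts.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# DDS file line: "2009-02-19 11:56 17,379 a------- c:\windows\system32\x.dll"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (?P<size>[\d,]+) (\S+) (?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")                      # [HKLM\...]
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')  # "Name"=data

WATCHED_DIRS = {"c:\\windows", "c:\\windows\\system32"}  # assumption: where the drops landed
SMALL_FILE = 20 * 1024                                   # assumption: every drop above is < 20 KB


def alternations(stem: str) -> int:
    """Count letter<->digit switches in a name stem, ignoring punctuation.
    '8335zot-a-virus7ec9' -> 4, 'b869ackzo5r2522' -> 5, 'dtu100' -> 1, 'dns-sd' -> 0.
    """
    kinds = [c.isdigit() for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def suspicious_file(line: str):
    """Flag a DDS file line whose name is digit-salted, small and in a watched dir."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    directory, _, name = path.lower().rpartition("\\")
    stem = name.rpartition(".")[0] if "." in name else name
    size = int(m.group("size").replace(",", ""))
    if directory in WATCHED_DIRS and size < SMALL_FILE and alternations(stem) >= 3:
        return Finding("dropped_file", f"{path} ({size} bytes)")
    return None


def registry_findings(lines):
    """Walk [key] / "name"=value pairs and flag values that switch protection off."""
    findings, key = [], ""
    for raw in lines:
        line = raw.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group("key").lower()
            continue
        vm = REG_VALUE.match(line)
        if not vm:
            continue
        name, value = vm.group("name"), vm.group("value").strip()
        leaf = key.rsplit("\\", 1)[-1]
        if "security center\\monitoring" in key and name == "DisableMonitoring" and value.endswith("1"):
            findings.append(Finding("security_center_off", leaf))
        elif "firewallpolicy" in key and name == "EnableFirewall" and value.startswith("0"):
            findings.append(Finding("firewall_off", leaf))
    return findings


def browser_findings(lines):
    """Flag a proxy that points at the local host and any Trusted Zone additions."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if "ProxyServer" in line and "=" in line:
            proxy = line.split("=", 1)[1].strip()            # e.g. http=localhost:7070
            host = re.sub(r"^\w+=", "", proxy).split(":")[0]  # strip scheme=, keep host
            if host in ("localhost", "127.0.0.1"):
                findings.append(Finding("local_proxy", proxy))
        elif line.startswith("Trusted Zone:"):
            findings.append(Finding("trusted_zone", line.split(":", 1)[1].strip()))
    return findings


def triage(log_text: str):
    """Return every Finding in the log: registry first, then browser, then files."""
    lines = log_text.splitlines()
    findings = registry_findings(lines) + browser_findings(lines)
    findings += [f for f in map(suspicious_file, lines) if f]
    return findings


# Constructed sample: a few lines in the shape of the ComboFix and DDS logs above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)
uInternet Settings,ProxyServer = http=localhost:7070
Trusted Zone: utorrent.com\www
2009-02-19 11:56 17,379 a------- c:\windows\system32\8335zot-a-virus7ec9.dll
2009-02-16 05:54 14,272 a------- c:\windows\system32\b869ackzo5r2522.cpl
2009-02-19 07:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2009-01-05 14:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```

Run against the sample, the script reports one security_center_off, one firewall_off, the localhost proxy, one trusted_zone entry and two dropped_file hits; mbam.sys is skipped because it sits under drivers, and dns-sd.exe and GPhotos.scr because of their size. The localhost proxy is the single most useful line here: with IE routed through a local listener, the "broken link" and 404 responses the poster saw for McAfee and Microsoft update pages can be produced by whatever owns port 7070 rather than by the sites themselves, which is why clearing that value is normally done before anything is re-downloaded.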
#11 fenzodahl512 (Members, 6,738 posts)

Posted 20 February 2009 - 05:09 AM

Lets do this first....


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.



NEXT


Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window.
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again.



1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the "3. Healing/Quarantine and Advanced System Investigation" check box.
3. Click on the Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.


  • After that, please restart AVZ again,
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results.



Attach these logs in your next reply..

1. GMER
2. virusinfo_syscheck.htm

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 soylentgreen1701

soylentgreen1701
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 PM

Posted 20 February 2009 - 09:40 PM

GMER 1.0.14.14536 - http://www.gmer.net
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-20 16:10:39
Windows 6.0.6000


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D4DB9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8D4DB958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8D4DB96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D4DB9FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8D4DBA3F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D4DB930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8D4DB944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8D4DB9D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8D4DBA67]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8D4DBA53]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8D4DB9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8D4DB996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D4DBA2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D4DBA12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8D4DB9E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8D4DB982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess


is this the right report for the GMER?




---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
"Look pal, the only thing you're in charge of is Jack and $h!t....and Jack left town."
-Ash, Army of Darkness
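For readers trying to make sense of a GMER "System" section like the one posted above: what matters is not that kernel functions are hooked (every host intrusion prevention product does that) but which module installed each hook and whether that module is something you knowingly run. The script below is an added example, not code from the thread or from GMER. It parses the line format visible in the log above (the path, the "description/vendor" in parentheses, the hooked function, and the optional bracketed address), groups hooks by driver file, and reports any driver whose vendor is not on an allowlist you supply. The sample input is a constructed excerpt of the posted log, and the allowlist of vendors is an assumption chosen to match what the poster has installed.

```python
"""Triage helper for the 'System' and 'Devices' sections of a GMER rootkit log.

Added example, not part of the thread or of GMER itself. The line formats
below are inferred from the log posted in this thread; a different GMER
version may print slightly different fields.
"""
import re
from collections import defaultdict

# Constructed sample input: a few lines copied from the GMER output posted above.
SAMPLE_GMER = r"""
---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D4DB9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D4DB930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
"""

# "Code <module path> (<description/vendor>) <hooked function> [<address>]"
# The bracketed address is missing on some lines (the Nt* entries in the posted log).
HOOK_RE = re.compile(
    r"^Code\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
# "AttachedDevice <driver object> <device object> <filter driver file> (<description/vendor>)"
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<filter>\S+)"
    r"\s+\((?P<desc>[^)]*)\)\s*$"
)


def vendor_of(desc):
    """GMER prints 'description/vendor'; return the vendor part ('' if none)."""
    return desc.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Return (hooks, devices): one dict per parsed Code / AttachedDevice line."""
    hooks, devices = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["file"] = d["module"].rsplit("\\", 1)[-1].lower()
            d["vendor"] = vendor_of(d["desc"])
            hooks.append(d)
            continue
        m = DEVICE_RE.match(line)
        if m:
            d = m.groupdict()
            d["vendor"] = vendor_of(d["desc"])
            devices.append(d)
    return hooks, devices


def hooks_by_module(hooks):
    """Map driver file name -> list of kernel functions it hooks, in log order."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["file"]].append(h["func"])
    return dict(grouped)


def review_needed(hooks, devices, trusted_vendors):
    """Driver files whose hooks or filter attachments are not attributed to a
    vendor on the analyst's allowlist. A blank vendor (GMER found no version
    information for the module) is never trusted and so is always flagged."""
    flagged = set()
    for h in hooks:
        if h["vendor"] not in trusted_vendors:
            flagged.add(h["file"])
    for d in devices:
        if d["vendor"] not in trusted_vendors:
            flagged.add(d["filter"].lower())
    return flagged


if __name__ == "__main__":
    hooks, devices = parse_gmer(SAMPLE_GMER)
    for mod, funcs in hooks_by_module(hooks).items():
        print(f"{mod}: {len(funcs)} hooked functions: {', '.join(funcs)}")
    # Assumed allowlist: the products the poster knowingly runs on this machine.
    trusted = {"McAfee, Inc.", "Microsoft Corporation"}
    print("needs review:", sorted(review_needed(hooks, devices, trusted)) or "nothing")
```

Run against the full posted log, every hook and filter attaches to mfehidk.sys or Mpfp.sys, both attributed to McAfee, so with McAfee and Microsoft on the allowlist nothing is flagged; a hook from a driver with no vendor information, or from a vendor you do not recognise, is what would deserve a closer look.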

#13 soylentgreen1701

soylentgreen1701
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 PM

Posted 20 February 2009 - 09:51 PM

when i clicked on the htm document, it went online and then asked if i wanted ActiveX to run. after initially hitting yes, a disclaimer appeared which read

"Allowing active content such as script & ActiveX can be useful, but active content might also harm your computer. Are you sure you want to let this file run active content?"

At this point i clicked "no". I don't know if that would make a difference to this report.

BTW, you guys freaking ROCK. Thanks so much for all of this.



Results of system analysis
AVZ 4.30 http://z-oleg.com/secur/avz/

List of processes
File name PID Description Copyright MD5 Information
c:\program files\aim6\aim6.exe
Script: Quarantine, Delete, BC delete, Terminate 3776 AIM © 2007 AOL LLC. ?? 49.29 kb, rsAh,
created: 8/6/2008 7:21:06 AM,
modified: 8/6/2008 7:21:06 AM
Command line:
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
c:\program files\aim6\aolsoftware.exe
Script: Quarantine, Delete, BC delete, Terminate 1876 AOL Copyright © 2007 AOL LLC ?? 40.84 kb, rsAh,
created: 10/8/2007 1:50:56 PM,
modified: 10/8/2007 1:50:56 PM
Command line:
"C:\Program Files\AIM6\aolsoftware.exe" /h servicehost.defaultGrp
AppleMobileDeviceService.exe
Script: Quarantine, Delete, BC delete, Terminate 1896 ?? error getting file info
Command line:
c:\windows\explorer.exe
Script: Quarantine, Delete, BC delete, Terminate 3880 Windows Explorer © Microsoft Corporation. All rights reserved. ?? 2855.00 kb, rsAh,
created: 11/14/2007 12:13:52 PM,
modified: 11/14/2007 12:13:52 PM
Command line:
C:\Windows\Explorer.EXE
c:\program files\fast browser searchp\fastbrowsersearchprotection.exe
Script: Quarantine, Delete, BC delete, Terminate 3768 Fast Browser Search Protection Copyright 2008 ?? 317.88 kb, rsAh,
created: 1/20/2009 6:31:23 PM,
modified: 11/26/2008 11:17:42 AM
Command line:
"C:\Program Files\Fast Browser SearchP\FastBrowserSearchProtection.exe"
GoogleUpdate.exe
Script: Quarantine, Delete, BC delete, Terminate 504 ?? error getting file info
Command line:
c:\program files\intel\intel matrix storage manager\iaanotif.exe
Script: Quarantine, Delete, BC delete, Terminate 3128 Event Monitor User Notification Tool Copyright© Intel Corporation 2003-06 ?? 148.00 kb, rsAh,
created: 6/25/2007 10:05:13 AM,
modified: 9/29/2006 9:39:20 AM
Command line:
"C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe"
IAANTmon.exe
Script: Quarantine, Delete, BC delete, Terminate 316 ?? error getting file info
Command line:
iPodService.exe
Script: Quarantine, Delete, BC delete, Terminate 1276 ?? error getting file info
Command line:
c:\program files\common files\installshield\updateservice\issch.exe
Script: Quarantine, Delete, BC delete, Terminate 1548 Macrovision FLEXnet Connect Scheduler Copyright © 1990-2004 Macrovision Corporation ?? 80.00 kb, rsAh,
created: 10/3/2006 8:37:04 AM,
modified: 10/3/2006 8:37:04 AM
Command line:
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate 2436 iTunesHelper Module © 2003-2008 Apple Inc. All Rights Reserved. ?? 283.29 kb, rsAh,
created: 11/20/2008 1:20:54 PM,
modified: 11/20/2008 1:20:54 PM
Command line:
"C:\Program Files\iTunes\iTunesHelper.exe"
c:\progra~1\mcafee.com\agent\mcagent.exe
Script: Quarantine, Delete, BC delete, Terminate 3704 McAfee Integrated Security Platform Copyright © 2006 McAfee, Inc. ?? 569.33 kb, rsAh,
created: 8/5/2007 5:49:26 PM,
modified: 8/3/2007 11:33:14 PM
Command line:
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe -Embedding
mcmscsvc.exe
Script: Quarantine, Delete, BC delete, Terminate 3228 ?? error getting file info
Command line:
McNASvc.exe
Script: Quarantine, Delete, BC delete, Terminate 4764 ?? error getting file info
Command line:
McProxy.exe
Script: Quarantine, Delete, BC delete, Terminate 500 ?? error getting file info
Command line:
McSACore.exe
Script: Quarantine, Delete, BC delete, Terminate 336 ?? error getting file info
Command line:
Mcshield.exe
Script: Quarantine, Delete, BC delete, Terminate 568 ?? error getting file info
Command line:
mcsysmon.exe
Script: Quarantine, Delete, BC delete, Terminate 972 ?? error getting file info
Command line:
mDNSResponder.exe
Script: Quarantine, Delete, BC delete, Terminate 1912 ?? error getting file info
Command line:
MpfSrv.exe
Script: Quarantine, Delete, BC delete, Terminate 1204 ?? error getting file info
Command line:
msksrver.exe
Script: Quarantine, Delete, BC delete, Terminate 1804 ?? error getting file info
Command line:
RoxWatch9.exe
Script: Quarantine, Delete, BC delete, Terminate 2128 ?? error getting file info
Command line:
sprtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate 2316 ?? error getting file info
Command line:
C:\Windows\system32\stacsv.exe
Script: Quarantine, Delete, BC delete, Terminate 2332 STacSV Module Copyright © 2004-2006, SigmaTel, Inc. ?? 88.00 kb, rsAh,
created: 6/25/2007 10:04:49 AM,
modified: 2/7/2007 9:16:22 PM
Command line:
c:\windows\sttray.exe
Script: Quarantine, Delete, BC delete, Terminate 1104 Sigmatel Audio system tray application Copyright © 2004-2006, SigmaTel, Inc. ?? 296.00 kb, rsAh,
created: 6/25/2007 10:04:49 AM,
modified: 2/7/2007 9:16:24 PM
Command line:
"C:\Windows\sttray.exe"
ViewpointService.exe
Script: Quarantine, Delete, BC delete, Terminate 2460 ?? error getting file info
Command line:
wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate 2076 ?? error getting file info
Command line:
XAudio.exe
Script: Quarantine, Delete, BC delete, Terminate 2608 ?? error getting file info
Command line:
Detected:69, recognized as trusted 44
Module name Handle Description Copyright MD5 Used by processes
C:\Program Files\AIM6\acccore.dll
Script: Quarantine, Delete, BC delete 1751777280 acccore Component Server Copyright 2003-2008 AOL LLC -- 3776
C:\Program Files\AIM6\aim6.exe
Script: Quarantine, Delete, BC delete 4194304 AIM © 2007 AOL LLC. ?? 3776
C:\Program Files\AIM6\aolsoftware.exe
Script: Quarantine, Delete, BC delete 4194304 AOL Copyright © 2007 AOL LLC ?? 1876
C:\Program Files\AIM6\AOLSvcMgr.dll
Script: Quarantine, Delete, BC delete 1811939328 AOLSvcMgr Copyright © 2007 AOL LLC -- 3776, 1876
C:\Program Files\AIM6\coolcore52.dll
Script: Quarantine, Delete, BC delete 1074790400 COOL Core Component Library Copyright © 1998-2008 AOL LLC -- 3776
C:\Program Files\AIM6\jgtktlk.dll
Script: Quarantine, Delete, BC delete 37486592 Talk DLL Copyright © 2003 America Online, Inc. -- 3776
C:\Program Files\AIM6\nspr4.dll
Script: Quarantine, Delete, BC delete 26673152 NSPR Library Copyright © 1996-2000 Netscape Communications Corporation -- 3776
C:\Program Files\AIM6\nss3.dll
Script: Quarantine, Delete, BC delete 37879808 NSS Base Library Copyright © 1994-2001 Netscape Communications Corporation -- 3776
C:\Program Files\AIM6\nssckbi.dll
Script: Quarantine, Delete, BC delete 37289984 -- 3776
C:\Program Files\AIM6\plc4.dll
Script: Quarantine, Delete, BC delete 805306368 PLC Library Copyright © 1996-2000 Netscape Communications Corporation -- 3776
C:\Program Files\AIM6\plds4.dll
Script: Quarantine, Delete, BC delete 22937600 PLDS Library Copyright © 1996-2000 Netscape Communications Corporation -- 3776
c:\program files\aim6\services\boxelyrenderer\ver3_1_3_4\boxelyRenderer.dll
Script: Quarantine, Delete, BC delete 1739456512 boxelyRenderer AOL Application Service Library © 2007 AOL LLC -- 3776
c:\program files\aim6\services\imApp\ver6_8_12_4\imAppService.dll
Script: Quarantine, Delete, BC delete 24182784 imAppService EE Application Service Copyright © 2007 AOL LLC. -- 3776
c:\program files\aim6\services\localStorage\ver7_3_2_1\clsSvc.dll
Script: Quarantine, Delete, BC delete 1732837376 clssvc EE Service Copyright © 2007 AOL LLC -- 3776, 1876
c:\program files\aim6\services\notification\ver6_4_1_1\Notify.dll
Script: Quarantine, Delete, BC delete 1733230592 Notification Service Copyright © 2007 AOL LLC -- 3776, 1876
c:\program files\aim6\services\os\ver5_2_1_1\AOLIdleMon.dll
Script: Quarantine, Delete, BC delete 3473408 AolIdleMon EE Service Copyright © 2006 AOL LLC -- 1876
c:\program files\aim6\services\os\ver5_2_1_1\OS.dll
Script: Quarantine, Delete, BC delete 1733492736 os EE Service Copyright © 2006 AOL LLC -- 1876
c:\program files\aim6\services\preferences\ver5_2_1_1\preferences.dll
Script: Quarantine, Delete, BC delete 1733754880 Preferences Service Copyright © 2007 AOL LLC -- 3776
c:\program files\aim6\services\softwareUpdate\ver2_14_11_12\stic.dll
Script: Quarantine, Delete, BC delete 1730543616 Active Update AOL EE Service - stic.dll Copyright © 1999-2007 AOL LLC. -- 1876
C:\Program Files\AIM6\sipxtapi.dll
Script: Quarantine, Delete, BC delete 1140850688 SIP User-Agent API Copyright © 2005-2007 Pingtel Corp. -- 3776
C:\Program Files\AIM6\smime3.dll
Script: Quarantine, Delete, BC delete 28114944 NSS S/MIME Library Copyright © 1994-2001 Netscape Communications Corporation -- 3776
C:\Program Files\AIM6\softokn3.dll
Script: Quarantine, Delete, BC delete 38273024 NSS PKCS #11 Library Copyright © 1994-2001 Netscape Communications Corporation -- 3776
C:\Program Files\AIM6\ssl3.dll
Script: Quarantine, Delete, BC delete 26869760 NSS SSL Library Copyright © 1994-2001 Netscape Communications Corporation -- 3776
C:\Program Files\AIM6\xprt5.dll
Script: Quarantine, Delete, BC delete 1073741824 XPRT Runtime Library Copyright 1998-2007 AOL LLC -- 3776, 1876
C:\Program Files\AIM6\xprt6.dll
Script: Quarantine, Delete, BC delete 3276800 XPRT Runtime Library Copyright © 1998-2008 AOL LLC -- 3776, 1876
C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
Script: Quarantine, Delete, BC delete 1811546112 AOL Diagnostics Copyright © 1998-2006 - SupportSoft Software, Inc. All Rights Reserved. -- 3776, 1876
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
Script: Quarantine, Delete, BC delete 4194304 Macrovision FLEXnet Connect Scheduler Copyright © 1990-2004 Macrovision Corporation ?? 1548
C:\Program Files\Common Files\McAfee\Core\mccoreps.dll
Script: Quarantine, Delete, BC delete 1654652928 McAfee Core Proxy Stub Copyright © 2006 McAfee, Inc. -- 3704
C:\Program Files\Fast Browser SearchP\FastBrowserSearchProtection.exe
Script: Quarantine, Delete, BC delete 4194304 Fast Browser Search Protection Copyright 2008 ?? 3768
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAMon_ENU.dll
Script: Quarantine, Delete, BC delete 3670016 Event Monitor User Notification Tool Copyright© Intel Corporation 2003-06 -- 3128
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
Script: Quarantine, Delete, BC delete 4194304 Event Monitor User Notification Tool Copyright© Intel Corporation 2003-06 ?? 3128
C:\Program Files\Intel\Intel Matrix Storage Manager\ISDI.dll
Script: Quarantine, Delete, BC delete 268435456 Intel Storage Driver Interface Dynamic Lib Copyright© Intel Corporation 2003-06 -- 3128
C:\Program Files\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.DLL
Script: Quarantine, Delete, BC delete 1957429248 iTunesHelper Resource Library © 2003-2008 Apple Inc. All Rights Reserved. -- 2436
C:\Program Files\McAfee.com\Agent\mcagntps.dll
Script: Quarantine, Delete, BC delete 1711276032 McAfee Integrated Security Platform Copyright © 2006 McAfee, Inc. -- 3704
C:\Program Files\McAfee\MSC\mcmispps.dll
Script: Quarantine, Delete, BC delete 1721761792 McAfee MISP Proxy Stub DLL Copyright © 2006 McAfee, Inc. -- 3704
C:\Program Files\McAfee\MSC\oem\105-154\Mccobres.dll
Script: Quarantine, Delete, BC delete 1715470336 McAfee Co-Branded Resource DLL Copyright © 2008 McAfee, Inc. -- 3704
C:\Program Files\McAfee\SiteAdvisor\saPlugin.dll
Script: Quarantine, Delete, BC delete 47513600 -- 3776
C:\Program Files\McAfee\VirusScan\scriptsn.dll
Script: Quarantine, Delete, BC delete 340328448 VSCore Script Scanner Copyright© 1995-2007 McAfee, Inc. All Rights Reserved. -- 3880
C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll
Script: Quarantine, Delete, BC delete 76414976 DirectCD Shell Extention DLL Copyright © 1994-2006 Roxio -- 3880
C:\Program Files\Roxio\Drag-to-Disc\ShellRes.dll
Script: Quarantine, Delete, BC delete 36044800 DirectCD Shell Extention DLL Copyright © 1994-2006 Roxio -- 3880
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
Script: Quarantine, Delete, BC delete 4194304 McAfee Integrated Security Platform Copyright © 2006 McAfee, Inc. ?? 3704
c:\PROGRA~1\mcafee\msc\mccfgpv.dll
Script: Quarantine, Delete, BC delete 1714421760 MISP Default Configuration Provider Copyright © 2006 McAfee, Inc. -- 3704
C:\PROGRA~1\McAfee\MSC\Mccobres.dll
Script: Quarantine, Delete, BC delete 12779520 McAfee Co-Branded Resource DLL Copyright © 2006 McAfee, Inc. -- 3704
C:\PROGRA~1\McAfee\MSC\McLocRes.dll
Script: Quarantine, Delete, BC delete 1716518912 McAfee Localized Resource DLL Copyright © 2006 McAfee, Inc. -- 3704
C:\PROGRA~1\McAfee\MSC\McRes.dll
Script: Quarantine, Delete, BC delete 1730150400 McAfee Non-Localized Resource DLL Copyright © 2006 McAfee, Inc. -- 3704
c:\PROGRA~1\mcafee\msc\mcsubmgr\8_1_13~1\mcsubmgr.dll
Script: Quarantine, Delete, BC delete 1733296128 McAfee Subscription manager module Copyright © 2006 McAfee, Inc. -- 3704
c:\PROGRA~1\mcafee\msc\mcuicfg.dll
Script: Quarantine, Delete, BC delete 1734344704 McAfee Integrated Security Platform Copyright © 2006 McAfee, Inc. -- 3704
C:\Windows\system32\DLAAPI_W.DLL
Script: Quarantine, Delete, BC delete 34734080 -- 3880
C:\Windows\system32\STLang.dll
Script: Quarantine, Delete, BC delete 268435456 Localize Module Copyright © 2004-2006, SigmaTel, Inc. -- 1104
Modules detected:290, recognized as trusted 241

Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\Windows\System32\DLA\DLABMFSM.SYS
Script: Quarantine, Delete, BC delete 8A5B3000 007000 (28672) Drive Letter Access Component Copyright © 2006 Roxio
C:\Windows\System32\DLA\DLABOIOM.SYS
Script: Quarantine, Delete, BC delete 8A5BA000 007000 (28672) Drive Letter Access Component Copyright © 2006 Roxio
C:\Windows\System32\Drivers\DLACDBHM.SYS
Script: Quarantine, Delete, BC delete 88D39000 002000 (8192) Shared Driver Component Copyright © 2006 Roxio
C:\Windows\System32\DLA\DLADResM.SYS
Script: Quarantine, Delete, BC delete 8BF70000 001000 (4096) Drive Letter Access Component Copyright © 2006 Roxio
C:\Windows\System32\DLA\DLAIFS_M.SYS
Script: Quarantine, Delete, BC delete A58AC000 018000 (98304) Drive Letter Access Component Copyright © 2006 Roxio
C:\Windows\System32\DLA\DLAOPIOM.SYS
Script: Quarantine, Delete, BC delete 8A46E000 005000 (20480) Drive Letter Access Component Copyright © 2006 Roxio
C:\Windows\System32\DLA\DLAPoolM.SYS
Script: Quarantine, Delete, BC delete 956A8000 002000 (8192) Drive Letter Access Component Copyright © 2006 Roxio
C:\Windows\System32\Drivers\DLARTL_M.SYS
Script: Quarantine, Delete, BC delete 88C4B000 006000 (24576) Shared Driver Component Copyright © 2006 Roxio
C:\Windows\System32\DLA\DLAUDF_M.SYS
Script: Quarantine, Delete, BC delete A5866000 017000 (94208) Drive Letter Access Component Copyright © 2006 Roxio
C:\Windows\System32\DLA\DLAUDFAM.SYS
Script: Quarantine, Delete, BC delete A5896000 016000 (90112) Drive Letter Access Component Copyright © 2006 Roxio
C:\Windows\System32\Drivers\DRVNDDM.SYS
Script: Quarantine, Delete, BC delete 8CD87000 00B000 (45056) Device Driver Manager Copyright © Roxio
C:\Program Files\DellSupport\Drivers\dsunidrv.sys
Script: Quarantine, Delete, BC delete 956A6000 002000 (8192) GUniDriver Copyright © 2004 - 2006 Gteko Ltd.
C:\Windows\System32\Drivers\dump_iaStor.sys
Script: Quarantine, Delete, BC delete 8D08F000 0B8000 (753664)
C:\Windows\system32\drivers\mfeavfk.sys
Script: Quarantine, Delete, BC delete ACE1D000 012000 (73728) Anti-Virus File System Filter Driver Copyright© 1995-2007 McAfee, Inc. All Rights Reserved.
C:\Windows\system32\drivers\mfebopk.sys
Script: Quarantine, Delete, BC delete 8A5C8000 007000 (28672) Buffer Overflow Protection Driver Copyright© 1995-2007 McAfee, Inc. All Rights Reserved.
C:\Windows\system32\drivers\mfehidk.sys
Script: Quarantine, Delete, BC delete 8D155000 030000 (196608) Host Intrusion Detection Link Driver Copyright© 1995-2007 McAfee, Inc. All Rights Reserved.
C:\Windows\system32\drivers\mfesmfk.sys
Script: Quarantine, Delete, BC delete 8B3C1000 009000 (36864) System Monitor Filter Driver Copyright© 1995-2007 McAfee, Inc. All Rights Reserved.
C:\Windows\System32\Drivers\Mpfp.sys
Script: Quarantine, Delete, BC delete 8CC1E000 027000 (159744) McAfee Personal Firewall Plus Driver Copyright © 2007 McAfee, Inc. All rights reserved.
Modules detected - 152, recognized as trusted - 134

Services
Service Description Status File Group Dependencies
IAANTMON
Service: Stop, Delete, Disable Intel® Matrix Storage Event Monitor Running C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
Script: Quarantine, Delete, BC delete
McAfee SiteAdvisor Service
Service: Stop, Delete, Disable McAfee SiteAdvisor Service Running C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
Script: Quarantine, Delete, BC delete RPCSS
mcmscsvc
Service: Stop, Delete, Disable McAfee Services Running C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
Script: Quarantine, Delete, BC delete
McNASvc
Service: Stop, Delete, Disable McAfee Network Agent Running c:\program files\common files\mcafee\mna\mcnasvc.exe
Script: Quarantine, Delete, BC delete RPCSS
McProxy
Service: Stop, Delete, Disable McAfee Proxy Service Running c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
Script: Quarantine, Delete, BC delete
McShield
Service: Stop, Delete, Disable McAfee Real-time Scanner Running C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
Script: Quarantine, Delete, BC delete
McSysmon
Service: Stop, Delete, Disable McAfee SystemGuards Running C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
Script: Quarantine, Delete, BC delete
MpfService
Service: Stop, Delete, Disable McAfee Personal Firewall Service Running C:\Program Files\McAfee\MPF\MPFSrv.exe
Script: Quarantine, Delete, BC delete
MSK80Service
Service: Stop, Delete, Disable McAfee SpamKiller Service Running C:\Program Files\McAfee\MSK\MskSrver.exe
Script: Quarantine, Delete, BC delete
RoxWatch9
Service: Stop, Delete, Disable Roxio Hard Drive Watcher 9 Running C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
Script: Quarantine, Delete, BC delete
STacSV
Service: Stop, Delete, Disable SigmaTel Audio Service Running C:\Windows\System32\STacSV.exe
Script: Quarantine, Delete, BC delete
0051161235070814mcinstcleanup
Service: Stop, Delete, Disable McAfee Application Installer Cleanup (0051161235070814) Not started C:\Windows\TEMP\005116~1.EXE
Script: Quarantine, Delete, BC delete
DSBrokerService
Service: Stop, Delete, Disable DSBrokerService Not started C:\Program Files\DellSupport\brkrsvc.exe
Script: Quarantine, Delete, BC delete
GameConsoleService
Service: Stop, Delete, Disable GameConsoleService Not started C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
Script: Quarantine, Delete, BC delete RPCSS
McODS
Service: Stop, Delete, Disable McAfee Scanner Not started C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
Script: Quarantine, Delete, BC delete
MSCSPTISRV
Service: Stop, Delete, Disable MSCSPTISRV Not started C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
Script: Quarantine, Delete, BC delete RPCSS
PACSPTISVR
Service: Stop, Delete, Disable PACSPTISVR Not started C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
Script: Quarantine, Delete, BC delete RPCSS
RoxMediaDB9
Service: Stop, Delete, Disable RoxMediaDB9 Not started C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
Script: Quarantine, Delete, BC delete
sdCoreService
Service: Stop, Delete, Disable PC Tools Security Service Not started C:\Program Files\Spyware Doctor\pctsSvc.exe
Script: Quarantine, Delete, BC delete
SPTISRV
Service: Stop, Delete, Disable Sony SPTI Service Not started C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Script: Quarantine, Delete, BC delete RPCSS
stllssvr
Service: Stop, Delete, Disable stllssvr Not started C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
Script: Quarantine, Delete, BC delete
Detected - 156, recognized as trusted - 135

Drivers
Service Description Status File Group Dependencies
DLABMFSM
Driver: Unload, Delete, Disable DLABMFSM Running C:\Windows\system32\DLA\DLABMFSM.SYS
Script: Quarantine, Delete, BC delete File system
DLABOIOM
Driver: Unload, Delete, Disable DLABOIOM Running C:\Windows\system32\DLA\DLABOIOM.SYS
Script: Quarantine, Delete, BC delete File system
DLACDBHM
Driver: Unload, Delete, Disable DLACDBHM Running C:\Windows\system32\Drivers\DLACDBHM.SYS
Script: Quarantine, Delete, BC delete Filter
DLADResM
Driver: Unload, Delete, Disable DLADResM Running C:\Windows\system32\DLA\DLADResM.SYS
Script: Quarantine, Delete, BC delete Base
DLAIFS_M
Driver: Unload, Delete, Disable DLAIFS_M Running C:\Windows\system32\DLA\DLAIFS_M.SYS
Script: Quarantine, Delete, BC delete Base
DLAOPIOM
Driver: Unload, Delete, Disable DLAOPIOM Running C:\Windows\system32\DLA\DLAOPIOM.SYS
Script: Quarantine, Delete, BC delete Base
DLAPoolM
Driver: Unload, Delete, Disable DLAPoolM Running C:\Windows\system32\DLA\DLAPoolM.SYS
Script: Quarantine, Delete, BC delete Base
DLARTL_M
Driver: Unload, Delete, Disable DLARTL_M Running C:\Windows\system32\Drivers\DLARTL_M.SYS
Script: Quarantine, Delete, BC delete Base
DLAUDF_M
Driver: Unload, Delete, Disable DLAUDF_M Running C:\Windows\system32\DLA\DLAUDF_M.SYS
Script: Quarantine, Delete, BC delete File system
DLAUDFAM
Driver: Unload, Delete, Disable DLAUDFAM Running C:\Windows\system32\DLA\DLAUDFAM.SYS
Script: Quarantine, Delete, BC delete File system
DRVNDDM
Driver: Unload, Delete, Disable DRVNDDM Running C:\Windows\system32\Drivers\DRVNDDM.SYS
Script: Quarantine, Delete, BC delete Filter
dsunidrv
Driver: Unload, Delete, Disable dsunidrv Running C:\Program Files\DellSupport\Drivers\dsunidrv.sys
Script: Quarantine, Delete, BC delete
mfeavfk
Driver: Unload, Delete, Disable McAfee Inc. mfeavfk Running C:\Windows\system32\drivers\mfeavfk.sys
Script: Quarantine, Delete, BC delete
mfebopk
Driver: Unload, Delete, Disable McAfee Inc. mfebopk Running C:\Windows\system32\drivers\mfebopk.sys
Script: Quarantine, Delete, BC delete
mfehidk
Driver: Unload, Delete, Disable McAfee Inc. mfehidk Running C:\Windows\system32\drivers\mfehidk.sys
Script: Quarantine, Delete, BC delete
MPFP
Driver: Unload, Delete, Disable MPFP Running C:\Windows\system32\Drivers\Mpfp.sys
Script: Quarantine, Delete, BC delete PNP_TDI TcpIp
blbdrive
Driver: Unload, Delete, Disable blbdrive Not started C:\Windows\system32\drivers\blbdrive.sys
Script: Quarantine, Delete, BC delete
DSproct
Driver: Unload, Delete, Disable DSproct Not started C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
Script: Quarantine, Delete, BC delete
IKFileSec
Driver: Unload, Delete, Disable File Security Driver Not started C:\Windows\system32\drivers\ikfilesec.sys
Script: Quarantine, Delete, BC delete FSFilter Anti-Virus FltMgr
IKSysSec
Driver: Unload, Delete, Disable System Security Driver Not started C:\Windows\system32\drivers\iksyssec.sys
Script: Quarantine, Delete, BC delete Boot Bus Extender IKSysFlt
IpInIp
Driver: Unload, Delete, Disable IP in IP Tunnel Driver Not started C:\Windows\system32\DRIVERS\ipinip.sys
Script: Quarantine, Delete, BC delete Tcpip
mferkdk
Driver: Unload, Delete, Disable McAfee Inc. mferkdk Not started C:\Windows\system32\drivers\mferkdk.sys
Script: Quarantine, Delete, BC delete
mfesmfk
Driver: Unload, Delete, Disable McAfee Inc. mfesmfk Not started C:\Windows\system32\drivers\mfesmfk.sys
Script: Quarantine, Delete, BC delete
NwlnkFlt
Driver: Unload, Delete, Disable IPX Traffic Filter Driver Not started C:\Windows\system32\DRIVERS\nwlnkflt.sys
Script: Quarantine, Delete, BC delete NwlnkFwd
NwlnkFwd
Driver: Unload, Delete, Disable IPX Traffic Forwarder Driver Not started C:\Windows\system32\DRIVERS\nwlnkfwd.sys
Script: Quarantine, Delete, BC delete
Detected - 250, recognized as trusted - 225

Autoruns
File name Status Startup method Description
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ISUSPM Startup
C:\Program Files\AIM6\aim6.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Aim6
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ISUSScheduler
C:\Program Files\Fast Browser SearchP\FastBrowserSearchProtection.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, FBSearch
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IAAnotif
C:\Program Files\McAfee.com\Agent\mcagent.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, mcagent_exe
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon, DLLName
rdpclip
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Autoruns items detected - 41, recognized as trusted - 33

Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
BHO {02478D38-C3F9-4EFB-9B51-7695ECA05670}
Delete
c:\PROGRA~1\mcafee\msk\mcapbho.dll
Script: Quarantine, Delete, BC delete BHO {377C180E-6F0E-4D4C-980F-F45BD3D40CF4}
Delete
C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
Script: Quarantine, Delete, BC delete BHO IE Toolbar Engine Copyright © 2001-2008. All rights reserved. {6C621F09-DFF3-415A-B7D1-142678EFEB34}
Delete
c:\Program Files\Java\jre1.6.0\bin\ssv.dll
Script: Quarantine, Delete, BC delete BHO Java™ Platform SE binary Copyright © 2004 {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Delete
C:\Program Files\McAfee\VirusScan\scriptsn.dll
Script: Quarantine, Delete, BC delete BHO VSCore Script Scanner Copyright© 1995-2007 McAfee, Inc. All Rights Reserved. {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
Delete
c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
Script: Quarantine, Delete, BC delete BHO {B164E929-A1B6-4A06-B104-2CD0E90A88FF}
Delete
C:\Program Files\BAE\BAE.dll
Script: Quarantine, Delete, BC delete BHO BAE.dll © 2006. Dell Inc. All rights reserved. {CA6319C0-31B7-401E-A518-A07C3DB8F777}
Delete
C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
Script: Quarantine, Delete, BC delete Toolbar IE Toolbar Engine Copyright © 2001-2008. All rights reserved. {C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}
Delete
c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
Script: Quarantine, Delete, BC delete Toolbar {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}
Delete
c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
Script: Quarantine, Delete, BC delete Extension module Java Plug-in 1.6.0 for Netscape Navigator (DLL Helper) Copyright © 2004 {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Delete
Extension module {2670000A-7350-4f3c-8081-5663EE0C6C49}
Delete
Extension module {92780B25-18CC-41C8-B9BE-3C9C571A8263}
Delete
Elements detected - 17, recognized as trusted - 5

Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
%CommonProgramFiles%\System\Ole DB\oledb32.dll
Script: Quarantine, Delete, BC delete Microsoft Data Link {2206CDB2-19C1-11D1-89E0-00C04FD7A829}
lnkfile {00020d75-0000-0000-c000-000000000046}
Color Control Panel Applet {b2c761c6-29bc-4f19-9251-e6195265baf1}
Add New Hardware {7A979262-40CE-46ff-AEEE-7884AC3B6136}
Get Programs Online {3e7efb4c-faf1-453d-89eb-56026875ef90}
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
ActiveDirectory Folder {1b24a030-9b20-49bc-97ac-1be4426f9e59}
ActiveDirectory Folder {34449847-FD14-4fc8-A75A-7432F5181EFB}
Sam Account Folder {C8494E42-ACDD-4739-B0FB-217361E4894F}
Sam Account Folder {E29F9716-5C08-4FCD-955A-119FDB5A522D}
Control Panel command object for Start menu {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
Default Programs command object for Start menu {E44E5D18-0652-4508-A4E2-8A090067BCB0}
Folder Options {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
Explorer Query Band {2C2577C2-63A7-40e3-9B7F-586602617ECB}
View Available Networks {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete Windows Contact Preview Handler {13D3C4B8-B179-4ebb-BF62-F704173E7448}
Contacts folder {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete .group shell extension handler {4F58F63F-244B-4c07-B29F-210BE59BE9B4}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete .contact shell extension handler {8082C5E6-4C27-48ec-A809-B8E1122E8F97}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete group_wab_auto_file {16C2C29D-0E5F-45f3-A445-03E03F587B7D}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete contact_wab_auto_file {CF67796C-F57F-45F8-92FB-AD698826C602}
Windows Firewall {4026492f-2f69-46b8-b9bf-5654fc07e423}
Problem Reports and Solutions {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
iSCSI Initiator {a304259d-52b8-4526-8b1a-a1d6cecc8243}
.cab or .zip files {911051fa-c21c-4246-b470-070cd8df6dc4}
Windows Search Shell Service {da67b8ad-e81b-4c70-9b91b417b5e33527}
Microsoft.ScannersAndCameras {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
"C:\Windows\System32\rundll32.exe" "C:\Program Files\\Windows Photo Gallery\PhotoViewer.dll",ImageView_COMServer {9D687A4C-1404-41ef-A089-883B6FBECDE6}
Script: Quarantine, Delete, BC delete Windows Photo Gallery Viewer Autoplay Handler {9D687A4C-1404-41ef-A089-883B6FBECDE6}
Windows Sidebar Properties {37efd44d-ef8d-41b1-940d-96973a50e9e0}
Windows Features {67718415-c450-4f3c-bf8a-b487642dc39b}
Windows Defender {d8559eb9-20c0-410e-beda-7ed416aecc2a}
Mobility Center Control Panel {5ea4f148-308c-46d7-98a9-49041b1dd468}
"C:\Program Files\\Windows Media Player\wmprph.exe"
Script: Quarantine, Delete, BC delete Windows Media Player Rich Preview Handler {031EE060-67BC-460d-8847-E4A7C5E45A27}
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll
Script: Quarantine, Delete, BC delete Roxio DragToDisc Shell Extension DirectCD Shell Extention DLL Copyright © 1994-2006 Roxio {5E44E225-A408-11CF-B581-008029601108}
Elements detected - 284, recognized as trusted - 249

Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 0, recognized as trusted - 0

Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 0, recognized as trusted - 0

SPI/LSP settings
Namespace providers (NSP) Manufacturer Status EXE file Description GUID
Detected - 0, recognized as trusted - 0
Transport protocol providers (TSP, LSP) Manufacturer EXE file Description
Detected - 0, recognized as trusted - 0
Results of automatic SPI settings check LSP settings checked. No errors detected


TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [0]
139 LISTENING 0.0.0.0 0 [0]
5354 LISTENING 0.0.0.0 0 [0]
6646 LISTENING 0.0.0.0 0 [0]
7070 LISTENING 0.0.0.0 0 [0]
10009 LISTENING 0.0.0.0 0 [0]
27015 ESTABLISHED 127.0.0.1 49172 [0]
27015 LISTENING 0.0.0.0 0 [0]
49152 LISTENING 0.0.0.0 0 [0]
49153 LISTENING 0.0.0.0 0 [0]
49154 LISTENING 0.0.0.0 0 [0]
49155 LISTENING 0.0.0.0 0 [0]
49156 LISTENING 0.0.0.0 0 [0]
49158 LISTENING 0.0.0.0 0 [0]
49172 ESTABLISHED 127.0.0.1 27015 [0]
49174 ESTABLISHED 205.188.7.207 443 [0]
49175 ESTABLISHED 64.12.165.102 443 [0]
49442 TIME_WAIT 216.49.94.13 80 [0]
UDP ports
123 LISTENING -- -- [0]
137 LISTENING -- -- [0]
138 LISTENING -- -- [0]
500 LISTENING -- -- [0]
1900 LISTENING -- -- [0]
1900 LISTENING -- -- [0]
3702 LISTENING -- -- [0]
3702 LISTENING -- -- [0]
4500 LISTENING -- -- [0]
5353 LISTENING -- -- [0]
5355 LISTENING -- -- [0]
6646 LISTENING -- -- [0]
50341 LISTENING -- -- [0]
55009 LISTENING -- -- [0]
55487 LISTENING -- -- [0]
55488 LISTENING -- -- [0]
56714 LISTENING -- -- [0]
57211 LISTENING -- -- [0]

Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
C:\Windows\DOWNLO~1\stg_drm.ocx
Script: Quarantine, Delete, BC delete SpinTopDRM Module Copyright 2007 {149E45D8-163E-4189-86FC-45022AB2B6C9}
Delete file:///C:/Program%20Files/Mahjong%20Quest%203/Images/stg_drm.ocx
C:\Program Files\\Windows Live Safety Center\wlscCtrl2.dll
Script: Quarantine, Delete, BC delete Windows Live OneCare Safety Scanner ActiveX Module © Microsoft Corporation. All rights reserved {3860DD98-0549-4D50-AA72-5D17D200EE10}
Delete http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
C:\Windows\Downloaded Program Files\SnapfishActivia1000.ocx
Script: Quarantine, Delete, BC delete Snapfish Activia Copyright © 2005 Snapfish {406B5949-7190-4245-91A9-30A17DE16AD0}
Delete http://photos.walmart.com/WalmartActivia.cab
C:\Windows\Downloaded Program Files\contactx.dll
Script: Quarantine, Delete, BC delete Contact Extractor © 2008 Facebook. All rights reserved. {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C}
Delete https://register.facebook.com/controls/contactx.dll
./Images/armhelper.ocx
Script: Quarantine, Delete, BC delete {CC450D71-CC90-424C-8638-1F2DBAC87A54}
Delete file:///C:/Program%20Files/Mahjong%20Quest%203/Images/armhelper.ocx
Elements detected - 5, recognized as trusted - 0

Control Panel Applets (CPL)
File name Description Manufacturer
C:\Windows\106789zy5c7.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\138z2sp5ac9.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\177905oz-a-virus247.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\19z59virus2e4.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\1z4195py4d59.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\21959irusz62.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\219d5hreatz0556.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\22935not-a5vzrus69f.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\2318dow5lo9der13z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\25394nzt5a-vi9us28b.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\27dzs5ywar91535.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\2914backdooz55.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\29254hazktoo962f.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\29542spamboza05.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\29645troj58ez.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\2b7559ealz55.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\2badzack5oor19679.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\2f70a9dwar52556z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\2z595spy79a.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\2zd65hreat10059.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\30771w9rm5z5.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\3077not-a-zi9us355.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\33635ddwa9e210z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\35175ackdoo92284z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\3591back9oor2244z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\3da5st9alz774.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\3z375pywar9242.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\459ddownlozder95695.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\4bed5hizf2899.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\50f5pazse1849.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\539ds5zal1911.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\5729zddware1196.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\5805zir3969.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\59bevi526z5.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\59fdsteal1z75.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\59zddownloader414.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\659zworm5df.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\65dz9ir2205.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\695threat405z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\6dd5th5ez27289.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\745bspyware9z31.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\756ado9nloader30z0.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\75dbste9l547z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\7895spambo95za.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\7955not-a-vi5us25bz.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\7f02t9reat6z51.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\8455vir9z201.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\8460tr9j45z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\957not-a-vizus2a7.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\9686zworm1c05.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\97562zacktool513.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\9azsparse1651.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\9b8ezhrea510192.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\e55zhrea922193.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\fz8back59or2156.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\z131t5ief991.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\z1709t95j3ee.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\z2a9bac5door2803.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\z5633troj4b49.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\z648hacktoo51e9.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\z75fspyware7279.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\z7902virus6255.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\z97579o5m450.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\zd94v5r597.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\1790ba5kdoo91z01.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\17efspyza5e29119.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\19626hacktoo95z9.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\196espzware9530.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\19fadowz5oader219.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\1c2zthief9593.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\1d349teal7z85.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\239c5teal6z9.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\252zsteal1269.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\279bspyw5rz165.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\29535w9rz252.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\29753n9t-a-vi5zs8c.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\299285ozmcd.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\29c69hzeat24523.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\30476s5ambzt90f.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\351threzt31965.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\3902stealz655.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\3933steal23z95.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\399ezt5al9937.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\3cc8zhreat71935.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\41dzdow5loader94.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\4349zot-a-vi5us539.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\45dzsp9rse99.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\4955vzr2540.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\4cfedowzloader9595.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\547et5zea930575.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\5488s9yware31z4.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\55ddspywa9e134z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\579dzpars9217.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\59518vzrus28.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\5b14spywaz91445.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\5z39thr5at2779.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\5z50addware3925.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\623azteal12945.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\6447szywa9e1752.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\65a5threa931964z.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\6z59worm574.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\6z76spyw9re5454.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\70addownload5z9.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\70edth59az28323.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\7bz95ddware3209.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\7z99thief13589.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\954vzr2645.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\961z7sp549a.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\965avir1z52.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\9761zvirus495.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\97c8bzc5door1105.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\99f5sza5se1554.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\9ace5ackdooz83.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\b869ackzo5r2522.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\b9aspy5are26z59.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\DModem.cpl
Script: Quarantine, Delete, BC delete Modem Diagnostic DLL Copyright © 2002
C:\Windows\system32\javacpl.cpl
Script: Quarantine, Delete, BC delete Java™ Control Panel Copyright © 2004
C:\Windows\system32\z441s9eal595.cpl
Script: Quarantine, Delete, BC delete
C:\Windows\system32\z6b1spyw9r5879.cpl
Script: Quarantine, Delete, BC delete
Elements detected - 141, recognized as trusted - 22

Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file
Hosts file record
127.0.0.1 localhost



Protocols and handlers
File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
Script: Quarantine, Delete, BC delete Handler () {5513F07E-936B-4E52-9B00-067394E91CC5}
Elements detected - 19, recognized as trusted - 15

Suspicious objects
File Description Type


--------------------------------------------------------------------------------

AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 2/20/2009 6:29:50 PM
Database loaded: signatures - 211074, NN profile(s) - 2, microprograms of healing - 56, signature database released 20.02.2009 23:52
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 97058
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 6.0.6000, ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Error loading driver - checking interrupted [C0000061]
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Error loading driver - checking interrupted [C0000061]
2. Scanning memory
Number of processes found: 19
Analyzer: process under analysis is 3704 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 3128 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1548 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 3768 C:\Program Files\Fast Browser SearchP\FastBrowserSearchProtection.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 3776 C:\Program Files\AIM6\aim6.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1876 C:\Program Files\AIM6\aolsoftware.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Number of modules loaded: 272
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"
Checking - complete
8. Searching for vulnerabilities
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 292, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 2/20/2009 6:30:19 PM
Time of scanning: 00:00:30
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress

Script commands
"Look pal, the only thing you're in charge of is Jack and $h!t....and Jack left town."
-Ash, Army of Darkness

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 21 February 2009 - 12:57 AM

when i clicked on the htm document, it went online and then asked if i wanted ActiveX to run. after initially hitting yes, a disclaimer appeared which read


Err.. No.. I need you to zip the htm document (virusinfo_syscheck.htm) and upload it for me, so that we can analyze it :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 soylentgreen1701

soylentgreen1701
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 PM

Posted 21 February 2009 - 06:13 PM

is this what you need?

Attached Files


"Look pal, the only thing you're in charge of is Jack and $h!t....and Jack left town."
-Ash, Army of Darkness



