Infected with PWS.LDPinchIE and Virtumonde.sdn


  • This topic is locked
18 replies to this topic

#1 michael74 (Members, 34 posts)

Posted 10 June 2009 - 12:17 PM

I tried to open a program that came in the guise of audio editing software but was infected with viruses.

I use McAfee antivirus and scanned the program first, but McAfee did not detect it.

I ran Spybot Search & Destroy and it showed PWS.LDPinchIE, which rendered my Internet Explorer useless, and Virtumonde.sdn.

Virtumonde.sdn does not show up on subsequent scans but the PWS.LDPinchIE does.

My latest McAfee virus scan shows 13 trojans and a PUP.

Can someone please help? Following is the log file that I created:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Michael Searcy at 11:52:10.28 on Wed 06/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.391 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\AutoDetect.exe
F:\ceedo\Ceedo\Ceedo.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Michael Searcy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {2C0A5F28-48D8-408B-9172-9C6121025BCE} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [Ceedo Repair] c:\docume~1\michae~1\locals~1\temp\AutoDetect.exe /repair /drive=F /name=Ceedo
mRun: [15968] C:\lsass.exe
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [<NO NAME>]
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155940240966
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michae~1\applic~1\mozilla\firefox\profiles\s436pkv3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.cox.net
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {062A7533-C366-46E9-8749-CFB5BDE27BFD} - c:\documents and settings\michael searcy\local settings\application data\{062A7533-C366-46E9-8749-CFB5BDE27BFD}
FF - HiddenExtension: XUL Cache: {78F02675-FE38-4417-8157-E62F915ABF7C} - c:\windows\system32\config\systemprofile\local settings\application data\{78f02675-fe38-4417-8157-e62f915abf7c}\

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2007-12-4 9088]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2007-12-4 328448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-10 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-10 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-10 144704]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-10 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-10 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-10 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-10 40552]
S1 3416b9a9;3416b9a9;c:\windows\system32\drivers\3416b9a9.sys [2009-6-7 0]
S2 gupdate1c9e128215a4dbc;Google Update Service (gupdate1c9e128215a4dbc);c:\program files\google\update\GoogleUpdate.exe [2009-5-30 133104]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [2006-3-18 375424]

=============== Created Last 30 ================

2009-06-09 07:24 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-09 07:24 1,409 a------- c:\windows\QTFont.for
2009-06-07 02:11 711 a------- C:\Settings.ini
2009-06-07 02:05 0 a------- c:\windows\system32\drivers\3416b9a9.sys
2009-06-07 02:04 1 ----h--- c:\windows\f23567.dat
2009-06-07 02:04 <DIR> --d----- c:\windows\system32\sysloc
2009-06-07 02:04 2 ----h--- c:\windows\ro122715.dat
2009-06-07 02:03 2 a------- C:\-1325789422
2009-06-07 02:01 348,160 a------- c:\windows\system32\NCTWMAFile2.dll
2009-06-07 02:01 113,486 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-06-07 02:01 602,112 a------- c:\windows\system32\NCTAudioTransform2.dll
2009-06-07 02:01 479,232 a------- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-07 02:01 458,752 a------- c:\windows\system32\NCTAudioRecord2.dll
2009-06-07 02:01 458,752 a------- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-07 02:01 1,986,560 a------- c:\windows\system32\NCTAudioFile2.dll
2009-06-07 02:01 1,212,416 a------- c:\windows\system32\NCTAudioInformation2.dll
2009-06-07 02:01 880,640 a------- c:\windows\system32\NCTAudioEditor2.dll
2009-06-07 02:01 417,792 a------- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-07 02:01 2,084,864 a------- c:\windows\system32\NCTAudioDesign2.dll
2009-06-07 02:01 835,584 a------- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-07 02:00 1,101,824 a------- c:\windows\system32\NMSDVDXU.dll
2009-06-07 02:00 544,768 a------- c:\windows\system32\msvcr71d.dll
2009-05-18 13:30 <DIR> --d----- c:\program files\CardPlayer
2009-05-18 13:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CardPlayer

==================== Find3M ====================

2009-04-28 03:32 364 a------- C:\drmHeader.bin
2009-04-14 12:14 109,091 ac--h--- c:\windows\hpoins08.dat
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2008-05-21 13:32 47,360 -------- c:\docume~1\michae~1\applic~1\pcouffin.sys
2008-03-19 17:03 87,608 -------- c:\docume~1\michae~1\applic~1\ezpinst.exe
2006-08-08 00:24 251 ac------ c:\program files\wt3d.ini
2006-05-16 22:56 56 -c-shr-- c:\windows\system32\53E6920607.sys
2008-08-27 00:37 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 11:54:46.71 ===============


#2 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 19 June 2009 - 08:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 michael74 (Topic Starter, Members, 34 posts)

Posted 19 June 2009 - 09:52 PM

OK, I've run subsequent scans with Ad-Aware and Spybot, and PWS.LDPinch.IE kept showing on the Spybot scans, but Virtumonde.sdn was gone.

I ran another McAfee scan and deleted whatever infections it showed. I also run Uniblue Registry Booster periodically to clean my registry.

Subsequent scans with Ad-Aware, Spybot and McAfee showed no infections.

I upgraded from Internet Explorer 7 to 8, but it still was not working.

I found in IE tools - internet options - connections, that "use a proxy server" was ticked.

I un-ticked it and it started working. However, each time I did a search (I use a Google search engine), whenever I clicked a link I was redirected to a different site than the one I clicked.

Usually other search sites.

I didn't care for IE 8 and uninstalled it back to 7, and it seems to be working fine. But I'm afraid that something may be lurking.

Here is a new HijackThis (DDS) attachment. Please let me know if you see anything out of the ordinary.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Michael Searcy at 21:47:08.09 on Fri 06/19/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.555 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
svchost.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Michael Searcy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cox.net/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: PopKiller Class: {9a23b8a4-c6c9-4a68-8fa6-5f905dc8ff80} - c:\program files\system & internet washer\pkext.dll
TB: {2C0A5F28-48D8-408B-9172-9C6121025BCE} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [15968] C:\lsass.exe
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [<NO NAME>]
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155940240966
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michae~1\applic~1\mozilla\firefox\profiles\s436pkv3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.cox.net
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {062A7533-C366-46E9-8749-CFB5BDE27BFD} - c:\documents and settings\michael searcy\local settings\application data\{062A7533-C366-46E9-8749-CFB5BDE27BFD}
FF - HiddenExtension: XUL Cache: {78F02675-FE38-4417-8157-E62F915ABF7C} - c:\windows\system32\config\systemprofile\local settings\application data\{78f02675-fe38-4417-8157-e62f915abf7c}\

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2007-12-4 9088]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2007-12-4 328448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-10 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-10 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-10 144704]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-10 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-10 40552]
S1 3416b9a9;3416b9a9;c:\windows\system32\drivers\3416b9a9.sys [2009-6-7 0]
S2 gupdate1c9e128215a4dbc;Google Update Service (gupdate1c9e128215a4dbc);c:\program files\google\update\GoogleUpdate.exe [2009-5-30 133104]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [2006-3-18 375424]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-10 34216]

=============== Created Last 30 ================

2009-06-12 15:12 <DIR> --dsh--- c:\documents and settings\michael searcy\PrivacIE
2009-06-12 15:10 <DIR> --dsh--- c:\documents and settings\michael searcy\IETldCache
2009-06-12 15:05 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-12 15:05 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-06-12 14:51 1,152 a------- C:\reregisterie.cmd
2009-06-07 02:11 711 a------- C:\Settings.ini
2009-06-07 02:05 0 a------- c:\windows\system32\drivers\3416b9a9.sys
2009-06-07 02:04 1 ----h--- c:\windows\f23567.dat
2009-06-07 02:04 <DIR> --d----- c:\windows\system32\sysloc
2009-06-07 02:04 2 ----h--- c:\windows\ro122715.dat
2009-06-07 02:03 2 a------- C:\-1325789422
2009-06-07 02:01 348,160 a------- c:\windows\system32\NCTWMAFile2.dll
2009-06-07 02:01 113,486 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-06-07 02:01 602,112 a------- c:\windows\system32\NCTAudioTransform2.dll
2009-06-07 02:01 479,232 a------- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-07 02:01 458,752 a------- c:\windows\system32\NCTAudioRecord2.dll
2009-06-07 02:01 458,752 a------- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-07 02:01 1,986,560 a------- c:\windows\system32\NCTAudioFile2.dll
2009-06-07 02:01 1,212,416 a------- c:\windows\system32\NCTAudioInformation2.dll
2009-06-07 02:01 880,640 a------- c:\windows\system32\NCTAudioEditor2.dll
2009-06-07 02:01 417,792 a------- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-07 02:01 2,084,864 a------- c:\windows\system32\NCTAudioDesign2.dll
2009-06-07 02:01 835,584 a------- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-07 02:00 1,101,824 a------- c:\windows\system32\NMSDVDXU.dll
2009-06-07 02:00 544,768 a------- c:\windows\system32\msvcr71d.dll

==================== Find3M ====================

2009-04-28 03:32 364 a------- C:\drmHeader.bin
2009-04-14 12:14 109,091 ac--h--- c:\windows\hpoins08.dat
2008-05-21 13:32 47,360 -------- c:\docume~1\michae~1\applic~1\pcouffin.sys
2008-03-19 17:03 87,608 -------- c:\docume~1\michae~1\applic~1\ezpinst.exe
2006-08-08 00:24 251 ac------ c:\program files\wt3d.ini
2006-05-16 22:56 56 -c-shr-- c:\windows\system32\53E6920607.sys
2008-08-27 00:37 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 21:49:20.10 ===============


#4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 20 June 2009 - 08:42 AM

Hi michael74-

I've had a chance to look through your log and you are definitely infected.

One or more of the identified infections is a backdoor rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the rootkit has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of rootkit, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Step 1.
I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


Step 2.
Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (shown as an image in the original post):

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.


Step 3
Now, we need to scan for rootkits (hidden infections) with GMER.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



Step 4
Please reply to this post with the following information:
  • Combofix log
  • GMER log
  • A description of any symptoms or issues remaining on your computer after you finish up with the above.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
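How to read the GMER log that Step 3 asks for, as an added example that is not part of the post above and not GMER's own code: a Python script that parses the `Code ... Zw*` hook lines of GMER's System section, groups them by the module that installed each hook, and flags hooks whose module carries no trusted vendor description, especially on enumeration and query calls, which is the pattern a rootkit uses to hide registry keys, files or processes from user-mode tools. The sample lines are constructed in GMER's format: the mfehidk.sys entries mirror the kind of hooks a host-intrusion driver installs, and `example.sys` is an invented module name used only to exercise the flagging path. The trusted-vendor list is an assumption.

```python
"""Group and flag the kernel hooks a GMER log reports.

Added example for this thread; it is not GMER's own code and was not posted
by anyone here.  SAMPLE_GMER is constructed in the format of GMER's
"---- System ----" section: the mfehidk.sys lines mirror the McAfee hooks such
a log shows, and example.sys is an invented module used only to exercise the
"unattributed module" path.  TRUSTED_VENDORS is an assumption.
"""
import re

SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9A684EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA9A6862F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \??\C:\WINDOWS\system32\drivers\example.sys ZwEnumerateKey [0xB1C2D3E4]
Code \??\C:\WINDOWS\system32\drivers\example.sys ZwQueryDirectoryFile [0xB1C2D3F0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
"""

# One hook line: <kind> <module path> [(<description/vendor>)] <Zw/Nt function> [[<address>]]
# GMER prints the parenthesised description from the driver's version resource
# and omits it when the module has none.  The parser assumes the module path
# itself contains no spaces, which holds for the logs in this thread.
HOOK_RE = re.compile(
    r"^(?P<kind>Code|SSDT)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>(?:Zw|Nt)[A-Za-z]+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)

# Calls a rootkit hooks to hide registry keys, files or processes from
# user-mode tools.  An AV driver hooks create/open/terminate calls instead.
HIDING_CALLS = {
    "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryValueKey",
    "ZwQueryDirectoryFile", "ZwQuerySystemInformation",
}

TRUSTED_VENDORS = ("McAfee, Inc.",)  # assumption: the suite installed on this machine


def parse_gmer_hooks(text):
    """Return one dict per hook line; headers, blanks and device lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def group_by_module(hooks):
    """Map each hooking module to the ordered list of functions it hooks."""
    groups = {}
    for h in hooks:
        groups.setdefault(h["module"], []).append(h["func"])
    return groups


def triage(hooks, trusted_vendors=TRUSTED_VENDORS):
    """Flag hooks whose module is not attributed to a trusted vendor.

    The description GMER shows is only version-resource text, so a match is a
    triage hint, not proof; the file's signature and location decide.
    """
    findings = []
    for h in hooks:
        desc = h["desc"] or ""
        if any(v in desc for v in trusted_vendors):
            continue
        reason = "hook by a module with no trusted vendor attribution"
        if h["func"] in HIDING_CALLS:
            reason += "; on an enumeration/query call (hiding pattern)"
        findings.append((h["module"], h["func"], reason))
    return findings


if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_GMER)
    for module, funcs in group_by_module(hooks).items():
        print(f"{module}: {len(funcs)} hooks")
    for module, func, reason in triage(hooks):
        print(f"FLAG {func:<24} {module}  ({reason})")
```

A block of hooks from one security-product driver, like the McAfee entries, is what a clean log on a protected machine looks like; the vendor text is read from the driver's version resource, which anyone can forge, so a hook attributed to a vendor is only cleared once the file is where that vendor installs it and carries its signature. A module with no attribution that hooks enumeration or query calls is the finding to chase first.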
 


#5 michael74 (Topic Starter, Members, 34 posts)

Posted 20 June 2009 - 02:39 PM

Ok, I've run ComboFix and GMER. Although GMER ran an initial scan when I started it, it would not allow me to press the Scan button again.

One other issue I had was with my wireless network. This also started right after I was infected.

Whenever I boot up my computer my wireless network always started automatically.

I use Intel PROSet Wireless. Now on boot I have to start it manually, and I get the following message:

"Another wireless network utility is communicating with intel pro/wireless adapter. To avoid conflicts Intel's profile management features have been temporarily disabled"

I'm not aware of any other utility. I click enable and it works fine.

Here are my combofix and GMER logs:

ComboFix 09-06-20.01 - Michael Searcy 06/20/2009 13:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.537 [GMT -5:00]
Running from: c:\documents and settings\Michael Searcy\Desktop\ComboFix.exe
AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\sysloc
C:\-1325789422
c:\windows\f23567.dat
c:\windows\kb913800.exe
c:\windows\system32\drivers\SKYNETguhsorsn.sys
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\SKYNETlxdwwpbd.dll
c:\windows\system32\SKYNETmnepqsed.dat
c:\windows\system32\SKYNETocoiqxlp.dat
c:\windows\system32\SKYNETppejumnm.dll
c:\windows\system32\sysloc\sysloc.dll

----- BITS: Possible infected sites -----

hxxp://binuser.fileave.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETyjacyjnj


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-10-01 16:26 . 2009-05-09 03:46 -------- d-----w- C:\arctmp
2009-10-01 16:26 . 2009-10-01 16:26 -------- d-----w- c:\documents and settings\Michael Searcy\Application Data\dvdcss
2009-10-01 16:20 . 2009-10-01 16:22 -------- d-----w- c:\program files\Arc DVD Copy
2009-06-14 02:46 . 2009-06-14 02:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 20:12 . 2009-06-12 20:12 -------- d-sh--w- c:\documents and settings\Michael Searcy\PrivacIE
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-12 20:10 . 2009-06-12 20:10 -------- d-sh--w- c:\documents and settings\Michael Searcy\IETldCache
2009-06-12 20:05 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-12 20:05 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-12 19:51 . 2009-06-12 19:51 1152 ----a-w- C:\reregisterie.cmd
2009-06-07 11:35 . 2009-06-07 11:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-06-07 07:05 . 2009-06-07 13:58 0 ----a-w- c:\windows\system32\drivers\3416b9a9.sys
2009-06-07 07:04 . 2009-06-07 07:04 2 ---h--w- c:\windows\ro122715.dat
2009-06-07 07:01 . 2005-04-04 20:06 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-06-07 07:01 . 2005-04-04 22:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-06-07 07:01 . 2005-03-28 20:54 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-07 07:01 . 2005-04-25 18:01 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-06-07 07:01 . 2005-04-25 18:01 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-07 07:01 . 2005-05-18 16:52 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-06-07 07:01 . 2005-05-17 17:37 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-06-07 07:01 . 2005-04-15 17:08 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-06-07 07:01 . 2005-03-28 20:56 417792 ----a-w- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-07 07:01 . 2005-03-29 12:57 2084864 ----a-w- c:\windows\system32\NCTAudioDesign2.dll
2009-06-07 07:01 . 2004-11-04 18:31 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-07 07:00 . 2006-12-07 12:39 1101824 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-06-07 07:00 . 2003-03-19 16:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2009-06-01 05:55 . 2009-06-01 05:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-30 13:11 . 2009-05-30 13:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 08:34 . 2006-03-25 02:41 -------- d-----w- c:\program files\Questview
2009-06-20 08:12 . 2007-08-27 06:38 -------- d-----w- c:\program files\Agent
2009-06-17 18:25 . 2009-05-10 07:23 -------- d-----w- c:\program files\McAfee
2009-06-07 23:11 . 2008-10-27 18:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-06 02:56 . 2006-04-07 00:44 -------- d-----w- c:\program files\Blubster
2009-06-01 20:15 . 2009-03-23 03:26 390664 ------w- c:\documents and settings\Michael Searcy\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-06-01 12:53 . 2008-10-01 20:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-30 13:14 . 2006-03-18 22:06 -------- d-----w- c:\program files\Google
2009-05-18 18:30 . 2009-05-18 18:30 -------- d-----w- c:\program files\CardPlayer
2009-05-18 18:30 . 2009-05-18 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer
2009-05-11 15:30 . 2009-05-11 15:30 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-05-10 07:30 . 2008-07-02 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-10 07:24 . 2009-05-10 07:23 -------- d-----w- c:\program files\Common Files\McAfee
2009-05-10 07:24 . 2009-05-10 07:23 -------- d-----w- c:\program files\McAfee.com
2009-04-28 08:32 . 2009-01-24 09:50 364 ----a-w- C:\drmHeader.bin
2009-04-14 17:14 . 2006-10-27 19:38 109091 -c-ha-w- c:\windows\hpoins08.dat
2009-04-14 16:47 . 2006-03-30 04:07 31128 -c----w- c:\documents and settings\Michael Searcy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 16:06 . 2009-05-10 07:25 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 16:06 . 2009-05-10 07:25 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 16:06 . 2009-05-10 07:25 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 16:06 . 2009-03-25 16:06 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 16:05 . 2009-05-10 07:19 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2006-08-08 05:24 . 2006-08-08 05:24 251 -c--a-w- c:\program files\wt3d.ini
2006-05-17 03:56 . 2006-03-30 04:07 56 -csh--r- c:\windows\system32\53E6920607.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-12-06 839680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-18 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael Searcy^Start Menu^Programs^Startup^System & Internet Washer.lnk]
backup=c:\windows\pss\System & Internet Washer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CrossWire\\The SWORD Project\\InstallMgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [12/4/2007 6:41 PM 9088]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [12/4/2007 6:41 PM 328448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/10/2009 2:28 AM 210216]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 1:20 PM 24120]
S1 3416b9a9;3416b9a9;c:\windows\system32\drivers\3416b9a9.sys [6/7/2009 2:05 AM 0]
S2 gupdate1c9e128215a4dbc;Google Update Service (gupdate1c9e128215a4dbc);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 8:11 AM 133104]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [3/18/2006 4:19 PM 375424]
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 13:10]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-10 15:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-10 15:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-15968 - C:\lsass.exe
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cox.net/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 13:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1611611726-279218397-1700775994-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C098B8F-A548-896D-D336-61FF1191876E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\@* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\p* 6*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
Completion time: 2009-06-20 13:53
ComboFix-quarantined-files.txt 2009-06-20 18:53

Pre-Run: 50,258,546,688 bytes free
Post-Run: 50,283,716,608 bytes free

210 --- E O F --- 2009-06-03 05:12


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-20 14:25:49
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9A684EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA9A68581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9A68498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA9A684AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9A68595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9A685C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA9A6862F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA9A68619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9A6852A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA9A6865B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9A6856D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9A68470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9A68484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9A684FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA9A68697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA9A68603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA9A685ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9A685AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA9A68683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA9A6866F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA9A684D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA9A684C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA9A685D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9A68559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA9A68645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9A68540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9A68514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----


Thank you so much for your help.

Michael
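Reading the ComboFix log above by hand is what the rest of this thread does; as an added example that is neither ComboFix's code nor anything either poster wrote, here is a Python triage script that pulls four kinds of indicator out of such a log: a Run value, or an orphaned Run value, whose binary carries a core Windows process name but sits outside System32 (the `HKLM-Run-15968 - C:\lsass.exe` orphan above); Security Center values that switch off antivirus alerting or monitoring; a service whose driver file is zero bytes (the `3416b9a9.sys` entry); and an Internet Explorer proxy that points back at the local machine (`http=localhost:7171`). The sample input is a trimmed excerpt of the posted log; the list of core process names and the System32 path are assumptions made for the example.

```python
"""Pull persistence and configuration indicators out of a ComboFix log.

Added example for this thread; it is not ComboFix's own code and was not
posted by anyone here.  SAMPLE_COMBOFIX is a trimmed excerpt of the log
posted above (two Run values, the Security Center values, two service
lines, the orphan and the proxy setting).  CORE_PROCESSES and SYSTEM_DIR
are assumptions made for the example.
"""
import re

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-12-06 839680]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [12/4/2007 6:41 PM 9088]
S1 3416b9a9;3416b9a9;c:\windows\system32\drivers\3416b9a9.sys [6/7/2009 2:05 AM 0]

- - - - ORPHANS REMOVED - - - -

HKLM-Run-15968 - C:\lsass.exe

uStart Page = hxxp://www.cox.net/
uInternet Settings,ProxyServer = http=localhost:7171
"""

# "name"="path" [date size]      -- a Run value ComboFix lists
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]')
# HKLM-Run-<name> - <path>       -- a Run value ComboFix removed as orphaned
ORPHAN_RE = re.compile(r"^HKLM-Run-(?P<name>\S+) - (?P<path>.+)$")
# Security Center switches that suppress alerting or monitoring
SC_RE = re.compile(r'^"(?P<name>AntiVirusDisableNotify|FirewallDisableNotify|DisableMonitoring)"=dword:(?P<val>[0-9a-fA-F]{8})')
# <start> <service>;<display>;<path> [<date> <size>]
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*) (?P<size>\d+)\]$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<val>.+)$")

# Names of core Windows processes that malware borrows; the real ones live in System32.
CORE_PROCESSES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"  # assumption: default %windir% on this XP machine


def triage_combofix(text):
    """Return (kind, evidence, note) tuples, one per indicator found, in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line) or ORPHAN_RE.match(line)
        if m:
            path = m.group("path")
            base = path.lower().rsplit("\\", 1)[-1]
            if base in CORE_PROCESSES and not path.lower().startswith(SYSTEM_DIR):
                findings.append(("masquerade", path,
                                 f"{base} is a core Windows process name but this copy is outside System32"))
            continue
        m = SC_RE.match(line)
        if m and int(m.group("val"), 16) == 1:
            findings.append(("security-center", m.group("name"),
                             "Security Center alerting/monitoring switched off; a suite that does its "
                             "own alerting sets this too, so read it with the AV status header"))
            continue
        m = SVC_RE.match(line)
        if m and int(m.group("size")) == 0:
            findings.append(("zero-byte-driver", m.group("path"),
                             f"service {m.group('svc')} ({m.group('start')}) loads a file with no content"))
            continue
        m = PROXY_RE.match(line)
        if m and re.search(r"(?:localhost|127\.0\.0\.1):\d+", m.group("val")):
            findings.append(("local-proxy", m.group("val"),
                             "browser traffic is routed through a listener on this machine; "
                             "check what owns that port before trusting it"))
    return findings


if __name__ == "__main__":
    for kind, evidence, note in triage_combofix(SAMPLE_COMBOFIX):
        print(f"{kind:<17} {evidence}\n{'':<17} {note}")
```

Each finding is a lead to correlate, not a verdict: the Security Center suppression values are also written by suites that handle their own alerting, so the `AV:` header line at the top of the log (on-access scanning enabled or disabled) is what settles that one, and a local proxy should be matched against whatever is listening on that port (`netstat -ano` on XP) before it is assumed to be the malware's interception point.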

#6 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 21 June 2009 - 09:54 AM

Hi michael74-

Combofix did catch quite a lot of the malware, but we still have some cleanup. Please print these instructions before starting.

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/232970/infected-with-pwsldpinchie-and-virtumondesdn/

Collect::
c:\windows\ro122715.dat
c:\windows\system32\drivers\3416b9a9.sys

Driver::
3416b9a9


Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 14 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.


Please perform this online scan: Kaspersky Webscan
  • Read the Requirements and Privacy statement, then select "Accept".
  • A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
  • Select "Install" to download the ActiveX controls that allow ActiveScan to run.
  • When the download is complete it will say Ready; click "Next".
  • Select a target to scan: click on "My Computer".
  • When the scan is complete, choose to save the results as "Save as Text".
  • Post the Kaspersky scan results in your next reply, along with a new HijackThis log.


I noticed that CF has been run several times. Can you please navigate to C:\Qoobox\ ? Once there, you will see several TXT files. Please post Combofix3.txt and Combofix4.txt in your next reply. It is important to know what else it has caught.

So, in your new reply, please post:
Combofix.txt, combofix3.txt, combofix4.txt and the Kaspersky log.

Please also let me know what symptoms are still there (e.g. the Intel Proset issue, or any others).

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 michael74 (Topic Starter, Members, 34 posts)

Posted 21 June 2009 - 01:35 PM

The last time I used ComboFix was several months back when I picked up an infection from a hyperlink on the internet.

Someone with Bleeping Computer helped me clean my computer that time and instructed me on its use.

I am not showing combofix3.txt or 4 in that folder, only a combofix2.txt. Also, the link to Kaspersky did not work. I get a 404 not found message.

I still have the wireless connect problem. It works but I have to start it manually. When I first realized I was being infected I clicked to disable my connection and shut my computer down. Not sure if I did something. I was getting a blocked message from McAfee for access to my computer. I allowed it to block.

I also got buffer overflow messages as well. But after initial scans using McAfee, Ad-Aware and Spybot that all went away. Right now there is nothing else unusual happening with my system.

Here is the latest ComboFix log. Can I get a better link for Kaspersky so I can send you that as well? Not sure if my previous problem is archived at this site.


ComboFix 09-06-20.04 - Michael Searcy 06/21/2009 12:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.499 [GMT -5:00]
Running from: c:\documents and settings\Michael Searcy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Searcy\Desktop\CFScript.txt
AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\ro122715.dat
file zipped: c:\windows\system32\drivers\3416b9a9.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ro122715.dat
c:\windows\system32\drivers\3416b9a9.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_3416b9a9


((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-10-01 16:26 . 2009-05-09 03:46 -------- d-----w- C:\arctmp
2009-10-01 16:26 . 2009-10-01 16:26 -------- d-----w- c:\documents and settings\Michael Searcy\Application Data\dvdcss
2009-10-01 16:20 . 2009-10-01 16:22 -------- d-----w- c:\program files\Arc DVD Copy
2009-06-20 18:56 . 2009-06-20 18:56 -------- d-----w- C:\GMER
2009-06-14 02:46 . 2009-06-14 02:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 20:12 . 2009-06-12 20:12 -------- d-sh--w- c:\documents and settings\Michael Searcy\PrivacIE
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-12 20:10 . 2009-06-12 20:10 -------- d-sh--w- c:\documents and settings\Michael Searcy\IETldCache
2009-06-12 20:05 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-12 20:05 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-12 19:51 . 2009-06-12 19:51 1152 ----a-w- C:\reregisterie.cmd
2009-06-07 11:35 . 2009-06-07 11:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-06-07 07:01 . 2005-04-04 20:06 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-06-07 07:01 . 2005-04-04 22:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-06-07 07:01 . 2005-03-28 20:54 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-07 07:01 . 2005-04-25 18:01 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-06-07 07:01 . 2005-04-25 18:01 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-07 07:01 . 2005-05-18 16:52 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-06-07 07:01 . 2005-05-17 17:37 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-06-07 07:01 . 2005-04-15 17:08 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-06-07 07:01 . 2005-03-28 20:56 417792 ----a-w- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-07 07:01 . 2005-03-29 12:57 2084864 ----a-w- c:\windows\system32\NCTAudioDesign2.dll
2009-06-07 07:01 . 2004-11-04 18:31 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-07 07:00 . 2006-12-07 12:39 1101824 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-06-07 07:00 . 2003-03-19 16:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2009-06-01 05:55 . 2009-06-01 05:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-30 13:11 . 2009-05-30 13:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 08:34 . 2006-03-25 02:41 -------- d-----w- c:\program files\Questview
2009-06-20 08:12 . 2007-08-27 06:38 -------- d-----w- c:\program files\Agent
2009-06-17 18:25 . 2009-05-10 07:23 -------- d-----w- c:\program files\McAfee
2009-06-07 23:11 . 2008-10-27 18:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-06 02:56 . 2006-04-07 00:44 -------- d-----w- c:\program files\Blubster
2009-06-01 20:15 . 2009-03-23 03:26 390664 ------w- c:\documents and settings\Michael Searcy\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-06-01 12:53 . 2008-10-01 20:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-30 13:14 . 2006-03-18 22:06 -------- d-----w- c:\program files\Google
2009-05-18 18:30 . 2009-05-18 18:30 -------- d-----w- c:\program files\CardPlayer
2009-05-18 18:30 . 2009-05-18 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer
2009-05-11 15:30 . 2009-05-11 15:30 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-05-10 07:30 . 2008-07-02 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-10 07:24 . 2009-05-10 07:23 -------- d-----w- c:\program files\Common Files\McAfee
2009-05-10 07:24 . 2009-05-10 07:23 -------- d-----w- c:\program files\McAfee.com
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-28 08:32 . 2009-01-24 09:50 364 ----a-w- C:\drmHeader.bin
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 17:14 . 2006-10-27 19:38 109091 -c-ha-w- c:\windows\hpoins08.dat
2009-04-14 16:47 . 2006-03-30 04:07 31128 -c----w- c:\documents and settings\Michael Searcy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 16:06 . 2009-05-10 07:25 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 16:06 . 2009-05-10 07:25 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 16:06 . 2009-05-10 07:25 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 16:06 . 2009-03-25 16:06 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 16:05 . 2009-05-10 07:19 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2006-08-08 05:24 . 2006-08-08 05:24 251 -c--a-w- c:\program files\wt3d.ini
2006-05-17 03:56 . 2006-03-30 04:07 56 -csh--r- c:\windows\system32\53E6920607.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_18.52.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-16 10:18 . 2009-04-29 04:56 44544 c:\windows\system32\pngfilt.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2006-10-27 21:09 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-10-27 21:09 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 27648 c:\windows\system32\jsproxy.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 44544 c:\windows\system32\iernonce.dll
- 2005-08-16 10:18 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2005-08-16 10:18 . 2009-04-28 09:05 70656 c:\windows\system32\ie4uinit.exe
- 2006-10-17 18:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
+ 2006-10-17 18:58 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll
+ 2006-05-10 05:25 . 2009-04-29 04:56 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-05-10 05:25 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-05-08 21:05 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-08 21:05 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-05-10 05:25 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:25 . 2009-04-29 04:55 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-05-08 21:05 . 2009-04-28 09:05 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2007-05-08 21:05 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2006-10-27 08:44 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-10-27 08:44 . 2009-04-29 04:55 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-10-27 08:44 . 2009-04-28 09:05 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-10-27 08:44 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-20 10:04 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
+ 2006-03-23 22:45 . 2009-06-21 17:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-23 22:45 . 2009-06-20 18:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-23 22:45 . 2009-06-20 18:19 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-03-23 22:45 . 2009-06-21 17:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-18 21:55 . 2009-04-29 12:23 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-03-18 21:55 . 2009-06-21 05:59 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-03-18 21:55 . 2009-06-21 05:59 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-03-18 21:55 . 2009-04-29 12:23 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-03-18 21:55 . 2009-06-21 05:59 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-03-18 21:55 . 2009-04-29 12:23 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-03-18 21:55 . 2009-04-29 12:23 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-03-18 21:55 . 2009-06-21 05:59 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-06-21 06:00 . 2009-06-21 06:00 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-05-13 15:28 . 2009-05-13 15:28 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2006-10-27 03:13 . 2006-10-27 03:13 72472 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNVP.DLL
+ 2009-06-21 05:54 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB969897-IE7\pngfilt.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 52224 c:\windows\ie7updates\KB969897-IE7\msfeedsbs.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 27648 c:\windows\ie7updates\KB969897-IE7\jsproxy.dll
+ 2009-06-21 05:54 . 2009-02-20 10:20 13824 c:\windows\ie7updates\KB969897-IE7\ieudinit.exe
+ 2009-06-21 05:54 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB969897-IE7\iernonce.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 78336 c:\windows\ie7updates\KB969897-IE7\ieencode.dll
+ 2009-06-21 05:54 . 2009-02-20 10:20 70656 c:\windows\ie7updates\KB969897-IE7\ie4uinit.exe
+ 2009-06-21 05:54 . 2009-02-20 18:09 63488 c:\windows\ie7updates\KB969897-IE7\icardie.dll
- 2006-03-18 21:55 . 2009-04-29 12:23 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-03-18 21:55 . 2009-06-21 05:59 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2005-08-16 10:18 . 2009-04-29 04:56 233472 c:\windows\system32\webcheck.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2005-08-16 10:18 . 2009-04-29 04:56 105984 c:\windows\system32\url.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
+ 2005-08-16 10:18 . 2009-04-29 04:56 102912 c:\windows\system32\occache.dll
+ 2005-08-16 10:18 . 2009-04-29 04:56 671232 c:\windows\system32\mstime.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
+ 2005-08-16 10:18 . 2009-04-29 04:56 193024 c:\windows\system32\msrating.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
+ 2005-08-16 10:18 . 2009-04-29 04:56 477696 c:\windows\system32\mshtmled.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
- 2006-10-27 21:09 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
+ 2006-10-27 21:09 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll
- 2006-10-17 18:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2006-10-17 18:57 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 385024 c:\windows\system32\iedkcs32.dll
- 2006-10-17 18:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
+ 2006-10-17 18:27 . 2009-04-29 04:55 383488 c:\windows\system32\ieapfltr.dll
+ 2005-08-16 10:18 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll
- 2005-08-16 10:18 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 230400 c:\windows\system32\ieaksie.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 153088 c:\windows\system32\ieakeng.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
- 2005-08-16 10:27 . 2009-03-11 11:21 151584 c:\windows\system32\FNTCACHE.DAT
+ 2005-08-16 10:27 . 2009-06-21 17:01 151584 c:\windows\system32\FNTCACHE.DAT
- 2005-08-16 10:18 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 133120 c:\windows\system32\extmgr.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 214528 c:\windows\system32\dxtrans.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 347136 c:\windows\system32\dxtmsft.dll
+ 2006-05-10 05:25 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\wininet.dll
+ 2006-10-27 21:09 . 2009-04-29 04:56 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-10-27 21:09 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-10-17 19:05 . 2009-04-29 04:56 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 19:05 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
+ 2006-10-17 19:04 . 2009-04-29 04:56 102912 c:\windows\system32\dllcache\occache.dll
- 2006-10-17 19:04 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:25 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:25 . 2009-04-29 04:56 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:25 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:25 . 2009-04-29 04:56 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:25 . 2009-04-29 04:56 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2006-05-10 05:25 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-08 21:05 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-08 21:05 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2006-10-17 19:04 . 2009-04-25 05:27 636088 c:\windows\system32\dllcache\iexplore.exe
+ 2007-05-08 21:05 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
- 2007-05-08 21:05 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-10-27 08:44 . 2009-04-29 04:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-10-27 08:44 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-05-08 21:05 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2007-05-08 21:05 . 2009-04-29 04:55 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2006-10-27 08:42 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-10-27 08:42 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-10-27 08:44 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-10-27 08:44 . 2009-04-29 04:55 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-10-27 08:44 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-10-27 08:44 . 2009-04-29 04:55 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-05-10 05:25 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-05-10 05:25 . 2009-04-29 04:55 133120 c:\windows\system32\dllcache\extmgr.dll
- 2006-05-10 05:25 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:25 . 2009-04-29 04:55 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-05-10 05:25 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-05-10 05:25 . 2009-04-29 04:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-10-27 08:44 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
+ 2006-10-27 08:44 . 2009-04-29 04:55 124928 c:\windows\system32\dllcache\advpack.dll
+ 2005-08-16 10:18 . 2009-04-29 04:55 124928 c:\windows\system32\advpack.dll
- 2005-08-16 10:18 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
+ 2006-03-18 21:55 . 2009-06-21 05:59 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-03-18 21:55 . 2009-04-29 12:23 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-03-18 21:55 . 2009-06-21 05:59 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-03-18 21:55 . 2009-04-29 12:23 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-03-18 21:55 . 2009-04-29 12:23 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-03-18 21:55 . 2009-06-21 05:59 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-03-18 21:55 . 2009-06-21 05:59 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-03-18 21:55 . 2009-04-29 12:23 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-06-21 05:54 . 2009-03-03 00:18 826368 c:\windows\ie7updates\KB969897-IE7\wininet.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 233472 c:\windows\ie7updates\KB969897-IE7\webcheck.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 105984 c:\windows\ie7updates\KB969897-IE7\url.dll
+ 2009-06-21 05:54 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB969897-IE7\spuninst\updspapi.dll
+ 2009-06-21 05:54 . 2008-07-09 07:38 231288 c:\windows\ie7updates\KB969897-IE7\spuninst\spuninst.exe
+ 2009-06-21 05:54 . 2009-02-20 18:09 102912 c:\windows\ie7updates\KB969897-IE7\occache.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 671232 c:\windows\ie7updates\KB969897-IE7\mstime.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 193024 c:\windows\ie7updates\KB969897-IE7\msrating.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 477696 c:\windows\ie7updates\KB969897-IE7\mshtmled.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 459264 c:\windows\ie7updates\KB969897-IE7\msfeeds.dll
+ 2009-06-21 05:54 . 2009-02-28 04:54 636072 c:\windows\ie7updates\KB969897-IE7\iexplore.exe
+ 2009-06-21 05:54 . 2009-02-20 18:09 268288 c:\windows\ie7updates\KB969897-IE7\iertutil.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 385024 c:\windows\ie7updates\KB969897-IE7\iedkcs32.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 383488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dll
+ 2009-06-21 05:54 . 2009-02-20 05:14 161792 c:\windows\ie7updates\KB969897-IE7\ieakui.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 230400 c:\windows\ie7updates\KB969897-IE7\ieaksie.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 153088 c:\windows\ie7updates\KB969897-IE7\ieakeng.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 133120 c:\windows\ie7updates\KB969897-IE7\extmgr.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 214528 c:\windows\ie7updates\KB969897-IE7\dxtrans.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 347136 c:\windows\ie7updates\KB969897-IE7\dxtmsft.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 124928 c:\windows\ie7updates\KB969897-IE7\advpack.dll
+ 2005-08-16 10:18 . 2009-04-29 04:56 1159680 c:\windows\system32\urlmon.dll
+ 2005-08-16 10:18 . 2009-04-29 04:56 3596288 c:\windows\system32\mshtml.dll
+ 2006-10-27 21:09 . 2009-04-29 04:55 6066176 c:\windows\system32\ieframe.dll
- 2006-10-27 21:09 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
+ 2008-10-15 17:12 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2006-05-10 05:25 . 2009-04-29 04:56 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2006-05-19 15:06 . 2009-04-29 04:56 3596288 c:\windows\system32\dllcache\mshtml.dll
- 2007-05-08 21:05 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2007-05-08 21:05 . 2009-04-29 04:55 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 1160192 c:\windows\ie7updates\KB969897-IE7\urlmon.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 3595264 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
+ 2009-06-21 05:54 . 2009-02-20 18:09 6066176 c:\windows\ie7updates\KB969897-IE7\ieframe.dll
+ 2009-06-21 05:54 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dat
+ 2006-03-25 19:09 . 2009-06-01 16:51 23635392 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-12-06 839680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-18 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael Searcy^Start Menu^Programs^Startup^System & Internet Washer.lnk]
backup=c:\windows\pss\System & Internet Washer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CrossWire\\The SWORD Project\\InstallMgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [12/4/2007 6:41 PM 9088]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [12/4/2007 6:41 PM 328448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/10/2009 2:28 AM 210216]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 1:20 PM 24120]
S2 gupdate1c9e128215a4dbc;Google Update Service (gupdate1c9e128215a4dbc);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 8:11 AM 133104]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [3/18/2006 4:19 PM 375424]
.
Contents of the 'Scheduled Tasks' folder

2009-06-21 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 13:10]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-10 15:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-10 15:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cox.net/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1611611726-279218397-1700775994-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C098B8F-A548-896D-D336-61FF1191876E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\@* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\p* 6*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3604)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-21 12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 17:27
ComboFix2.txt 2009-06-20 18:53

Pre-Run: 72,005,595,136 bytes free
Post-Run: 71,915,458,560 bytes free

405 --- E O F --- 2009-06-21 06:00

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:49 PM

Posted 21 June 2009 - 02:10 PM

Hi michael74-

Sorry about the bad link. Thanks for the CF logs and the explanation. I wasn't sure if you had run it against this particular infection.

Here are the updated Kaspersky instructions:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 michael74

michael74
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 21 June 2009 - 05:31 PM

Here is my Kaspersky scan file:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 21, 2009 20:38:53
Records in database: 2375016
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 71575
Threat name: 7
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 01:47:26


File name / Threat name / Threats count
C:\Documents and Settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-2f10403b Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-7f71aa7f.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.MyWay.ac 1
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 1
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.WebHancer 5
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.Cydoor 2
C:\Program Files\Messenger\profsywuyn.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sysloc\sysloc.dll.vir Infected: Trojan.Win32.BHO.ugq 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP115\A0025513.dll Infected: Trojan.Win32.BHO.ugq 1

The selected area was scanned.


Thank you
Michael

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:49 PM

Posted 22 June 2009 - 07:13 PM

Hi michael74-

OK, Kaspersky caught a few more items. Hopefully this will be the last round of fixes.

First, we need to submit a few files for analysis. Please do this:

Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Where date and time will be similar to 2009-06-18_170001.18.zip

Click Here to upload the submit.zip please.

The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case Blubster). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care.

In addition, Blubster is ad-supported, which explains why Kaspersky picked it out as Adware.

If you would like to uninstall (your choice), please go to Start --> Control Panel --> Add/Remove Programs and remove Blubster 2.6.8



Next, we need to take care of the other files that Kaspersky identified.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

file::
C:\Documents and Settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-2f10403b
C:\Documents and Settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-7f71aa7f.zip
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe
C:\Program Files\Messenger\profsywuyn.html


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your reply, please post combofix.txt and the Kaspersky log and also please confirm that the file upload went ok.

thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
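The CFScript above was built by hand from the Kaspersky report in post #9: the helper copied the live detections into a `file::` block and left out the hits under C:\Qoobox\Quarantine (already contained by ComboFix) and under System Volume Information (a restore-point copy, dealt with separately). The script below is an added example, not code from this thread, from ComboFix or from Kaspersky; it parses the report's `<path> Infected: <threat> <count>` lines, checks that the totals agree with the report's own summary, and emits the same four-path `file::` block. The exclusion of the two "already contained" locations is my rule, chosen to match what the helper did here, and the `SAMPLE_REPORT` text is the detection section of the report posted above, embedded so the script runs offline.

```python
"""Turn a Kaspersky Online Scanner report into a ComboFix ``file::`` script.

Added example for this thread; not ComboFix or Kaspersky code. It assumes the
report layout shown in post #9: one detection per line, formatted as
``<path> Infected: <threat name> <count>``.
"""
import re
from collections import OrderedDict

# The detection lines from the Kaspersky report posted above in this thread,
# embedded here so the script runs without the original file.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-2f10403b Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-7f71aa7f.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.MyWay.ac 1
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 1
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.WebHancer 5
C:\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.Cydoor 2
C:\Program Files\Messenger\profsywuyn.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sysloc\sysloc.dll.vir Infected: Trojan.Win32.BHO.ugq 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP115\A0025513.dll Infected: Trojan.Win32.BHO.ugq 1

The selected area was scanned.
"""

# Path is everything before the literal " Infected: "; Kaspersky threat names
# contain no spaces, so one \S+ token is the name and the trailing integer is
# the per-file count of objects (archives expand to several).
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed rule (mine, not ComboFix's): hits in these locations are already
# contained copies, not live files, so they stay out of the file:: block.
# ComboFix's quarantine is purged when the tool is uninstalled and restore
# points are flushed separately, which is how the helper treated them here.
CONTAINED_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\system volume information\\")


def parse_report(text):
    """Return one (path, threat, count) tuple per detection line in the report."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            detections.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return detections


def summarize(detections):
    """Recompute the report's own summary so the parse can be checked against it."""
    return {
        "files": len({p for p, _, _ in detections}),
        "threat_names": len({t for _, t, _ in detections}),
        "infected_objects": sum(c for _, _, c in detections),
    }


def is_contained(path):
    """True for paths under the quarantine or restore-point locations."""
    return path.lower().startswith(CONTAINED_PREFIXES)


def live_paths(detections):
    """Unique live-file paths in report order; a file flagged for several threats appears once."""
    seen = OrderedDict()
    for path, _, _ in detections:
        if not is_contained(path):
            seen[path] = None
    return list(seen)


def build_cfscript(detections):
    """Render the file:: block in the form ComboFix expects in CFScript.txt."""
    return "file::\n" + "\n".join(live_paths(detections)) + "\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    print(build_cfscript(found))
```

Run against the report above, `summarize()` returns 7 threat names and 14 infected objects, which is what the report's "Scan statistics" header states, and `build_cfscript()` produces exactly the four lines the helper put in CFScript.txt. Checking the recomputed totals against the scanner's own summary is the cheap way to notice a report line the regex silently skipped.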
 


#11 michael74

michael74
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 23 June 2009 - 01:30 AM

Wanted to let you know that the file you requested was successfully uploaded.

Here are the latest ComboFix and Kaspersky logs:

ComboFix 09-06-22.05 - Michael Searcy 06/22/2009 22:48.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.654 [GMT -5:00]
Running from: c:\documents and settings\Michael Searcy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Searcy\Desktop\CFScript.txt
AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-2f10403b"
"c:\documents and settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-7f71aa7f.zip"
"c:\documents and settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe"
"c:\program files\Messenger\profsywuyn.html"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-2f10403b
c:\documents and settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-7f71aa7f.zip
c:\documents and settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe
c:\program files\Messenger\profsywuyn.html

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-10-01 16:26 . 2009-05-09 03:46 -------- d-----w- C:\arctmp
2009-10-01 16:26 . 2009-10-01 16:26 -------- d-----w- c:\documents and settings\Michael Searcy\Application Data\dvdcss
2009-10-01 16:20 . 2009-10-01 16:22 -------- d-----w- c:\program files\Arc DVD Copy
2009-06-21 17:57 . 2009-06-21 17:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-20 18:56 . 2009-06-20 18:56 -------- d-----w- C:\GMER
2009-06-14 02:46 . 2009-06-14 02:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 20:12 . 2009-06-12 20:12 -------- d-sh--w- c:\documents and settings\Michael Searcy\PrivacIE
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-12 20:10 . 2009-06-12 20:10 -------- d-sh--w- c:\documents and settings\Michael Searcy\IETldCache
2009-06-12 20:05 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-12 20:05 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-12 19:51 . 2009-06-12 19:51 1152 ----a-w- C:\reregisterie.cmd
2009-06-07 11:35 . 2009-06-07 11:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-06-07 07:01 . 2005-04-04 20:06 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-06-07 07:01 . 2005-04-04 22:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-06-07 07:01 . 2005-03-28 20:54 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-07 07:01 . 2005-04-25 18:01 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-06-07 07:01 . 2005-04-25 18:01 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-07 07:01 . 2005-05-18 16:52 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-06-07 07:01 . 2005-05-17 17:37 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-06-07 07:01 . 2005-04-15 17:08 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-06-07 07:01 . 2005-03-28 20:56 417792 ----a-w- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-07 07:01 . 2005-03-29 12:57 2084864 ----a-w- c:\windows\system32\NCTAudioDesign2.dll
2009-06-07 07:01 . 2004-11-04 18:31 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-07 07:00 . 2006-12-07 12:39 1101824 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-06-07 07:00 . 2003-03-19 16:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2009-06-01 05:55 . 2009-06-01 05:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-30 13:11 . 2009-05-30 13:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 02:03 . 2006-03-25 02:41 -------- d-----w- c:\program files\Questview
2009-06-23 01:04 . 2007-08-27 06:38 -------- d-----w- c:\program files\Agent
2009-06-21 17:56 . 2006-03-18 21:44 -------- d-----w- c:\program files\Java
2009-06-17 18:25 . 2009-05-10 07:23 -------- d-----w- c:\program files\McAfee
2009-06-07 23:11 . 2008-10-27 18:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-06 02:56 . 2006-04-07 00:44 -------- d-----w- c:\program files\Blubster
2009-06-01 20:15 . 2009-03-23 03:26 390664 ------w- c:\documents and settings\Michael Searcy\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-06-01 12:53 . 2008-10-01 20:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-30 13:14 . 2006-03-18 22:06 -------- d-----w- c:\program files\Google
2009-05-18 18:30 . 2009-05-18 18:30 -------- d-----w- c:\program files\CardPlayer
2009-05-18 18:30 . 2009-05-18 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer
2009-05-11 15:30 . 2009-05-11 15:30 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-05-10 07:30 . 2008-07-02 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-10 07:24 . 2009-05-10 07:23 -------- d-----w- c:\program files\Common Files\McAfee
2009-05-10 07:24 . 2009-05-10 07:23 -------- d-----w- c:\program files\McAfee.com
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-28 08:32 . 2009-01-24 09:50 364 ----a-w- C:\drmHeader.bin
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 17:14 . 2006-10-27 19:38 109091 -c-ha-w- c:\windows\hpoins08.dat
2009-04-14 16:47 . 2006-03-30 04:07 31128 -c----w- c:\documents and settings\Michael Searcy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 16:06 . 2009-05-10 07:25 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 16:06 . 2009-05-10 07:25 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 16:06 . 2009-05-10 07:25 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 16:06 . 2009-03-25 16:06 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 16:05 . 2009-05-10 07:19 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2006-08-08 05:24 . 2006-08-08 05:24 251 -c--a-w- c:\program files\wt3d.ini
2006-05-17 03:56 . 2006-03-30 04:07 56 -csh--r- c:\windows\system32\53E6920607.sys
.

------- Sigcheck -------

[-] 2004-08-10 11:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2004-08-10 11:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2004-08-10 11:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[7] 2007-03-07 17:40 823296 B8F4DB39CA7353752F245379D285C80E c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
[7] 2007-04-25 09:08 823808 431DEFBB4A3D7B0DC062C1B064623A2F c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
[7] 2007-06-27 14:40 824320 D6ED5E042C5207553E7F5E842918137F c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
[7] 2007-08-20 10:02 825344 357D54BF94FE9D6D8505A96B5C2A3BCA c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
[7] 2007-10-10 23:47 825344 0E5D918F87EFA7D2424D66B499C7EB04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[7] 2007-12-07 02:01 825344 B5B411BB229AE6EAD7652A32ED47BFB9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[7] 2008-03-01 13:03 827392 6316C2F0C61271C8ABDFF7429174879E c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[7] 2008-04-23 03:35 827392 41546B396A526918DA7995A02EA04E51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[7] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2005-10-21 03:39 658432 E7B27B6B6E06CE34EA019FD8B858C613 c:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2006-03-04 03:58 663552 C0845ECBF4F9164E618EE381B79C9032 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\ie7\wininet.dll
[7] 2006-10-27 21:09 818688 7CF0B0D5D9D47585853E2A6978441F64 c:\windows\ie7updates\KB928090-IE7\wininet.dll
[7] 2007-01-12 15:27 822784 BE43D00D802C92F01C8CC952C6F483F8 c:\windows\ie7updates\KB931768-IE7\wininet.dll
[7] 2007-03-07 17:45 822784 5B35DAE6E4886F64D1DA58C4E3E01EB9 c:\windows\ie7updates\KB933566-IE7\wininet.dll
[7] 2007-04-25 08:41 822784 0586A7F0B2FDB94D624F399D4728E7C8 c:\windows\ie7updates\KB937143-IE7\wininet.dll
[7] 2007-06-27 14:34 823808 8068CBB58FE60CC95AEB2CFF70178208 c:\windows\ie7updates\KB939653-IE7\wininet.dll
[7] 2007-08-20 10:04 824832 774435E499D8E9643EC961A6103C361F c:\windows\ie7updates\KB942615-IE7\wininet.dll
[7] 2007-10-10 23:56 824832 30C1E0F34AD2972C72A01DB5C74AB065 c:\windows\ie7updates\KB944533-IE7\wininet.dll
[7] 2007-12-07 02:21 824832 806D274C9A6C3AAEA5EAE8E4AF841E04 c:\windows\ie7updates\KB947864-IE7\wininet.dll
[7] 2008-03-01 13:06 826368 AD21461AEF8244EDEC2EF18E55E1DCF3 c:\windows\ie7updates\KB950759-IE7\wininet.dll
[7] 2008-04-23 04:16 826368 F6589BE784647CFDBC22EA51CCB1A57A c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3gdr\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3qfe\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\wininet.dll

[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2004-08-10 11:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-10 11:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2004-08-10 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2004-08-10 11:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2017280 2DFB215E291E3D9B1CF9A6739B3BF16C c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2005-06-23 00:05 2015744 65F4B29A0793ADB5D924FB3F47F1BCA4 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2006-12-19 16:12 2017280 FA64F313F5237C53A909906113ACAE7D c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:53 2137600 E6679C3023B17D8B78946BC5DF53FA20 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2005-06-23 00:30 2136064 5611F453C6D20AB0552956F39BCDDB88 c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 16:49 2137600 57B9D140E1EB8B0EA06DF927B63B0EEE c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-10 11:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2004-08-10 11:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[-] 2004-08-10 11:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2004-08-10 11:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[7] 2008-04-14 00:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 20:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 20:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[-] 2004-08-10 11:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2005-03-10 01:49 295424 C29A5286E64D97385178452D5F307B98 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2004-08-10 11:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtUninstallKB895961$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2004-08-10 11:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[-] 2004-08-10 11:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2004-08-10 11:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2004-08-10 11:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[-] 2004-08-10 11:00 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\appmgmts.dll

[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
[7] 2004-08-04 03:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\kbdclass.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-06-21_17.22.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-22 18:37 . 2009-06-22 18:37 16384 c:\windows\Temp\Perflib_Perfdata_600.dat
+ 2006-03-23 22:45 . 2009-06-22 23:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-23 22:45 . 2009-06-21 17:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-23 22:45 . 2009-06-22 23:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-23 22:45 . 2009-06-21 17:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-21 17:57 . 2009-06-21 17:56 148888 c:\windows\system32\javaws.exe
+ 2009-06-21 17:57 . 2009-06-21 17:56 144792 c:\windows\system32\javaw.exe
+ 2009-06-21 17:57 . 2009-06-21 17:56 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-12-06 839680]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-18 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael Searcy^Start Menu^Programs^Startup^System & Internet Washer.lnk]
backup=c:\windows\pss\System & Internet Washer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CrossWire\\The SWORD Project\\InstallMgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [12/4/2007 6:41 PM 9088]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [12/4/2007 6:41 PM 328448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/10/2009 2:28 AM 210216]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 1:20 PM 24120]
S2 gupdate1c9e128215a4dbc;Google Update Service (gupdate1c9e128215a4dbc);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 8:11 AM 133104]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [3/18/2006 4:19 PM 375424]
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 13:10]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-10 15:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-10 15:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cox.net/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 22:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1611611726-279218397-1700775994-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C098B8F-A548-896D-D336-61FF1191876E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\@* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\p* 6*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
Completion time: 2009-06-23 22:55
ComboFix-quarantined-files.txt 2009-06-23 03:55
ComboFix2.txt 2009-06-21 17:27
ComboFix3.txt 2009-06-20 18:53

Pre-Run: 58,631,208,960 bytes free
Post-Run: 58,704,302,080 bytes free

373 --- E O F --- 2009-06-21 06:00



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 23, 2009 06:19:56
Records in database: 2382141
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 71235
Threat name: 7
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:46:13


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-2f10403b.vir Infected: Trojan-Downloader.Java.Agent.f 1
C:\Qoobox\Quarantine\C\Documents and Settings\Michael Searcy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-7f71aa7f.zip.vir Infected: Trojan-Downloader.Java.Agent.f 1
C:\Qoobox\Quarantine\C\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe.vir Infected: not-a-virus:AdWare.Win32.MyWay.ac 1
C:\Qoobox\Quarantine\C\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe.vir Infected: not-a-virus:AdWare.Win32.HelpExpress 1
C:\Qoobox\Quarantine\C\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer 5
C:\Qoobox\Quarantine\C\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe.vir Infected: not-a-virus:AdWare.Win32.Cydoor 2
C:\Qoobox\Quarantine\C\Program Files\Messenger\profsywuyn.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sysloc\sysloc.dll.vir Infected: Trojan.Win32.BHO.ugq 1

The selected area was scanned.



Thank you
Michael
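
An added example, not part of the original post or of the Kaspersky or ComboFix tools: a small PowerShell triage of a Kaspersky Online Scanner report like the one above. Every hit in this report sits under C:\Qoobox\Quarantine, which is where ComboFix moves files it has already neutralised (the .vir extension), so they are evidence of past removal rather than live infections; entries whose threat name starts with "not-a-virus:" are adware/PUA rather than malware. The script separates quarantine hits from live-path hits and flags paths that carry several distinct detections (a bundled installer). The report lines are constructed from the page's format; the quarantine path is the one the log shows.

```powershell
# Added example (not from the original post). Splits a Kaspersky Online Scanner
# report into hits inside ComboFix's quarantine and hits on live paths.

# Constructed sample in the report's "path  Infected: name  count" layout.
# The first three lines mirror entries from the thread; the last is made up to
# show what a live (non-quarantined) detection would look like.
$report = @'
C:\Qoobox\Quarantine\C\WINDOWS\system32\sysloc\sysloc.dll.vir Infected: Trojan.Win32.BHO.ugq 1
C:\Qoobox\Quarantine\C\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe.vir Infected: not-a-virus:AdWare.Win32.MyWay.ac 1
C:\Qoobox\Quarantine\C\Documents and Settings\Michael Searcy\My Documents\Program Downloads\blubstersetup250.exe.vir Infected: not-a-virus:AdWare.Win32.Cydoor 2
C:\Documents and Settings\Example User\Local Settings\Temp\example.exe Infected: Trojan-Downloader.Win32.Example.a 1
'@

function Get-KavReportTriage {
    param(
        [string[]]$Lines,
        # ComboFix's quarantine folder, as seen in the log above.
        [string]$QuarantineRoot = 'C:\Qoobox\Quarantine'
    )
    # Paths contain spaces, so match lazily up to the literal "Infected:" token.
    $pattern = '^(?<path>.+?)\s+Infected:\s+(?<threat>\S+)\s+(?<count>\d+)\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $path = $matches.path
        $inQuarantine = $path.StartsWith($QuarantineRoot, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Status = if ($inQuarantine) { 'Quarantined (already neutralised)' } else { 'LIVE - needs action' }
            # Kaspersky prefixes adware/PUA with "not-a-virus:"; it is not malware per se.
            PUA    = $matches.threat.StartsWith('not-a-virus:')
            Threat = $matches.threat
            Count  = [int]$matches.count
            Path   = $path
        }
    }
}

$triage = Get-KavReportTriage -Lines ($report -split "`r?`n")
$triage | Format-Table Status, PUA, Threat, Count, Path -AutoSize

# Only the live hits need follow-up; quarantined ones get deleted at final cleanup.
$triage | Where-Object { $_.Status -like 'LIVE*' }

# A single path with several distinct detections is usually a bundled installer
# (the blubstersetup250.exe entry above carries four adware families).
$triage | Group-Object Path | Where-Object { $_.Count -gt 1 } | Select-Object Count, Name
```

Run it with the report text pasted into `$report`, or pipe `Get-Content report.txt` into `-Lines`. The quarantine check is a path-prefix comparison, so adjust `-QuarantineRoot` if the quarantine folder lives elsewhere.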

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:49 PM

Posted 24 June 2009 - 06:43 PM

Hi michael74-

Looking better. How is it running? Do you still have the wireless issue?

I notice that the scanners picked up two antivirus products running.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

However, I also only saw one in the add/remove programs. Did you remove the Cox Security Suite at some point and install the McAfee Security Center? The uninstall may have been botched. Please let me know. Also, what, if any, antivirus icons do you have in the system tray (the area near the clock with a lot of icons). If you hold your cursor over one, a description will pop up.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 michael74

michael74
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 24 June 2009 - 10:51 PM

I did have Cox Security Suite, but Cox ISP contracted with McAfee for all of their customers.

So I deleted Cox SS and started using McAfee.

Mcafee should be the only AV running. It's the only one in my system tray.

And I don't have Cox SS in my add/remove program list.

Still the problem with wireless. It's not a big deal starting manually.

I might have changed something in the app. settings.

Also, Mcafee detected ComboFix as a virus (trojan) and remove it. It's done this twice.

I had to download it again when I ran it the last time You requested. It's gone now.

It detected it as Artemis! followed by different numbers and letters each time.

Nothing else unusual happening with my computer. Seems to be running fine.

Is there anything else I need to do. Do I need to delete the quarantined files?

Am I clean?

I want to also again thank you so much for your help. You've been great.

I would like to, if possible, be able to make a donation for your assistance.

Michael

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:49 PM

Posted 26 June 2009 - 05:17 PM

Hi michael74-

Your log looks clean, but I would like to do one more thing before we clean up our mess (e.g. the quarantined files, remove the tools we've used and set up your system restore points so you can't accidentally restore the malware in the future). That is very important!

As for ComboFix, AV scans often pick up malware-fighting software as malware since they both do similar things (e.g. they both change registry settings, etc.). ComboFix is legitimate, so we're okay there. Sorry about the annoyance.

Now, the one thing left: Cox SS has been deleted, but Windows still thinks it is there. I'd like to fix that.

1. Please re-download ComboFix from one of these locations if your A/V has deleted it from your desktop.* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)


2. Close any open browsers.

3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

4. Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
{2565CEEE-6BDB-4A6D-AD6D-F682F2695014}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt....as usual, please post that log in your reply.

Once that's done, my next post will have the final cleanup instructions. We're almost done! I just want to make sure everything is running well before we delete everything. We can't go backwards at that point.

I'm glad you feel I have been helpful. I would like to acknowledge kahdah for his help and coaching as I work with you. While you have not seen him, he has been following along and providing expert assistance as we work on your computer. If you would like to make a donation, please click here and donate to kahdah. This supports the malware removal effort.
Thanks!


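
An added example, not part of the original post and not ComboFix's own code: the stale "AV: Cox Security Suite" line comes from Windows Security Center, which keeps its own registration of antivirus and firewall products in WMI (root\SecurityCenter on XP, root\SecurityCenter2 on Vista and later). Uninstalling a product does not always remove that registration, which is what the SecCenter:: directive above is meant to clean up for the given GUID. This PowerShell script lists what Security Center still believes is installed, flags the GUID from the log, and can delete that one WMI instance. It assumes Get-WmiObject is available (Windows PowerShell) and that the account runs elevated; the property names are the documented ones for the AntiVirusProduct and FirewallProduct classes.

```powershell
# Added example (not from the original post). Lists Windows Security Center's
# registered AV/firewall products and removes a stale entry by instance GUID.

function Get-SecurityCenterProducts {
    param([string[]]$StaleGuids = @())
    # XP registers products in root\SecurityCenter; Vista+ in root\SecurityCenter2.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($p in $items) {
                [pscustomobject]@{
                    Namespace = $ns
                    Class     = $class
                    Name      = $p.displayName
                    Guid      = $p.instanceGuid
                    # XP exposes boolean flags; SecurityCenter2 packs state into productState.
                    State     = if ($p.PSObject.Properties['onAccessScanningEnabled']) {
                                    "onAccess=$($p.onAccessScanningEnabled) upToDate=$($p.productUptoDate)"
                                } elseif ($p.PSObject.Properties['productState']) {
                                    ('productState=0x{0:X6}' -f $p.productState)
                                } else { "enabled=$($p.enabled)" }
                    Stale     = $StaleGuids -contains $p.instanceGuid
                }
            }
        }
    }
}

function Remove-StaleSecurityCenterProduct {
    param(
        [Parameter(Mandatory)][string]$Guid,
        # Dry run unless -Force is given, so the listing can be checked first.
        [switch]$Force
    )
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
            Where-Object { $_.instanceGuid -eq $Guid } |
            ForEach-Object {
                if ($Force) {
                    $_.Delete()          # removes only this registration, not any files
                    "Removed '$($_.displayName)' ($Guid) from $ns"
                } else {
                    "Would remove '$($_.displayName)' ($Guid) from $ns; re-run with -Force"
                }
            }
    }
}

# GUID of the uninstalled Cox Security Suite entry, taken from the DDS/ComboFix header above.
$coxGuid = '{2565CEEE-6BDB-4A6D-AD6D-F682F2695014}'

Get-SecurityCenterProducts -StaleGuids $coxGuid | Format-Table -AutoSize
Remove-StaleSecurityCenterProduct -Guid $coxGuid          # dry run
# Remove-StaleSecurityCenterProduct -Guid $coxGuid -Force  # actually delete the entry
```

Check the listing before deleting: the entry to remove is the one whose product is gone from Add/Remove Programs and from the system tray, as described in the posts above. Deleting the WMI instance only clears the registration; it does not touch files or services, so a product that is still installed will simply re-register itself.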
 


#15 michael74

michael74
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 27 June 2009 - 02:06 AM

As requested the ComboFix file:

ComboFix 09-06-26.02 - Michael Searcy 06/27/2009 1:52.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.678 [GMT -5:00]
Running from: c:\documents and settings\Michael Searcy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Searcy\Desktop\CFScript.txt
AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-10-01 16:26 . 2009-05-09 03:46 -------- d-----w- C:\arctmp
2009-10-01 16:26 . 2009-10-01 16:26 -------- d-----w- c:\documents and settings\Michael Searcy\Application Data\dvdcss
2009-10-01 16:20 . 2009-10-01 16:22 -------- d-----w- c:\program files\Arc DVD Copy
2009-06-23 03:53 . 2009-06-23 03:53 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-21 17:57 . 2009-06-21 17:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-20 18:56 . 2009-06-20 18:56 -------- d-----w- C:\GMER
2009-06-14 02:46 . 2009-06-14 02:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 20:12 . 2009-06-12 20:12 -------- d-sh--w- c:\documents and settings\Michael Searcy\PrivacIE
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-12 20:10 . 2009-06-12 20:10 -------- d-sh--w- c:\documents and settings\Michael Searcy\IETldCache
2009-06-12 20:05 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-12 20:05 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-12 19:51 . 2009-06-12 19:51 1152 ----a-w- C:\reregisterie.cmd
2009-06-07 11:35 . 2009-06-07 11:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-06-07 07:01 . 2005-04-04 20:06 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-06-07 07:01 . 2005-04-04 22:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-06-07 07:01 . 2005-03-28 20:54 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-07 07:01 . 2005-04-25 18:01 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-06-07 07:01 . 2005-04-25 18:01 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-07 07:01 . 2005-05-18 16:52 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-06-07 07:01 . 2005-05-17 17:37 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-06-07 07:01 . 2005-04-15 17:08 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-06-07 07:01 . 2005-03-28 20:56 417792 ----a-w- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-07 07:01 . 2005-03-29 12:57 2084864 ----a-w- c:\windows\system32\NCTAudioDesign2.dll
2009-06-07 07:01 . 2004-11-04 18:31 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-07 07:00 . 2006-12-07 12:39 1101824 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-06-07 07:00 . 2003-03-19 16:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2009-06-01 05:55 . 2009-06-01 05:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-30 13:11 . 2009-05-30 13:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 05:33 . 2006-03-25 02:41 -------- d-----w- c:\program files\Questview
2009-06-27 05:12 . 2007-08-27 06:38 -------- d-----w- c:\program files\Agent
2009-06-26 22:27 . 2008-10-01 20:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-21 17:56 . 2006-03-18 21:44 -------- d-----w- c:\program files\Java
2009-06-17 18:25 . 2009-05-10 07:23 -------- d-----w- c:\program files\McAfee
2009-06-07 23:11 . 2008-10-27 18:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-01 20:15 . 2009-03-23 03:26 390664 ------w- c:\documents and settings\Michael Searcy\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-30 13:14 . 2006-03-18 22:06 -------- d-----w- c:\program files\Google
2009-05-18 18:30 . 2009-05-18 18:30 -------- d-----w- c:\program files\CardPlayer
2009-05-18 18:30 . 2009-05-18 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer
2009-05-11 15:30 . 2009-05-11 15:30 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-05-10 07:30 . 2008-07-02 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-10 07:24 . 2009-05-10 07:23 -------- d-----w- c:\program files\Common Files\McAfee
2009-05-10 07:24 . 2009-05-10 07:23 -------- d-----w- c:\program files\McAfee.com
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-28 08:32 . 2009-01-24 09:50 364 ----a-w- C:\drmHeader.bin
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 17:14 . 2006-10-27 19:38 109091 -c-ha-w- c:\windows\hpoins08.dat
2009-04-14 16:47 . 2006-03-30 04:07 31128 -c----w- c:\documents and settings\Michael Searcy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-08 05:24 . 2006-08-08 05:24 251 -c--a-w- c:\program files\wt3d.ini
2006-05-17 03:56 . 2006-03-30 04:07 56 -csh--r- c:\windows\system32\53E6920607.sys
.

------- Sigcheck -------

[-] 2004-08-10 11:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2004-08-10 11:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2004-08-10 11:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[7] 2007-03-07 17:40 823296 B8F4DB39CA7353752F245379D285C80E c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
[7] 2007-04-25 09:08 823808 431DEFBB4A3D7B0DC062C1B064623A2F c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
[7] 2007-06-27 14:40 824320 D6ED5E042C5207553E7F5E842918137F c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
[7] 2007-08-20 10:02 825344 357D54BF94FE9D6D8505A96B5C2A3BCA c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
[7] 2007-10-10 23:47 825344 0E5D918F87EFA7D2424D66B499C7EB04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[7] 2007-12-07 02:01 825344 B5B411BB229AE6EAD7652A32ED47BFB9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[7] 2008-03-01 13:03 827392 6316C2F0C61271C8ABDFF7429174879E c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[7] 2008-04-23 03:35 827392 41546B396A526918DA7995A02EA04E51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[7] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2005-10-21 03:39 658432 E7B27B6B6E06CE34EA019FD8B858C613 c:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2006-03-04 03:58 663552 C0845ECBF4F9164E618EE381B79C9032 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\ie7\wininet.dll
[7] 2006-10-27 21:09 818688 7CF0B0D5D9D47585853E2A6978441F64 c:\windows\ie7updates\KB928090-IE7\wininet.dll
[7] 2007-01-12 15:27 822784 BE43D00D802C92F01C8CC952C6F483F8 c:\windows\ie7updates\KB931768-IE7\wininet.dll
[7] 2007-03-07 17:45 822784 5B35DAE6E4886F64D1DA58C4E3E01EB9 c:\windows\ie7updates\KB933566-IE7\wininet.dll
[7] 2007-04-25 08:41 822784 0586A7F0B2FDB94D624F399D4728E7C8 c:\windows\ie7updates\KB937143-IE7\wininet.dll
[7] 2007-06-27 14:34 823808 8068CBB58FE60CC95AEB2CFF70178208 c:\windows\ie7updates\KB939653-IE7\wininet.dll
[7] 2007-08-20 10:04 824832 774435E499D8E9643EC961A6103C361F c:\windows\ie7updates\KB942615-IE7\wininet.dll
[7] 2007-10-10 23:56 824832 30C1E0F34AD2972C72A01DB5C74AB065 c:\windows\ie7updates\KB944533-IE7\wininet.dll
[7] 2007-12-07 02:21 824832 806D274C9A6C3AAEA5EAE8E4AF841E04 c:\windows\ie7updates\KB947864-IE7\wininet.dll
[7] 2008-03-01 13:06 826368 AD21461AEF8244EDEC2EF18E55E1DCF3 c:\windows\ie7updates\KB950759-IE7\wininet.dll
[7] 2008-04-23 04:16 826368 F6589BE784647CFDBC22EA51CCB1A57A c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3gdr\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3qfe\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\wininet.dll

[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2004-08-10 11:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-10 11:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2004-08-10 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2004-08-10 11:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2017280 2DFB215E291E3D9B1CF9A6739B3BF16C c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2005-06-23 00:05 2015744 65F4B29A0793ADB5D924FB3F47F1BCA4 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2006-12-19 16:12 2017280 FA64F313F5237C53A909906113ACAE7D c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:53 2137600 E6679C3023B17D8B78946BC5DF53FA20 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2005-06-23 00:30 2136064 5611F453C6D20AB0552956F39BCDDB88 c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 16:49 2137600 57B9D140E1EB8B0EA06DF927B63B0EEE c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-10 11:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2004-08-10 11:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[-] 2004-08-10 11:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2004-08-10 11:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[7] 2008-04-14 00:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 20:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 20:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[-] 2004-08-10 11:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2005-03-10 01:49 295424 C29A5286E64D97385178452D5F307B98 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2004-08-10 11:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtUninstallKB895961$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2004-08-10 11:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[-] 2004-08-10 11:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2004-08-10 11:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2004-08-10 11:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[-] 2004-08-10 11:00 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\appmgmts.dll

[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
[7] 2004-08-04 03:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-12-06 839680]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-03 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 185896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-18 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael Searcy^Start Menu^Programs^Startup^System & Internet Washer.lnk]
backup=c:\windows\pss\System & Internet Washer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CrossWire\\The SWORD Project\\InstallMgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [12/4/2007 6:41 PM 9088]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [12/4/2007 6:41 PM 328448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/10/2009 2:28 AM 210216]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 1:20 PM 24120]
S2 gupdate1c9e128215a4dbc;Google Update Service (gupdate1c9e128215a4dbc);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 8:11 AM 133104]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [3/18/2006 4:19 PM 375424]
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 13:10]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-10 15:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-10 15:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cox.net/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
FF - ProfilePath - c:\documents and settings\Michael Searcy\Application Data\Mozilla\Firefox\Profiles\s436pkv3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.cox.net
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: XUL Cache: {062A7533-C366-46E9-8749-CFB5BDE27BFD} - c:\documents and settings\Michael Searcy\Local Settings\Application Data\{062A7533-C366-46E9-8749-CFB5BDE27BFD}
FF - HiddenExtension: XUL Cache: {78F02675-FE38-4417-8157-E62F915ABF7C} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{78F02675-FE38-4417-8157-E62F915ABF7C}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 01:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1611611726-279218397-1700775994-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C098B8F-A548-896D-D336-61FF1191876E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\@* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\p* 6*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3868)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-27 2:00
ComboFix-quarantined-files.txt 2009-06-27 07:00
ComboFix2.txt 2009-06-23 03:55
ComboFix3.txt 2009-06-21 17:27
ComboFix4.txt 2009-06-20 18:53

Pre-Run: 53,872,115,712 bytes free
Post-Run: 53,864,230,912 bytes free

363 --- E O F --- 2009-06-21 06:00



