
Security Essentials 2010, TrojanSPM/LX, Worm.Win32.Netsky detected


  • This topic is locked
63 replies to this topic

#1 brigg

  • Members
  • 457 posts
  • Gender:Female
  • Local time:07:10 AM

Posted 28 February 2010 - 05:29 PM

I've got the Security Essentials 2010 infection and probably some other stuff too, as shown in the title.
I've tried the MBAM fix before, and it seemed okay for a day or two, but then didn't stay fixed... maybe because my firewall wasn't enabled.
I can only run in safe mode and get to the internet via a proxy, even though I have done the correction in Internet Tools, LAN settings (do NOT use a proxy).
When I download files from my computer it changes the name to some long random list of letters and numbers and the files never work. I have to work from someone else's computer.

I've followed the instructions at http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ as much as I can.
The firewall is now enabled. I disabled the CD emulation (and have rebooted since).
I downloaded and ran DDS and have attached those files.
I get an Adobe error when I try to execute the GMER application.

Somewhere else it told me to download rkill, which I cannot. But I have that on my desktop already and can run it if I'm logged in as UserOne.
I downloaded it from a library computer.
I cannot run MBAM, which I downloaded today from the library computer; it will not execute.
Somewhere else it suggested I run ComboFix, which just acts like it's going to run, and then doesn't. Same as MBAM.
I can run HijackThis, and that's attached as well, just in case.
System Restore has been disabled (not my choice).

I see in someone else's post they suggested SUPERAntiSpyware Free. I will not try it until I get a response to this post so the logs remain valid.

Edited by brigg, 28 February 2010 - 07:13 PM.

Kansas City Mo area - Central time zone 

Dell D620 Laptop    -   Operating System:  Windows XP Professional 32-bit SP3     -     CPU:  Intel Core Duo T2300E @ 1.66GHz 51 °C     -  Yonah 65nm Technology

RAM:  1.00GB Dual-Channel DDR2 @ 267MHz (4-4-4-12)    -     Motherboard:  Dell Inc. 53 °C     -     Graphics:  Plug and Play Monitor (1280x720@60Hz)
Storage:  74GB SAMSUNG HM080HI (SATA) 36 °C     -     Optical Drives:  TSSTcorp CDRW/DVD TSL462C     -     Audio:  SigmaTel High Definition Audio CODEC
PAE Enabled - Installation Date: 3/20/2009     -     Plug and Play Monitor (1280x720@60Hz)     -     Intel Mobile Intel 945GM Express Chipset Family (Dell)
 



#2 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:05:10 AM

Posted 05 March 2010 - 10:08 PM

Hi brigg
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do the following.


Download ComboFix from Here

Before saving it, rename it to Mobofix.com, then download it to your Desktop.

Please run rkill

Now run Mobofix.com

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click Mobofix.com and follow the prompts.
  • Vista users right click Mobofix.com and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the ComboFix log.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha

Edited by maranatha, 05 March 2010 - 10:09 PM.

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#3 brigg


Posted 06 March 2010 - 12:40 PM

Hello and thanks for the reply.

I was in safe mode with networking. I always run "eXplorer" so I can use the computer. This is a renamed "rkill" so I figured it was okay.

I downloaded the file from another computer, renamed it and copied it to the infected computer's desktop. I double-clicked on the desktop icon, and I got a small screen that showed "combofix" was running. It ran for probably less than a minute. No other messages or errors. I've waited a few minutes. Nothing else has happened.

Okay, about 7 more minutes and I got the "Disclaimer of Warranty on Software."
I realized I still had a window open and closed it.

A few more minutes and then I got the

"This machine does not have the Microsoft Windows Recovery Console installed... without it ComboFix shall not attempt the fixing of some serious infections. Click yes to have ComboFix download/install it." I clicked yes. I got a blue screen on top of my black desktop.
I received the message that it installed correctly, and a prompt to accept the user agreement. It continued to scan for infected files in the blue screen....

ComboFix detected the presence of rootkit activity and needs to reboot the machine... note these file names:
c:\windows\system32\drivers\_VOIDadgootqsta.sys
\_VOIDlsfyresbpf.dll
\_VOIDliufmmfkal.dat
\_VOIDuopbgpngxn.dll
\_VOIDxtvmtjvkvo.dll
and it's continuing to run now. Rebooted.
Cannot write boot sector.
Couldn't read the files on the E drive. I removed it.
Did not boot up into safe mode.
Came up and AntiVir Guard found a virus. AntiVir Guard had not been running before so I did not think it was enabled. I don't know if things are compromised now. I clicked on ignore, and it kept finding Trojans... \rundll32.exe, qdirsftav.exe, \rundll32.exe... same ones. I used the Task Manager to kill the processes over and over again. They just kept popping up. I stopped ComboFix and started over.
Restarted into regular mode. Ran eXplorer.
Kept getting AntiVir messages - this is totally new as of today. Shows a trojan in c:\program files\skype\phone\skype.exe
Uninstalled AntiVir, restarted, ran eXplorer.
Checked processes running in Task Manager - showed AvastSvc.exe - I don't have that installed. When I tried to kill the process I got "could not complete, access is denied".
Ran Mobofix.com, got "security warning, application cannot be executed. The file ljstsftav.exe is infected. Do you want to activate your antivirus software now?" Selected No. ComboFix kept running. Said no to getting an updated version of ComboFix. ComboFix rebooted the system. I let it come up to regular mode. As it was preparing the log report, got two errors - error loading c:\windows\ayeciqusoletunex.dll and error loading c:\windows\system32\od3d2ljc9j.dll, the specified module could not be found. I clicked OK.
The log will be c:\combofix.txt.
Log is attached.

Your last instruction was to run something from the desktop. I don't see that on my desktop. Please let me know what else I can do.
Thanks much for your time.


Edited by brigg, 06 March 2010 - 01:49 PM.

 

#4 maranatha


Posted 06 March 2010 - 12:57 PM

Hi
OK, please do this for right now and I will get back to you shortly.

Please go into Add/Remove and remove one (1) of these, if you can.

avast! Antivirus
Avira AntiVirus


Thanks



#5 maranatha


Posted 06 March 2010 - 01:35 PM

Hi
You restarted ComboFix?

Please post the log(s) you get from it, or what is happening now with the machine.
Also please post a new reply and do not edit your replies. That way I'm sure not to miss anything.

Thanks

Edited by maranatha, 06 March 2010 - 01:38 PM.



#6 brigg


Posted 06 March 2010 - 01:53 PM

Sorry for all the edits. I was trying to reduce confusion. I believe I addressed all your comments in my edited post - I only just now saw you were posting while I was posting.

THANKS!

 

#7 maranatha


Posted 06 March 2010 - 02:59 PM

Hi
OK, this PC is extremely infected. Please only do what I ask and nothing more or less.
Did you remove one (1) of the antivirus programs I told you to? If not, please do so.
Also please remove the Firefox browser for now; you can redownload it after you are clean.

Also please copy and paste the logs into the thread; it makes it easier for me to read.
Thanks

Please do the following in normal mode if you can.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
http://www.bleepingcomputer.com/forums/t/299259/security-essentials-2010-trojanspmlx-wormwin32netsky-detcted/
KillAll::
MBR::
Collect::
c:\program files\106656.dat
c:\program files\106109.dat
c:\program files\106093.dat
c:\program files\106437.dat
c:\program files\615015.dat
c:\program files\607843.dat
c:\program files\606578.dat
c:\documents and settings\UserOne\Application Data\tnnsvl\drjnsftav .exe
c:\program files\168343.dat
c:\program files\168218.dat
c:\program files\166562.dat
c:\program files\166546.dat
c:\program files\184375.dat
c:\program files\173484.dat
c:\program files\378093.dat
c:\program files\378031.dat
c:\program files\321984.dat
c:\program files\320390.dat
c:\program files\175218.dat
c:\program files\168796.dat
c:\program files\168468.dat
c:\program files\319109.dat
c:\program files\166937.dat
c:\program files\161750.dat
c:\program files\161765.dat
c:\program files\161390.dat
c:\program files\230390.dat
c:\program files\208421.dat
c:\program files\2324531.dat
c:\program files\558625.dat
c:\windows\Jtazuvedidak.bin
c:\windows\Uleyuwax.dat
c:\windows\system32\drivers\bgfmzal.sys
c:\windows\system32\bharakiri32.dll
c:\windows\system32\harakiri.dll
c:\windows\system32\mlfcache.dat
c:\windows\system32\fadeafcfd5_d.dll
Folder::
c:\documents and settings\UserOne\Local Settings\Application Data\{9A993A82-F717-4ABD-957B-D65B19430EC9}
c:\documents and settings\w2
c:\documents and settings\w
AWF::
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Apoint\apoint .exe
c:\program files\Java\jre1.6.0_05\bin\jusched .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\skype .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss32.exe"=-
"Remote System Protection"=-
"Security essentials 2010"=-
"Paladin Antivirus"=-
"xgtgqiwj"=-
"vmwvjslo"=-
"unywkwjx"=-
"pymcuixt"=-
"oyoqwchu"=-
"nyxqgdxx"=-
"bavybrjv"=-
"aapauaom"=-
"ccuapyba"=-
"bcmaicig"=-
"alpwltjs"=-
"ylaxvaxf"=-
"ylixfboi"=-
"xltyqhdv"=-
"faymueul"=-
"dutgsadn"=-
"cuehdgrb"=-
"oxrkjjhb"=-
"pmxirgns"=-
"pmpjkjuy"=-
"omhvcwqn"=-
"onrkmnsj"=-
"onjwecnx"=-
"onrwndeb"=-
"kafeawcd"=-
"jagfbcan"=-
"japfkdqq"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fnoqiqedukicuhuh"=-
"xgtgqiwj"=-
"vmwvjslo"=-
"unywkwjx"=-
"pymcuixt"=-
"oyoqwchu"=-
"nyxqgdxx"=-
"bavybrjv"=-
"aapauaom"=-
"ccuapyba"=-
"bcmaicig"=-
"alpwltjs"=-
"ylaxvaxf"=-
"ylixfboi"=-
"xltyqhdv"=-
"faymueul"=-
"dutgsadn"=-
"cuehdgrb"=-
"oxrkjjhb"=-
"pmxirgns"=-
"pmpjkjuy"=-
"omhvcwqn"=-
"onrkmnsj"=-
"onjwecnx"=-
"onrwndeb"=-
"kafeawcd"=-
"jagfbcan"=-
"japfkdqq"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs]
"{78CB6AC8-1B5B-4804-B4C8674161434618}"=-
"{16C41678-E97F-4126-80B152478DC2DCBB}"=-
"{4F89A508-B5EA-46AE-8F27FD3DA1622EF7}"=-
"{8AE3AE9E-ED34-421D-A84C7F90BCAA1950}"=-
Driver::
bgfmzal


Please post the Combofix log.

Thanks
maranatha

Edited by maranatha, 06 March 2010 - 03:03 PM.

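The CFScript in the post above is a plain-text format: a bare `Section::` header, then one path, registry value or driver name per line until the next header, with the thread URL as a preamble line. The entries under `AWF::` have one or more spaces between the base name and `.exe` (`qttask   .exe`, `skype .exe`): the displaced original, while the no-space name is where the replacement binary sits. The Python below is an added example, not part of the post and not ComboFix's own code: it parses such a script into a plan a responder can review before running it, pairs each `"value"=-` line with the registry key above it, and collapses the many space-count variants of one AWF entry onto the single no-space path. The sample script is a constructed, shortened excerpt of the one in the post; only the layout is parsed, what ComboFix does with each section is not modelled.

```python
import re
from collections import defaultdict

# Constructed excerpt of a ComboFix CFScript in the layout the post above uses:
# an optional preamble line (the thread URL), then "Section::" headers, each
# followed by one entry per line. Paths are copied from the post's script,
# but this is a shortened sample, not the full script.
SAMPLE_CFSCRIPT = r"""http://www.bleepingcomputer.com/forums/t/299259/security-essentials-2010-trojanspmlx-wormwin32netsky-detcted/
KillAll::
MBR::
Collect::
c:\program files\106656.dat
c:\documents and settings\UserOne\Application Data\tnnsvl\drjnsftav .exe
c:\windows\system32\drivers\bgfmzal.sys
Folder::
c:\documents and settings\w2
AWF::
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\skype .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss32.exe"=-
"Security essentials 2010"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs]
"{78CB6AC8-1B5B-4804-B4C8674161434618}"=-
Driver::
bgfmzal
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')
# A file name with one or more spaces between the base name and its
# extension, e.g. "qttask   .exe": the shape of the entries under AWF::.
SPACED_NAME_RE = re.compile(r"^(.*\\[^\\ ]+?) +(\.[A-Za-z0-9]+)$")


def parse_cfscript(text):
    """Split a CFScript into (preamble_lines, {section_name: [entry, ...]}).

    Section headers are bare words ending in "::"; every non-blank line until
    the next header belongs to the current section. Lines before the first
    header (the thread URL) are returned separately as the preamble.
    """
    preamble, sections, current = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            preamble.append(line)
        else:
            sections[current].append(line)
    return preamble, sections


def registry_deletions(entries):
    """Pair each "value"=- line with the [key] header above it."""
    result, key = [], None
    for entry in entries:
        key_match = REG_KEY_RE.match(entry)
        if key_match:
            key = key_match.group(1)
            continue
        value_match = REG_DELETE_RE.match(entry)
        if value_match and key is not None:
            result.append((key, value_match.group(1)))
    return result


def awf_pairs(entries):
    """Map each no-space path (where the replacement sits) to the displaced
    originals that name it; variants differing only in space count collapse."""
    pairs = defaultdict(list)
    for entry in entries:
        match = SPACED_NAME_RE.match(entry)
        if match:
            pairs[match.group(1) + match.group(2)].append(entry)
    return dict(pairs)


def summarize(text):
    """Reduce a CFScript to the artefacts it will touch, grouped by kind."""
    preamble, sections = parse_cfscript(text)
    return {
        "thread_url": preamble[0] if preamble else None,
        "collect": sections.get("Collect", []),
        "folders": sections.get("Folder", []),
        "awf": awf_pairs(sections.get("AWF", [])),
        "registry": registry_deletions(sections.get("Registry", [])),
        "drivers": sections.get("Driver", []),
        # Sections with no entries (KillAll::, MBR::) act as switches.
        "flags": [name for name, body in sections.items() if not body],
    }


if __name__ == "__main__":
    for kind, items in summarize(SAMPLE_CFSCRIPT).items():
        print(kind, items)
```

The summary is a review aid only; it runs nothing. The point of collapsing the AWF entries is that the twenty `qttask` lines in the real script are one decision, not twenty, and the no-space path is the one to pull for analysis before the tool overwrites it.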


#8 brigg


Posted 06 March 2010 - 03:05 PM

Hello - I'm here, beginning work. Just to let you know, I uninstalled Avira. Avast was not installed. I will follow your instructions now.

 

#9 brigg


Posted 06 March 2010 - 03:12 PM

I don't have a ComboFix.exe.
I have a Mobofix.com. Is that what you mean?

Edited by brigg, 06 March 2010 - 03:20 PM.

 

#10 maranatha


Posted 06 March 2010 - 03:17 PM

Yes, sorry.
It is the same thing.



#11 brigg


Posted 06 March 2010 - 03:20 PM

Okay, I copied the file (from another computer) and ComboFix is running now.

 

#12 maranatha


Posted 06 March 2010 - 03:28 PM

Hi
I have to run to the store for my wife. I'll be back shortly and look the log over.



#13 brigg


Posted 06 March 2010 - 03:40 PM

Contents of the ComboFix log:

ComboFix 10-03-05.06 - UserOne 03/06/2010 14:22:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527.1111 [GMT -6:00]
Running from: c:\documents and settings\UserOne\Desktop\Mobofix.com.exe
Command switches used :: c:\documents and settings\UserOne\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\documents and settings\UserOne\Application Data\tnnsvl\drjnsftav .exe
file zipped: c:\program files\106093.dat
file zipped: c:\program files\106109.dat
file zipped: c:\program files\106437.dat
file zipped: c:\program files\106656.dat
file zipped: c:\program files\161390.dat
file zipped: c:\program files\161750.dat
file zipped: c:\program files\161765.dat
file zipped: c:\program files\166546.dat
file zipped: c:\program files\166562.dat
file zipped: c:\program files\166937.dat
file zipped: c:\program files\168218.dat
file zipped: c:\program files\168343.dat
file zipped: c:\program files\168468.dat
file zipped: c:\program files\168796.dat
file zipped: c:\program files\173484.dat
file zipped: c:\program files\175218.dat
file zipped: c:\program files\184375.dat
file zipped: c:\program files\208421.dat
file zipped: c:\program files\230390.dat
file zipped: c:\program files\2324531.dat
file zipped: c:\program files\319109.dat
file zipped: c:\program files\320390.dat
file zipped: c:\program files\321984.dat
file zipped: c:\program files\378031.dat
file zipped: c:\program files\378093.dat
file zipped: c:\program files\558625.dat
file zipped: c:\program files\606578.dat
file zipped: c:\program files\607843.dat
file zipped: c:\program files\615015.dat
file zipped: c:\windows\Jtazuvedidak.bin
file zipped: c:\windows\system32\bharakiri32.dll
file zipped: c:\windows\system32\drivers\bgfmzal.sys
file zipped: c:\windows\system32\fadeafcfd5_d.dll
file zipped: c:\windows\system32\harakiri.dll
file zipped: c:\windows\system32\mlfcache.dat
file zipped: c:\windows\Uleyuwax.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\UserOne\Application Data\tnnsvl\drjnsftav .exe
c:\documents and settings\UserOne\Local Settings\Application Data\{9A993A82-F717-4ABD-957B-D65B19430EC9}
c:\documents and settings\UserOne\Local Settings\Application Data\{9A993A82-F717-4ABD-957B-D65B19430EC9}\chrome.manifest
c:\documents and settings\UserOne\Local Settings\Application Data\{9A993A82-F717-4ABD-957B-D65B19430EC9}\chrome\content\_cfg.js
c:\documents and settings\UserOne\Local Settings\Application Data\{9A993A82-F717-4ABD-957B-D65B19430EC9}\chrome\content\overlay.xul
c:\documents and settings\UserOne\Local Settings\Application Data\{9A993A82-F717-4ABD-957B-D65B19430EC9}\install.rdf
c:\program files\106093.dat
c:\program files\106109.dat
c:\program files\106437.dat
c:\program files\106656.dat
c:\program files\161390.dat
c:\program files\161750.dat
c:\program files\161765.dat
c:\program files\166546.dat
c:\program files\166562.dat
c:\program files\166937.dat
c:\program files\168218.dat
c:\program files\168343.dat
c:\program files\168468.dat
c:\program files\168796.dat
c:\program files\173484.dat
c:\program files\175218.dat
c:\program files\184375.dat
c:\program files\208421.dat
c:\program files\230390.dat
c:\program files\2324531.dat
c:\program files\319109.dat
c:\program files\320390.dat
c:\program files\321984.dat
c:\program files\378031.dat
c:\program files\378093.dat
c:\program files\558625.dat
c:\program files\606578.dat
c:\program files\607843.dat
c:\program files\615015.dat
c:\windows\Jtazuvedidak.bin
c:\windows\system32\bharakiri32.dll
c:\windows\system32\drivers\bgfmzal.sys
c:\windows\system32\fadeafcfd5_d.dll
c:\windows\system32\harakiri.dll
c:\windows\system32\mlfcache.dat
c:\windows\Uleyuwax.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BGFMZAL
-------\Service_bgfmzal


((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-06 18:12 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\dmdrrx
2010-03-06 18:12 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\mgyvrh
2010-03-06 18:12 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\pnjjql
2010-03-05 05:51 . 2010-03-05 05:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-03 18:48 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\ktsovc
2010-03-03 18:48 . 2010-03-06 20:25 -------- d-----w- c:\documents and settings\UserOne\Application Data\tnnsvl
2010-03-03 18:48 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\lkkujq
2010-03-03 18:48 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\wuyhvo
2010-03-03 18:48 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\orvjit
2010-03-03 18:48 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\hfmsin
2010-03-01 23:54 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\toxrco
2010-03-01 20:22 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\qegila
2010-03-01 20:22 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\dfmbkn
2010-03-01 00:22 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\fgclal
2010-02-28 21:59 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\uuxdoq
2010-02-28 21:58 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\hvevoe
2010-02-28 21:58 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\qpyaon
2010-02-28 21:58 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Application Data\dqfsnb
2010-02-28 20:50 . 2010-02-28 20:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-02-28 20:37 . 2010-02-28 20:37 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-28 20:37 . 2010-02-28 20:37 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-28 00:37 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Application Data\hcgfdr
2010-02-28 00:37 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\bpwodl
2010-02-26 20:30 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\yqmwlv
2010-02-26 20:29 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\ulotks
2010-02-26 02:55 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\weyxeo
2010-02-26 02:55 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\gxtcdx
2010-02-26 02:55 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\kvxwpp
2010-02-25 20:38 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\jvsdkx
2010-02-25 20:38 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\mddqkb
2010-02-25 19:31 . 2010-02-25 19:30 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-25 19:20 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\kwvosr
2010-02-25 18:33 . 2010-02-25 18:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-25 18:32 . 2010-02-25 18:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2010-02-25 16:49 . 2010-02-05 15:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-25 16:49 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-25 16:49 . 2009-09-23 22:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-25 16:49 . 2010-02-05 15:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-25 16:49 . 2010-02-25 16:49 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-25 16:49 . 2010-02-25 16:49 -------- d-----w- c:\documents and settings\UserOne\Application Data\PC Tools
2010-02-25 16:49 . 2010-02-25 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-25 16:48 . 2010-02-25 19:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-25 02:29 . 2010-02-25 02:29 -------- d-----w- c:\program files\Avira
2010-02-25 02:29 . 2010-02-25 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-25 02:27 . 2010-03-06 18:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\pucwct
2010-02-25 01:55 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-25 01:55 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-25 01:55 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-25 01:55 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-25 01:55 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-25 01:55 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-25 01:55 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-25 01:54 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-25 01:54 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-25 01:54 . 2010-02-25 01:54 -------- d-----w- c:\program files\Alwil Software
2010-02-25 01:54 . 2010-02-25 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-22 18:48 . 2010-02-22 18:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-02-20 01:05 . 2010-02-20 01:05 -------- d-----w- c:\program files\Google
2010-02-19 19:17 . 2010-02-19 19:17 -------- d-----w- c:\documents and settings\UserOne\Local Settings\Application Data\Google
2010-02-18 02:23 . 2010-02-18 02:23 -------- d-----w- c:\documents and settings\w2
2010-02-18 01:48 . 2010-02-18 01:48 -------- d-----w- c:\documents and settings\w
2010-02-17 21:28 . 2010-02-26 20:29 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-16 21:19 . 2010-02-16 21:19 -------- d-----w- C:\~ErdUserProfile.$$$
2010-02-14 05:31 . 2010-02-14 05:32 -------- d-----w- c:\documents and settings\UserOne\Application Data\Media Player Classic
2010-02-14 03:10 . 2010-02-14 03:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-13 15:57 . 2010-02-13 15:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-11 00:43 . 2010-02-11 00:43 -------- d-----w- c:\program files\Favicon
2010-02-11 00:40 . 2010-02-11 00:40 6479 ----a-w- c:\program files\favicon_182337.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 20:29 . 2010-01-04 19:59 -------- d-----w- c:\program files\SOS Online Backup
2010-03-06 18:35 . 2010-01-14 00:23 -------- d-----w- c:\program files\QuickTime
2010-03-06 18:35 . 2007-03-01 19:45 -------- d-----w- c:\program files\Apoint
2010-03-02 00:26 . 2010-01-06 15:47 -------- d-----w- c:\documents and settings\UserOne\Application Data\Skype
2010-03-01 20:20 . 2007-02-28 21:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-28 20:54 . 2010-01-04 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-02-25 18:18 . 2007-03-01 20:15 -------- d-----w- c:\program files\a-squared Free
2010-02-25 02:27 . 2010-02-28 21:58 279296 ----a-w- c:\documents and settings\UserOne\Application Data\dqfsnb\klvfsftav .exe
2010-02-25 02:27 . 2010-02-28 00:37 279296 ----a-w- c:\documents and settings\UserOne\Application Data\hcgfdr\tqursftav .exe
2010-02-23 22:13 . 2010-01-05 02:18 -------- d-----w- c:\documents and settings\UserOne\Application Data\FileZilla
2010-02-20 23:36 . 2010-01-04 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-18 21:58 . 2010-01-04 18:30 -------- d-----w- c:\program files\Avast4
2010-02-18 19:52 . 2010-01-04 21:54 -------- d-----w- c:\program files\Bonjour
2010-02-16 22:27 . 2007-03-01 21:03 -------- d-----w- c:\documents and settings\UserOne\Application Data\OpenOffice.org2
2010-02-14 04:03 . 2010-01-14 00:22 -------- d-----w- c:\program files\Common Files\Apple
2010-02-04 20:04 . 2007-03-01 20:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-27 22:00 . 2010-01-06 15:50 -------- d-----w- c:\documents and settings\UserOne\Application Data\skypePM
2010-01-15 22:00 . 2010-01-07 20:30 -------- d-----w- c:\program files\Yahoo SiteBuilder
2010-01-14 00:33 . 2010-01-14 00:25 -------- d-----w- c:\documents and settings\UserOne\Application Data\Apple Computer
2010-01-14 00:25 . 2010-01-14 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-14 00:24 . 2010-01-14 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-14 00:23 . 2010-01-14 00:23 -------- d-----w- c:\program files\Apple Software Update
2010-01-14 00:22 . 2010-01-14 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-07 21:32 . 2010-01-07 21:30 -------- d-----w- c:\program files\WebLog Expert Lite
2010-01-07 21:30 . 2010-01-07 21:30 -------- d-----w- c:\program files\Common Files\Software FX Shared
2010-01-06 21:53 . 2010-01-06 21:53 1956072 ----a-w- c:\documents and settings\UserOne\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-06 15:50 . 2010-01-06 15:50 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-06 15:47 . 2010-01-06 15:46 -------- d-----r- c:\program files\Skype
2010-01-06 15:46 . 2010-01-06 15:46 -------- d-----w- c:\program files\Common Files\Skype
2010-01-06 15:46 . 2010-01-06 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-05 20:11 . 2007-02-28 20:28 75848 ----a-w- c:\documents and settings\UserOne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 00:36 . 2010-01-05 00:36 1 ----a-w- c:\documents and settings\UserOne\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-04 22:43 . 2010-01-04 22:43 1924744 ----a-w- c:\documents and settings\UserOne\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-12-16 22:05 . 2010-02-19 19:16 471040 ----a-w- c:\documents and settings\UserOne\Application Data\Mozilla\Firefox\Profiles\sbipzz3y.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2009-12-16 22:05 . 2010-02-19 19:16 347136 ----a-w- c:\documents and settings\UserOne\Application Data\Mozilla\Firefox\Profiles\sbipzz3y.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 22:05 . 2010-02-19 19:16 340992 ----a-w- c:\documents and settings\UserOne\Application Data\Mozilla\Firefox\Profiles\sbipzz3y.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 22:05 . 2010-02-19 19:16 43008 ----a-w- c:\documents and settings\UserOne\Application Data\Mozilla\Firefox\Profiles\sbipzz3y.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 22:05 . 2010-02-19 19:16 1452032 ----a-w- c:\documents and settings\UserOne\Application Data\Mozilla\Firefox\Profiles\sbipzz3y.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
.
CODE
<pre>
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Apoint\apoint .exe
c:\program files\Java\jre1.6.0_05\bin\jusched .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\skype .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-03-06_18.40.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-01-04 22:17 . 2010-01-04 22:17 23558 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2010-01-04 22:17 . 2010-03-06 19:17 23558 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2010-01-04 22:17 . 2010-01-04 22:17 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
+ 2010-01-04 22:17 . 2010-03-06 19:17 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
+ 2010-01-04 22:17 . 2010-03-06 19:17 7278 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2010-01-04 22:17 . 2010-01-04 22:17 7278 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2010-01-04 22:17 . 2010-03-06 19:17 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2010-01-04 22:17 . 2010-01-04 22:17 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2010-01-04 22:17 . 2010-03-06 19:17 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
- 2010-01-04 22:17 . 2010-01-04 22:17 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2010-01-04 22:17 . 2010-03-06 19:17 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
- 2010-01-04 22:17 . 2010-01-04 22:17 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!1BackedupFileOverlay]
@="{3F1FB271-8290-4330-8069-310F32C030EF}"
[HKEY_CLASSES_ROOT\CLSID\{3F1FB271-8290-4330-8069-310F32C030EF}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!2LiveProtectedFileOverlay]
@="{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}"
[HKEY_CLASSES_ROOT\CLSID\{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!3ProtectedFileOverlay]
@="{A94C4834-6F18-491F-A205-3AFF24B16BC0}"
[HKEY_CLASSES_ROOT\CLSID\{A94C4834-6F18-491F-A205-3AFF24B16BC0}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!4SharedFileOverlay]
@="{C85F4084-C3E3-453c-B242-4BDABA8F58FB}"
[HKEY_CLASSES_ROOT\CLSID\{C85F4084-C3E3-453c-B242-4BDABA8F58FB}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!5SyncedFileOverlay]
@="{58605E40-AE20-45d7-887B-08F3D9FF3651}"
[HKEY_CLASSES_ROOT\CLSID\{58605E40-AE20-45d7-887B-08F3D9FF3651}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!6SyncingFileOverlay]
@="{06DF45CB-D312-4306-B97D-6CDA50A10B30}"
[HKEY_CLASSES_ROOT\CLSID\{06DF45CB-D312-4306-B97D-6CDA50A10B30}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!7ConflictedFileOverlay]
@="{D1542785-76CA-4d0c-9688-F290B1E77E01}"
[HKEY_CLASSES_ROOT\CLSID\{D1542785-76CA-4d0c-9688-F290B1E77E01}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [N/A]
"igfxtray"="c:\windows\system32\igfxtray.exe" [N/A]
"igfxpers"="c:\windows\system32\igfxpers.exe" [N/A]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [N/A]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-07-07 02:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-01 18:48 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 06:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-09-15 22:50 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
c:\windows\system32\igfxpers.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
c:\windows\system32\igfxtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2006-10-18 22:58 696320 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2006-10-18 23:04 802816 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
c:\program files\Intel\NCS\PROSet\PRONoMgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-05-16 21:33 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZCfgSvc.exe]
c:\windows\system32\ZCfgSvc.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/25/2010 10:49 AM 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/24/2010 7:55 PM 162512]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/12/2007 2:45 PM 224888]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/1/2007 10:05 AM 87936]
S3 sctdisk;sctdisk;c:\windows\system32\sctdisk.sys [7/16/2003 10:28 AM 2304]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{78CB6AC8-1B5B-4804-B4C8674161434618}
{16C41678-E97F-4126-80B152478DC2DCBB}
{4F89A508-B5EA-46AE-8F27FD3DA1622EF7}
{8AE3AE9E-ED34-421D-A84C7F90BCAA1950}
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-06 c:\windows\Tasks\SOS Online Backup - briggreene.job
- c:\program files\SOS Online Backup\sosuploadagent.exe [2009-11-05 16:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?source=gama&hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
Trusted Zone: buy-security-essentials.com
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: is-software-download.com
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 14:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2632)
c:\windows\system32\WININET.dll
c:\program files\SOS Online Backup\ShlOverlays.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\SOS Online Backup\OverlayCache.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-03-06 14:33:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 20:33
ComboFix2.txt 2010-03-06 18:44

Pre-Run: 22,018,170,880 bytes free
Post-Run: 21,981,241,344 bytes free

- - End Of File - - 24C314B675FB826AAA0F881295EF0DF4

Kansas City Mo area - Central time zone 

Dell D620 Laptop    -   Operating System:  Windows XP Professional 32-bit SP3     -     CPU:  Intel Core Duo T2300E @ 1.66GHz 51 °C     -  Yonah 65nm Technology

RAM:  1.00GB Dual-Channel DDR2 @ 267MHz (4-4-4-12)    -     Motherboard:  Dell Inc. 53 °C     -     Graphics:  Plug and Play Monitor (1280x720@60Hz)
Storage:  74GB SAMSUNG HM080HI (SATA) 36 °C     -     Optical Drives:  TSSTcorp CDRW/DVD TSL462C     -     Audio:  SigmaTel High Definition Audio CODEC
PAE Enabled - Installation Date: 3/20/2009     -     Plug and Play Monitor (1280x720@60Hz)     -     Intel Mobile Intel 945GM Express Chipset Family (Dell)
 

#14 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:05:10 AM

Posted 06 March 2010 - 04:19 PM

Hi
OK one more time.

Delete the CFScript that is on the desktop and run this one as before.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.
CODE
Folder::
c:\documents and settings\UserOne\Local Settings\Application Data\dmdrrx
c:\documents and settings\UserOne\Local Settings\Application Data\mgyvrh
c:\documents and settings\UserOne\Local Settings\Application Data\pnjjql
c:\documents and settings\UserOne\Local Settings\Application Data\ktsovc
c:\documents and settings\UserOne\Application Data\tnnsvl
c:\documents and settings\UserOne\Local Settings\Application Data\lkkujq
c:\documents and settings\UserOne\Local Settings\Application Data\wuyhvo
c:\documents and settings\UserOne\Local Settings\Application Data\orvjit
c:\documents and settings\UserOne\Local Settings\Application Data\hfmsin
c:\documents and settings\UserOne\Local Settings\Application Data\toxrco
c:\documents and settings\UserOne\Local Settings\Application Data\qegila
c:\documents and settings\UserOne\Local Settings\Application Data\dfmbkn
c:\documents and settings\UserOne\Local Settings\Application Data\fgclal
c:\documents and settings\UserOne\Local Settings\Application Data\uuxdoq
c:\documents and settings\UserOne\Local Settings\Application Data\hvevoe
c:\documents and settings\UserOne\Local Settings\Application Data\qpyaon
c:\documents and settings\UserOne\Application Data\dqfsnb
c:\documents and settings\UserOne\Application Data\hcgfdr
c:\documents and settings\UserOne\Local Settings\Application Data\bpwodl
c:\documents and settings\UserOne\Local Settings\Application Data\yqmwlv
c:\documents and settings\UserOne\Local Settings\Application Data\ulotks
c:\documents and settings\UserOne\Local Settings\Application Data\weyxeo
c:\documents and settings\UserOne\Local Settings\Application Data\gxtcdx
c:\documents and settings\UserOne\Local Settings\Application Data\kvxwpp
c:\documents and settings\UserOne\Local Settings\Application Data\jvsdkx
c:\documents and settings\UserOne\Local Settings\Application Data\mddqkb
c:\documents and settings\UserOne\Local Settings\Application Data\kwvosr
c:\documents and settings\NetworkService\Local Settings\Application Data\pucwct
File::
c:\documents and settings\UserOne\Application Data\hcgfdr\tqursftav .exe
c:\windows\system32\sctdisk.sys
Driver::
sctdisk
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] - NetSvcs
"{78CB6AC8-1B5B-4804-B4C8674161434618}"=-
"{16C41678-E97F-4126-80B152478DC2DCBB}"=-
"{4F89A508-B5EA-46AE-8F27FD3DA1622EF7}"=-
"{8AE3AE9E-ED34-421D-A84C7F90BCAA1950}"=-
AWF::
<pre>
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Apoint\apoint .exe
c:\program files\Java\jre1.6.0_05\bin\jusched .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\skype .exe
</pre>


Post the log.

Thanks

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here
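The ComboFix report above and the CFScript in this reply point at the same handful of indicators: executables whose names carry whitespace before the extension ("qttask .exe", "klvfsftav .exe", the entries ComboFix lists under AWF::), a browser proxy pointed back at 127.0.0.1, rogue domains placed in the Trusted Zone, brace-named entries under Svchost NetSvcs, and six-letter random folders under Application Data (the Folder:: list). The script below is an added example, not part of this thread and not a ComboFix feature: it runs those checks as detection logic over a few constructed lines written in ComboFix's report format. The finding names, the regexes and the six-lowercase-letter folder heuristic are this example's own assumptions.

```python
"""Triage a ComboFix-style report for the indicators discussed in this thread."""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's report format, modelled on the indicators in
# the log above. It is not the thread's log, just a few lines for the demo.
SAMPLE_LOG = r"""
2010-02-25 02:27 . 2010-02-28 21:58 279296 ----a-w- c:\documents and settings\UserOne\Application Data\dqfsnb\klvfsftav .exe
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [N/A]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{78CB6AC8-1B5B-4804-B4C8674161434618}
{16C41678-E97F-4126-80B152478DC2DCBB}
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
Trusted Zone: buy-security-essentials.com
"""

# A path with whitespace immediately before the extension ("qttask .exe"): the
# padded copy sits beside the real binary and is what the Run value launches.
PADDED_EXT = re.compile(r"[a-z]:\\[^\"\[]*?\s+\.(?:exe|dll|sys|scr)\b", re.I)
# Browser proxy pointed at the machine itself: the rogue's local proxy.
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
TRUSTED_ZONE = re.compile(r"^Trusted Zone:\s*(\S+)", re.I)
NETSVCS_HEADER = re.compile(r"Svchost\s*-\s*NetSvcs", re.I)
BRACE_NAME = re.compile(r"^\{[0-9A-F-]+\}$", re.I)
WELL_FORMED_GUID = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
# Heuristic (assumption of this example): six lowercase letters directly under
# Application Data, the naming pattern of the folders in the Folder:: list.
RANDOM_APPDATA_DIR = re.compile(r"\\Application Data\\([a-z]{6})(?=\\|$)")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    line: int


def triage(log_text: str, trusted_allow: frozenset = frozenset()) -> list:
    """Return deduplicated findings in order of first appearance."""
    findings = []
    in_netsvcs = False
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line or line == ".":      # "." ends a ComboFix section
            in_netsvcs = False
            continue
        if NETSVCS_HEADER.search(line):
            in_netsvcs = True
            continue
        if in_netsvcs and BRACE_NAME.match(line):
            # Legit NetSvcs names are service names, not GUIDs; these are also
            # not even well-formed GUIDs (8-4-4-4-12 groups).
            shape = "well-formed" if WELL_FORMED_GUID.match(line) else "malformed"
            findings.append(Finding("netsvcs_guid", f"{line} ({shape} GUID)", n))
            continue
        for m in PADDED_EXT.finditer(line):
            findings.append(Finding("padded_extension", m.group(0), n))
        for m in RANDOM_APPDATA_DIR.finditer(line):
            findings.append(Finding("random_appdata_dir", m.group(1), n))
        m = LOCAL_PROXY.search(line)
        if m:
            findings.append(Finding("local_proxy", f"{m.group(1)}:{m.group(2)}", n))
        m = TRUSTED_ZONE.match(line)
        if m and m.group(1).lower() not in trusted_allow:
            findings.append(Finding("trusted_zone", m.group(1).lower(), n))
    # Collapse repeats: the report lists some Trusted Zone entries twice.
    seen = {}
    for f in findings:
        seen.setdefault((f.kind, f.detail), f)
    return list(seen.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>3}  {f.kind:<19} {f.detail}")
```

Run it against a saved ComboFix.txt with `triage(open("ComboFix.txt").read())`. The padded-extension check is the one worth keeping in mind when reading any Run key: the registry value in the log names "qttask .exe" with a space, which is a different file from the QuickTime "qttask.exe" that the [X] and [N/A] markers are about, and that is why ComboFix handles it under AWF:: rather than as an ordinary File:: deletion.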


#15 brigg

brigg
  • Topic Starter

  • Members
  • 457 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:10 AM

Posted 06 March 2010 - 04:20 PM

Going out for a run then will be back in an hour or so.




