
Can't access internet and more



#1 Whirly

Posted 24 March 2010 - 10:38 PM

I was trying to watch a movie online when I accidentally clicked one of the DivX ads, which started a download that I accidentally confirmed.

I ran malwarebytes and SAS and they removed oodles of things, but whenever I boot up after a scan, these two items will not get deleted.

QUOTE
C:\PROGRAM FILES\INTERNET EXPLORER\WMPSCFGS.EXE
C:\WINDOWS\Prefetch\WMPSCFGS.EXE-2DC2A9E2.pf


After removal, whenever I try to use an internet browser, it gives me a usp10.dll error. This happens when I use Windows Explorer as well. My wireless adapter can connect to the family router, but it says there is no connection regardless. I can't run System Restore either: when I do it in regular mode, it says it is disabled by group policy, and when tried in safe mode it says I should try outside of safe mode.

Malwarebytes was fine before removing, but afterwards mbam.exe did not work anymore even though it was named something else, and when I tried installing again, mbam.exe did not appear. SAS works fine though.

Using Windows XP Home SP3

QUOTE
DDS (Ver_10-03-17.01) - NTFSx86
Run by Family at 22:18:30.37 on Wed 03/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.158 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\analog devices\core\smax4pnp .exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\program files\google\google talk\googletalk .exe
c:\windows\system32\hkcmd .exe
c:\program files\razer\habu\razerhid .exe
c:\progra~1\musicm~1\musicm~1\MMDiag.exe
c:\program files\java\jre6\bin\jusched .exe
c:\program files\itunes\ituneshelper .exe
c:\program files\siber systems\ai roboform\robotaskbaricon .exe
c:\program files\razer\habu\razerofa.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\iMicro\NT-USB54M\Installer\WINXP\NT-USB54M Wireless Client Utility.exe
c:\program files\maiden2a\superantispyware .exe
C:\Program Files\Citrix\GoToAssist\514\G2AProcessFactory.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iMicro\NT-USB54M\Installer\WINXP\NT-USB54M Wireless Client Utility.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Family\Application Data\Dropbox\bin\Dropbox.exe
c:\program files\google\google talk\googletalk .exe
C:\Program Files\Slacker\Software Player\slacker.tray.exe
c:\windows\system32\hkcmd .exe
c:\program files\razer\habu\razerhid .exe
c:\program files\analog devices\core\smax4pnp .exe
c:\program files\java\jre6\bin\jusched .exe
c:\program files\razer\habu\razerofa.exe
c:\program files\itunes\ituneshelper .exe
c:\documents and settings\family\local settings\application data\google\update\googleupdate .exe
c:\program files\siber systems\ai roboform\robotaskbaricon .exe
c:\program files\sandboxie\sbiectrl .exe
C:\Documents and Settings\Family\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
c:\program files\aim6\aim6 .exe
c:\program files\maiden2a\superantispyware .exe
c:\program files\skype\phone\skype .exe
c:\program files\AIM6\aolsoftware.exe
c:\docume~1\family\locals~1\temp\login .exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
c:\windows\bcygea .exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\AntiV\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwa1.dll
BHO: {805758c9-3f01-43b7-ad83-282e4a2d340f} - romipuja.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwa1.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Tunebite] c:\program files\rapidsolution\tunebite\Tunebite.exe -tray
uRun: [Google Update] "c:\documents and settings\family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [feedreader.exe] "c:\documents and settings\family\my documents\downloads\feedreader314setup\feedreader.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] c:\program files\maiden2a\SUPERAntiSpyware.exe
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\family\locals~1\temp\login .exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Habu] c:\program files\razer\habu\razerhid.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [putokeruwu] Rundll32.exe "kenefafa.dll",s
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mExplorerRun: [RTHDBPL] c:\documents and settings\family\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\family\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\family\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\family\startm~1\programs\startup\slacke~1.lnk - c:\program files\slacker\software player\slacker.tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nt-usb~1.lnk - c:\program files\imicro\nt-usb54m\installer\winxp\NT-USB54M Wireless Client Utility.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: clubbing.com
Trusted Zone: live.com\login
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\maiden2a\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\maiden2a\SASSEH.DLL
LSA: Notification Packages = scecli kavudawu.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\family\applic~1\mozilla\firefox\profiles\qdru5n14.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&q=
FF - plugin: c:\documents and settings\family\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Firefox security: No Registry Reference - c:\program files\mozilla firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-22 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\maiden2a\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\maiden2a\SASKUTIL.SYS [2010-2-17 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-22 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-22 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-22 55640]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe [2010-1-8 285744]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-31 24652]
R3 SASENUM;SASENUM;c:\program files\maiden2a\SASENUM.SYS [2010-2-17 12872]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-5-28 108032]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [2008-5-13 508544]
S3 DrmCVideo32;DrmCVideo32;c:\windows\system32\drivers\DrmCVideo32.sys [2008-5-13 3768]

=============== Created Last 30 ================

2010-03-25 03:16:54 0 ----a-w- c:\documents and settings\family\defogger_reenable
2010-03-25 01:44:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 16:20:58 0 ----a-w- c:\windows\system32\cd.dat
2010-03-15 16:43:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-15 16:43:25 0 d-----w- c:\program files\maiden2a
2010-03-15 16:43:25 0 d-----w- c:\docume~1\family\applic~1\SUPERAntiSpyware.com
2010-03-15 16:42:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-14 18:53:36 40448 ----a-w- c:\documents and settings\family\rundll32.exe
2010-03-14 05:36:56 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-14 05:36:55 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-14 05:36:46 129784 ------w- c:\windows\system32\pxafs.dll
2010-03-14 05:36:44 1628920 ----a-w- c:\windows\system32\pxsfs.dl~
2010-03-14 05:35:33 518904 ----a-w- c:\windows\system32\pxdrv.dl~
2010-03-14 05:35:31 88824 ----a-w- c:\windows\system32\vxblock.dl~
2010-03-14 05:35:30 379640 ----a-w- c:\windows\system32\pxwave.dl~
2010-03-14 05:35:28 187128 ----a-w- c:\windows\system32\pxmas.dl~
2010-03-14 05:35:22 551672 ----a-w- c:\windows\system32\px.dl~
2010-03-14 05:24:06 0 d-----w- c:\program files\common files\DivX Shared
2010-03-14 05:24:03 0 d-----w- c:\program files\DivX
2010-03-14 05:08:03 40448 ----a-w- c:\documents and settings\family\rundll32 .exe
2010-03-14 05:06:17 40448 ----a-w- c:\windows\bcygea.exe
2010-03-14 05:06:17 154624 ----a-w- c:\windows\bcygea .exe
2010-03-14 05:00:40 0 d-sh--w- c:\docume~1\family\applic~1\SystemProc

==================== Find3M ====================

2010-03-25 02:00:04 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-14 05:08:14 40448 ----a-w- c:\windows\system32\igfxpers.exe
2010-01-25 05:36:50 5853176 ----a-w- c:\windows\Call of Duty 4.scr
1601-01-01 00:03:52 64512 --sha-w- c:\windows\system32\kavudawu.dll
1601-01-01 00:03:52 64512 --sha-w- c:\windows\system32\kenefafa.dll
1601-01-01 00:03:52 64512 --sha-w- c:\windows\system32\romipuja.dll
2009-07-22 01:39:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009072120090722\index.dat

============= FINISH: 22:19:46.68 ===============

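The DDS log above shows several self-defence and persistence tricks in one place: IFEO entries that route the Microsoft Security Essentials / Windows Defender binaries (MpCmdRun.exe, MsMpEng.exe, msseces.exe) to svchost.exe, a non-default LSA notification package (kavudawu.dll), autoruns launched from %TEMP% and from a fake SystemProc\lsass.exe, a rundll32 entry loading kenefafa.dll by bare name, policies disabling the registry editor and folder options, executables that now exist as both "name.exe" and "name .exe" with several "originals" all sized 40448 bytes, and DLLs stamped 1601-01-01 (the zero point of the Windows FILETIME clock). As an added example that is not part of the original thread, the Python script below applies exactly those checks to lines copied from the log, plus two benign control lines constructed here. The rule names, thresholds and the list of "default" LSA packages are the example's own choices; it is a triage aid for reading such logs, not a detection signature.

```python
"""Triage a DDS 'Pseudo HJT Report' for the persistence and self-defence tricks
visible in the log above. Every rule is a heuristic: a hit is something a
malware-removal helper should look at, not proof of infection on its own."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample input: lines copied from the DDS log posted above, plus two
# benign control lines (the Sandboxie autorun and the Avira driver) that must not fire.
SAMPLE_LOG = r"""
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\family\locals~1\temp\login .exe
mRun: [putokeruwu] Rundll32.exe "kenefafa.dll",s
mExplorerRun: [RTHDBPL] c:\documents and settings\family\application data\systemproc\lsass.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
LSA: Notification Packages = scecli kavudawu.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-22 11608]
2010-03-25 02:00:04 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-14 05:08:14 40448 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-14 05:06:17 40448 ----a-w- c:\windows\bcygea.exe
2010-03-14 05:06:17 154624 ----a-w- c:\windows\bcygea .exe
1601-01-01 00:03:52 64512 --sha-w- c:\windows\system32\kavudawu.dll
1601-01-01 00:03:52 64512 --sha-w- c:\windows\system32\kenefafa.dll
"""

RUN_ENTRY = re.compile(r"^[umd](?:Explorer)?Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
FILE_ENTRY = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$")
POLICY = re.compile(r"^[umd]Policies-\w+: (?P<key>\w+) = (?P<val>\d+)", re.I)
LSA = re.compile(r"^LSA: (?P<key>[\w ]+?) = (?P<val>.+)$")
IFEO = re.compile(r"^IFEO: (?P<image>\S+) - (?P<debugger>.+)$")
# "hkcmd .exe": a look-alike name with a space before the extension; the genuine
# binary was moved aside and something else now answers to the real name.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|scr|com)\b", re.I)
# rundll32 handed a bare DLL name, so the DLL is located through the search order.
RUNDLL_BARE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"\\\s,]+\.dll)', re.I)

WEAK_POLICIES = {("disableregistrytools", "1"), ("nofolderoptions", "1"),
                 ("disabletaskmgr", "1"), ("enablelua", "0")}
# Example's own notion of "default": XP ships scecli / msv1_0 in these LSA values.
LSA_DEFAULTS = {"notification packages": {"scecli"}, "authentication packages": {"msv1_0"}}
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\",
                 "\\locals~1\\", "\\applic~1\\")
SYSTEM_PROCS = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "smss.exe", "services.exe"}

Finding = Tuple[str, str]  # (rule name, offending log line or summary)


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    by_size: Dict[str, Set[str]] = defaultdict(set)
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space-before-extension", line))
        if m := RUN_ENTRY.match(line):
            cmd = m.group("cmd").lower()
            if any(marker in cmd for marker in USER_WRITABLE):
                findings.append(("autorun-user-writable", line))
            if RUNDLL_BARE.search(cmd):
                findings.append(("rundll32-unqualified-dll", line))
            exes = re.findall(r'[^"\\\s]+\.exe', cmd)
            if exes and exes[0] in SYSTEM_PROCS and "\\windows\\system32\\" not in cmd:
                findings.append(("system-process-name-outside-system32", line))
        elif m := POLICY.match(line):
            if (m.group("key").lower(), m.group("val")) in WEAK_POLICIES:
                findings.append(("security-weakening-policy", line))
        elif m := LSA.match(line):
            allowed = LSA_DEFAULTS.get(m.group("key").lower(), set())
            if any(pkg.lower() not in allowed for pkg in m.group("val").split()):
                findings.append(("lsa-package", line))
        elif IFEO.match(line):
            # Image File Execution Options: Windows starts the listed "Debugger" instead of
            # the named image, matched on the image's file name. Routing a security tool to
            # svchost.exe means it never runs; a renamed copy of the tool escapes the match,
            # which is why the helper below asks for a renamed ComboFix.
            findings.append(("ifeo-redirect", line))
        elif m := FILE_ENTRY.match(line):
            path = m.group("path").lower()
            if m.group("date").startswith("1601-"):  # FILETIME zero: stamp was wiped or forged
                findings.append(("filetime-epoch-timestamp", line))
            if path.endswith((".exe", ".dll")):
                by_size[m.group("size")].add(path)
    # Differently named executables of identical size: the same dropper copied under
    # the names of the programs it displaced.
    for size, paths in by_size.items():
        if len(paths) > 1:
            findings.append(("identical-size-executables",
                             f"{len(paths)} files of {size} bytes: " + ", ".join(sorted(paths))))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:40s} {detail}")
```

Run against the full DDS output rather than the excerpt and the "autorun-user-writable" rule will also list legitimate per-user software such as Dropbox; that rule is a review queue, while the IFEO, LSA and FILETIME-epoch hits are rarely benign.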


#2 Whirly (Topic Starter)

Posted 24 March 2010 - 10:40 PM

GMER just froze upon loading and wouldn't let me configure it, so I skipped it, as per boopme's instructions.

#3 Farbar (Security Developer)

Posted 25 March 2010 - 04:04 PM

Hi Whirly,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Due to the type of infection it is important to run a renamed ComboFix. Regardless of whether ComboFix is able to connect to the internet to download the Microsoft Recovery Console, please just proceed to run ComboFix. We can always install the Recovery Console the next round.

Download ComboFix from one of these locations to your flash drive but rename it to whirly.exe before transferring it to the infected computer :

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#4 Whirly (Topic Starter)

Posted 26 March 2010 - 11:08 AM

Yes, I agree.

QUOTE
ComboFix 10-03-25.04 - Family 03/25/2010 17:36:55.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.183 [GMT -5:00]
Running from: c:\documents and settings\Family\Desktop\Whirly.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
The following files were disabled during the run:
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Family\Application Data\SystemProc
c:\documents and settings\Family\Application Data\SystemProc\lsass.exe
c:\documents and settings\Family\Local Settings\Application Data\Windows Server
c:\documents and settings\Family\Local Settings\Application Data\Windows Server\xetpmk.dll
c:\documents and settings\Family\My Documents\ZbThumbnail.info
c:\documents and settings\Family\rundll32 .exe
c:\documents and settings\Family\rundll32.exe
c:\documents and settings\Family_2\rundll32.exe
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\xetpmk.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll.vir
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\program files\maiden2a\46135ad1-1012-458e-ab0c-0bfebe3a45b9.exe
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\Mozilla Firefox\usp10.dll
c:\windows\bcygea .exe
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server\xetpmk.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\kavudawu.dll
c:\windows\system32\kenefafa.dll
c:\windows\system32\romipuja.dll
c:\windows\system32\rundll32 .exe
c:\windows\system32\spool\prtprocs\w32x86\000079c3.tmp
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\Temp\2569615624.exe
.
---- Previous Run -------
.
c:\program files\USS\unins000.dat
c:\program files\USS\unins000.exe
c:\windows\0downlzade51194.exe
c:\windows\10099z5o952a.ocx
c:\windows\1025s5yware1z89.ocx
c:\windows\105759a5ktozl465.ocx
c:\windows\10853z9oj524.bin
c:\windows\109a5hzef3938.bin
c:\windows\11754w9rm7e5z.bin
c:\windows\1185backdooz2935.cpl
c:\windows\1196vi515z9.exe
c:\windows\11bbs5yz9re458.bin
c:\windows\11z28s5ambo94f0.exe
c:\windows\12451not-a-viru94bz.exe
c:\windows\12582zpambot595.exe
c:\windows\12795hacktzol570.ocx
c:\windows\12863noz-a-vi59s41b.bin
c:\windows\129879ackto5l64z.dll
c:\windows\132ddown5oa9er2z41.dll
c:\windows\141279ackt5ol5ez.dll
c:\windows\14432not-5-v9rzs58b.dll
c:\windows\1530wz5m9f5.bin
c:\windows\1546znot5a-9irus44f.ocx
c:\windows\15520viru9z7.ocx
c:\windows\1552z9roj659.dll
c:\windows\1559zparse331.dll
c:\windows\155zspar9e2727.ocx
c:\windows\1565pzware968.ocx
c:\windows\15832sp91z95.cpl
c:\windows\15848t9ojz5.exe
c:\windows\15905ot-a-virus9z1.cpl
c:\windows\15945t9oj3fz.exe
c:\windows\159fspyw5re1z2.bin
c:\windows\15z649pambot2d9.ocx
c:\windows\15z89teal540.bin
c:\windows\1635zackdo9r1005.dll
c:\windows\16519zirus48f.cpl
c:\windows\16929spambo56dz9.exe
c:\windows\16a99ackd5or3z14.cpl
c:\windows\17274n5t-a-vizus4609.exe
c:\windows\17316spy659z.exe
c:\windows\17429zp5162.exe
c:\windows\1810t5ie9291z.ocx
c:\windows\181zspam9ot4f5.bin
c:\windows\18499spazb5t631.cpl
c:\windows\18868tzo57de9.ocx
c:\windows\18909w5rm6ez.cpl
c:\windows\1890sp950az.ocx
c:\windows\18bethreat27950z.dll
c:\windows\18ez9ackd5or1685.bin
c:\windows\192589ozm521.cpl
c:\windows\1925t9ief29z9.bin
c:\windows\192975py595z.ocx
c:\windows\192z5v5rus431.cpl
c:\windows\19354vizus3ac.bin
c:\windows\1945sp5rse11z0.cpl
c:\windows\19735worm435z.cpl
c:\windows\1982t5re9t5740z.dll
c:\windows\19923zo5m18.ocx
c:\windows\19989troj5ez.exe
c:\windows\19z0backdo59844.bin
c:\windows\1bdfszars5903.dll
c:\windows\1d6cspaz5e319.bin
c:\windows\1e81sza5se2059.dll
c:\windows\1e87thief51z9.dll
c:\windows\1fb1b9ck5oor5z9.exe
c:\windows\1z13759rm24c.dll
c:\windows\1z1959yware206.cpl
c:\windows\1z59vir9s140.ocx
c:\windows\204z2v9rus5c8.bin
c:\windows\20z99vir9548f.exe
c:\windows\21040vizus7d59.exe
c:\windows\210z9hackt5ol37.bin
c:\windows\211zworm589.cpl
c:\windows\2159zno9-5-virus49c.cpl
c:\windows\21625ze9l1339.cpl
c:\windows\2165szeal14559.bin
c:\windows\22691s9y4z5.exe
c:\windows\22844not9a-viruz5a.dll
c:\windows\22e4tz5eat28679.ocx
c:\windows\23554hacktz9l1e6.cpl
c:\windows\237fdownloaz592258.ocx
c:\windows\23989szyd15.dll
c:\windows\23czvir29925.dll
c:\windows\2459zworm50c.ocx
c:\windows\24625zor56ef9.bin
c:\windows\24798s5amboz491.bin
c:\windows\2484znot-a-9iru515b.ocx
c:\windows\24z85sp528b9.cpl
c:\windows\25076vzrus9e9.ocx
c:\windows\25226wor9165z.ocx
c:\windows\25550zp9mbot25e.bin
c:\windows\2575zha5kt9ol647.bin
c:\windows\25858spamzot2c99.dll
c:\windows\2599backdoorz793.ocx
c:\windows\25z2stea59528.cpl
c:\windows\25z84vir9s611.bin
c:\windows\26192t59j3zf.dll
c:\windows\2625spam9ot45z.dll
c:\windows\26734hackt9zl2905.exe
c:\windows\26838nzt-59virus20b.dll
c:\windows\26de5zyware2393.dll
c:\windows\26z05sp960c.bin
c:\windows\27478not-a-viru5z9d.ocx
c:\windows\274z6spy9425.exe
c:\windows\27733vzr5s5659.exe
c:\windows\27845ha5kto9lz04.cpl
c:\windows\279z9wo5m58e.dll
c:\windows\2899695zm759.dll
c:\windows\289zth5ea920446.exe
c:\windows\28c89hi5z2623.cpl
c:\windows\294499roz5f3.ocx
c:\windows\29489zpambot58.bin
c:\windows\296495rus66z.ocx
c:\windows\29695hzcktoo54b.ocx
c:\windows\2972t5zef2216.dll
c:\windows\29761spamboz615.cpl
c:\windows\29876z5rm781.ocx
c:\windows\29892notza-virus530.dll
c:\windows\2a02v5r25z69.cpl
c:\windows\2aezs5eal1589.dll
c:\windows\2c19addzare358.dll
c:\windows\2cfdvi914z65.ocx
c:\windows\2d27sp9zar5290.cpl
c:\windows\2d3e5teal954z.dll
c:\windows\2e94addwa9z3537.ocx
c:\windows\2f66t9i5f2246z.exe
c:\windows\2f97th5ef99z8.ocx
c:\windows\2z081no5-a-virus19.exe
c:\windows\2z379wor57f5.exe
c:\windows\2z58steal3095.exe
c:\windows\2z97threat15285.dll
c:\windows\2zb19p5rse1795.ocx
c:\windows\302c9hrzat51664.bin
c:\windows\305z89pambot341.ocx
c:\windows\3097backdooz29485.bin
c:\windows\30afs5zware2395.dll
c:\windows\31366not-9-virus596z.exe
c:\windows\31520wozm19b.ocx
c:\windows\3154zs9y756.ocx
c:\windows\31790sp95bot6z2.dll
c:\windows\31935za9ktool7f4.ocx
c:\windows\319865pambzt319.dll
c:\windows\31z90virus2405.dll
c:\windows\32151worz9a.bin
c:\windows\321585zy39a.dll
c:\windows\32522spy5z9.exe
c:\windows\329cs5arsez92.exe
c:\windows\33bfbackdoo527z29.dll
c:\windows\3439thzeat12559.dll
c:\windows\3485z9yware2071.dll
c:\windows\350bstez92293.cpl
c:\windows\350zst5a92777.exe
c:\windows\352bvir293z.bin
c:\windows\357thi9f2957z.ocx
c:\windows\3586zpy309.dll
c:\windows\35994not-a-viruz2e7.ocx
c:\windows\3650baczdoo9868.dll
c:\windows\3657dow5lo9der2886z.bin
c:\windows\377f9pyware31z65.ocx
c:\windows\39066zor5da.dll
c:\windows\390dst5alz082.cpl
c:\windows\39249ackdo5r96z.bin
c:\windows\394cth5efz25.dll
c:\windows\39691zro52fe.cpl
c:\windows\396zthr5at9593.dll
c:\windows\3d7bz95eat28008.cpl
c:\windows\3d7thze52889.bin
c:\windows\3e47downlzader2953.exe
c:\windows\3f90downlzader1995.ocx
c:\windows\3zab5hief2907.bin
c:\windows\405aspy9zre1556.exe
c:\windows\40c5spywarez6709.ocx
c:\windows\415bspywarez109.cpl
c:\windows\4225owzloade93207.ocx
c:\windows\42f9st5al11z19.dll
c:\windows\44e09pyzar52749.dll
c:\windows\450vir2z449.dll
c:\windows\4552hacz5ool49f.ocx
c:\windows\4631ste5z9576.ocx
c:\windows\47z9spambot591.bin
c:\windows\4849backzoo92655.dll
c:\windows\4946ste5z8289.bin
c:\windows\4961spzrse1105.cpl
c:\windows\49735azkdoor3191.dll
c:\windows\49bethrezt53704.bin
c:\windows\4b525hiez3093.ocx
c:\windows\4c77spaz591914.bin
c:\windows\4z85not-9-virus28d.dll
c:\windows\50659irusz05.cpl
c:\windows\5074thizf9273.exe
c:\windows\50796worm7cz9.exe
c:\windows\50cfthiefz946.ocx
c:\windows\510z3hac9tool26f.bin
c:\windows\511bv953121z.ocx
c:\windows\5193hackto5z248.exe
c:\windows\51b5ste9l5749z.dll
c:\windows\51c1zh9eat19065.bin
c:\windows\523095dwaze1215.exe
c:\windows\5286spyzf49.bin
c:\windows\53eetzie59328.dll
c:\windows\5459zdware385.dll
c:\windows\545csteaz971.cpl
c:\windows\545zst9al542.ocx
c:\windows\54638virus19z.dll
c:\windows\54z55hr9at14617.cpl
c:\windows\5539thiez576.exe
c:\windows\554f9irz24.bin
c:\windows\5559backdzor586.exe
c:\windows\5583szy7a9.ocx
c:\windows\5589downloaderz8.ocx
c:\windows\5595sparse5z4.exe
c:\windows\559cspywaze9546.dll
c:\windows\55d2threat195z65.ocx
c:\windows\55ed9zwnloader5089.exe
c:\windows\5699sparsz1480.exe
c:\windows\56a3thi9f19z9.ocx
c:\windows\56f6sp9rsez924.ocx
c:\windows\56zha9ktool636.cpl
c:\windows\583ezack5oor790.ocx
c:\windows\58449ot-z-virus605.ocx
c:\windows\585109ot-a-vizus650.bin
c:\windows\5856spywa9e3z55.dll
c:\windows\58bathi9fz9275.exe
c:\windows\59c5hzef2729.exe
c:\windows\59cftzreat59712.dll
c:\windows\5a19zackdoor1508.ocx
c:\windows\5ae1s5zrse954.bin
c:\windows\5b3spyw95e1716z.ocx
c:\windows\5b4thie9z39.exe
c:\windows\5b80virz9985.exe
c:\windows\5b81th5eatz997.ocx
c:\windows\5b9czownload5r137.exe
c:\windows\5c52th9ef26z0.cpl
c:\windows\5ca0spzware909.ocx
c:\windows\5cb9spyw5re20z9.dll
c:\windows\5d60s9ealz521.dll
c:\windows\5de2ste5lz6939.bin
c:\windows\5e015ir2z849.bin
c:\windows\5e2ftzi9f3153.dll
c:\windows\5f08adzware23569.dll
c:\windows\5f11down59zder498.bin
c:\windows\5z08worm79.ocx
c:\windows\5z56down9oader1806.cpl
c:\windows\5z5vir9181.exe
c:\windows\5z7badd9are529.dll
c:\windows\5z7fvi92094.bin
c:\windows\5z85addwa5e18679.ocx
c:\windows\5z8tro57369.cpl
c:\windows\5z92tro5618.exe
c:\windows\5za3steal2969.dll
c:\windows\5zf6backdoor897.cpl
c:\windows\60059acktzol5f.ocx
c:\windows\6138spamz596c1.ocx
c:\windows\61879ownload5z286.ocx
c:\windows\61despz5ar9915.ocx
c:\windows\6534zpar9e2309.dll
c:\windows\65bfsteal98z9.dll
c:\windows\6894t5ief1z29.bin
c:\windows\69485parse255z.exe
c:\windows\6950troz4b4.ocx
c:\windows\6990szar9e853.exe
c:\windows\69e0addw5rez1239.cpl
c:\windows\6a1zadd5ar9648.bin
c:\windows\6a495iz589.bin
c:\windows\6b89vir5559z.ocx
c:\windows\6ccbt9reat7z395.dll
c:\windows\6e53threaz19590.ocx
c:\windows\6ee9thie52z59.cpl
c:\windows\6f13z9re5t2339.ocx
c:\windows\6fa3baczdoor2598.ocx
c:\windows\6z5esparse9541.bin
c:\windows\7007sp5ware2z99.cpl
c:\windows\714zt5i9f1973.cpl
c:\windows\7172s9ambzt4315.dll
c:\windows\7198zparse10215.dll
c:\windows\725steal5z97.ocx
c:\windows\72czspywa9e585.ocx
c:\windows\74319ackto5ze9.ocx
c:\windows\751adownloz9er252.ocx
c:\windows\7529zirus5a6.exe
c:\windows\757z59reat2944.ocx
c:\windows\7589zddware2592.exe
c:\windows\75a2t9iez563.ocx
c:\windows\75a9addware95z0.cpl
c:\windows\766dszar5e911.bin
c:\windows\775e9ir2796z.exe
c:\windows\77af9ir519z.cpl
c:\windows\7892backdzo5410.exe
c:\windows\78b5ba9kdooz1628.cpl
c:\windows\790zadd5are1009.dll
c:\windows\799cbac5doorz693.exe
c:\windows\79c8backdooz5678.dll
c:\windows\7a40sp9r5ez074.ocx
c:\windows\7a589pywzre1658.ocx
c:\windows\7a7back5ozr1019.cpl
c:\windows\7ad2downlo9dzr16825.dll
c:\windows\7c2zs9eal1535.ocx
c:\windows\7c49addwarz5455.exe
c:\windows\7cfe5tezl1938.bin
c:\windows\7ed9thz5f1202.bin
c:\windows\7ezbd9wnloa5er1979.ocx
c:\windows\7ezthief9351.exe
c:\windows\7f13t9ze51095.cpl
c:\windows\7f63dowz5oader9426.bin
c:\windows\7fdzba5kdoor3094.exe
c:\windows\7z7b9ack5oor670.ocx
c:\windows\842s5yz9re900.bin
c:\windows\90b3a5zware1465.dll
c:\windows\90e0thre5t4497z.cpl
c:\windows\91222nzt-a-virus452.bin
c:\windows\91500spy151z.cpl
c:\windows\91a5threaz28914.ocx
c:\windows\93120hzckto5l7cc.ocx
c:\windows\934045pyz3b.exe
c:\windows\938z5orm453.dll
c:\windows\9459zpy765.cpl
c:\windows\950zsparse19.exe
c:\windows\9529dow5loadzr492.cpl
c:\windows\95553spyz29.dll
c:\windows\95d6s5arsz278.ocx
c:\windows\95evir27z7.ocx
c:\windows\9613hacktoolz599.bin
c:\windows\962th5efz272.exe
c:\windows\96839pamb5z7a.cpl
c:\windows\96d7steal221z5.ocx
c:\windows\96evir258z5.ocx
c:\windows\97145hzck5ool6f7.exe
c:\windows\973z1spam5ot30.cpl
c:\windows\97627spz7425.cpl
c:\windows\97699spyz5b.bin
c:\windows\98639py257z.dll
c:\windows\991fszarse2105.dll
c:\windows\9970spy3z65.exe
c:\windows\998z3virus575.bin
c:\windows\99dvir2635z.exe
c:\windows\99t5ief105z.bin
c:\windows\9aaddware5063z.ocx
c:\windows\9b25ddwaze2985.exe
c:\windows\9dd4vzr5715.dll
c:\windows\9z08threa524470.exe
c:\windows\9z29spy5389.bin
c:\windows\9z38sparse5468.bin
c:\windows\a1bspy9ar51697z.ocx
c:\windows\acc5iz8189.exe
c:\windows\af6b9ckzoor16535.cpl
c:\windows\az59ief2571.bin
c:\windows\d55s9arsz1365.cpl
c:\windows\deazown9oader956.bin
c:\windows\Installer\34b77d.msi
c:\windows\Installer\ad4a08.msi
c:\windows\system32\10048no95a-virus667z.cpl
c:\windows\system32\101szywa9e1105.exe
c:\windows\system32\115779roj3z5.ocx
c:\windows\system32\118z9troj3175.bin
c:\windows\system32\11zcspywar527139.bin
c:\windows\system32\12259zorm2d9.bin
c:\windows\system32\12543zpy4a59.exe
c:\windows\system32\127bbac9d5zr2681.ocx
c:\windows\system32\12809tea5z265.exe
c:\windows\system32\1286not-a-vizus895.exe
c:\windows\system32\12939t5zjd6.bin
c:\windows\system32\12995wzrm79a.exe
c:\windows\system32\133159zoj31.exe
c:\windows\system32\13566spambzt629.dll
c:\windows\system32\13912z5a9bot669.ocx
c:\windows\system32\139z5sp564e.exe
c:\windows\system32\140935iruszc5.exe
c:\windows\system32\1415tzoj6a9.ocx
c:\windows\system32\14569hreat61z.exe
c:\windows\system32\146dthiz5898.exe
c:\windows\system32\1475sp9r5e15z0.ocx
c:\windows\system32\14914z5oj149.dll
c:\windows\system32\14f5spzrse2459.bin
c:\windows\system32\15023nzt-9-virus255.ocx
c:\windows\system32\15071troj95z.dll
c:\windows\system32\153259zrm2395.dll
c:\windows\system32\153z1troj690.exe
c:\windows\system32\155fadzware1559.ocx
c:\windows\system32\155z9not-a-viru912f.bin
c:\windows\system32\15675not-a5v9zus92.dll
c:\windows\system32\156z5p93f.bin
c:\windows\system32\15895ir193z.dll
c:\windows\system32\15a9s9arse5z3.dll
c:\windows\system32\160129irusz35.dll
c:\windows\system32\16488nzt-a5virus1159.cpl
c:\windows\system32\165055acktoo9z8a.ocx
c:\windows\system32\16911vzrus9c5.bin
c:\windows\system32\16z57tro59a3.exe
c:\windows\system32\174bthr95t27z98.dll
c:\windows\system32\178z5spa9bot5c0.cpl
c:\windows\system32\17z95hacktoo9396.cpl
c:\windows\system32\180bdownlozde91586.dll
c:\windows\system32\182z9w5rm597.dll
c:\windows\system32\18351not-a9virusz91.exe
c:\windows\system32\18379viru95z1.exe
c:\windows\system32\185z2spamb9t39c.ocx
c:\windows\system32\18770z5rm7129.cpl
c:\windows\system32\1882t9zj5295.cpl
c:\windows\system32\18889zot9a-virus6fa5.exe
c:\windows\system32\189z95roj3a8.exe
c:\windows\system32\19267w9zm3fe5.bin
c:\windows\system32\194zwor5d3.dll
c:\windows\system32\1954zvirus14c5.exe
c:\windows\system32\197fspzware1095.dll
c:\windows\system32\19858worz405.ocx
c:\windows\system32\198z5virus7d75.cpl
c:\windows\system32\19928not-a-vir5s3cz.cpl
c:\windows\system32\19962zpambot158.cpl
c:\windows\system32\19z10w9r57e.exe
c:\windows\system32\19zvi5us93.exe
c:\windows\system32\1b2fbacz5oo91340.cpl
c:\windows\system32\1b5cdownzoader5719.exe
c:\windows\system32\1de8dowzloa9er2856.exe
c:\windows\system32\1e029hre5tz626.dll
c:\windows\system32\1e39th5ezt31284.bin
c:\windows\system32\1eefthr9zt9516.dll
c:\windows\system32\1f83spzware1459.bin
c:\windows\system32\1z197h5cktool688.bin
c:\windows\system32\1z3639p5mbot736.dll
c:\windows\system32\1z5cs5eal2095.ocx
c:\windows\system32\1zd5thi9f2012.ocx
c:\windows\system32\20091n5t-a-virus49ez.dll
c:\windows\system32\2034addwarez159.bin
c:\windows\system32\203z8virus995.dll
c:\windows\system32\20597not-a-9irus178z.bin
c:\windows\system32\206z9pa5bot2be.dll
c:\windows\system32\20908hack5ooz753.ocx
c:\windows\system32\21557spamboze9.ocx
c:\windows\system32\2185zworm12d9.bin
c:\windows\system32\21cazhi9f5474.ocx
c:\windows\system32\22019tz59670.cpl
c:\windows\system32\22753not-9-virus2z4.bin
c:\windows\system32\22935tzoj6109.ocx
c:\windows\system32\22fd9ackd5or138z.cpl
c:\windows\system32\23206spaz9ot2e5.dll
c:\windows\system32\23405wzrm4a99.cpl
c:\windows\system32\23406t9z56ba.bin
c:\windows\system32\23568wozm49d.ocx
c:\windows\system32\23581wormz99.cpl
c:\windows\system32\240z35pambo9623.ocx
c:\windows\system32\242faddwar5z5709.exe
c:\windows\system32\2435ztroj109.cpl
c:\windows\system32\245a5ackdzor15209.ocx
c:\windows\system32\24955spamzot19d.cpl
c:\windows\system32\24e9dzwnloader1665.cpl
c:\windows\system32\25101tzo9556.bin
c:\windows\system32\25296woz9581.ocx
c:\windows\system32\25296zir5s649.dll
c:\windows\system32\25386not-a-v5ru9adz.bin
c:\windows\system32\25473trzj69.exe
c:\windows\system32\25599wzr9204.cpl
c:\windows\system32\25695worm2z5.bin
c:\windows\system32\256zs9arse1148.ocx
c:\windows\system32\25755z5y529.cpl
c:\windows\system32\25814hazktoo9445.ocx
c:\windows\system32\258z2troj79f.ocx
c:\windows\system32\25b9stea9z471.bin
c:\windows\system32\25fvir915z.bin
c:\windows\system32\26809hack5ool1zc.bin
c:\windows\system32\27589vzru935a.bin
c:\windows\system32\28439troj55z.ocx
c:\windows\system32\28663hackto5lz99.ocx
c:\windows\system32\29025spamzot6c7.bin
c:\windows\system32\29536zorm7e5.cpl
c:\windows\system32\29552hacktooz10a.cpl
c:\windows\system32\2974spywa5z2323.dll
c:\windows\system32\297825ot-a-vi9zs53d.cpl
c:\windows\system32\297fdownloaderz275.exe
c:\windows\system32\297zvir2539.bin
c:\windows\system32\2994ztr5jce.cpl
c:\windows\system32\29956z5ru9259.cpl
c:\windows\system32\299925py9za.exe
c:\windows\system32\2ac5t5reat9z74.cpl
c:\windows\system32\2bz7th5eat11799.dll
c:\windows\system32\2c10zt5a93008.cpl
c:\windows\system32\2cb79zdw5re2625.bin
c:\windows\system32\2cbds59rse3z67.cpl
c:\windows\system32\2cz95ir594.cpl
c:\windows\system32\2d6a5hreat19958z.bin
c:\windows\system32\2d8adow9zo5der1122.cpl
c:\windows\system32\2de5b9ckdoo5201z.cpl
c:\windows\system32\2z202h9cktool593.exe
c:\windows\system32\2z307hack9ool3535.cpl
c:\windows\system32\2z599troj516.cpl
c:\windows\system32\2z5e9ir2597.exe
c:\windows\system32\2z8479pambot545.dll
c:\windows\system32\2z994v59us7ed.dll
c:\windows\system32\2zsparse7529.dll
c:\windows\system32\drivers\ESQULphiennvwwrunxuuuhehpunjhyvybjtno.sys
c:\windows\system32\ESQULbejrodwroqrvqoaulnpubrfuwglynqqj.dll
c:\windows\system32\ESQULkxheoyxjskhkvkmilmkfwgskqfdtbvlm.dll
c:\windows\system32\ESQULzcounter
c:\windows\z0256troj389.cpl
c:\windows\z1573s5ambot7df9.exe
c:\windows\z2158t9oj556.exe
c:\windows\z454viru95c75.dll
c:\windows\z5459troj5ce.dll
c:\windows\z56espy9are957.cpl
c:\windows\z6555tro95f2.ocx
c:\windows\z65bspywa9e819.exe
c:\windows\z7945w9rm655.ocx
c:\windows\z809th5e91891.dll
c:\windows\z82bdown9oader5834.exe
c:\windows\z869thief2605.ocx
c:\windows\z8dspyw95e582.bin
c:\windows\z8f7thre9t57353.ocx
c:\windows\z9202sp57de9.dll
c:\windows\z9345hacktoo565c.exe
c:\windows\za73t5re9t15526.dll
c:\windows\zba5addwar52987.ocx
c:\windows\zcfs9yware22655.bin
c:\windows\zd2559dware3124.ocx
c:\windows\zd5addware1519.dll
c:\windows\zea9thief5222.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-25 22:50 . 2010-03-25 22:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
2010-03-25 22:49 . 2010-03-25 22:52 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server
2010-03-25 22:49 . 2010-03-25 22:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
2010-03-25 02:21 . 2010-03-25 02:21 52224 ----a-w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-25 02:21 . 2010-03-25 02:21 117760 ----a-w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-25 02:21 . 2010-03-25 02:21 -------- d-----w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com
2010-03-25 01:44 . 2010-03-25 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 16:20 . 2010-03-19 16:20 0 ----a-w- c:\windows\system32\cd.dat
2010-03-15 16:44 . 2010-03-15 16:44 52224 ----a-w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-15 16:43 . 2010-03-15 16:43 117760 ----a-w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-15 16:43 . 2010-03-15 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-15 16:43 . 2010-03-25 22:55 -------- d-----w- c:\program files\maiden2a
2010-03-15 16:43 . 2010-03-15 16:43 -------- d-----w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
2010-03-15 16:42 . 2010-03-15 16:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-14 15:36 . 2010-03-14 15:36 92856 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 06:08 . 2010-03-14 06:08 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-14 05:36 . 2009-11-14 00:49 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-14 05:36 . 2009-11-14 00:49 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-14 05:36 . 2009-11-14 00:49 129784 ------w- c:\windows\system32\pxafs.dll
2010-03-14 05:24 . 2010-03-14 05:30 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-14 05:24 . 2010-03-14 05:40 -------- d-----w- c:\program files\DivX
2010-03-14 05:06 . 2010-03-22 21:59 40448 ----a-w- c:\windows\bcygea.exe
2010-03-01 00:36 . 2010-03-01 00:36 13264416 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\Dropbox.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 22:56 . 2008-11-10 00:34 -------- d-----w- c:\documents and settings\Family\Application Data\skypePM
2010-03-25 22:55 . 2010-03-25 22:55 40448 ----a-w- c:\documents and settings\Family\rundll32.exe
2010-03-25 22:55 . 2009-12-22 01:18 -------- d-----w- c:\program files\iTunes
2010-03-25 22:55 . 2008-02-02 21:47 -------- d-----w- c:\program files\QuickTime
2010-03-25 22:55 . 2007-11-24 02:38 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-25 22:55 . 2009-08-01 03:43 -------- d-----w- c:\program files\AIM6
2010-03-25 22:55 . 2009-11-26 18:43 -------- d-----w- c:\program files\Sandboxie
2010-03-25 22:54 . 2009-12-14 03:55 -------- d-----w- c:\documents and settings\Family\Application Data\Dropbox
2010-03-25 22:42 . 2007-11-24 02:38 40448 ----a-w- c:\windows\system32\hkcmd .exe
2010-03-25 22:30 . 2008-11-10 00:33 -------- d-----w- c:\documents and settings\Family\Application Data\Skype
2010-03-25 02:30 . 2009-07-30 04:34 -------- d-----w- c:\documents and settings\Family\Application Data\Feedreader
2010-03-22 22:12 . 2009-07-22 17:33 -------- d-----w- c:\program files\zztoy
2010-03-15 05:26 . 2009-09-27 20:36 -------- d-----w- c:\documents and settings\Family\Application Data\vlc
2010-03-14 05:08 . 2005-09-20 16:36 40448 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-01 00:36 . 2009-12-14 03:55 91696 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\Uninstall.exe
2010-01-25 05:36 . 2010-01-25 05:36 5853176 ----a-w- c:\windows\Call of Duty 4.scr
2010-01-25 05:22 . 2009-08-12 03:43 -------- d-----w- c:\program files\Hotspot Shield
2010-01-02 18:29 . 2008-05-26 07:02 1 ----a-w- c:\documents and settings\Family\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 22:52 . 2008-01-23 00:20 92856 ----a-w- c:\documents and settings\Family_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\AIM6\aim6 .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Common Files\Sonic\Update Manager\sgtray .exe
c:\program files\Google\Google Talk\googletalk .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\maiden2a\superantispyware .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Musicmatch\Musicmatch Jukebox\mimboot .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\RapidSolution\Tunebite\tunebite .exe
c:\program files\Razer\Habu\razerhid .exe
c:\program files\Sandboxie\sbiectrl .exe
c:\program files\Siber Systems\AI RoboForm\robotaskbaricon .exe
c:\program files\Skype\Phone\skype .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\dla\tfswctrl .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tunebite"="c:\program files\RapidSolution\Tunebite\Tunebite.exe" [2010-03-25 40448]
"Google Update"="c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-25 40448]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-25 40448]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-03-25 40448]
"feedreader.exe"="c:\documents and settings\Family\My Documents\Downloads\FeedReader314Setup\feedreader.exe" [2010-03-25 40448]
"Aim6"="c:\program files\AIM6\aim6.exe" [2010-03-25 40448]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-25 40448]
"SUPERAntiSpyware"="c:\program files\maiden2a\SUPERAntiSpyware.exe" [2010-03-25 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2010-03-25 40448]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2010-03-25 40448]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-03-25 40448]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2010-03-25 40448]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2010-03-25 40448]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-03-25 40448]
"Habu"="c:\program files\Razer\Habu\razerhid.exe" [2010-03-25 40448]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-25 40448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-25 40448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 40448]
"putokeruwu"="kenefafa.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-25 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Family\Application Data\SystemProc\lsass.exe" [N/A]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Family\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
Slacker Tray App.lnk - c:\program files\Slacker\Software Player\slacker.tray.exe [2008-3-3 262848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-11-23 82026]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NT-USB54M Wireless Client Utility.lnk - c:\program files\iMicro\NT-USB54M\Installer\WINXP\NT-USB54M Wireless Client Utility.exe [2009-11-6 598016]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-10 525640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\maiden2a\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\maiden2a\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-31 03:06 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.tray.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.jukebox.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.jukebox.launch.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Family\\My Documents\\utorrent-1.6.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.player.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Family\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\maiden2a\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\maiden2a\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/22/2009 12:12 PM 108289]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [1/8/2010 6:42 PM 285744]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/31/2009 10:44 PM 24652]
R3 SASENUM;SASENUM;c:\program files\maiden2a\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [5/13/2008 7:23 PM 508544]
S3 DrmCVideo32;DrmCVideo32;c:\windows\system32\drivers\DrmCVideo32.sys [5/13/2008 7:23 PM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-25 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:55]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-115176313-725345543-1004Core.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:55]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-115176313-725345543-1004UA.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:55]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: clubbing.com
Trusted Zone: live.com\login
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\qdru5n14.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&q=
FF - plugin: c:\documents and settings\Family\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{805758c9-3f01-43b7-ad83-282e4a2d340f} - romipuja.dll
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Family\Application Data\SystemProc\lsass.exe??????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\hkcmd .exe 40448 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,3b,8f,4a,04,bc,51,4d,93,fc,55,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,3b,8f,4a,04,bc,51,4d,93,fc,55,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\program files\maiden2a\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\WININET.dll
c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\analog devices\core\smax4pnp .exe
c:\program files\google\google talk\googletalk .exe
c:\progra~1\musicm~1\musicm~1\MMDiag.exe
c:\program files\razer\habu\razerhid .exe
c:\program files\java\jre6\bin\jusched .exe
c:\program files\razer\habu\razerofa.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\program files\siber systems\ai roboform\robotaskbaricon .exe
c:\program files\itunes\ituneshelper .exe
c:\program files\sandboxie\sbiectrl .exe
c:\program files\aim6\aim6 .exe
c:\documents and settings\family\local settings\application data\google\update\googleupdate .exe
c:\program files\skype\phone\skype .exe
c:\program files\maiden2a\superantispyware .exe
c:\documents and settings\Family\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-03-25 18:04:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 23:04

Pre-Run: 13,960,749,056 bytes free
Post-Run: 14,207,021,056 bytes free

- - End Of File - - 890F7CBC2E936FF8E2CCE9555E3BFED1


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 March 2010 - 04:19 PM

Please don't put the log in the code box.

Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/304715/cant-access-internet-and-more/
collect::
c:\documents and settings\Family\rundll32.exe
c:\documents and settings\Family\Application Data\SystemProc\lsass.exe
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\AIM6\aim6 .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Common Files\Sonic\Update Manager\sgtray .exe
c:\program files\Google\Google Talk\googletalk .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\maiden2a\superantispyware .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Musicmatch\Musicmatch Jukebox\mimboot .exe
c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe
c:\program files\RapidSolution\Tunebite\tunebite .exe
c:\program files\Razer\Habu\razerhid .exe
c:\program files\Sandboxie\sbiectrl .exe
c:\program files\Siber Systems\AI RoboForm\robotaskbaricon .exe
c:\program files\Skype\Phone\skype .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\dla\tfswctrl .exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"=-
AtJob::
DDS::
Trusted Zone: clubbing.com


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

**Important Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
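What the RenV:: section of that script asks ComboFix to do, worked through as an added example (this is not ComboFix's code, which the thread never shows): every listed "prog .exe", with a space before the extension, is a legitimate autostart binary the infection renamed, and an impostor was dropped under the real name. The script below finds such pairs in one directory, moves the impostor to a quarantine folder and renames the original back. The 40448-byte impostor size is the one visible in the logs in this thread; the throwaway directory it builds, the quarantine naming, and the rule of leaving a pair alone when the companion under the real name is not the known impostor are the example's own assumptions.

```python
"""Offline re-creation of the rename-back step a RenV:: entry requests.

Pattern from the logs in this thread: "prog.exe" is renamed to "prog .exe"
(one or more spaces before the extension) and a 40448-byte impostor is
dropped as "prog.exe". Restoring means: quarantine the impostor, then rename
"prog .exe" back to "prog.exe". ComboFix's own implementation is not on the
page; this is an independent approximation (assumed behaviour).
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass, field

# Size of every impostor seen in the logs above. Assumed to be the only
# impostor size for this demo; a real triage would also hash the files.
IMPOSTOR_SIZE = 40448

# "prog .exe": a stem, one or more spaces, then the extension.
RENAMED_ORIGINAL = re.compile(r"^(?P<stem>.+?) +\.exe$", re.IGNORECASE)


@dataclass
class RestoreReport:
    restored: list = field(default_factory=list)     # originals renamed back
    quarantined: list = field(default_factory=list)  # impostors moved aside
    skipped: list = field(default_factory=list)      # pairs left for a human


def find_renamed_originals(directory):
    """Return (renamed_path, true_path) pairs present in one directory."""
    pairs = []
    for name in sorted(os.listdir(directory)):
        m = RENAMED_ORIGINAL.match(name)
        if m:
            true_name = m.group("stem") + ".exe"
            pairs.append((os.path.join(directory, name),
                          os.path.join(directory, true_name)))
    return pairs


def restore_directory(directory, quarantine_dir, report=None):
    """Undo the rename/replace trick in one directory (not recursive)."""
    if report is None:
        report = RestoreReport()
    os.makedirs(quarantine_dir, exist_ok=True)
    for renamed, true_path in find_renamed_originals(directory):
        if os.path.exists(true_path):
            if os.path.getsize(true_path) != IMPOSTOR_SIZE:
                # The file under the real name is not the known impostor:
                # do not guess, leave both files for manual inspection.
                report.skipped.append(true_path)
                continue
            dest = os.path.join(
                quarantine_dir,
                f"{len(report.quarantined)}_{os.path.basename(true_path)}")
            shutil.move(true_path, dest)
            report.quarantined.append(dest)
        os.rename(renamed, true_path)
        report.restored.append(true_path)
    return report


def demo():
    """Build a throwaway directory mirroring the pattern in the logs
    (constructed sample, not the poster's machine), clean it, and return a
    summary of what happened."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    target = os.path.join(root, "Sandboxie")
    os.makedirs(target)

    def write(name, size):
        with open(os.path.join(target, name), "wb") as fh:
            fh.write(b"\0" * size)

    write("sbiectrl .exe", 380416)        # legitimate binary, renamed away
    write("sbiectrl.exe", IMPOSTOR_SIZE)  # impostor under the real name
    write("qttask .exe", 1234)            # original whose impostor is gone
    write("setup .exe", 10)               # pair whose companion is NOT the impostor
    write("setup.exe", 20)

    report = restore_directory(target, os.path.join(root, "quarantine"))
    summary = {
        "restored": sorted(os.path.basename(p) for p in report.restored),
        "quarantined": len(report.quarantined),
        "skipped": sorted(os.path.basename(p) for p in report.skipped),
        "sizes": {n: os.path.getsize(os.path.join(target, n))
                  for n in sorted(os.listdir(target))},
    }
    shutil.rmtree(root)
    return summary


if __name__ == "__main__":
    print(demo())
```

The size check is the important caveat: a "prog .exe" whose companion is some other, unrelated file is left untouched rather than overwritten, which is the conservative choice when a rename tool runs unattended.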

#6 Whirly

Whirly
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:57 PM

Posted 27 March 2010 - 10:39 AM

QUOTE
ComboFix 10-03-25.04 - Family 03/26/2010 16:29:39.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.222 [GMT -5:00]
Running from: c:\documents and settings\Family\Desktop\Whirly.exe
Command switches used :: c:\documents and settings\Family\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\documents and settings\Family\rundll32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Family\rundll32.exe
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-25 23:11 . 2010-03-25 23:11 -------- d-----w- c:\windows\LastGood
2010-03-25 02:21 . 2010-03-25 02:21 52224 ----a-w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-25 02:21 . 2010-03-25 02:21 117760 ----a-w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-25 02:21 . 2010-03-25 02:21 -------- d-----w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com
2010-03-25 01:44 . 2010-03-25 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 16:20 . 2010-03-19 16:20 0 ----a-w- c:\windows\system32\cd.dat
2010-03-15 16:44 . 2010-03-15 16:44 52224 ----a-w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-15 16:43 . 2010-03-15 16:43 117760 ----a-w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-15 16:43 . 2010-03-15 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-15 16:43 . 2010-03-26 21:29 -------- d-----w- c:\program files\maiden2a
2010-03-15 16:43 . 2010-03-15 16:43 -------- d-----w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
2010-03-15 16:42 . 2010-03-15 16:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-14 15:36 . 2010-03-14 15:36 92856 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 06:08 . 2010-03-14 06:08 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-14 05:36 . 2009-11-14 00:49 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-14 05:36 . 2009-11-14 00:49 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-14 05:36 . 2009-11-14 00:49 129784 ------w- c:\windows\system32\pxafs.dll
2010-03-14 05:24 . 2010-03-14 05:30 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-14 05:24 . 2010-03-14 05:40 -------- d-----w- c:\program files\DivX
2010-03-14 05:06 . 2010-03-22 21:59 40448 ----a-w- c:\windows\bcygea.exe
2010-03-01 00:36 . 2010-03-01 00:36 13264416 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\Dropbox.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 21:29 . 2009-11-26 18:43 -------- d-----w- c:\program files\Sandboxie
2010-03-26 21:29 . 2008-02-02 21:47 -------- d-----w- c:\program files\QuickTime
2010-03-26 21:29 . 2009-12-22 01:18 -------- d-----w- c:\program files\iTunes
2010-03-26 21:29 . 2009-08-01 03:43 -------- d-----w- c:\program files\AIM6
2010-03-25 22:56 . 2008-11-10 00:34 -------- d-----w- c:\documents and settings\Family\Application Data\skypePM
2010-03-25 22:54 . 2009-12-14 03:55 -------- d-----w- c:\documents and settings\Family\Application Data\Dropbox
2010-03-25 22:42 . 2007-11-24 02:38 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-25 22:30 . 2008-11-10 00:33 -------- d-----w- c:\documents and settings\Family\Application Data\Skype
2010-03-25 02:30 . 2009-07-30 04:34 -------- d-----w- c:\documents and settings\Family\Application Data\Feedreader
2010-03-22 22:12 . 2009-07-22 17:33 -------- d-----w- c:\program files\zztoy
2010-03-15 05:26 . 2009-09-27 20:36 -------- d-----w- c:\documents and settings\Family\Application Data\vlc
2010-03-14 05:08 . 2005-09-20 16:36 40448 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-01 00:36 . 2009-12-14 03:55 91696 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\Uninstall.exe
2010-01-25 05:36 . 2010-01-25 05:36 5853176 ----a-w- c:\windows\Call of Duty 4.scr
2010-01-02 18:29 . 2008-05-26 07:02 1 ----a-w- c:\documents and settings\Family\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 22:52 . 2008-01-23 00:20 92856 ----a-w- c:\documents and settings\Family_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tunebite"="c:\program files\RapidSolution\Tunebite\Tunebite.exe" [2010-03-14 40448]
"Google Update"="c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-25 40448]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-05-14 160592]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-05-28 380416]
"feedreader.exe"="c:\documents and settings\Family\My Documents\Downloads\FeedReader314Setup\feedreader.exe" [2010-03-25 40448]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]
"SUPERAntiSpyware"="c:\program files\maiden2a\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-03-25 40448]
"Habu"="c:\program files\Razer\Habu\razerhid.exe" [2006-08-23 159744]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-05-14 160592]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Family\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
Slacker Tray App.lnk - c:\program files\Slacker\Software Player\slacker.tray.exe [2008-3-3 262848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-11-23 82026]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NT-USB54M Wireless Client Utility.lnk - c:\program files\iMicro\NT-USB54M\Installer\WINXP\NT-USB54M Wireless Client Utility.exe [2009-11-6 598016]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-10 525640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\maiden2a\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\maiden2a\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-31 03:06 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.tray.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.jukebox.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.jukebox.launch.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Family\\My Documents\\utorrent-1.6.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.player.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Family\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\maiden2a\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\maiden2a\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/22/2009 12:12 PM 108289]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [1/8/2010 6:42 PM 285744]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/31/2009 10:44 PM 24652]
R3 SASENUM;SASENUM;c:\program files\maiden2a\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [5/13/2008 7:23 PM 508544]
S3 DrmCVideo32;DrmCVideo32;c:\windows\system32\drivers\DrmCVideo32.sys [5/13/2008 7:23 PM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-115176313-725345543-1004Core.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:55]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-115176313-725345543-1004UA.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:55]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: live.com\login
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\qdru5n14.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&q=
FF - plugin: c:\documents and settings\Family\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-putokeruwu - kenefafa.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 16:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,3b,8f,4a,04,bc,51,4d,93,fc,55,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,3b,8f,4a,04,bc,51,4d,93,fc,55,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\program files\maiden2a\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-03-26 16:44:28
ComboFix-quarantined-files.txt 2010-03-26 21:44
ComboFix2.txt 2010-03-25 23:05

Pre-Run: 14,202,052,608 bytes free
Post-Run: 14,157,205,504 bytes free

- - End Of File - - 1F728683F578D203D675B630C08442E7
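An added triage script, not part of the thread and not a ComboFix feature, that automates three checks a responder would make on a log like the one above: autostart entries whose executables share one identical byte size across unrelated programs, a run of At*.job scheduled tasks, and an AppCertDlls entry that points outside system32. The sample lines are constructed from excerpts of the logs in this thread; the minimum cluster size of three and the "outside system32" rule are this example's assumptions.

```python
"""Triage helpers for ComboFix-style log lines, run over a constructed sample.

Unrelated programs (an AV tray icon, a media player, a sandbox control
panel) have no reason to be byte-for-byte the same length; when many
autostart targets report one identical size, one dropper has overwritten
them all. The other two checks flag the At1.job..At24.job burst and an
AppCertDlls loader living in a user profile. Thresholds are assumptions.
"""
import re
from collections import defaultdict

# "Name"="path and args" [YYYY-MM-DD size]   or   "Name"="..." [X]
RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s+\[(?P<meta>[^\]]*)\]$')
# Cut trailing arguments such as " -atboottime" off the value.
EXE_PATH = re.compile(r'^(?P<path>.*?\.exe)(?:\s.*)?$', re.IGNORECASE)
AT_JOB = re.compile(r'^c:\\windows\\tasks\\at\d+\.job$', re.IGNORECASE)
APPCERT = re.compile(r'^AppSecDll\s+REG_SZ\s+(?P<path>\S.*)$')

# Constructed sample: shortened excerpts of the logs posted in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tunebite"="c:\program files\RapidSolution\Tunebite\Tunebite.exe" [2010-03-26 40448]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-26 40448]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-03-26 40448]
"Aim6"="c:\program files\AIM6\aim6.exe" [2010-03-26 40448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-03-26 40448]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
'''.strip().splitlines()


def parse_run_entries(lines):
    """Return [{name, path, size}] for every Run-key line; size is None
    when ComboFix printed [X], i.e. the file was not found on disk."""
    entries = []
    for line in lines:
        m = RUN_ENTRY.match(line.strip())
        if not m:
            continue
        pm = EXE_PATH.match(m.group("value"))
        path = pm.group("path") if pm else m.group("value")
        meta = m.group("meta").split()
        size = int(meta[1]) if len(meta) == 2 and meta[1].isdigit() else None
        entries.append({"name": m.group("name"), "path": path, "size": size})
    return entries


def shared_size_clusters(entries, min_members=3):
    """Sizes reported by at least `min_members` distinct executables."""
    by_size = defaultdict(set)
    for e in entries:
        if e["size"] is not None:
            by_size[e["size"]].add(e["path"].lower())
    return {size: sorted(paths) for size, paths in by_size.items()
            if len(paths) >= min_members}


def count_at_jobs(lines):
    """Number of c:\\windows\\Tasks\\AtN.job lines (bulk at.exe jobs)."""
    return sum(1 for line in lines if AT_JOB.match(line.strip()))


def appcertdlls_outside_system32(lines):
    """AppCertDlls entries whose DLL does not live under system32.
    Such a DLL is loaded into every process that calls CreateProcess,
    so a copy in a service profile is a strong persistence indicator."""
    hits = []
    for line in lines:
        m = APPCERT.match(line.strip())
        if m and not m.group("path").lower().startswith(r"c:\windows\system32"):
            hits.append(m.group("path"))
    return hits


def triage(lines):
    entries = parse_run_entries(lines)
    return {
        "run_entries": len(entries),
        "missing": sorted(e["name"] for e in entries if e["size"] is None),
        "size_clusters": shared_size_clusters(entries),
        "at_jobs": count_at_jobs(lines),
        "appcertdlls": appcertdlls_outside_system32(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample the size cluster contains five unrelated programs at 40448 bytes while the antivirus tray entry keeps its own size, the [X] entry surfaces the renamed "qttask .exe", and the AppCertDlls check flags the DLL under the NetworkService profile.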


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 AM

Posted 27 March 2010 - 06:11 PM

Well done.

Please don't put the log in the quote box. Thank you.

  1. I recommend you uninstall this adware/spyware-related software via Add/Remove programs:

    Swag_Bucks Toolbar

  2. Open notepad and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/304715/cant-access-internet-and-more/

    Collect::
    c:\windows\bcygea.exe
    Dirlook::
    c:\program files\zztoy
    c:\documents and settings\Family\Application Data\vlc
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-


    Save this as CFScript.txt





    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  3. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  4. Run CCleaner (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked). Then click run cleaner.

  5. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  6. Tell me how your computer is running.




#8 Whirly

Whirly
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:57 PM

Posted 27 March 2010 - 08:54 PM

Combofix Log:

ComboFix 10-03-25.04 - Family 03/27/2010 18:43:20.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.205 [GMT -5:00]
Running from: c:\documents and settings\Family\Desktop\Whirly.exe
Command switches used :: c:\documents and settings\Family\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\windows\bcygea.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\bcygea.exe
c:\windows\system32\hkcmd .exe

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-25 23:11 . 2010-03-25 23:11 -------- d-----w- c:\windows\LastGood
2010-03-25 02:21 . 2010-03-25 02:21 52224 ----a-w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-25 02:21 . 2010-03-25 02:21 117760 ----a-w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-25 02:21 . 2010-03-25 02:21 -------- d-----w- c:\documents and settings\Family_2\Application Data\SUPERAntiSpyware.com
2010-03-25 01:44 . 2010-03-25 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 16:20 . 2010-03-19 16:20 0 ----a-w- c:\windows\system32\cd.dat
2010-03-15 16:44 . 2010-03-15 16:44 52224 ----a-w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-15 16:43 . 2010-03-15 16:43 117760 ----a-w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-15 16:43 . 2010-03-15 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-15 16:43 . 2010-03-26 22:01 -------- d-----w- c:\program files\maiden2a
2010-03-15 16:43 . 2010-03-15 16:43 -------- d-----w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
2010-03-15 16:42 . 2010-03-15 16:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-14 15:36 . 2010-03-14 15:36 92856 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 06:08 . 2010-03-14 06:08 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-14 05:36 . 2009-11-14 00:49 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-14 05:36 . 2009-11-14 00:49 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-14 05:36 . 2009-11-14 00:49 129784 ------w- c:\windows\system32\pxafs.dll
2010-03-14 05:24 . 2010-03-14 05:30 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-14 05:24 . 2010-03-14 05:40 -------- d-----w- c:\program files\DivX
2010-03-01 00:36 . 2010-03-01 00:36 13264416 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\Dropbox.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 22:01 . 2009-12-22 01:18 -------- d-----w- c:\program files\iTunes
2010-03-26 22:01 . 2008-02-02 21:47 -------- d-----w- c:\program files\QuickTime
2010-03-26 22:01 . 2007-11-24 02:38 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-26 22:01 . 2009-08-01 03:43 -------- d-----w- c:\program files\AIM6
2010-03-26 22:01 . 2009-11-26 18:43 -------- d-----w- c:\program files\Sandboxie
2010-03-25 22:56 . 2008-11-10 00:34 -------- d-----w- c:\documents and settings\Family\Application Data\skypePM
2010-03-25 22:54 . 2009-12-14 03:55 -------- d-----w- c:\documents and settings\Family\Application Data\Dropbox
2010-03-25 22:30 . 2008-11-10 00:33 -------- d-----w- c:\documents and settings\Family\Application Data\Skype
2010-03-25 02:30 . 2009-07-30 04:34 -------- d-----w- c:\documents and settings\Family\Application Data\Feedreader
2010-03-22 22:12 . 2009-07-22 17:33 -------- d-----w- c:\program files\zztoy
2010-03-15 05:26 . 2009-09-27 20:36 -------- d-----w- c:\documents and settings\Family\Application Data\vlc
2010-03-14 05:08 . 2005-09-20 16:36 40448 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-01 00:36 . 2009-12-14 03:55 91696 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\Uninstall.exe
2010-01-25 05:36 . 2010-01-25 05:36 5853176 ----a-w- c:\windows\Call of Duty 4.scr
2010-01-02 18:29 . 2008-05-26 07:02 1 ----a-w- c:\documents and settings\Family\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 22:52 . 2008-01-23 00:20 92856 ----a-w- c:\documents and settings\Family_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\AIM6\aim6 .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Common Files\Sonic\Update Manager\sgtray .exe
c:\program files\Google\Google Talk\googletalk .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\maiden2a\superantispyware .exe
c:\program files\Musicmatch\Musicmatch Jukebox\mimboot .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\RapidSolution\Tunebite\tunebite .exe
c:\program files\Razer\Habu\razerhid .exe
c:\program files\Sandboxie\sbiectrl .exe
c:\program files\Siber Systems\AI RoboForm\robotaskbaricon .exe
c:\program files\Skype\Phone\skype .exe
c:\windows\system32\dla\tfswctrl .exe


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Family\Application Data\vlc ----

2010-02-01 03:01 . 2010-02-01 03:01 92743 ----a-w- c:\documents and settings\Family\Application Data\vlc\art\artistalbum\Rob Zombie\Hellbilly Deluxe 2\art.jpg
2010-01-13 22:38 . 2010-02-26 04:13 307637 ----a-w- c:\documents and settings\Family\Application Data\vlc\cache\plugins-04041e.dat
2010-01-13 22:38 . 2010-02-26 04:13 193 ----a-w- c:\documents and settings\Family\Application Data\vlc\cache\CACHEDIR.TAG
2009-09-27 20:46 . 2010-03-15 05:26 193 ----a-w- c:\documents and settings\Family\Application Data\vlc\CACHEDIR.TAG
2009-09-27 20:46 . 2010-03-15 05:26 383799 ----a-w- c:\documents and settings\Family\Application Data\vlc\plugins-04041e.dat
2009-09-27 20:46 . 2010-03-15 05:26 614 ----a-w- c:\documents and settings\Family\Application Data\vlc\vlc-qt-interface.ini
2009-09-27 20:46 . 2010-03-15 05:26 304 ----a-w- c:\documents and settings\Family\Application Data\vlc\ml.xspf
2009-09-27 20:36 . 2010-03-15 05:26 70126 ----a-w- c:\documents and settings\Family\Application Data\vlc\vlcrc

---- Directory of c:\program files\zztoy ----

2009-07-22 17:33 . 2009-07-13 18:36 70928 ----a-w- c:\program files\zztoy\mbamext.dll


((((((((((((((((((((((((((((( SnapShot@2010-03-26_21.40.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-24 02:11 . 2010-03-26 22:01 40448 c:\windows\system32\dla\tfswctrl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwa1.dll" [2009-11-27 2166296]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tunebite"="c:\program files\RapidSolution\Tunebite\Tunebite.exe" [2010-03-26 40448]
"Google Update"="c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-25 40448]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-26 40448]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-03-26 40448]
"feedreader.exe"="c:\documents and settings\Family\My Documents\Downloads\FeedReader314Setup\feedreader.exe" [2010-03-26 40448]
"Aim6"="c:\program files\AIM6\aim6.exe" [2010-03-26 40448]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-26 40448]
"SUPERAntiSpyware"="c:\program files\maiden2a\SUPERAntiSpyware.exe" [2010-03-26 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2010-03-26 40448]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2010-03-26 40448]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-03-26 40448]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2010-03-26 40448]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2010-03-26 40448]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-03-26 40448]
"Habu"="c:\program files\Razer\Habu\razerhid.exe" [2010-03-26 40448]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-26 40448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-26 40448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 40448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-26 40448]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Family\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
Slacker Tray App.lnk - c:\program files\Slacker\Software Player\slacker.tray.exe [2008-3-3 262848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-11-23 82026]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NT-USB54M Wireless Client Utility.lnk - c:\program files\iMicro\NT-USB54M\Installer\WINXP\NT-USB54M Wireless Client Utility.exe [2009-11-6 598016]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-10 525640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\maiden2a\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\maiden2a\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-31 03:06 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.tray.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.jukebox.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.jukebox.launch.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Family\\My Documents\\utorrent-1.6.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.player.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Family\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\maiden2a\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\maiden2a\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/22/2009 12:12 PM 108289]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [1/8/2010 6:42 PM 285744]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/31/2009 10:44 PM 24652]
R3 SASENUM;SASENUM;c:\program files\maiden2a\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [5/13/2008 7:23 PM 508544]
S3 DrmCVideo32;DrmCVideo32;c:\windows\system32\drivers\DrmCVideo32.sys [5/13/2008 7:23 PM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-115176313-725345543-1004Core.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:55]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-115176313-725345543-1004UA.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:55]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: live.com\login
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\qdru5n14.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&q=
FF - plugin: c:\documents and settings\Family\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\program files\maiden2a\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-03-27 18:58:52
ComboFix-quarantined-files.txt 2010-03-27 23:58
ComboFix2.txt 2010-03-26 21:44
ComboFix3.txt 2010-03-25 23:05

Pre-Run: 14,172,172,288 bytes free
Post-Run: 14,151,335,936 bytes free

- - End Of File - - 7F0B533697952AB128C1FD97FD25CD13


MB Log:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/27/2010 7:49:09 PM
mbam-log-2010-03-27 (19-49-09).txt

Scan type: Quick Scan
Objects scanned: 124809
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Family\Local Settings\temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.



My computer is running pretty much exactly the same: Malwarebytes picked up the same things that SAS picked up, which I originally posted, and I still can't connect to the internet via a browser. After the initial ComboFix, though, my wireless adapter can connect to the router and establish a connection, but that connection cannot be transmitted to the Windows wireless connection thing; it constantly says "Wireless Network Connection 4" has limited or no connection. Why it is 4 I have no idea, as it was not this prior to the virus.


#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 AM

Posted 28 March 2010 - 06:51 AM

Just to let you know, your system is infected with a file infector. We repaired the infected files in the second run of ComboFix, but they got infected again.
One of the reasons is that the file infector infects the running processes, and you have too many unneeded running processes. I'm going to narrow down the malware territory by removing those unneeded startup entries. This means some of the programs and utilities will not start with Windows any more and should be started when you need them. We can restore those entries at the end if you want.

For the time being, the computer should not be used or rebooted frequently, as the infector infects and reinfects the running processes of those programs you run.
I need you to read the instructions fully and carefully and carry them out as they are. Then give me feedback when you have done it, or if something prevented you from doing it.
    • Did you perform step 1 from the previous post? I still see the entries in the log. If not, please uninstall the Swag_Bucks Toolbar right now. If you decide to keep it anyway, please don't proceed with the ComboFix step and let me know, because I've listed the entries for removal. Of course, you can install it again after we are done if you insist on using it.
    • Did you try to update MBAM as instructed and get an error? The version is not updated, and you don't mention any error while trying to update.
    • If you have no internet connection, how come the Microsoft Recovery Console is installed? Was it already installed, or was ComboFix able to connect to the internet and download it?

  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Export the three Run keys so the autostart entries can be reviewed in one log
    del /a/f look*.txt
    regedit /e look1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    regedit /e look2.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    regedit /e look3.txt "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run"
    type look*.txt >log.txt
    REM Remove the AppCertDlls value that loads xetpmk.dll into newly created processes
    REM (the key path contains a space, so it must be quoted or reg.exe rejects it)
    reg delete "HKLM\system\currentcontrolset\control\session manager\appcertdlls" /v AppSecDll /f
    REM Park the unneeded Startup-folder shortcuts in a backup folder so they can be restored later
    md c:\startupbackup
    move "c:\documents and settings\Family\Start Menu\Programs\Startup\Dropbox.lnk" c:\startupbackup
    move "c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk" c:\startupbackup
    move "c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk" c:\startupbackup
    move "c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk" c:\startupbackup
    dir /a/b/s c:\startupbackup >>log.txt
    REM Stop the Viewpoint service from starting with Windows
    sc config "Viewpoint Manager Service" start= disabled
    START log.txt
    del look*.txt
    del %0

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  2. Open notepad and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/304715/cant-access-internet-and-more/

    Collect::
    c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll
    RenV::
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\AIM6\aim6 .exe
    c:\program files\Analog Devices\Core\smax4pnp .exe
    c:\program files\Common Files\Sonic\Update Manager\sgtray .exe
    c:\program files\Google\Google Talk\googletalk .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\maiden2a\superantispyware .exe
    c:\program files\Musicmatch\Musicmatch Jukebox\mimboot .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\RapidSolution\Tunebite\tunebite .exe
    c:\program files\Razer\Habu\razerhid .exe
    c:\program files\Sandboxie\sbiectrl .exe
    c:\program files\Siber Systems\AI RoboForm\robotaskbaricon .exe
    c:\program files\Skype\Phone\skype .exe
    c:\windows\system32\dla\tfswctrl .exe
    Folder::
    c:\program files\Swag_Bucks
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    AppSecDll=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    [-HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    [-HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    [-HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Tunebite"=-
    "Google Update"=-
    "RoboForm"=-
    "SandboxieControl"=-
    "feedreader.exe"=-
    "Aim6"=-
    "Skype"=-
    "SUPERAntiSpyware"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager"=-
    "SoundMAXPnP"=-
    "googletalk"=-
    "MimBoot"=-
    "igfxhkcmd"=-
    "Adobe Reader Speed Launcher"=-
    "SunJavaUpdateSched"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"=-


    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.


  3. Please update MBAM manually. To do that, download http://www.malwarebytes.org/mbam/database/mbam-rules.exe and transfer it to the infected computer.
    Double-click mbam-rules.exe to run it.
    Then run MBAM, let it remove what it finds, reboot if needed, and post the log.

  4. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with GMER's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Drives/Partitions other than the C:\ drive (the C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button and wait for it to begin. (Please be patient, as it can take some time to complete.)
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.
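The signature Farbar is reading off the "Reg Loading Points" section above (unrelated autostart programs all reporting the same date and the same 40448-byte size, plus an AppCertDlls value pointing into a user profile) can be checked mechanically. The Python script below is an added example written for this page, not code from the thread, from ComboFix or from any of the tools named in it. It parses a constructed excerpt of the ComboFix output copied from the log above and emits the displaced originals in the "name .exe" form the RenV:: section of the CFScript uses. The thresholds (at least three entries sharing one date/size, covering at least half of the Run entries) are assumptions chosen for this example, not a ComboFix rule.

```python
import re
from collections import Counter

# Constructed sample: a verbatim subset of the ComboFix "Reg Loading Points"
# output shown earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tunebite"="c:\program files\RapidSolution\Tunebite\Tunebite.exe" [2010-03-26 40448]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-26 40448]
"SUPERAntiSpyware"="c:\program files\maiden2a\SUPERAntiSpyware.exe" [2010-03-26 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2010-03-26 40448]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 40448]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\xetpmk.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
APPCERT_RE = re.compile(r"^(?P<name>\S+)\s+REG_SZ\s+(?P<path>.+)$")


def parse_loading_points(text):
    """Split ComboFix 'Reg Loading Points' text into Run entries and AppCertDlls values."""
    run, appcert = [], []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if not key:
            continue
        if key.lower().endswith(r"\run"):
            m = RUN_RE.match(line)
            if m:
                run.append({"key": key, "name": m.group("name"), "path": m.group("path"),
                            "date": m.group("date"), "size": int(m.group("size"))})
        elif key.lower().endswith(r"\appcertdlls"):
            m = APPCERT_RE.match(line)
            if m:
                appcert.append({"name": m.group("name"), "path": m.group("path")})
    return run, appcert


def infector_signature(run_entries, min_entries=3, min_share=0.5):
    """Heuristic (assumed thresholds): unrelated autostart binaries that all share one
    (date, size) pair have been replaced by the same dropper.
    Returns ((date, size), [suspect paths]) or None."""
    if not run_entries:
        return None
    counts = Counter((e["date"], e["size"]) for e in run_entries)
    (date, size), n = counts.most_common(1)[0]
    if n < min_entries or n / len(run_entries) < min_share:
        return None
    suspects = [e["path"] for e in run_entries if (e["date"], e["size"]) == (date, size)]
    return (date, size), suspects


def renv_candidate(path):
    """Path of the displaced original ('name .exe' next to the infected 'name.exe'),
    written the way the RenV:: section of the CFScript above lists them."""
    clean = path.replace("\\\\", "\\")          # the log doubles some separators
    folder, _, base = clean.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    return f"{folder}\\{stem.lower()} .{ext.lower()}"


def suspicious_appcertdlls(appcert_entries):
    """AppCertDlls entries are loaded into every process created via CreateProcess;
    one living under a user profile rather than system32 is a red flag."""
    return [e for e in appcert_entries
            if "\\documents and settings\\" in e["path"].lower()
            or "\\users\\" in e["path"].lower()]


def triage(text):
    """Full pass over a log excerpt: signature, RenV:: candidates, AppCertDlls findings."""
    run, appcert = parse_loading_points(text)
    sig = infector_signature(run)
    return {
        "run_entries": len(run),
        "signature": sig[0] if sig else None,
        "renv": [renv_candidate(p) for p in sig[1]] if sig else [],
        "appcertdlls": suspicious_appcertdlls(appcert),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the excerpt, five of the six Run entries share 2010-03-26 / 40448 (only Avira's avgnt.exe keeps its own date and size), so the script reports that pair as the signature, lists the five "name .exe" paths that match the RenV:: lines in the CFScript, and flags the xetpmk.dll AppCertDlls value because it sits under a user profile.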





#10 Whirly

Whirly
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:57 PM

Posted 28 March 2010 - 09:20 AM

1.
◦Did you perform step 1 from the previous post? I still see the entries in the log. If not, please uninstall the Swag_Bucks Toolbar right now. If you decide to keep it anyway, please don't proceed with the ComboFix step and let me know, because I've listed the entries for removal. Of course, you can install it again after we are done if you insist on using it.
◦Did you try to update MBAM as instructed and get an error? The version is not updated, and you don't mention any error while trying to update.
◦If you have no internet connection, how come the Microsoft Recovery Console is installed? Was it already installed, or was ComboFix able to connect to the internet and download it?


I did not uninstall it, as you said you recommend it, and I know what it is; I have it from a trusted source. I'll get rid of it to save you the trouble of editing these, though.

I updated MBAM via the mbam-rules updater.

I had the Microsoft Recovery Console installed previously, as I had to run ComboFix on this computer about 9 months ago for another problem, and at that time the internet was usable.

I'll get back to you with the rest of that.

Edited by Whirly, 28 March 2010 - 09:58 AM.


#11 Farbar

Posted 28 March 2010 - 11:59 AM

Thanks for the feedback.

Of course you are entitled to keep anything, even the malware, but I just need you to tell me. A sentence about your decision to keep the software could have saved me some time guessing, then including the entries, and then writing to you asking about it.

Also, in the case of updating MBAM, you should have mentioned it.

Please make my job easier and spare me detective work and additional work by giving proper feedback, so that I know what is going on at the other end with minimum effort.

#12 Whirly (Topic Starter)

Posted 28 March 2010 - 12:36 PM

Sorry

I am currently running the GMER scan. I initially ran the ComboFix scan, but it froze while I was trying to save the log. Is there somewhere that the ComboFix logs are archived?

I ran the scan again anyways.

Hopefully GMER will finish up pretty soon; I'll check back in a couple of hours.

#13 Farbar

Posted 28 March 2010 - 12:44 PM

Combofix log will be saved here: C:\Combofix.txt

#14 Farbar

Posted 28 March 2010 - 01:06 PM

QUOTE
I ran the scan again anyways.

Please don't miss my previous post. Please tell me if you mean the ComboFix scan. If yes, you don't need to run the scan again.


#15 Farbar

Posted 02 April 2010 - 06:18 AM

Are you still there?



